Privacy Policy

Last updated: February 13, 2026

1. Data Controller

Kinetix, based in Portugal, is the data controller responsible for your personal data. We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable Portuguese data protection laws.

2. Data We Collect

We collect and process the following categories of personal data:

  • Account information: name, email address, and encrypted password hash.
  • Fitness and health data: body metrics (height, weight, body fat percentage), training programs, workout logs, exercise performance data, and fitness goals.
  • Nutrition data: meal plans, food logs, calorie and macronutrient information.
  • Payment metadata: subscription plan, billing status, and payment identifiers (processed by Stripe; we do not store card details).
  • Usage analytics: pages visited, features used, device information, and interaction patterns (collected via PostHog and Vercel Analytics).

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Consent: for analytics cookies and optional tracking technologies. You can withdraw consent at any time.
  • Contract performance: processing necessary to provide you with the Service, including account management, training programs, and meal planning features.
  • Legitimate interest: for improving the Service, ensuring security, and preventing fraud.

4. How We Use Your Data

We use your personal data to: (a) provide and maintain the Service; (b) manage your account and subscriptions; (c) enable trainers to create personalized programs and meal plans; (d) track your fitness progress and generate analytics; (e) process payments through our payment provider; (f) improve the Service through usage analytics; (g) communicate important updates about the Service; and (h) ensure the security and integrity of the platform.

5. Third-Party Processors

We share your data with the following third-party processors, each with a specific purpose:

  • Stripe: payment processing and subscription management. Stripe processes your payment information directly and is PCI DSS Level 1 certified.
  • Vercel: hosting, analytics, and performance monitoring. Vercel processes usage data to provide website analytics and speed insights.
  • PostHog: product analytics and user behavior tracking (only with your consent). PostHog helps us understand how the Service is used to improve user experience.

6. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential cookies: required for the Service to function properly, including authentication session cookies and security tokens. These cannot be disabled.
  • Analytics cookies: used to collect anonymous usage data to improve the Service (PostHog, Vercel Analytics). These are only activated with your explicit consent.

You can manage your cookie preferences at any time through the cookie settings available on our website.

7. Data Retention

We retain your personal data for as long as your account is active and you use the Service. If you delete your account, we will retain your data for 30 days to allow for account recovery. After this period, your personal data will be permanently and irreversibly deleted from our systems, except where longer retention is required by law.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete personal data.
  • Right to erasure: request deletion of your personal data ("right to be forgotten").
  • Right to data portability: receive your personal data in a structured, machine-readable format.
  • Right to object: object to the processing of your personal data for specific purposes.
  • Right to restrict processing: request that we limit how we use your personal data.
  • Right to withdraw consent: withdraw your consent at any time where processing is based on consent.

To exercise any of these rights, please contact us at the email address provided below. We will respond to your request within 30 days.

9. International Data Transfers

Some of our third-party processors may process data outside the European Economic Area (EEA). In such cases, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in accordance with GDPR requirements.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including: hashing of passwords using industry-standard algorithms; secure HTTPS connections for all data transmission; row-level data isolation in our multi-tenant architecture; and regular security reviews and updates. While we strive to protect your data, no method of transmission over the internet is 100% secure.

11. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on the Service and updating the "Last updated" date. We encourage you to review this policy periodically.

13. Contact and Data Protection Officer

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your data, please contact us at:

privacy@kinetix.app

For data protection inquiries, you may also contact our Data Protection Officer at the same address. You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) or your local supervisory authority.