Privacy Policy

FitMesh Sync ("we", "our", "the app") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use and safeguard health information when you use our mobile application FitMesh Sync (com.fitmeshsync.app on Google Play).

Legal basis: GDPR Art. 6(1)(b) (performance of a service requested by the user) and Art. 9(2)(a) (explicit consent to processing health-related data, granted through the Health Connect/Samsung Health authorizations inside the app).

FitMesh Sync reads the following health-related data from your Android device via authorized services (Health Connect, Samsung Health Data SDK):

• •Physical activity: steps, distance travelled, calories burned (active and total), floors climbed
• •Heart rate: average, min/max range, resting heart rate, HRV
• •Sleep: total duration, stages (deep, REM, light, awake), start/end times
• •Body composition: weight, height, BMI (when provided by the user)
• •Other metrics: oxygen saturation (SpO₂), VO₂ max, skin temperature, elevation gain
• •Exercise sessions: activity type, duration, distance, calories
• •Account: email address (Supabase Auth) and device identifier

The collected data is used exclusively to:

• •Sync: ingest and persist your health metrics on our cloud backend
• •Visualization: display the data on the in-app dashboard
• •Support: diagnose technical issues when you report them by email
• •Notifications: deliver configurable reminders (e.g. sync nudges) via Firebase Cloud Messaging

We never sell, share or use your data for advertising or marketing. No automated profiling that produces legal effects on the user is performed.

Synced data is sent to the FitMesh Sync backend hosted on:

• •Vercel Inc.: serverless API for fitmesh.fit (preferred region: Europe fra1; some edge functions run closest to the user)
• •Supabase Inc.: managed PostgreSQL + auth + storage (EU region, eu-central-1 Frankfurt)

Data stays on your Android device in a local cache until sync. After delivery is confirmed, the local cache is cleared.

The primary database (Supabase Postgres) is hosted in the European Union (Frankfurt, Germany). However, some auxiliary services involve a transfer to third countries (in particular the United States):

• •Vercel (US): edge runtime and request logging. Transfer governed by Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914) and Data Processing Addendum signed with Vercel
• •Resend (US): transactional email delivery (beta signup confirmation, support replies). Transfer governed by SCC + DPA
• •Firebase Cloud Messaging (Google LLC, US): push notification transport. Google adheres to SCC + EU-US Data Privacy Framework
• •Google Sign-In (Google LLC, US): optional authentication via Google account. Transfer governed by SCC + DPF

Before transferring data to the US we performed a Transfer Impact Assessment: data transferred is limited and does not include raw biometric identifiers; the SCC include suspension clauses in case of government authority requests; chosen vendors adhere to the EU-US Data Privacy Framework where available.

• •Health metrics: kept while the user account is active. Deleted within 30 days of an account-deletion request or confirmed uninstall
• •Application and sync logs: kept for 90 days for troubleshooting, then automatically purged
• •Contact emails (privacy/support): kept for 24 months to ensure support continuity, then deleted
• •Database backups: 7-day rotation on Supabase point-in-time recovery
• •Beta signup data: kept until public launch, then anonymized or deleted

FitMesh Sync requires the following permissions:

• •Health Connect: to read health data from the Android operating system
• •Samsung Health (optional): if you own a Galaxy Watch, for extra data not exposed by Health Connect
• •Internet access: to sync data with the FitMesh Sync backend
• •Background sync: to send data periodically even when the app is closed
• •Notifications: to receive sync reminders and system notices
• •Battery optimization exemption: to guarantee regular sync (required on Android 14+)

All permissions are requested explicitly and you can revoke them at any time from the device or app settings.

• •Transport: all data flows over HTTPS/TLS 1.2+ to fitmesh.fit
• •Local persistence: the local cache is cleared after server-confirmed delivery
• •Auth tokens: Supabase JWT stored in the Android Keystore (flutter_secure_storage)
• •Row-Level Security: each user can only read/write their own rows (Supabase RLS policies on every exposed table)
• •No third-party trackers in the app: no analytics, advertising or profiling SDKs are bundled in the app

Under the GDPR you have the right to:

• •Access: request a copy of your data stored on our systems
• •Rectify: correct inaccurate or incomplete data
• •Delete: request full deletion of your account and associated data
• •Restrict: request restriction of processing in specific cases
• •Portability: receive your data in a structured JSON format
• •Object: object to processing for legitimate reasons
• •Withdraw consent: disable health-data permissions at any time (withdrawal does not affect the lawfulness of processing before withdrawal)

To exercise these rights, email us at privacy@fitmesh.fit. We reply within 30 days as required by GDPR Art. 12.

FitMesh Sync uses the following data processors:

• •Health Connect (Google LLC): Android health data source — read locally, not communicated by us to Google
• •Samsung Health Data SDK (Samsung Electronics): Galaxy Watch data source — read locally
• •Supabase Inc.: managed PostgreSQL + Auth (Frankfurt, DE) — DPA signed
• •Vercel Inc.: serverless API hosting (US, global edge) — DPA signed + SCC
• •Resend, Inc.: transactional email delivery (US) — DPA + SCC
• •Google LLC (Firebase Cloud Messaging): push notification transport (US) — DPA + SCC + DPF
• •Google LLC (Google Sign-In, optional): OAuth authentication (US) — DPA + SCC + DPF
• •Google LLC (Google Play Billing): in-app purchase handling — subject to Google Play Terms
• •Google Analytics 4 (website only, opt-in): anonymous analytics enabled only after explicit consent via the cookie banner

More website-cookie details in our Cookie Policy.

We may update this Privacy Policy from time to time. For material changes we will notify you by email or with an in-app notice before the next sync. The last-updated date is shown at the top of this page.

FitMesh Sync is not intended for users under 16 years of age (the digital consent age for Italy under GDPR Art. 8). We do not knowingly collect personal data from minors under 16 without parental consent.

If you believe the processing of your data violates the GDPR, you may file a complaint with your national data protection authority. For Italian residents this is the Garante per la Protezione dei Dati Personali (garanteprivacy.it).