Privacy Policy

Last updated: [EFFECTIVE_DATE]

1. Introduction

This Privacy Policy explains how PFA DANIEL COCOS ("we," "us," or "our") collects, uses, and protects your personal data when you use the FormChase application and website (the "Service").

We are committed to protecting your privacy and ensuring that your personal data is handled in accordance with the General Data Protection Regulation (GDPR) and Romanian data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

3. Important Health Data Disclaimer

4. Data We Collect

4.1 Account Data

When you create an account, we collect:

• Full name and display name
• Email address
• Phone number (optional)
• Profile photo (optional)
• Language and timezone preferences

4.2 Authentication Data

Depending on your sign-in method:

• Email and password (hashed, never stored in plain text)
• Google OAuth identifier
• Apple Sign-In identifier

4.3 Fitness and Workout Data

• Exercise logs (type, duration, sets, reps, weights)
• Workout routines and schedules
• Workout notes and session data
• Progress tracking statistics

4.4 Nutrition Data

• Meal logs (foods, portions, timestamps)
• Calorie and macronutrient calculations
• Water intake records
• Custom recipes and food preferences
• Meal plans and schedules

4.5 Body Measurements

• Height and weight (for BMI calculation)
• Body composition data (if entered)
• Progress photos (optional)

4.6 Subscription and Billing Data

• Subscription plan and status
• Stripe customer ID and subscription ID
• Payment history and invoices
• Promotional codes redeemed

We do NOT store your payment card details. All payment processing is handled securely by Stripe.

4.7 Technical Data

• Device type and operating system
• Session identifiers (locally generated)
• App usage patterns for service improvement
• Error reports (with personal data removed)

5. Apple Health Integration (Optional)

If you choose to enable Apple Health integration, we may read:

• Workout data (type, duration, calories)
• Step counts
• Heart rate data
• Body measurements

This integration is entirely optional and requires your explicit permission. We do NOT write data to Apple Health; we only read data that you authorize.

6. Legal Bases for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

7. How We Use Your Data

We use your personal data to:

• Provide the Service: Enable workout logging, meal tracking, progress monitoring, and all core features
• Manage your account: Process registration, authentication, and account settings
• Process payments: Handle subscriptions and billing through Stripe
• Improve the Service: Analyze usage patterns to enhance features (using aggregated, non-identifiable data)
• Provide support: Respond to your inquiries and resolve issues
• Ensure security: Detect and prevent fraud, abuse, and security threats
• Comply with laws: Meet legal obligations, including Romanian fiscal retention requirements

8. Data Sharing and Third Parties

We share your data only with the following categories of processors:

8.1 Supabase (Database Hosting)

• Purpose: Cloud database and authentication services
• Location: EU (Paris, France)
• Data shared: All user data stored in our database
• Safeguards: GDPR-compliant, EU data residency

8.2 Stripe (Payment Processing)

• Purpose: Subscription billing and payment processing
• Location: United States (with EU Standard Contractual Clauses)
• Data shared: Email, subscription details, payment information
• Safeguards: PCI-DSS compliant, SCCs for EU transfers

8.3 Sentry (Error Reporting)

• Purpose: Crash reporting and error monitoring in production
• Location: United States (with appropriate safeguards)
• Data shared: Device info, crash data (personal data scrubbed before sending)
• Safeguards: PII scrubbing, data minimization

8.4 Open Food Facts (Food Database)

• Purpose: Nutritional information for food logging
• Location: EU
• Data shared: Search queries only (no user identifiers)
• Safeguards: No personal data transmitted

We do NOT sell your personal data to third parties.

9. International Data Transfers

Your data is primarily stored within the European Union (EU) on servers located in Paris, France.

When data is transferred outside the EU (to Stripe or Sentry in the US), we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs)
• Data processing agreements
• Technical and organizational security measures

10. Data Retention

We retain your data for the following periods:

After account deletion, your personal data is anonymized or deleted, except where retention is required by law.

11. Your Rights Under GDPR

As an EU resident, you have the following rights:

11.1 Right of Access (Art. 15)

You can request a copy of all personal data we hold about you.

11.2 Right to Rectification (Art. 16)

You can correct inaccurate or incomplete personal data.

11.3 Right to Erasure (Art. 17)

You can request deletion of your personal data ("right to be forgotten"). We will delete your data within 30 days, except where retention is legally required.

11.4 Right to Restrict Processing (Art. 18)

You can request restriction of processing in certain circumstances.

11.5 Right to Data Portability (Art. 20)

You can request your data in a portable format (JSON export available in app settings).

11.6 Right to Object (Art. 21)

You can object to processing based on legitimate interests.

11.7 Right to Withdraw Consent (Art. 7)

Where processing is based on consent, you can withdraw consent at any time.

To exercise your rights, use the in-app features (Settings → Privacy → Data Export / Delete Account) or contact us at contact@formchase.ro.

We will respond to valid requests within 30 days.

12. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (TLS/HTTPS) and at rest
• Row-Level Security (RLS) policies in our database
• Secure authentication with hashed passwords
• Access controls and principle of least privilege
• Regular security reviews and updates
• Automatic PII scrubbing in error reports

13. Children's Privacy

FormChase is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@formchase.ro.

14. Automated Decision-Making

FormChase does not use automated decision-making or profiling that produces legal or similarly significant effects on you. Any analytics we perform are for service improvement only.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through in-app notifications or email. Your continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact Us

For privacy-related questions or to exercise your data rights, contact us:

Supervisory Authority

You have the right to lodge a complaint with the Romanian data protection authority: