Last updated: April 12, 2026
This Privacy Policy explains how fittree collects, uses, stores, and shares personal data when you use the Service.
The controller for data processing in connection with the Service is Volkan Arisli, a natural person based in Germany.
General support and privacy contact: fittree.info@gmail.com
Service website: https://www.fittree.bio/
This policy applies to personal data processed when you create an account, manage a public profile page, connect integrations (including Strava), view analytics, or contact support.
Public profile pages are intended to be publicly accessible. Information you choose to publish on your page may be viewed by visitors, indexed by search engines, and copied by third parties beyond our control.
Depending on how you use fittree, we process:
- Account and identity data (for example name, email, account identifiers, login metadata).
- Profile and page content (for example username, bio, links, images, credentials, and other content you publish).
- Integration data (for example Strava account connection status and activity data you permit us to access).
- Usage and device data (for example IP address, browser/device information, timestamps, referring URLs, and interaction logs).
- Analytics data (for example link clicks, referrers, and basic traffic/funnel events available to creators).
- Billing-related metadata from payment partners (for example subscription status, plan, and renewal dates; no payment card data is stored by us).
- Communications data (for example support messages and legal/abuse reports).
We collect personal data:
- Directly from you (for example registration, profile edits, support requests).
- Automatically when you use the Service (for example logs, technical telemetry, and click events).
- From third-party providers you choose to connect (for example Strava via OAuth).
- From service providers that support billing, hosting, authentication, and analytics.
If you connect your Strava account, we request and process Strava data strictly to provide integration features in fittree (for example showing selected activity highlights on your public page and related creator insights).
Strava data processing details:
- Connection is optional and initiated by you through Strava OAuth permissions.
- We access only data allowed by your granted Strava scopes and Strava API rules.
- We do not sell Strava personal data.
- We do not use Strava data for unrelated advertising profiles.
- You can disconnect Strava access from your fittree account settings and/or within your Strava account permissions.
- After disconnection, previously synced Strava data may remain for a limited period in backups or logs, then is deleted according to retention controls.
Strava may process your data under its own privacy terms. Please review Strava's privacy documentation for details on Strava-side processing.
We process data for the following purposes:
- Service delivery and account management (contract performance).
- Security, fraud prevention, abuse handling, and enforcement (legitimate interests; legal obligations where applicable).
- Product analytics and service improvement (legitimate interests; consent where required by local law for non-essential tracking).
- Billing and subscription administration via payment partners (contract performance and legal obligations).
- Support and legal communications (legitimate interests; legal obligations where applicable).
For EEA/UK users, legal bases generally include Article 6(1)(b) GDPR (contract), 6(1)(c) (legal obligation), and 6(1)(f) (legitimate interests). Where consent is required (for example non-essential cookies), we rely on consent and provide withdrawal choices.
Core service data is stored in Supabase (PostgreSQL and Supabase Auth). The application is hosted on Vercel infrastructure. We use technical and organizational measures designed to protect personal data, including access controls, encryption in transit, and least-privilege operational practices.
No system is perfectly secure. If we detect a data incident, we will act under applicable notification requirements.
We share personal data only as needed to operate the Service, including with:
- Hosting and CDN providers (for example Vercel).
- Database and authentication providers (for example Supabase).
- Payment and subscription providers acting as merchant of record (for example Lemon Squeezy).
- Integration partners you choose to connect (for example Strava).
We may also disclose data when required by law, valid legal process, or to protect rights, safety, and service integrity.
Because our vendors and partners may operate globally, personal data may be transferred outside your country, including to the United States. Where required, we use transfer mechanisms recognized by applicable law (for example contractual safeguards) and apply supplementary protections where feasible.
We keep personal data only for as long as needed for the purposes described in this policy, including:
- Active account data: retained while your account is active.
- Profile/public page content: retained until you remove it or close your account, subject to short technical delay.
- Security and audit logs: retained for limited periods needed for security and compliance.
- Billing and transaction records: retained as required by tax/accounting law and merchant-of-record obligations.
- Backups: deleted on rolling schedules after expiry.
Exact retention windows may be updated as operations mature and will be reflected in policy updates.
Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing, and to data portability where applicable. You may also withdraw consent where processing is based on consent.
How to exercise rights:
- Request access/correction/deletion at fittree.info@gmail.com.
- You may remove profile content directly in-product where those controls exist.
- You may close your account and request deletion of associated personal data, subject to legal retention duties.
For EEA users, you may also complain to your local data protection authority. Users based in Turkey may exercise their rights under applicable Turkish data protection law using the same contact above.
We use cookies or similar technologies necessary to operate the Service. If non-essential analytics or marketing cookies are enabled, we will implement consent controls and, where appropriate, a separate Cookie Notice.
The Service is not intended for children under 16. We do not knowingly allow accounts for users under 16.
We may update this Privacy Policy from time to time. If changes are material, we will provide reasonable notice (for example on the site or by email where available) and update the "Last updated" date.