Privacy Policy

Effective Date: October 19, 2025
Last Updated: December 5, 2025

1. Introduction

Didit.fyi ("we," "us," or "our") operates a fitness tracking platform that allows users to log workouts, track progress, and receive AI-generated insights. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Didit.fyi is developed and maintained by Mithras R&D AS, a Norwegian limited liability company registered with organization number 984851006.

By using Didit.fyi, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use our service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, display name, and authentication credentials (managed through Firebase Authentication)
  • Profile Information: Optional fitness goals, personal notes about yourself, and preferences
  • Workout Data: Exercise logs, sets, repetitions, weight, RPE (Rate of Perceived Exertion), notes, tags, and performance dates
  • Location Information (Optional): When completing a workout session, you may optionally provide a location (e.g., city name, gym name) that will be publicly displayed in our live activity feed
  • Media Content: Photos and videos you upload (images up to 10MB, videos up to 100MB) to document exercises or achievements
  • Payment Information: Payment details processed and stored by Stripe (we do not store credit card numbers)
  • Communications: Messages you send to our support team

2.2 Automatically Collected Information

  • Usage Data: Pages visited, features used, time spent on the platform, and interaction patterns
  • Device Information: Browser type, operating system, device type, IP address, and general location (country level)
  • Performance Data: Error logs and performance metrics collected through Sentry for debugging and improvement
  • Cookies and Similar Technologies: We use cookies for authentication, preferences, and analytics

3. How We Use Your Information

We use collected information for the following purposes:

  • Service Delivery: To provide, maintain, and improve our fitness tracking platform
  • AI-Powered Features: To generate personalized daily workout tips and insights using OpenAI's GPT-4o-mini model based on your workout history and goals
  • Achievement Sharing: To generate motivational text when you share workout achievements publicly
  • Analytics and Progress Tracking: To calculate personal records, volume trends, estimated 1-rep max, and other fitness metrics
  • Account Management: To manage your subscription, process payments, and enforce usage limits based on your plan
  • Communication: To send essential service notifications, subscription updates, and respond to inquiries
  • Security and Fraud Prevention: To detect, prevent, and address technical issues, unauthorized access, and fraudulent activity
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes
  • Service Improvement: To analyze aggregated, anonymized usage patterns to improve features and user experience
  • Live Activity Feed: To display recent workout activities (with optional location) publicly on our landing page to motivate and inspire the fitness community

4. Third-Party Services and Data Sharing

4.1 Service Providers We Use

OpenAI (Artificial Intelligence)

  • Purpose: Generate personalized daily workout tips and achievement sharing text
  • Data Shared: Workout history (exercises, sets, reps, weight, RPE), fitness goals, and your sharing reasons
  • Privacy: OpenAI does not use data sent via API for training their models (see OpenAI's API data policy)
  • Model: GPT-4o-mini

Firebase (Google Cloud Platform)

  • Firebase Authentication: Manages user authentication and login sessions
  • Firebase Storage: Stores uploaded media files (images and videos)
  • Data Shared: Email, authentication tokens, and uploaded media

Stripe (Payment Processing)

  • Purpose: Process subscription payments and manage billing
  • Data Shared: Email address, subscription plan, and payment information
  • Note: We do not store your credit card information; Stripe handles all payment data securely

Sentry (Error Monitoring)

  • Purpose: Monitor application errors and performance issues
  • Data Shared: Error logs, device information, and user IDs (for debugging)

4.2 Third-Party Integrations (Optional)

You may choose to connect your Didit.fyi account with third-party fitness services. These integrations are entirely optional and require your explicit authorization.

WHOOP

  • Purpose: Import recovery, strain, and sleep data from your WHOOP device to enhance your training insights
  • Data Received: Recovery scores, strain scores, sleep performance, heart rate variability (HRV), and related metrics from WHOOP's API
  • Authorization: You must explicitly authorize access through WHOOP's OAuth flow. You can revoke access at any time through your Didit.fyi account settings or WHOOP app
  • Data Storage: WHOOP data is stored in your account and used to provide personalized insights. We do not share this data with other third parties
  • Privacy: We only access the data scopes you authorize and follow WHOOP's API terms of service

Strava

  • Purpose: Import your recent endurance activities (runs, rides, etc.) to provide personal training context
  • Data Received: Activity summaries such as distance, duration, elevation, and heart rate zones
  • Authorization: You must explicitly authorize access through Strava's OAuth flow. You can disconnect at any time in your Didit.fyi settings
  • Data Storage: Strava data is cached temporarily (up to 7 days) and only displayed to you; we do not share it with other users or third parties
  • Privacy: We only access the scopes you authorize and follow Strava's API terms

We may add additional integrations in the future. Any new integrations will follow the same principles: explicit opt-in, clear data scope, and easy disconnection.

4.3 When We Share Your Information

  • With Your Consent: When you explicitly choose to share workout achievements publicly via share links
  • Service Providers: With trusted third parties who help us operate our service (listed above)
  • Legal Requirements: When required by law, subpoena, or legal process
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (you will be notified)
  • Protection of Rights: To protect our rights, property, safety, or that of our users

4.4 What We Never Do

  • We never sell your personal information to third parties
  • We never share your workout data for advertising purposes
  • We never use your data for purposes beyond what is described in this policy without explicit consent

5. Public Sharing Features

When you use our sharing features, certain information becomes publicly accessible:

5.1 Live Activity Feed

Our landing page features a live activity feed that publicly displays recent workout activities from our community. When you complete a workout session:

  • Displayed Information: Your display name (or initials), exercise details, sets, weight, reps, and optional location are shown in the live feed
  • Location is Optional: Before saving a workout, you'll be prompted to optionally share your location. You are clearly notified that this will be publicly visible. You can always skip this
  • Public Reactions: Anyone visiting our landing page (including anonymous users) can react to activities with emojis (heart, dumbbell, fire)
  • Reaction Notifications: If you're logged in, you'll receive notifications when others react to your workouts
  • Anonymous Reactions: Reactions from non-logged-in users are tracked anonymously and do not include personal information
  • Automatic Display: All completed workout sessions are eligible to appear in the live feed (displayed in rotation)

5.2 Shared Workout Sets

  • Share Links: When you generate a share link for a workout set, anyone with the link can view exercise details, weight, reps, RPE, notes, your display name, and AI-generated achievement text
  • Optional Media: You can choose whether to include photos/videos in shared links
  • Link Expiration: Share links expire after 7 days by default
  • Control: You can delete or revoke shared content at any time by deleting the original set

6. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: All data is encrypted in transit using TLS/SSL and at rest in our database
  • Authentication: Secure Firebase Authentication with JWT verification for all API requests
  • Access Controls: Strict access controls ensure you can only access your own data
  • Regular Audits: We regularly review our security practices and update them as needed
  • Infrastructure: Data is hosted on secure, reputable cloud platforms with high security standards

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

  • Active Accounts: All workout data, media, and account information is retained while your account is active
  • AI Insights: Daily AI-generated insights are automatically deleted after 90 days
  • Deleted Accounts: When you delete your account, all personal data is permanently deleted within 30 days, except where retention is required by law
  • Payment Records: Financial records are retained for 7 years for legal and tax compliance
  • Shared Content: Public share links expire after 7 days, but the underlying data remains in your account until you delete it

8. Your Rights

You have the following rights regarding your personal information:

  • Access: Request a copy of all personal data we hold about you
  • Correction: Update or correct inaccurate information in your profile settings
  • Deletion: Delete your account and all associated data at any time through account settings or by contacting support
  • Data Portability: Request an export of your workout data in a machine-readable format
  • Opt-Out: Opt out of non-essential communications (essential service notifications will still be sent)
  • Object to Processing: Object to certain types of data processing (may limit service functionality)
  • Withdraw Consent: Withdraw consent for data processing at any time (may affect service availability)

To exercise these rights, contact us at support@didit.fyi. We will respond within 30 days.

9. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will delete such information.

10. International Users

Our service is operated from Norway, but accessible globally. If you access our service from outside Norway, your information may be transferred to, stored, and processed in Norway, the United States (where some of our service providers operate), or other countries.

By using our service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to know whether personal information is sold or disclosed
  • Right to opt out of the sale of personal information
  • Right to deletion of personal information
  • Right to non-discrimination for exercising your rights

Note: We do not sell personal information.

12. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

  • Legal Basis: We process your data based on consent, contract performance, legitimate interests, and legal obligations
  • Data Controller: Mithras R&D AS (org. nr. 984851006) operating as Didit.fyi is the data controller for your personal information
  • Rights: You have all rights listed in Section 8 above
  • Complaints: You have the right to lodge a complaint with your local data protection authority (Datatilsynet in Norway)

13. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential Cookies: Required for authentication and basic functionality
  • Preference Cookies: Remember your settings and preferences
  • Analytics Cookies: Understand how you use our service to improve it

You can control cookies through your browser settings, but disabling essential cookies may limit functionality.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Posting the new policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification for material changes (if you have an active subscription)

Your continued use of the service after changes constitutes acceptance of the updated policy.

15. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

Company Name: Mithras R&D AS

Organization Number: 984851006

Country: Norway

Email: support@didit.fyi

Website: didit.fyi

This Privacy Policy is effective as of October 19, 2025, and applies to all users of Didit.fyi.
