1. Introduction
Didit.fyi ("we," "us," or "our") operates a fitness tracking platform that allows users to log workouts, track progress, and receive AI-generated insights. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
Didit.fyi is owned and operated by Mithras Holding AS, a Norwegian company registered with organization number 935918782.
By using Didit.fyi, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use our service.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, display name, and authentication credentials (managed through Firebase Authentication)
- Profile Information: Optional fitness goals, personal notes about yourself, and preferences
- Workout Data: Exercise logs, sets, repetitions, weight, RPE (Rate of Perceived Exertion), notes, tags, and performance dates
- Media Content: Photos and videos you upload (images up to 10MB, videos up to 100MB) to document exercises or achievements
- Payment Information: Payment details processed and stored by Stripe (we do not store credit card numbers)
- Communications: Messages you send to our support team
2.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent on the platform, and interaction patterns
- Device Information: Browser type, operating system, device type, IP address, and general location (country level)
- Performance Data: Error logs and performance metrics collected through Sentry for debugging and improvement
- Cookies and Similar Technologies: We use cookies for authentication, preferences, and analytics
3. How We Use Your Information
We use collected information for the following purposes:
- Service Delivery: To provide, maintain, and improve our fitness tracking platform
- AI-Powered Features: To generate personalized daily workout tips and insights using OpenAI's GPT-4o-mini model based on your workout history and goals
- Achievement Sharing: To generate motivational text when you share workout achievements publicly
- Analytics and Progress Tracking: To calculate personal records, volume trends, estimated 1-rep max, and other fitness metrics
- Account Management: To manage your subscription, process payments, and enforce usage limits based on your plan
- Communication: To send essential service notifications, subscription updates, and respond to inquiries
- Security and Fraud Prevention: To detect, prevent, and address technical issues, unauthorized access, and fraudulent activity
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
- Service Improvement: To analyze aggregated, anonymized usage patterns to improve features and user experience
4. Third-Party Services and Data Sharing
4.1 Service Providers We Use
OpenAI (Artificial Intelligence)
- Purpose: Generate personalized daily workout tips and achievement sharing text
- Data Shared: Workout history (exercises, sets, reps, weight, RPE), fitness goals, and your sharing reasons
- Privacy: OpenAI does not use data sent via the API to train its models (per OpenAI's API data usage policies)
- Model: GPT-4o-mini
Firebase (Google Cloud Platform)
- Firebase Authentication: Manages user authentication and login sessions
- Firebase Storage: Stores uploaded media files (images and videos)
- Data Shared: Email, authentication tokens, and uploaded media
Stripe (Payment Processing)
- Purpose: Process subscription payments and manage billing
- Data Shared: Email address, subscription plan, and payment information
- Note: We do not store your credit card information; Stripe handles all payment data securely
Sentry (Error Monitoring)
- Purpose: Monitor application errors and performance issues
- Data Shared: Error logs, device information, and user IDs (for debugging)
4.2 When We Share Your Information
- With Your Consent: When you explicitly choose to share workout achievements publicly via share links
- Service Providers: With trusted third parties who help us operate our service (listed above)
- Legal Requirements: When required by law, subpoena, or legal process
- Business Transfers: In connection with a merger, acquisition, or sale of assets (you will be notified)
- Protection of Rights: To protect our rights, property, or safety, or those of our users
4.3 What We Never Do
- We never sell your personal information to third parties
- We never share your workout data for advertising purposes
- We never use your data for purposes beyond what is described in this policy without explicit consent
5. Public Sharing Features
When you use our sharing features, certain information becomes publicly accessible:
- Shared Workout Sets: When you generate a share link for a workout set, anyone with the link can view exercise details, weight, reps, RPE, notes, your display name, and AI-generated achievement text
- Optional Media: You can choose whether to include photos/videos in shared links
- Link Expiration: Share links expire after 7 days by default
- Control: You can delete or revoke shared content at any time by deleting the original set
6. Data Security
We implement industry-standard security measures to protect your information:
- Encryption: All data is encrypted in transit using TLS/SSL and at rest in our database
- Authentication: Secure Firebase Authentication with JWT verification for all API requests
- Access Controls: Strict access controls ensure you can only access your own data
- Regular Audits: We regularly review our security practices and update them as needed
- Infrastructure: Data is hosted on secure, reputable cloud platforms with high security standards
While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your information for as long as necessary to provide our services and comply with legal obligations:
- Active Accounts: All workout data, media, and account information are retained while your account is active
- AI Insights: Daily AI-generated insights are automatically deleted after 90 days
- Deleted Accounts: When you delete your account, all personal data is permanently deleted within 30 days, except where retention is required by law
- Payment Records: Financial records are retained for 7 years for legal and tax compliance
- Shared Content: Public share links expire after 7 days, but the underlying data remains in your account until you delete it
8. Your Rights
You have the following rights regarding your personal information:
- Access: Request a copy of all personal data we hold about you
- Correction: Update or correct inaccurate information in your profile settings
- Deletion: Delete your account and all associated data at any time through account settings or by contacting support
- Data Portability: Request an export of your workout data in a machine-readable format
- Opt-Out: Opt out of non-essential communications (essential service notifications will still be sent)
- Object to Processing: Object to certain types of data processing (may limit service functionality)
- Withdraw Consent: Withdraw consent for data processing at any time (may affect service availability)
To exercise these rights, contact us at support@didit.fyi. We will respond within 30 days.
9. Children's Privacy
Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will delete such information.
10. International Users
Our service is operated from Norway but is accessible globally. If you access our service from outside Norway, your information may be transferred to, stored, and processed in Norway, the United States (where some of our service providers operate), or other countries.
By using our service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know whether personal information is sold or disclosed
- Right to opt out of the sale of personal information
- Right to deletion of personal information
- Right to non-discrimination for exercising your rights
Note: We do not sell personal information.
12. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on consent, contract performance, legitimate interests, and legal obligations
- Data Controller: Mithras Holding AS (org. nr. 935918782) operating as Didit.fyi is the data controller for your personal information
- Rights: You have all rights listed in Section 8 above
- Complaints: You have the right to lodge a complaint with your local data protection authority (Datatilsynet in Norway)
13. Cookies and Tracking
We use cookies and similar technologies for:
- Essential Cookies: Required for authentication and basic functionality
- Preference Cookies: Remember your settings and preferences
- Analytics Cookies: Understand how you use our service to improve it
You can control cookies through your browser settings, but disabling essential cookies may limit functionality.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the new policy on this page
- Updating the "Last Updated" date
- Sending an email notification for material changes (if you have an active subscription)
Your continued use of the service after changes constitutes acceptance of the updated policy.
15. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:
Company Name: Mithras Holding AS
Organization Number: 935918782
Country: Norway
Email: support@didit.fyi
Website: didit.fyi