Privacy Policy
Last updated: April 13, 2026
FitFlow ("we", "us", "our") operates a coaching operations platform that helps fitness coaches and personal trainers manage client delivery through messaging channels including WhatsApp and Telegram. This Privacy Policy explains how we collect, use, disclose, and safeguard information for both Coaches (our direct customers) and their Clients (end users who interact with FitFlow through messaging channels).
1. Information We Collect
1.1 Information from Coaches
When you register for and use FitFlow as a coach, we may collect:
- Account information: name, email address, phone number, business name, and login credentials (managed via Supabase Auth)
- Payment information: billing details processed through Stripe Connect. We do not store full credit card numbers on our servers.
- Business data: coaching offers, workout plans, exercise libraries, message templates, and scheduling preferences you create within the platform
- Channel credentials: WhatsApp Business API tokens and Telegram Bot API tokens used to connect your messaging accounts
- Usage data: feature usage, login activity, and interaction patterns with the dashboard
1.2 Information from Clients (End Users)
When a coach's client interacts with FitFlow through WhatsApp or Telegram, we may collect:
- Contact information: name, phone number, email address, and messaging platform identifier
- Health and fitness data: body weight, energy levels, sleep quality, training goals, injury history, experience level, and other information provided through check-ins and onboarding forms
- Workout data: plan assignments, workout completion status, and compliance records
- Communication data: messages exchanged through WhatsApp and Telegram including check-in responses, delivered workout content, and automated bot interactions
- Payment data: payment status and transaction records related to coaching services
1.3 Information Collected Automatically
- Device and browser data: IP address, browser type, operating system, and device identifiers
- Cookies and analytics: session cookies for authentication and anonymized usage analytics
- Log data: server logs including timestamps, request paths, and error reports
2. How We Use Information
2.1 For Coaches
- Provide, maintain, and improve the FitFlow platform
- Authenticate accounts and secure access
- Process payments and manage billing through Stripe Connect
- Deliver automated messages, check-ins, and workout content via WhatsApp and Telegram on the coach's behalf
- Generate analytics dashboards including client compliance, progress trends, and engagement metrics
- Send service-related communications (account updates, security alerts, feature announcements)
- Provide customer support
2.2 For Clients
- Deliver coaching content (workout plans, check-in prompts, milestone messages) through the client's preferred messaging channel
- Collect and process check-in responses (weight, energy, sleep) and surface them to the client's coach
- Track workout completion and progress over time
- Send automated re-engagement messages when a client becomes inactive
- Facilitate onboarding and intake questionnaires
Important: FitFlow processes client data on behalf of coaches. Coaches are the data controllers for their client data. FitFlow acts as a data processor, handling client information only as instructed by the coach through their use of the platform.
3. How We Share Information
We do not sell personal information. We share data only in the following circumstances:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Coaches | Their clients' check-in data, progress, contact info | Core platform functionality |
| Meta (WhatsApp Business API) | Phone numbers, message content | Delivering messages via WhatsApp |
| Telegram Bot API | Telegram user IDs, message content | Delivering messages via Telegram |
| Stripe | Payment and billing information | Payment processing |
| Supabase | Account credentials, database records | Authentication and data storage |
| Law enforcement | As required | Legal compliance |
4. Messaging Channel Data
4.1 WhatsApp (Meta Cloud API)
FitFlow integrates with the Meta Cloud API to send and receive WhatsApp messages on behalf of coaches. This means:
- Messages sent through FitFlow are processed by Meta in accordance with WhatsApp's Privacy Policy
- We store message content and delivery status in our database to provide coaches with message history and analytics
- Phone numbers are used solely for message delivery and client identification
- We use approved WhatsApp message templates in compliance with Meta's Business Messaging policies
- We do not use WhatsApp data for advertising purposes
4.2 Telegram (Bot API)
Each coach may have a dedicated Telegram bot provisioned through the Telegram Bot API:
- Messages are processed by Telegram in accordance with Telegram's Privacy Policy
- We store message content and interaction data to provide coaching functionality
- Telegram user IDs and chat IDs are used solely for message delivery
- Bot interactions are limited to coaching-related functionality (check-ins, workout delivery, progress tracking)
5. Data Retention
- Coach accounts: Data is retained for the duration of the account and for up to 30 days after account deletion to allow for recovery
- Client data: Retained as long as the coach maintains an active account. When a coach removes a client or deletes their account, associated client data is deleted within 30 days
- Message history: Retained for the duration of the coaching relationship. Coaches may delete message history at any time
- Payment records: Retained as required by financial regulations (typically 7 years)
- Server logs: Automatically purged after 90 days
6. Data Security
We implement industry-standard security measures to protect your data:
- All data is transmitted over HTTPS with TLS encryption
- Database access is restricted and authenticated through Supabase Row Level Security
- API authentication uses secure token-based access control
- Webhook endpoints use signature verification to prevent tampering
- Sensitive credentials (API keys, bot tokens) are stored encrypted and never exposed to the client side
- We conduct regular security reviews of our codebase and infrastructure
7. Your Rights
7.1 Coach Rights
As a FitFlow coach, you have the right to:
- Access your account data and all client data you have collected
- Export your data in a standard format
- Delete your account and all associated data
- Modify your personal and business information at any time
- Disconnect messaging channels (WhatsApp, Telegram) at any time
7.2 Client Rights
As a client of a FitFlow coach, you have the right to:
- Access the data your coach has collected about you by contacting your coach directly
- Request deletion of your data by contacting your coach, who can remove your records from FitFlow
- Opt out of automated messages at any time by notifying your coach
- Contact us directly at the email below if your coach is unresponsive to your data requests
For EU/EEA residents: You have additional rights under the General Data Protection Regulation (GDPR), including the right to data portability, the right to restrict processing, and the right to lodge a complaint with a supervisory authority. FitFlow processes data under the legal bases of contractual necessity (for coaches) and legitimate interest (for clients, on behalf of their coach).
8. Cookies
FitFlow uses only essential cookies required for platform functionality:
- Authentication cookies: To maintain your logged-in session
- Preference cookies: To remember your settings (e.g., theme preference)
We do not use advertising cookies or tracking pixels. We do not participate in cross-site tracking.
9. Children's Privacy
FitFlow is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. International Data Transfers
Your data may be processed in countries other than your own. Our service providers (Supabase, Stripe, Meta, Telegram) operate globally. Where data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses where applicable.
11. Third-Party Services
FitFlow integrates with the following third-party services, each governed by its own privacy policy:
- Supabase — Authentication and database
- Stripe — Payment processing
- WhatsApp / Meta — Messaging delivery
- Telegram — Messaging delivery
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify coaches of material changes via email or an in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
FitFlow
Email: privacy@fitflow.app