Privacy Policy

Last Updated: 10 April 2026

1. Who We Are

faff.fit is operated by Maison Regneugneux (“we”, “us”, or “our”). We are the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR).

Contact: info@faff.fit

2. What Personal Data We Collect

We collect the following personal data when you use faff.fit:

  • Email address — provided by your Google or Apple account during sign-in, used for authentication.
  • Username — chosen by you at registration.
  • Profile photo — optionally uploaded by you.
  • Practice logs — videos, images, and text you upload to track your practice.
  • Comments and reactions — content you post on shared practice containers.
  • Push notification token — a device identifier used by Firebase Cloud Messaging (FCM) to deliver notifications.
  • IP address — collected in server logs but immediately anonymised (last octet removed).

We do not collect location data, contacts, or any data from other apps on your device.

3. Why We Process Your Data (Legal Basis)

Under GDPR Article 6, we process your data on the following legal bases:

Contractual necessity (Art. 6(1)(b)):

  • Account creation and authentication (email, username)
  • Practice logging, sharing, comments, and reactions
  • Profile management (username, profile photo)

Legitimate interest (Art. 6(1)(f)):

  • Push notifications — to inform you of activity on your shared practice containers (comments, reactions, shares). You can disable notifications at any time via your device settings.
  • Anonymised IP logging — for security monitoring and abuse prevention.

4. How Long We Keep Your Data

  • Active account — your data is kept for the duration of your account.
  • Inactive account — if you do not log in for 3 years, your account is automatically anonymised.
  • Deleted account — when you delete your account, your personally identifiable information is erased immediately. Comments and reactions you posted on other users’ practice containers are anonymised (your name is replaced with “[deleted user]” and comment content is replaced with “[deleted]”).
  • Data exports — export files are automatically deleted after 7 days.
  • Rate-limit and deduplication records — purged every 15 minutes.

5. Who Has Access to Your Data

We use the following third-party processors to operate faff.fit. All primary data processing takes place within the European Union.

EU-based processors:

  • OVHcloud (France) — server hosting and media file storage (Object Storage).
  • Scaleway (France) — managed PostgreSQL database.

Non-EU processors (push notifications only):

  • Google / Firebase (US) — delivers push notifications via Firebase Cloud Messaging. Only your device token and the notification content are transmitted. Covered by EU Standard Contractual Clauses (SCCs).
  • Apple (US) — delivers push notifications via Apple Push Notification service (APNs). Only your device token and the notification content are transmitted. Covered by Apple’s Data Processing Agreement.

No personal data other than push notification tokens and notification payloads is transferred outside the EU. We do not sell or share your data with advertisers or data brokers.

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — correct your username or profile photo directly in the app.
  • Right to erasure (Art. 17) — delete your account in Settings. All personally identifiable information is erased immediately.
  • Right to data portability (Art. 20) — export your data in Settings. You will receive a download link containing all your data in a machine-readable format.
  • Right to restrict processing (Art. 18) — contact us to request restriction of processing in specific circumstances.
  • Right to object (Art. 21) — object to processing based on legitimate interest (push notifications, anonymised IP logging). You can disable push notifications via your device settings at any time.
  • Right to lodge a complaint — you may file a complaint with your local data protection supervisory authority. In France, this is the CNIL. In the Netherlands, this is the Autoriteit Persoonsgegevens.

To exercise any of these rights, contact us at info@faff.fit. We will respond within 30 days.

7. Data Security

We take the security of your data seriously and implement the following measures:

  • All data in transit is encrypted with TLS 1.3.
  • Database contents are encrypted at rest (AES-256).
  • Server access is restricted to SSH key authentication only.
  • IP addresses are anonymised before being written to logs.
  • Session data is stored in memory only and never written to disk.

8. Children’s Privacy

faff.fit is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at info@faff.fit and we will delete it promptly.

9. Automated Decision-Making

We do not use automated decision-making or profiling as defined under GDPR Article 22.

10. Is Providing Your Data Required?

An email address (via Google or Apple Sign-In) and a username are required to create an account and use faff.fit. Without this data we cannot provide the service. All other data (profile photo, practice logs, comments, reactions) is provided voluntarily.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the app with a revised “Last Updated” date. Your continued use of faff.fit after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:

Maison Regneugneux
Email: info@faff.fit

© 2026 faff.fit — Maison Regneugneux