Legal

Privacy Policy

Last updated: 24 May 2026

FitRepo(“we”, “us”, “our”) is committed to protecting your personal data. This policy explains what we collect, why we collect it, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

1. Who we are

FitRepo is operated as a personal fitness data vault service available at https://mydatafor.life. For data protection purposes, we are the data controller of the personal data you provide to us.

To contact us about privacy matters, email privacy@mydatafor.life.

2. What data we collect

We collect and process the following categories of personal data:

  • Account data — your email address and encrypted password, used to authenticate you and communicate with you about your account.
  • Fitness activity data — workout files (FIT format), session metadata (sport type, duration, distance, elevation, start time), and associated metrics uploaded or synced from connected devices such as Wahoo.
  • Connection credentials — OAuth tokens for third-party services you connect (Strava, Wahoo), and API keys for services such as Intervals.icu. These are stored encrypted and used solely to forward your data on your instruction.
  • Usage data — basic server logs (IP address, request path, timestamp) retained for up to 30 days for security and debugging purposes.

We do not collect payment data, biometric data beyond that contained in your fitness files, or any data from minors. FitRepo is not directed at users under 16.

3. Legal basis for processing

We process your data under the following legal bases:

  • Contract — processing your account data and fitness files is necessary to provide the FitRepo service you have signed up for.
  • Legitimate interests — server logs are retained for security monitoring and fraud prevention, balanced against your right to privacy.
  • Consent — where you explicitly connect third-party services, you consent to us accessing and forwarding data on your behalf via those services.

4. How we use your data

  • Authenticate and secure your account.
  • Store your fitness files in your personal vault.
  • Forward workout data to third-party platforms you have connected (Strava, Intervals.icu, etc.) according to your sync settings.
  • Respond to support requests you initiate.
  • Comply with legal obligations.

We do not sell your data, share it with advertisers, or use it for any purpose beyond providing and improving the FitRepo service.

5. Data storage and security

Your fitness files are stored in Cloudflare R2 object storage (EU region). Account data and activity metadata are stored in Supabase (PostgreSQL) hosted in the EU (eu-west-1, Ireland). All data is encrypted at rest using AES-256 and in transit using TLS 1.3.

Third-party OAuth tokens are stored encrypted in our database. We apply row-level security policies to ensure users can only access their own data, and all service accounts operate on a least-privilege basis.

FitRepo is an independent service. We apply security best practices throughout but do not currently conduct formal third-party penetration testing. In the event of a security incident affecting your personal data we will notify you promptly by email and, where required, report to the ICO within 72 hours.

6. Data retention

We retain your account data and fitness files for as long as your account is active. If you delete your account, all personal data (account, fitness files, connection tokens) will be permanently deleted within 30 days, except where retention is required by law.

Server logs are deleted after 30 days.

7. Third-party services

FitRepo integrates with the following third-party services at your request. Each has its own privacy policy:

We only transmit data to these services when you have explicitly connected them and enabled sync.

8. Your rights

Under UK GDPR you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure— request deletion of your data (“right to be forgotten”). You can do this from your account Settings page.
  • Portability — export your fitness data in a machine-readable format from your Settings page.
  • Objection — object to processing based on legitimate interests.
  • Restriction — request that we restrict processing of your data in certain circumstances.

To exercise any right, email privacy@mydatafor.life. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.

9. Cookies

FitRepo uses only essential session cookies required to keep you signed in. We do not use tracking, advertising, or analytics cookies.

10. Changes to this policy

We may update this policy as the service evolves. Material changes will be notified to you by email at least 14 days before taking effect. Continued use of FitRepo after that date constitutes acceptance of the updated policy.

© 2026 FitRepo. All rights reserved.