Privacy Policy

1. Introduction

Fitness & Fuel™ ("we", "our", "us", "the Platform") is a fitness coaching marketplace application developed and operated by VCDS™ (Valhalla Custom Design Studios), based in Heidelberg, Gauteng, South Africa. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and associated services.

This policy complies with the Protection of Personal Information Act (POPIA) 4 of 2013.

Trainers on the Platform operate as independent service providers. VCDS™ provides the technology platform; individual trainers are responsible for the coaching services they deliver.

By using Fitness & Fuel™, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not access the application.

2. Information We Collect

2.1 Personal Information

When you create an account, we collect:

• Identity data: Name, surname, email address, phone number
• Profile data: Bio, profile photo, medical history
• Legal data: Digital signature, terms acceptance timestamp

2.2 Health & Fitness Data

To provide coaching services, we collect:

• Body measurements: Weight, body fat percentage, chest, waist, hips, arms, thighs, calves
• Training data: Exercise sessions, sets, reps, workout history
• Nutrition data: Meal logs, calorie intake, food items, photo-analysed meals (Snap & Stack)
• Fitness goals: Selected goals, categories, and progress tracking
• Location data: GPS altitude (used by Hoogtelyn for calorie adjustment) — collected only when you actively use the feature, not in the background

2.3 Payment & Transaction Data

• Subscription tier, status, and billing period
• PayFast subscription token (for managing recurring payments — we do not store credit card or bank details)
• Product orders, purchase history, and payment proof images (for EFT payments)
• Booking history and session details

2.4 Communication Data

• Phone number: Used to send transactional SMS via BulkSMS (password reset OTPs, booking confirmations, subscription confirmations)
• Push notification token: Device token stored to deliver push notifications via Firebase Cloud Messaging (FCM) and Expo Push Service

2.5 Technical Data

• Device push notification tokens
• App usage data and interactions

3. How We Use Your Information

We use the collected information to:

• Provide personalised fitness coaching and training plans
• Facilitate communication between you and your trainer
• Process subscription payments via PayFast
• Process product orders and manage EFT payments
• Send transactional SMS notifications (password reset, booking confirmations, subscription updates) via BulkSMS
• Send push notifications about messages, bookings, plans, and subscription status
• Track your fitness progress and body measurements
• Provide AI-powered features (Snap & Stack, Klimaat Coach, AI Coach)
• Adjust calorie calculations based on altitude (Hoogtelyn)
• Manage session bookings and scheduling
• Improve our services and user experience

4. Third-Party Service Providers

We do not sell, trade, or rent your personal information. Your data is shared only with these service providers as necessary to operate the Platform:

• PayFast (Pty) Ltd — processes subscription payments securely. See PayFast Privacy Policy.
• BulkSMS (Pty) Ltd — delivers transactional SMS to your SA mobile number. See BulkSMS Privacy Policy.
• Firebase / Google Cloud — delivers push notifications via FCM.
• Expo (820 Inc.) — push notification delivery service.
• Amazon Web Services (AWS) — secure cloud storage for uploaded files (profile photos, payment proofs, documents).
• Abacus.AI — powers AI features (Snap & Stack photo analysis, AI Coach). Meal photos and text prompts are sent to the AI service for processing; they are not stored by the AI provider beyond the immediate request.
• Your linked trainer: Can view your profile, fitness data, body measurements, bookings, and messages. Trainers only see data from their own clients (linked via invite code).

5. Data Security

We implement industry-standard security measures to protect your data:

• Passwords are encrypted using bcrypt hashing
• All API communications use HTTPS/TLS encryption
• Authentication tokens (JWT) are stored securely on your device (Keychain on iOS, Keystore on Android)
• File uploads use pre-signed URLs with time-limited access
• Rate limiting protects against brute-force attacks on authentication endpoints
• Payment processing is handled entirely by PayFast — no card data touches our servers

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Specifically:

• Account data: retained until you delete your account
• Subscription records: retained for 12 months after cancellation for billing dispute resolution
• SMS OTP codes: automatically expire after 10 minutes and are marked as used
• Push notification tokens: deleted upon logout or account deletion

If you delete your account, all personal data is permanently removed from our systems, unless retention is required by South African law.

7. Your Rights (POPIA)

Under the Protection of Personal Information Act, you have the right to:

• Access: View your personal data through the app's Profile section
• Correction: Edit your profile information, bio, and medical history at any time
• Deletion: Permanently delete your account and all associated data from within the app (Profile → Delete Account) or via our account deletion page
• Object: You may object to processing by contacting us; we will cease processing unless we have legitimate grounds
• Data Portability: Request a copy of your data by contacting us
• Withdraw Consent: You may stop using the App at any time; remove your phone number to stop SMS; disable push notifications via device settings

8. Trainer Relationship

Trainers on Fitness & Fuel™ are independent service providers, not employees of VCDS™. VCDS™ provides the technology platform only. Each trainer is solely responsible for:

• The quality and safety of coaching advice provided
• Compliance with applicable health and fitness regulations
• Their own tax obligations and business registration
• Setting their own pricing, session types, and products

VCDS™ is not liable for any injury, loss, or damage arising from training advice or coaching services provided by trainers on the Platform.

9. Children's Privacy

Fitness & Fuel™ is not intended for children under the age of 16. We do not knowingly collect personal information from children. If we discover that a child under 16 has provided us with personal information, we will delete it immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification or push notification. Continued use of the App after changes constitutes acceptance. You are advised to review this policy periodically.

11. Information Officer

For POPIA-related enquiries or to exercise your rights, contact our Information Officer:

VCDS™ (Valhalla Custom Design Studios)
Platform: Fitness & Fuel™
Heidelberg, Gauteng, South Africa
Email: [email protected]