Privacy Policy

Last updated: 2026-04-21

This Privacy Policy explains what personal information FitCross collects, how it is used, who it may be shared with, and the choices you have. It applies to the FitCross web application and related services operated at fitcross.world (the "Service").

1. Information we collect

• Account information — email address, an authentication credential (stored only as an industry-standard cryptographic hash), display name, preferred language, and (optionally) gender, country, and city. If you sign in through a third-party identity provider, we receive the basic profile information that provider shares with us (for example, email address and profile image).
• Service content — the workouts, athlete profiles, scores, and photos you create or upload while using the Service.
• Technical information — standard server logs (IP address, user-agent, timestamps) used for security, debugging, and abuse prevention.

2. How we use your information

We process your information to: (a) provide and operate the Service, including authentication, language settings, and role-based access within your box; (b) convert photos you upload into structured workout and score data; (c) maintain the security and integrity of the Service and prevent abuse; (d) respond to support requests; and (e) comply with legal obligations. We do not sell your personal information and we do not use it for third-party advertising.

3. Retention and deletion

We keep account data for as long as your account is active. When you delete your account, we delete or anonymize associated personal information within 30 days, except where a longer retention period is required by law (for example, accounting or tax records), in which case the information is stored separately and access is restricted.

4. Sharing and service providers

We do not sell or rent personal information. We share it only with categories of service providers that support the Service on our behalf, and only as needed to provide it:

• Cloud infrastructure and hosting providers that run the application and database.
• Managed authentication and storage providers that secure accounts and store uploaded content.
• AI-based image and text processing providers that extract structured data from whiteboard photos.
• Communication providers for transactional email (for example, password resets).

Each provider is bound by a written data processing agreement and may process personal information only on our instructions. We may also disclose information where required by law, legal process, or to protect the rights, property, or safety of users.

5. Cookies and local storage

The Service uses essential cookies only — a session cookie that keeps you signed in, a language-preference cookie, and an onboarding-state cookie. We mirror your language choice and cookie-acknowledgement state in browser localStorage so your preferences persist across visits. We do not currently use analytics, advertising, or cross-site tracking cookies. If this changes we will update this Policy and request consent first.

6. Children

The Service is not directed to children. We do not knowingly collect personal information from children under 13 in the United States, under 16 in the European Economic Area, or under the equivalent age in other jurisdictions, without verified parental or guardian consent. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

7. Your rights

Depending on where you live, you may have the right to access, correct, port, or delete personal information we hold about you; to object to or restrict certain processing; and to withdraw consent where processing is based on consent. California residents also have the rights described under the CCPA/CPRA, including the right not to be discriminated against for exercising privacy rights. To exercise any of these rights, contact us at support@fitcross.world. We will respond within the timeframe required by applicable law. You also have the right to lodge a complaint with your local data protection authority.

8. Security

We apply reasonable administrative, technical, and physical safeguards designed to protect personal information, including encryption of data in transit (HTTPS/TLS), hashed authentication credentials, role-based access control, and logical access restrictions on back-end systems. No system is perfectly secure; if we learn of a breach affecting your information, we will notify you and the relevant authorities in accordance with applicable law.

9. International transfers

Because the Service is operated with global infrastructure, your personal information is transferred to and processed in countries other than the one in which you reside. The current list of overseas transferees is as follows.

• Vercel Inc. (United States) — contact: privacy@vercel.com — items transferred: account information, service content, technical logs — purpose: web hosting and serverless function execution — method and timing: transmitted in encrypted form (HTTPS/TLS) over the network whenever you use the Service — retained until membership withdrawal or termination of the outsourcing contract.
• Supabase Inc. (United States) — contact: privacy@supabase.com — items: account information, service content, authentication credentials (hashed) — purpose: database, authentication, file storage — method and timing: same as above — retained until membership withdrawal or termination of the outsourcing contract.
• Anthropic PBC (United States) — contact: privacy@anthropic.com — items: whiteboard images you upload and the text extracted from them — purpose: image recognition and structured-data extraction — method and timing: transmitted over the API at the time of extraction — retained in accordance with Anthropic's API data retention policy (by default, not used to train models).
• Google LLC (United States) — contact: support-google-cloud@google.com — items: whiteboard images you upload — purpose: Cloud Vision OCR — method and timing: same as above — retained in accordance with Google Cloud Platform's data retention policy.

We rely on appropriate legal mechanisms (such as standard contractual clauses) for these transfers, and in accordance with Article 28-8 of the Personal Information Protection Act of Korea, you may refuse consent to the overseas transfer. If you refuse, however, certain Service features (such as AI whiteboard extraction) may become unavailable.

10. Privacy Officer and contact

We have designated the following Privacy Officer to take overall responsibility for the processing of personal information and to handle complaints and damage relief in connection therewith.

• Privacy Officer: Chulhoe Koo (Stayfit)
• Email: support@fitcross.world

Questions, requests to exercise your rights, or complaints regarding the processing of personal information can be sent to the email above. We will respond without delay, and in principle within 10 days of receipt. Where it is difficult to respond within 10 days, we will notify you of the reason and the expected timeframe.

11. Complaints to a supervisory authority

If you are not satisfied with how we handle your information, you have the right to lodge a complaint with the data protection authority in your country of residence. For example: in the European Economic Area, the lead supervisory authority for your jurisdiction (see edpb.europa.eu); in the United Kingdom, the Information Commissioner's Office (ico.org.uk); in California, the California Privacy Protection Agency (cppa.ca.gov); in South Korea, the Personal Information Protection Commission (pipc.go.kr) or the Korea Internet & Security Agency (+82 118, privacy.kisa.or.kr).

12. Changes to this policy

We may update this Policy from time to time. When we do, we will revise the "Last updated" date at the top. For material changes we will provide a more prominent notice (for example, email or an in-app banner) before the change takes effect.