Privacy Policy
Last updated: 28 April 2026
1. Who we are
FitMesh ("we", "us", "our") is a personal fitness data aggregation application operated as a small independent product. FitMesh aggregates fitness activity data from third-party services you choose to connect, displays it in a unified dashboard and generates reports to support your training.
2. Data we collect
FitMesh collects the following data:
- Account information: your name and email address, collected when you create an account. These are used solely for authentication and to identify your account.
- Fitness activity data: workout sessions including type, date, duration, distance, elevation, GPS route, heart rate (average and max), calories burned and step counts — synced from the integrations you connect.
- Strength training data: exercise names, sets, repetitions and weights (from Hevy).
- Nutrition data: food logs, meal plans and macro-nutrient totals that you manually enter in the app.
- Habit data: habit names, completion history and streaks that you create and log within the app.
- Body measurements: weight, height and related metrics that you manually record.
- Billing information: if you subscribe to FitMesh Pro, your subscription status and Stripe customer ID are stored. Payment card details are handled entirely by Stripe and are never stored by FitMesh.
- Integration credentials: OAuth access tokens for Strava, Google Fit and Fitbit (never your password), Hevy API key, and Garmin credentials where used — all stored encrypted.
3. How we use your data
- To authenticate you and maintain your account.
- To display your workout timeline and statistics within the app.
- To calculate personal records and volume milestones.
- To generate check-in reports (PDF and Excel) for your own use or to share with a personal trainer.
- To provide AI-generated daily motivation messages. Only aggregated statistics (e.g. "ran 3 times this week") are sent to the AI provider — no GPS routes, heart rate data or personally identifiable information is transmitted.
- To identify and remove duplicate entries when the same workout is recorded by multiple sources.
- To process subscription payments via Stripe.
We do not sell, rent or share your data with any third party for advertising or marketing purposes.
4. Third-party services
FitMesh integrates with the following services when you choose to connect them:
Strava (Privacy policy)
Connected via OAuth. We request read-only access to your activities. We never write to or post on your Strava account. In accordance with the Strava API Terms of Service, Strava activity data is automatically deleted from our servers after 7 days.
Garmin Connect (Privacy policy)
Connected via the Garmin Health API or Garmin Connect credentials. Data is read-only.
Google Fit (Privacy policy)
Connected via Google OAuth. We request read-only access to fitness sessions and step data. FitMesh's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
Fitbit (Privacy policy)
Connected via OAuth. We request read-only access to workouts, sleep and daily activity data. We never write to your Fitbit account.
Hevy (Privacy policy)
Connected via your personal Hevy API key. Data is read-only.
Stripe (Privacy policy)
Used to process subscription payments for FitMesh Pro. FitMesh stores only your Stripe customer ID and subscription status. All payment card data is handled directly by Stripe and is never transmitted to or stored by FitMesh.
Anthropic (Privacy policy)
Used to generate daily motivation text. Only anonymous fitness summaries are sent — no personal identifiers, GPS data or heart rate values.
Supabase (Privacy policy)
Your data is stored in a PostgreSQL database hosted on Supabase (EU region). Data is encrypted at rest and in transit.
Vercel (Privacy policy)
The application is hosted on Vercel. Request logs may be retained for up to 30 days.
5. Google API Limited Use disclosure
FitMesh's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google Fit data is used solely to display your own fitness information within FitMesh and is never transferred to third parties, used for advertising or used for purposes unrelated to providing the FitMesh service.
6. Garmin data usage
Data retrieved from Garmin Connect is used exclusively to populate your personal FitMesh dashboard. It is stored only in your personal FitMesh database, is not shared with any third party and is not used for any purpose beyond displaying your own fitness activity and statistics. You can disconnect Garmin at any time from the Integrations page, and your Garmin data can be deleted on request.
7. Data retention and deletion
Your account data (name, email, habits, nutrition logs, body measurements and manually logged workouts) is retained for as long as you use the service.
Strava data: in accordance with the Strava API Terms of Service, raw Strava activity records are automatically deleted from our servers after 7 days. Workout events derived from Strava data that you have confirmed or manually edited are not affected by this deletion.
You can delete individual workouts within the app. To request complete deletion of all your data, disconnect all integrations from the Data Sources page and contact us. We will delete all stored data within 30 days of a verified request.
8. Security
All data is transmitted over HTTPS. Integration credentials (OAuth tokens, API keys and Garmin credentials) are stored encrypted at rest using AES-256 encryption. We do not log or store credentials in plain text. The application database is hosted on Supabase with row-level security enabled.
9. Your rights
Under UK GDPR and applicable data protection law, you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Disconnect any integration at any time, which stops further data collection from that service
- Export your data (via the Reports feature)
- Object to or restrict processing of your data
10. Contact
For privacy questions, data access requests or deletion requests, please visit our Support page. We aim to respond within 5 working days.
11. Changes to this policy
We may update this policy as the service evolves. Material changes will be noted at the top of this page with an updated date. Continued use of FitMesh after changes constitutes acceptance of the updated policy.