FitCard — Privacy Policy

Effective date: 21 June 2026 Last updated: 21 June 2026 Information Officer: Bilal Osman Latib · bilal.osmanlatib@gmail.com

This Privacy Policy describes how FitCard handles your personal information when you use the FitCard mobile app, the website at fitcard.co.za, and any related services (together, the "Service"). It is written in plain English so you can actually read it.

If anything here is unclear, email the Information Officer above and we'll explain.

1. Who runs FitCard

FitCard is operated by FitCard (Pty) Ltd (registration number 2026/470494/07), a South African private company incorporated on 15 June 2026, founded by Bilal Osman Latib. (During the earlier closed beta the operator was Bilal Osman Latib as an individual founder; your data is treated to the same standards under both.)

2. What we collect — and why

We collect the minimum personal information needed to render your trading card and let you contact us. Here is the complete list:

a) Strava activity data

When you connect Strava in the app, we receive:

Your Strava athlete profile (name, profile photo, location set on your Strava profile)
Your Strava activities for the past 90 days (distance, time, pace, elevation, heart rate where available, type of activity, date)
An OAuth access token + refresh token (so the app can fetch your activities)

Why: to render your fitness identity as a trading card. The "Six attributes" (Climb, Distance, Pace, Stamina, Recovery, Consistency), your rarity tier, and your sport position are all derived from this data.

b) Contact information

If you email us for support, we receive your email address and the content of your support message.

Why: to reply to your support request.

c) Your Strava athlete ID

A numeric identifier Strava assigns you (e.g. 12345678). We store this so we can re-associate your tokens with your account on re-login.

Why: session continuity.

3. What we DO NOT collect

For transparency, here is what we explicitly do NOT collect:

We do not request your phone's location.
We do not access your contacts.
We do not access your photos, microphone, or camera.
We do not collect health data from Apple HealthKit (the app does not use HealthKit).
We do not collect device identifiers or advertising IDs.
We do not log your in-app behaviour (no analytics SDK in the closed beta).
We do not track you across other apps or websites.

If any of this changes in a future version, we'll update this policy and re-prompt you for the relevant permission.

4. How we use your data, and on what legal basis

We use your data only for these purposes, and only on the legal bases listed.

Purpose	Legal basis under POPIA (South Africa)	Legal basis under GDPR (EU/UK, if applicable)
Render your card from Strava data — the core app functionality	POPIA §11(1)(b) — necessary for the conclusion or performance of a contract with you	GDPR Art. 6(1)(b) — performance of a contract
Connect to Strava on your behalf — OAuth, token refresh	POPIA §11(1)(a) — consent (you grant Strava OAuth)	GDPR Art. 6(1)(a) — consent
Reply to your support requests	POPIA §11(1)(d) — legitimate interest of FitCard in providing support	GDPR Art. 6(1)(f) — legitimate interests
Improve the app via aggregated, de-identified analytics (from M5; see §2)	POPIA §11(1)(d) — legitimate interest in product improvement	GDPR Art. 6(1)(f) — legitimate interests

We do NOT: - Sell your data. - Share it with advertisers. - Use it to train AI models or feed it into any AI service. - Use it for any purpose not listed in this section.

You can withdraw consent for the Strava connection at any time — see §10 ("How to disconnect & delete"). Disconnecting Strava means your card cannot render and the app's primary functionality stops working.

5. Who we share data with

We share data only with these service providers, and only the minimum each needs to do their job:

Provider	What they receive	Why
Strava	OAuth requests + activity-fetch requests (you authorised this when you connected)	Source of activity data
Vercel (Edge Function host)	OAuth code/refresh tokens (in transit only — never stored server-side)	Server-side OAuth exchange so the Strava Client Secret never sits on your device
Apple (App Store / TestFlight)	App install + crash data (Apple-side; we receive aggregate reports only)	App distribution

We do NOT share your data with any other third party.

6. Where your data is stored, transferred, and how long for

6.1 Storage locations and transborder transfers

On your device (your iPhone, in South Africa or wherever you are): Strava tokens and your Strava athlete ID are stored using Apple's expo-secure-store (Keychain-backed encryption). Not transferred.
In transit through Vercel's edge network (United States — see note below on transborder transfers): OAuth code exchange and refresh requests pass through a Vercel Edge Function we operate. Tokens are NOT stored by the function — it is a stateless proxy. However, Vercel's infrastructure logs each request's IP address, timestamp, and HTTP status code at the platform level, retained per Vercel's own data-retention policy (typically 7-30 days). See Vercel's privacy policy: https://vercel.com/legal/privacy-policy.
In Strava's systems (United States — Strava is a US company, recently acquired by Garmin): your underlying activity data lives in Strava's infrastructure. FitCard pulls a 90-day window on demand. We do not retain copies on our servers. Strava's own privacy practices govern that data — see https://www.strava.com/legal/privacy.
In our email inbox (Google Workspace, United States): support emails you send us are retained in our email provider's inbox.

🔴 Transborder transfers. Some of your personal information leaves South Africa when processed by Vercel (US), Strava (US), and Google Workspace (US). The United States does NOT have a current adequacy decision from the South African Information Regulator or from the European Commission. Our safeguard is contractual: each of these processors operates under its own data-processing agreement, which (for Vercel and Google) includes Standard Contractual Clauses or equivalent. You can request copies of these via the Information Officer.

6.2 Data retention schedule

Data	Retention period	Trigger to delete
Strava OAuth tokens (on-device)	Until you disconnect Strava or uninstall the app	Tap "Disconnect Strava" in-app, or uninstall, or call Strava's revoke endpoint
Strava athlete ID (on-device cache)	Until you disconnect Strava or uninstall the app	Same as above
Vercel server logs (IP + timestamp + status)	Per Vercel's policy — typically 7-30 days	Automatic; you can request earlier deletion via the Information Officer
Support email correspondence	90 days after the matter is resolved, or sooner on request	Email the Information Officer to delete earlier
Strava activity data	Never stored by FitCard; fetched on demand only	n/a — controlled by your Strava account

7.1 EU/UK representative

🔴 If you reside in the EU/EEA or the UK, please note: FitCard's controller (Bilal Osman Latib, transitioning to FitCard (Pty) Ltd) is located in South Africa. Under GDPR Art. 27, a non-EU controller that directs services at EU users is generally required to designate an EU representative. FitCard is currently assessing whether the Art. 27 Small Enterprise exemption applies based on actual EU user counts and the occasional/non-large-scale nature of the processing. Until a representative is designated or the exemption analysis is documented and posted here, EU users may contact the Information Officer (§12) directly with any data-subject request, and we will respond within 30 days. This section will be updated before public App Store launch (Phase 9 per our internal Ship Runbook).

7. Your rights (POPIA & GDPR)

Under the Protection of Personal Information Act 2013 (South Africa) and, if you reside in the EU/EEA/UK, the General Data Protection Regulation, you have the right to:

Access the personal information we hold about you.
Correct information that is wrong.
Delete your data. (See §10 below for how to disconnect Strava and delete your FitCard data.)
Object to any processing you disagree with.
Withdraw consent at any time.
Lodge a complaint with the South African Information Regulator (https://inforegulator.org.za/) or, if applicable, your EU member-state data protection authority.

To exercise any of these rights, email the Information Officer at bilal.osmanlatib@gmail.com. We'll respond within 30 days.

8. Children

FitCard is not intended for children under 13 (or 16 in some jurisdictions). We don't knowingly collect data from anyone in that age range. If you become aware that a child has signed up, email us and we'll delete their account.

9. Security

We take the following measures to protect your data:

OAuth secret never on device. The Strava Client Secret lives only on our Vercel Edge Function; it never ships in the mobile app bundle.
Tokens encrypted at rest on your device via Apple's Keychain (expo-secure-store).
TLS in transit. All network requests use HTTPS.
Minimal data retention. We hold the smallest possible footprint of your personal information.

No system is perfectly secure. If we ever experience a data breach that affects you, we will notify you in line with POPIA's 72-hour notification timeline.

10. How to disconnect & delete

You can disconnect Strava from FitCard at any time:

In FitCard, open Card tab → tap your profile → "Disconnect Strava." This clears tokens from your device.
On Strava (https://www.strava.com/settings/apps), find FitCard in the list and click "Revoke Access." This invalidates the OAuth grant on Strava's side.

To delete any data we hold off your device:

Email bilal.osmanlatib@gmail.com from the email address tied to your Strava account. Say "Please delete my FitCard data." We'll confirm within 7 days and complete the deletion within 30.

11. Algorithmic generation of your card ("The Six")

Your FitCard is generated algorithmically from your Strava activity history. Specifically:

Six attribute bands — Climb (CLB), Distance (DSC), Pace (PCE), Stamina (STM), Recovery (REC), Consistency (CON) — are each computed from defined formulas over your last 90 days of activities.
A per-sport weighting (parkrun, road, trail, marquee, cyclist) is inferred from your activity mix and used to derive a single Overall (OVR) score.
A rarity tier (Bronze / Silver / Gold) is assigned from the OVR score using fixed thresholds.
A "position" label (e.g., "Endurance," "Climber," "All-Rounder") is derived from which attribute(s) dominate.

This is a form of automated processing (under POPIA §71 and GDPR Art. 22, "profiling"). The output — your rarity tier, position, and card design — is displayed to you and used in the share image you may export. It does not produce a legal or similarly significant effect on you in our reading: the card is a creative artefact of your running activity, not a creditworthiness decision, employment screen, or service-eligibility determination.

You can: - See exactly which Strava activities contributed to each attribute by tapping any band on the card-back. - Disagree with the algorithm — email the Information Officer if you believe the card misrepresents you. We will investigate and, where the issue is a bug, fix it. - Stop using FitCard by disconnecting Strava (§10) at any time.

If you reside in the EU/UK and you believe this profiling does produce a significant effect on you, you have the right under GDPR Art. 22 to request human review of the output. Email the Information Officer.

12. Changes to this policy

If we change this policy materially, we'll:

Update the "Last updated" date at the top.
Notify you in-app on next launch.
For EU/UK users — re-ask for consent on any new processing.

Older versions are archived in the FitCard knowledge vault and available on request.

13. Contact

Bilal Osman Latib (Information Officer) Email: bilal.osmanlatib@gmail.com Operating address: Available on request; not published to protect personal safety as a sole founder.

FitCard (Pty) Ltd · Reg 2026/470494/07 · South Africa · fitcard.co.za