Privacy Policy
Last updated: 2026-05-16
This is a summary of what data Palofit Oy processes and why. We aim to collect as little customer data as possible — only what the program and your agreement with us require. If anything is unclear, contact us at hello@palofit.io.
Controller
Palofit Oy, Finnish business ID 3602773-1. We are responsible for processing your personal data as described in this policy. Contact and privacy questions: hello@palofit.io. We usually reply within 1–2 business days.
What we process
When creating an account: email, display name, language and time zone. For your training program: your goals, experience level, schedule, available equipment and any restrictions (e.g. injuries). From training sessions: completed sets, weights, reps, rest times, your feedback and estimated load. If you opt in from Apple Health or Health Connect: steps, active energy, sleep and resting heart rate. On iOS we may also read HRV, respiratory rate and VO2max, and save completed workouts to Apple Health if you allow it. Subscription: subscription status, trial status and renewal info. The payment itself is handled by App Store or Google Play — we don't store your card details. Technical: device type, OS version and anonymized crash reports to keep the service running.
Health data, Apple Health and Health Connect
Apple Health and Health Connect are optional. We only enable the connection if you activate it in PALOFIT and grant device-level permissions in Apple Health or Health Connect. You can revoke access at any time in PALOFIT settings and by removing permissions in the device health app. We use health data to personalize daily readiness, recovery, activity history, nutrition and training guidance, and post-workout feedback. These estimates are directional training and wellbeing context. They are not a medical device, diagnosis, treatment advice, injury-risk assessment, or a decision that training is safe. We do not use Apple Health or Health Connect data for advertising, and we do not sell or rent it. Some values derived from health data, such as sleep, 7-day average steps and 7-day average active energy, may be included in post-workout feedback. If AI-based feedback is enabled, these derived values may pass through our server and the feedback model provider only for generating that feedback. We do not send raw HealthKit or Health Connect history to advertising networks.
How we use it
To personalize your training program, track your progress, write post-workout feedback and maintain the service. We don't use your data for advertising and we don't sell it. Anonymized, non-identifiable statistics may be used to improve the product.
Legal basis
Contract — to deliver your account and program (GDPR 6.1.b). Consent — for health, heart-rate and HRV data (GDPR 9.2.a) — which you can withdraw at any time in Settings without affecting prior processing. Legitimate interest — to investigate technical issues and prevent abuse (GDPR 6.1.f).
Automated decisions
PALOFIT's training algorithm is rule-based and deterministic — the same inputs always produce the same program. This allows us to test and explain every change. Day signal and the optional AI-based post-workout summary are explanatory and directional, not decision-making. Neither produces legally binding decisions or decisions that significantly affect you within the meaning of GDPR Article 22 — you can always edit the program, swap exercises, adjust load or turn off the AI feedback.
Who we share with
We use trusted providers acting on our instructions: database and auth (Supabase, EU), content management (Sanity, EU), subscription state (RevenueCat, US), error tracking (Sentry, EU), site hosting (Vercel, EU/US), and a model provider for the optional post-workout summary. Payments are handled by Apple and Google. For transfers outside the EU we rely on the Commission's Standard Contractual Clauses and any additional safeguards required. We do not sell your data to third parties and we do not share it with advertisers.
Retention
Account essentials and training data: for the lifetime of your account. Health and heart-rate data: until you delete the account or withdraw consent — then removed immediately. Logs and error reports: 30–90 days for incident investigation. When you delete the account, active data is removed immediately and backups within 30 days. Statutory obligations (e.g. the 7-year Finnish bookkeeping requirement for subscription payments) may extend some financial records.
Your rights
You have the right to: • access the data we hold about you • correct inaccurate or incomplete data • request erasure (right to be forgotten) • restrict or object to processing • portability — receive your data in a machine-readable format • withdraw consent at any time Send requests to hello@palofit.io — we'll respond within 30 days. If you feel we haven't handled a matter properly, you can lodge a complaint with your national data protection authority.
Marketing communications
Service-related messages (important updates, changes to terms) are operational and don't require separate consent. Marketing messages (newsletters, product campaigns) are only sent if you've opted in separately at registration or via a newsletter signup. You can withdraw consent at any time from the unsubscribe link in any message or by emailing hello@palofit.io — the withdrawal takes effect immediately. We do not use profiling for targeted advertising.
Cookies
On the website we only use strictly necessary cookies for locale and session — these don't require consent under GDPR. We do not use marketing or third-party analytics cookies at this time. If we add analytics later, we'll show a consent prompt before loading them. The mobile app doesn't use cookies — it stores login state securely on-device using native iOS and Android mechanisms.
Security
Traffic is encrypted in transit (TLS) and data is encrypted at rest. Access is limited to a small team and changes are logged. We run regular vulnerability scans and review our subprocessors' security posture. In case of a data breach, we notify as required by law — you if your risk is high, and the supervisory authority within 72 hours of detection.
Children
We recommend PALOFIT for users aged 16 and above. Users under 16 require parental consent in accordance with EU data protection regulations. If you are a guardian and have questions, contact us — we're happy to help.
Changes to this policy
We announce material changes in the app and by email before they take effect. The current version is always available here, with the date above showing the most recent edit.