Skip to content

Privacy Policy

Last updated: June 7, 2026

1. Introduction

StarFit is a product operated by FITSTARS FZCO (License No. 25469, TRN 104109774000003), a free-zone company registered in the United Arab Emirates with its registered address at Dubai Silicon Oasis (IFZA Properties, DSO-IFZA), Dubai, United Arab Emirates (“FitStars,” “we,” “us,” or “our”). We operate the StarFit platform at starfit.com and related mobile applications (together, the “Platform”).

StarFit provides personalized fitness services: workout videos, AI-powered coaching, personalized daily plans, streak-based motivation through our Growth Garden, and structured workout programs. We take your privacy seriously and are committed to protecting the personal data you share with us.

This Privacy Policy explains what data we collect, why we collect it, how we process it, and what rights you have. It applies to all users of the Platform regardless of location. We offer the Platform to people in the European Union and elsewhere, so we apply the EU General Data Protection Regulation (GDPR) standard to your data and honor the rights it gives you. California residents also have specific rights described in our Your Privacy Choices notice.

2. Data We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and password (stored in hashed form). If you sign in through a third-party provider such as Google or Apple, we receive your name and email from that provider. We do not receive or store your third-party password.

2.2 Health and Fitness Data

To personalize your experience, we collect information you provide through our fitness assessment quiz and ongoing interactions. This may include your age range, fitness level, physical limitations, movement preferences, areas of focus (such as flexibility, strength, or pelvic floor health), and any injuries or conditions you report.

We also collect data generated through your use of the Platform: workout history, exercise completion records, streak data (your Growth Garden stage), program progress, and interactions with the AI Coach. If you connect a wearable device or Apple Health, we may receive heart rate and activity data you explicitly authorize.

Health and fitness data is treated as special-category data under GDPR Article 9. We process it only with your explicit consent, which you grant when completing the fitness assessment or enabling health integrations.

2.3 Payment Information

We use Stripe for individual course purchases and Paddle as our Merchant of Record for subscription payments. Both providers process your payment card details directly. We never see, store, or have access to your full card number. We receive a transaction ID, payment status, subscription state, and billing country from these providers.

For iOS in-app purchases, payments are handled by Apple through RevenueCat. We receive subscription status and transaction identifiers but no payment card details.

2.4 Usage Data

We collect information about how you interact with the Platform: pages visited, features used, workout sessions started and completed, time spent on exercises, device type, browser, operating system, screen resolution, and referring URLs. We assign each visitor a random anonymous identifier stored in your browser (localStorage) to understand usage patterns without linking them to your identity until you sign in.

If you arrive through an advertising link, we may capture click identifiers (such as Facebook's fbclid or Google's gclid) to measure campaign performance. These identifiers are stored locally in your browser and transmitted to our analytics endpoint.

2.5 Cookies and Local Storage

We use minimal cookies. Our anonymous identifier (_sf_aid) is stored in localStorage and mirrored to a first-party cookie for server-side analytics. Session identifiers are stored in sessionStorage and cleared when you close your browser.

We do not use third-party tracking cookies. Our analytics are self-hosted. If we introduce third-party cookies in the future, we will update this policy and implement a consent mechanism before doing so.

4. How We Use Your Data

We use the data described above to:

  • Create and maintain your account, authenticate your sessions, and keep your data secure.
  • Personalize your workout plans, exercise recommendations, and AI Coach interactions based on your fitness profile, preferences, and history.
  • Power the AI Coach. Our Coach uses Google Gemini models to generate responses. Your fitness profile, recent workout history, and current conversation context are sent to Google's API to produce personalized coaching responses. We do not send your name, email, or payment information to the AI model.
  • Track your Growth Garden streak, award achievements, and calculate your progress across programs.
  • Process payments, manage subscriptions, and handle refund requests.
  • Send transactional emails (account confirmation, password reset, trial reminders, payment receipts) and, with your consent, marketing communications about new programs or features.
  • Analyze aggregate usage patterns to improve content, fix bugs, and develop new features. We look at trends across all users, not individual browsing behavior.
  • Detect and prevent fraud, abuse, and security threats.

We do not sell your data. We do not build advertising profiles. We do not share your health data with insurance companies, employers, or data brokers.

5. Sharing Your Data

We share personal data only with the following categories of recipients, and only to the extent necessary:

  • Payment processors— Stripe and Paddle receive transaction data to process your payments. Paddle acts as Merchant of Record for subscriptions and is an independent controller for payment data. RevenueCat processes iOS subscription management.
  • AI model provider— Google (Gemini) receives anonymized fitness context to generate Coach responses. We transmit no directly identifying information.
  • Infrastructure providers— Amazon Web Services (hosting, database), Cloudflare (CDN, DDoS protection), and Kinescope (video hosting). These providers process data on our behalf under data processing agreements.
  • Email delivery— Resend delivers transactional and marketing emails. They receive your email address and message content.
  • Error monitoring— Sentry receives error reports that may include device information and anonymized usage context. It does not receive health data.
  • Legal requirements— we may disclose data when required by law, court order, or to protect the safety of our users.

All third-party processors are bound by data processing agreements that restrict them from using your data for their own purposes.

6. International Transfers

FitStars is based in the United Arab Emirates, and our processors operate in several countries, including the United States and the European Economic Area. When we transfer the personal data of EU or UK users to a country without an adequacy decision, we rely on appropriate safeguards:

  • The EU-U.S. Data Privacy Framework for U.S.-based processors that are certified participants.
  • Standard Contractual Clauses (SCCs) approved by the European Commission for processors not covered by an adequacy decision or the DPF.

You may request a copy of the relevant transfer safeguards by contacting us at support@starfit.com.

7. Data Retention

We retain your data as follows:

  • Account and profile data— for as long as your account is active, plus 30 days after deletion to allow recovery if requested.
  • Health and fitness data— for as long as your account is active. Deleted within 30 days of account closure.
  • Workout history and streaks— for as long as your account is active. You may request export of this data at any time.
  • AI Coach conversations— retained for up to 90 days to maintain conversation context, then automatically purged. You can clear your Coach history at any time from settings.
  • Payment records— retained for the period required by applicable tax and accounting law, typically up to 7 years after the transaction.
  • Usage analytics— aggregated and anonymized after 12 months. Raw event data is deleted after 24 months.
  • Marketing consent records— retained for 3 years after withdrawal as proof of compliance.

When data reaches the end of its retention period, it is deleted or irreversibly anonymized within 30 days.

8. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access(Art. 15) — you can request a copy of all personal data we hold about you.
  • Right to rectification(Art. 16) — you can ask us to correct inaccurate data or complete incomplete data.
  • Right to erasure(Art. 17) — you can request deletion of your data. We will comply unless we have a legal obligation to retain it.
  • Right to restrict processing(Art. 18) — you can ask us to limit how we use your data while a complaint or correction is being resolved.
  • Right to data portability(Art. 20) — you can request your data in a structured, machine-readable format (JSON) to transfer to another service.
  • Right to object(Art. 21) — you can object to processing based on legitimate interest. We will stop unless we demonstrate compelling grounds.
  • Right to withdraw consent(Art. 7(3)) — where we rely on consent (health data, marketing emails), you can withdraw at any time.
  • Right to lodge a complaint— if you are in the European Union or the United Kingdom, you may file a complaint with the data protection supervisory authority in your country of residence.

To exercise any right, email us at support@starfit.com with the subject line “Privacy Request.” We will respond within 30 days. If your request is complex, we may extend the response period by an additional 60 days and will notify you of the extension.

We may ask you to verify your identity before fulfilling a request to prevent unauthorized access to your data.

9. Security

We implement technical and organizational measures to protect your data:

  • All data in transit is encrypted with TLS 1.2 or higher.
  • Databases are encrypted at rest using AES-256.
  • Passwords are hashed with bcrypt. We cannot read your password.
  • Access to production systems is restricted to authorized personnel with multi-factor authentication.
  • We run automated error monitoring and security alerting through Sentry and server-side logging.
  • Our infrastructure runs on AWS with network isolation, security groups, and regular patching.

No system is perfectly secure. If we discover a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

10. Children's Privacy

StarFit is designed for adults. We do not knowingly collect data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us at support@starfit.com and we will delete it promptly.

11. Changes to This Policy

We may update this policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or through a prominent notice on the Platform at least 14 days before the changes take effect. The “Last updated” date at the top of this page indicates the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, reach us at:

FITSTARS FZCO

License No. 25469 · TRN 104109774000003

Dubai Silicon Oasis (IFZA Properties, DSO-IFZA), Dubai, United Arab Emirates

support@starfit.com