Your Data, Protected
Last updated: February 2026
FitGlue connects your fitness apps and enhances your workout data. That means we handle health and activity information—and we take that responsibility seriously. This page explains exactly how we protect your data, what we do (and don't do) with it, and the technical measures we use to keep it safe.
Our Approach
FitGlue is built on a simple principle: your data belongs to you. We act as a secure conduit between the fitness platforms you choose to connect—nothing more. We process your data only as you direct, and we never use it for any purpose beyond delivering the service you've asked for.
What We Collect & Why
We collect only the minimum data necessary to provide our service:
- Workout activities: Exercise type, duration, sets, reps, and performance metrics—used to sync and enhance your activities across platforms
- Heart rate & health metrics: When you connect a wearable (Fitbit, Apple Watch, etc.), we access heart rate data to enrich your activities with training zones and calorie estimates
- GPS & location data: Route and elevation data from activities (via Strava, FIT file uploads, or mobile sync) used to provide location context, elevation profiles, and weather enrichment
- Authentication tokens: OAuth tokens from connected platforms, used exclusively to communicate with those services on your behalf
- Account information: Your email address for login and essential service communications
We request only the specific permissions needed for each integration—never broad or unnecessary access.
What We Never Do
We believe in being explicit about boundaries. FitGlue will never:
- Sell, rent, or trade your health data to any third party
- Use your data for advertising or ad targeting
- Mine your health data for profiling or analytics beyond the service
- Share your data with anyone you haven't explicitly authorised
- Store health data in locations outside our secured infrastructure
- Write false or inaccurate data to Apple Health, Health Connect, or any connected platform
How We Protect Your Data
We implement multiple layers of security to protect your information:
Encryption
- In transit: All data is encrypted using TLS/SSL—every API call, webhook, and browser connection is secured
- At rest: All stored data is encrypted at rest using Google Cloud Platform's default encryption with AES-256
Authentication & Access
- OAuth 2.0: We use industry-standard OAuth 2.0 for all platform connections (Strava, Fitbit, etc.), meaning we never see or store your passwords for those services
- API key security: Ingress API keys are hashed using SHA-256 before storage—we never store raw keys
- Firebase Authentication: User accounts are managed through Google's Firebase Authentication infrastructure
Data Lifecycle
- Credential purge: When you disconnect an integration, all stored tokens and credentials are immediately deleted from our systems and any associated API keys are destroyed
- Full deletion: Disconnecting a service triggers complete destruction of all connection data—not a soft disable, but a hard delete of tokens, keys, and metadata
- Account deletion: Deleting your account permanently removes all your data, deletes all integration credentials, and purges your authentication records
You're Always in Control
We give you full control over your data at every step:
- Granular permissions: You choose exactly which platforms to connect and what data to share
- Disconnect anytime: Remove any integration instantly—all associated data and tokens are immediately destroyed
- Delete your account: Full account deletion is available in-app, removing all data from our systems
- Data rights: Under GDPR and UK data protection law, you can request access to, correction of, or deletion of your personal data at any time
Platform Compliance
FitGlue is designed to meet the health data requirements of both major mobile platforms:
- Apple HealthKit: We comply with Apple's HealthKit guidelines—health data is never used for advertising or data mining, is not stored in iCloud, and is accessed only with your explicit permission
- Google Health Connect: We comply with Google Play's Health Connect policies—we request only minimum necessary permissions, never commercially exploit health data, and maintain robust security controls
Our handling of health data is consistent with both Apple's App Store Review Guidelines and Google's Health Connect policies.
Questions?
If you have any questions about how we handle your data, please contact us at privacy@fitglue.tech. For full details on data collection, sharing, and your rights, see our Privacy Policy.