Privacy Policy

The data controller responsible for your personal data is:

Fittasapp Limited is registered as a data controller with the Information Commissioner's Office (ICO) in accordance with UK data protection law. For any data protection enquiries, please contact us at privacy@fittasapp.com.

Customer Data

Fitter & Partner Data

Directly From You

• Account registration on our website or mobile apps (email, phone, name, address).
• Booking forms (service details, property information, measurements).
• Customer support interactions (chat, email, phone).
• Ratings and reviews submitted after service completion.
• Photos uploaded for dispute resolution or job documentation.
• Fitter onboarding applications (personal details, qualifications, documents).

Automatically From Your Device

• Location data: GPS coordinates collected via the mobile app when location permissions are granted.
• Device information: Device model, operating system, app version, screen resolution.
• Firebase Cloud Messaging (FCM) tokens: Unique device identifiers for push notification delivery.
• IP address: Collected during login for security monitoring and suspicious login detection.
• Cookies and similar technologies: Session management and analytics (see Section 13).

From Third Parties

• Stripe: Payment verification status, transaction records, Stripe Connect account status.
• Brevo (formerly Sendinblue): Email delivery status, SMS delivery confirmations.
• Firebase (Google): Push notification delivery status, crash reports.
• Apple/Google App Stores: Basic installation analytics.

Under UK GDPR, we process your personal data on the following lawful bases:

Where we rely on consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Service Delivery

• Process and manage bookings between customers and fitters.
• Match customers with qualified, available fitters based on postcode district, service type, and availability.
• Calculate and process payments, refunds, and fitter earnings through Stripe.
• Provide real-time order tracking and job status updates via push notifications and WebSocket connections.
• Facilitate communication between customers and fitters through the Platform.

Account Management

• Create and maintain your user account across web and mobile platforms.
• Verify your identity through OTP (one-time password) codes sent via SMS.
• Authenticate login sessions (JWT-based, 8-hour maximum session duration).
• Detect and alert you to suspicious login activity from new IP addresses.
• Enforce rate limiting (10 failed attempts per 15 minutes) to protect against brute-force attacks.

Fitter Onboarding & Compliance

• Process fitter applications through multi-stage verification.
• Create Stripe Connect Express accounts for payout processing.
• Monitor fitter performance through ratings, completion rates, and compliance metrics.
• Manage fitter availability schedules, leave, and shift assignments.

Quality Assurance & Safety

• Administer our mandatory customer rating system (5 quality dimensions).
• Investigate and resolve service quality disputes.
• Monitor and improve platform reliability, performance, and security.
• Detect and prevent fraudulent activity, abuse, or policy violations.

SMS Communications (via Brevo)

We send SMS messages to your registered mobile number for:

Email Communications (via Brevo)

Emails are sent from no-reply@fittasapp.com (or configured sender) for:

• Account verification and email confirmation.
• OTP codes for email-based authentication.
• Partner onboarding lifecycle emails (verification pending, submitted, under review, approved, activated, rejected).
• Password reset instructions.
• Suspicious login alerts (new IP address detected).
• Booking receipts, invoices, and refund confirmations.
• Platform updates and service announcements.

Push Notifications (via Firebase Cloud Messaging)

Push notifications are delivered to your iOS or Android device for real-time updates:

• For Customers: Fitter assigned, fitter en route, fitter arrived, fitter knocking, job started, measurement updated, job completed, booking confirmed, booking reminder (30min), booking cancelled, no-show alert.
• For Fitters: New job broadcasts (HIGH PRIORITY — bypasses Do Not Disturb), shift reminders (30min before start), appointment confirmation reminders (~24h before), and earnings notifications.

Managing Communication Preferences

You can manage your communication preferences through:

• Push Notifications: Manage via your device settings (iOS: Settings → Notifications → FittasApp; Android: Settings → Apps → FittasApp → Notifications).
• Marketing Emails: Unsubscribe via the link in any marketing email, or through your account settings.
• Marketing SMS: Reply STOP to opt out of promotional SMS messages.

Note: You cannot opt out of transactional and security-critical communications while maintaining an active account, as they are essential for service delivery and account security.

What Location Data We Collect

How We Use Location Data

• Service Area Matching: We use UK postcode districts to determine if services are available in your area and to match you with fitters who cover your district.
• Fitter Navigation: Fitter GPS location is used to provide navigation to customer properties.
• Real-Time Tracking: When a fitter is en route, their live location is shared with the customer via the app so you can track their arrival.
• Job Verification: Location data confirms fitter arrival at the service location.
• Nearby District Calculation: We use pre-computed nearby district data to suggest expanded coverage for fitters.

Location Data Controls

• iOS: Go to Settings → Privacy & Security → Location Services → FittasApp. Choose "While Using the App", "Always", or "Never".
• Android: Go to Settings → Location → App Permissions → FittasApp. Choose "Allow only while using the app", "Allow all the time", or "Don't allow".
• Denying location permissions may limit functionality including service area detection and real-time fitter tracking.
• We do not track your location continuously in the background when you are not actively using the app or on an active shift.

Customer Payment Data

• All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor.
• FittasApp does not store your full credit/debit card number, CVV, or complete card details on our servers.
• We store only a Stripe customer ID and the last 4 digits of your card for reference.
• Payment authorisations, captures, and refunds are processed entirely through Stripe's secure infrastructure.
• Our escrow system holds funds via Stripe until service completion and customer rating.

Fitter Financial Data

• Fitter payouts are processed through Stripe Connect Express accounts.
• During onboarding, fitters provide personal and financial details directly to Stripe for KYC (Know Your Customer) verification.
• FittasApp stores the Stripe Connect account ID and metadata (partner ID, partner name) for payout management.
• Bank account details are held securely by Stripe, not by FittasApp.
• Earnings breakdowns (service earnings, tips, commission) are visible in the Partner app and stored in our database.

Business User Wallet Data

Business users' wallet balances and transaction history are stored in our database. Wallet top-ups are processed through Stripe. Transaction records are retained for accounting and regulatory compliance.

We share your data only where necessary for service delivery, legal compliance, or with your consent. We never sell your personal data.

Service Providers (Data Processors)

Other Sharing Scenarios

• Between Customers and Fitters: When a booking is confirmed, we share limited data — customer first name, service address, and booking details are shared with the assigned fitter. Fitter first name and estimated arrival is shared with the customer.
• Legal Requirements: We may disclose data where required by law, court order, or regulatory obligation, or to protect the vital interests of any person.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
• With Your Consent: For any other sharing not described here, we will seek your explicit consent.

Encryption

• At Rest: Sensitive personal data (addresses, identity details) is encrypted using AES-256-GCM (authenticated encryption with associated data). Each encrypted field includes a unique initialisation vector and authentication tag.
• Searchable Fields: Some encrypted fields use HMAC-SHA256 deterministic hashing for efficient database queries without exposing raw data.
• In Transit: All data transmitted between your device and our servers is protected with TLS 1.2+ (HTTPS).
• Key Management: Encryption keys (PII_ENCRYPTION_KEY, PII_HMAC_KEY) are stored as environment variables, never in source code, and are 256-bit (32-byte) keys.

Authentication Security

• OTP codes are hashed using SHA-256 with a secret pepper before storage — raw codes are never stored.
• Login sessions use JSON Web Tokens (JWT) with an 8-hour maximum lifetime.
• Rate limiting: 10 failed login attempts per email address within 15 minutes.
• Suspicious login detection monitors for IP address changes and sends alerts.
• Phone number normalisation handles multiple UK formats (+447xxx, 07xxx) securely.

Infrastructure Security

• Presigned URLs for file uploads with 5-minute expiry to prevent unauthorised access.
• Presigned download URLs for private files with 2-hour expiry.
• Image proxy URLs for long-lived display without exposing direct storage access.
• Portal-based access control: admin, partner, and customer portals are strictly segregated.
• Regular security reviews and vulnerability assessments.

Where We Store Data

• Primary Database: MongoDB Atlas (configured data centre region).
• File Storage: DigitalOcean Spaces (S3-compatible cloud storage).
• Payment Data: Stripe infrastructure (PCI DSS Level 1).
• Email/SMS: Brevo infrastructure (EU-based).

International Data Transfers

Some of our service providers process data outside the UK and European Economic Area (EEA). Where this occurs, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs): Approved by the European Commission and adopted under UK GDPR.
• Adequacy Decisions: Where the UK Government has determined a country provides adequate data protection.
• Provider Certifications: Our providers maintain relevant compliance certifications (SOC 2, ISO 27001, PCI DSS as applicable).

We retain your personal data only for as long as necessary for the purposes it was collected:

After retention periods expire, data is securely deleted or anonymised so it can no longer be associated with you.

What We Use

Mobile App Tracking

Our mobile applications use:

• Firebase Cloud Messaging tokens: For push notification delivery (essential for service notifications).
• Firebase Analytics: For crash reporting and app performance monitoring.
• We respect Apple's App Tracking Transparency (ATT) framework on iOS and Google's advertising ID policies on Android.
• We do not use cross-app tracking or share data with advertising networks.

Managing Cookies

You can manage cookies through your browser settings. Disabling essential cookies may prevent you from using core Platform features. For mobile apps, tracking preferences can be managed through your device settings.

FittasApp Customer App (iOS & Android)

FittasApp Partner App (iOS & Android)

Web-to-Native Bridge

Our mobile applications use a web-to-native bridge for communication between the web view and native device features. This bridge handles:

• User login/logout events for native session synchronisation.
• Location permission requests from the web application.
• Push notification registration and tap handling.
• Real-time order and job updates via custom events.
• Deep link routing for in-app navigation.

No personal data is transmitted outside the app through this bridge. All communication occurs locally on your device between the web view and native application layer.

App Store Privacy Labels

We maintain accurate and up-to-date privacy nutrition labels on both the Apple App Store and Google Play Store, detailing the categories of data collected and their purposes as described in this Privacy Policy.

Under the UK General Data Protection Regulation, you have the following rights regarding your personal data:

How to Exercise Your Rights

• Email: Send your request to privacy@fittasapp.com
• In-App: Use the "Privacy & Data" section in your account settings.
• Post: Write to our data protection team at our registered office address.

We will verify your identity before processing any request. We aim to respond within 30 days. In complex cases, we may extend this by up to 60 additional days with notification. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.

FittasApp is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected data from a child under 18, we will take immediate steps to delete that data.

If you are a parent or guardian and believe your child has provided personal data to FittasApp, please contact us at privacy@fittasapp.com and we will promptly remove the data.

FittasApp uses certain automated processes in its operations:

• Fitter Job Matching: Jobs are automatically broadcast to qualified fitters based on service area coverage, availability, and existing job commitments. This is not solely automated — fitters choose whether to accept jobs.
• Rate Limiting: Automated blocking of login attempts after 10 failures within 15 minutes (security measure).
• Payment Authorisation: Automated escrow hold and release based on booking status and customer rating submission.
• Pricing Calculation: Automated pricing based on service type, measurements, and applicable rates.

None of these automated processes produce legal effects or similarly significantly affect you without human oversight. You have the right to request human intervention in any automated decision that affects you.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the "Effective Date" at the top of this page.
• We will notify you via email to your registered email address.
• We will send a push notification through the mobile applications.
• We will display a prominent notice on our website.
• Where required by law, we will seek your renewed consent before applying material changes.

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes are posted constitutes your acknowledgment of the revised policy.

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with:

We encourage you to contact us first at privacy@fittasapp.com so we can try to resolve your concern directly. We take all complaints seriously and aim to resolve them within 30 days.

For any questions, requests, or concerns about this Privacy Policy or our data practices:

This Privacy Policy was last updated on 25 March 2026 and applies to all users of the FittasApp platform, including the website at fittasapp.com, the FittasApp Customer app (iOS and Android), the FittasApp Partner app (iOS and Android), and all related services operated by Fittasapp Limited, a company registered in England and Wales with its registered office in London, United Kingdom.