1. Dữ liệu chúng tôi thu thập

Foxy Fit lưu trữ toàn bộ dữ liệu trên thiết bị của bạn thông qua bộ nhớ cục bộ. Không có máy chủ nào nhận thông tin cá nhân của bạn.

Nếu bạn bật "Giúp Foxy thông minh hơn", chúng tôi gửi ẩn danh qua Firebase Analytics:

• Loại bài tập, nhóm cơ, mức độ hoàn thành
• Cường độ buổi tập (khối lượng, số set)
• Thông tin được tổng hợp, không gắn với tên, email hay định danh thiết bị

2. Dữ liệu chúng tôi KHÔNG thu thập

• Tên, email, số điện thoại (chỉ lưu trên máy bạn, không gửi đi)
• Vị trí GPS (chỉ dùng xác nhận check-in tại gym, không lưu toạ độ)
• Dữ liệu y tế (chỉ dùng để điều chỉnh bài tập trong app)
• Danh bạ, camera, micro (không yêu cầu)

3. Quyền của bạn

• Rút lại đồng ý analytics: Tắt toggle trong Profile → Quyền riêng tư bất kỳ lúc nào
• Xoá toàn bộ dữ liệu: Profile → "Xoá tất cả dữ liệu"
• Sau khi xoá, app không giữ lại bất kỳ thông tin nào trên thiết bị

4. Quy định pháp lý

Foxy Fit tuân thủ Nghị định 13/2023/NĐ-CP về bảo vệ dữ liệu cá nhân tại Việt Nam. Mọi thắc mắc, liên hệ: nguyenduytung.mac@gmail.com

1. Who We Are — Data Controller

The data controller responsible for your personal data is:

Nguyen Duy Tung ("Foxy Fit", "we", "us", "our")
Operating as an independent mobile application developer.
Contact: nguyenduytung.mac@gmail.com

This policy applies to the Foxy Fit iOS application and the website at foxyfit.me. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your data in accordance with the General Data Protection Regulation (GDPR).

2. Personal Data We Collect & Why

We collect the minimum data needed to deliver a great workout experience. Here is a complete breakdown:

A. Data stored exclusively on your device (never transmitted)

• Name, age, body weight, fitness level — used to generate personalised workouts
• Full workout history: exercise names, sets, reps, weights, duration, rest periods
• Health & fitness indicators: muscle groups trained, perceived effort, progression data
• App preferences: language, notification settings, voice coach settings

B. Analytics data — sent only with your explicit consent

If you enable "Help Foxy get smarter" during onboarding or in Profile, we transmit the following anonymised events via Firebase Analytics (Google LLC):

• Workout type (e.g. push, pull, legs), muscle group category
• Session completion rate and duration
• Exercise intensity signals (total volume index, set count range)
• Feature interaction events (e.g. which guidance views are opened)
• App version, device model class (e.g. "iPhone 15 class"), iOS version
• Coarse region (country level, derived from IP by Google — not stored by us)

This data is aggregated and not linked to your name, email, or any persistent device identifier. Firebase's data minimisation settings are configured to disable advertising ID collection and user-level reporting.

C. Location data

• GPS coordinates are requested only once per session to verify proximity to your gym (gym check-in feature). Coordinates are compared locally and immediately discarded — never stored on device or transmitted.

3. Our Legal Bases for Processing (GDPR Article 6 & 9)

We rely on the following legal bases:

• Performance of a contract (Art. 6(1)(b)): Processing your profile and workout data is necessary to provide the core app service you signed up for.
• Explicit consent (Art. 6(1)(a) & Art. 9(2)(a)): Sending anonymised analytics to Firebase requires your prior opt-in. Because workout and fitness data may constitute health data — a special category under GDPR Art. 9 — we obtain your explicit consent before any such data is included in analytics events.
• Legitimate interests (Art. 6(1)(f)): We process aggregated, non-identifiable usage patterns to improve app performance and detect crashes. This processing does not override your fundamental rights.

You may withdraw consent at any time without penalty. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4. Data We Do NOT Collect

• Email address or phone number (entered only locally, never transmitted)
• Precise GPS coordinates (used momentarily for check-in, then discarded)
• Camera, microphone, or contacts (the app never requests these permissions)
• Advertising identifiers (IDFA) — disabled in our Firebase configuration
• Payment data (no in-app purchases or subscriptions)
• Data from third-party social accounts (no social login)

5. Third-Party Data Processors

We share anonymised analytics data with one sub-processor:

Google LLC — Firebase Analytics
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Purpose: aggregated, anonymised usage analytics
Data processed: anonymised event data (see Section 2B)
Privacy policy: policies.google.com/privacy

Google LLC is certified under the EU-U.S. Data Privacy Framework and processes EEA data under Standard Contractual Clauses (SCCs) pursuant to European Commission Decision 2021/914. You can request a copy of applicable SCCs by contacting us.

We do not sell your data. We do not share your data with advertisers, data brokers, or any other third party beyond the processor listed above.

6. International Data Transfers

Foxy Fit is operated from Vietnam. If you are in the EEA or UK, the anonymised analytics data you consent to share is transferred to the United States (Google LLC / Firebase). This transfer is safeguarded by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Google LLC's EU-U.S. Data Privacy Framework certification
• Technical minimisation: data is anonymised before transmission, with advertising ID disabled

Your on-device personal data (profile, workout history) does not leave your device and is therefore not subject to cross-border transfer.

7. Data Retention

• On-device personal data: Retained until you delete it via Profile → "Delete all data", or until you uninstall the app. Deletion is immediate and irreversible.
• Firebase Analytics events: Raw event data is retained for 14 months by Google (Firebase default), after which it is deleted. Aggregated, non-identifiable reports may be retained indefinitely.
• Crash & diagnostic data: We do not use Firebase Crashlytics or any crash reporting service.

8. Security

We take appropriate technical and organisational measures to protect your data:

• All personal data is stored in iOS's sandboxed local storage, protected by the device's hardware encryption and your device passcode / Face ID.
• Analytics data is transmitted over HTTPS/TLS to Firebase. No personal data is transmitted in plaintext.
• No server-side database exists for personal data — there is nothing to breach.
• Firebase API keys are restricted by bundle ID and platform.

9. Your Rights (GDPR Articles 15–22)

If you are in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we process about you.
• Right to rectification (Art. 16): Correct inaccurate data — your profile can be edited at any time in the app.
• Right to erasure / "right to be forgotten" (Art. 17): Delete all on-device data via Profile → "Delete all data". For Firebase-held anonymised data, contact us and we will submit a deletion request to Google.
• Right to restriction of processing (Art. 18): Request that we restrict processing while a dispute is resolved.
• Right to data portability (Art. 20): Export your workout history as a structured JSON file via Profile → "Export data".
• Right to object (Art. 21): Object to processing based on legitimate interests at any time.
• Right to withdraw consent (Art. 7(3)): Turn off the analytics toggle in Profile → Privacy at any time. This does not affect prior processing.
• Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority (e.g. the CNIL in France, ICO in the UK, or your national DPA).

To exercise any of these rights, email us at nguyenduytung.mac@gmail.com. We will respond within 30 days. We will not discriminate against you for exercising your rights.

10. Children's Privacy

Foxy Fit is not directed at children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided personal information to us, please contact us immediately and we will delete it.

11. How We Obtain & Manage Consent

We use a granular, opt-in consent model:

• During onboarding: A clearly labelled toggle — "Help Foxy get smarter (share anonymous workout stats)" — is presented before any analytics are sent. The toggle is off by default for EEA/UK users; on by default for other regions where permitted. You must actively enable it.
• At any time: Consent can be granted or withdrawn in Profile → Privacy → "Help Foxy get smarter".
• Effect of withdrawal: Firebase Analytics stops receiving new events immediately. No further data is sent. Previously transmitted anonymised events remain in Firebase's 14-month retention window but cannot be linked to you.

Health-related analytics (workout intensity, muscle groups) are bundled into the single consent toggle above. By enabling it, you provide explicit consent for processing health-category data as defined under GDPR Art. 9(2)(a).

12. Changes to This Policy

We may update this policy from time to time. For material changes (changes to data we collect, new third-party processors, or new legal bases), we will notify you with an in-app banner before the changes take effect and update the "Last updated" date above. For non-material changes, we will update the date only.

Continued use of Foxy Fit after the effective date constitutes acceptance of the revised policy. If you do not agree, you may delete all data and uninstall the app.

13. Contact & Data Protection Enquiries

For any privacy questions, rights requests, or concerns:

Nguyen Duy Tung — Foxy Fit
Email: nguyenduytung.mac@gmail.com
Response time: within 30 days

If you are in the EEA or UK and believe we have not addressed your concern adequately, you have the right to lodge a complaint with your national data protection authority. A list of EU DPAs is available at edpb.europa.eu. UK users may contact the Information Commissioner's Office (ICO).