Privacy Policy
Effective date: April 29, 2026
This Privacy Policy explains how RubanasFit ("we", "our", or "us") collects, uses, and protects information about you when you use our Telegram bot, Trainer Mini App, Gym Owner Dashboard, or this website (collectively, the "Service").
By using the Service, you agree to the practices described in this policy. If you do not agree, please stop using the Service.
1. Who We Are
RubanasFit is a fitness coaching platform that connects clients with personal trainers and gym owners through Telegram. We are the data controller for personal data processed through the Service.
If you have questions about this policy or your data, contact us at: privacy@rubanasfit.com
2. Data We Collect
We collect data in the following categories depending on how you use the Service:
From clients (via Telegram bot):
- Telegram user ID, first name, and username (provided by Telegram on bot start)
- Fitness data you provide: weight logs, workout completion records, streak history
- Onboarding information: fitness goal, experience level, workout days per week, target weight
- Message content when you interact with bot commands
From trainers (via Trainer Mini App):
- Telegram user ID, display name, and username
- Profile information: biography, specialisations
- Exercise videos and images you upload to your library
- Workout programs and nutrition plans you create
From gym owners (via Gym Owner Dashboard):
- Email address and password (hashed — we never store plaintext passwords)
- Gym name and business details provided during registration
- Session data (JWT tokens stored in your browser)
From website visitors (rubanasfit.com):
- Analytics data (page views, session duration, referrer) — only if you accept cookies
- Technical data: browser type, device type, country (inferred from IP, not stored directly)
3. How We Use Your Data
- To operate and deliver the Service (bot messages, workout delivery, progress tracking)
- To allow trainers to manage their client relationships and content
- To allow gym owners to oversee trainers and clients within their gym
- To send you re-engagement notifications if you have an inactive streak (clients only)
- To improve the platform using aggregated, anonymised analytics (website only, with consent)
- To detect and prevent abuse, fraud, or security incidents
- To comply with legal obligations
We do not sell your personal data to third parties. Ever.
4. Legal Basis (GDPR)
If you are in the European Economic Area (EEA) or UK, we process your data under:
- Contract — to provide the Service you signed up for
- Legitimate interests — platform security, abuse prevention, operational analytics
- Consent — for website analytics cookies (PostHog). You may withdraw consent at any time via our Cookie Policy page
5. Data Sharing
We share data only with:
- Telegram — the bot runs on Telegram's infrastructure. Their Privacy Policy applies to your Telegram account
- PostHog — website analytics (EU region), only if you accept cookies. See the PostHog Privacy Policy
- Resend — transactional email delivery for gym owner accounts. No marketing emails
- Hostinger — our VPS hosting provider. All data is stored on servers within the EU
Your trainer can see all fitness data you share via the bot (this is the core purpose of the Service). Your gym owner can see aggregated performance data for trainers and clients within their gym. Clients cannot see each other's data.
6. Data Retention
- Client fitness data is retained for as long as your account is active
- If you ask your trainer to delete your account, your data is deleted within 30 days
- Gym owner accounts are retained until deleted by an administrator
- Analytics data (PostHog) is retained for 12 months per PostHog's default policy
- Server logs are retained for 30 days for security purposes
7. Your Rights (GDPR)
If you are in the EEA or UK, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — ask us to limit how we use your data
- Data portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — for analytics cookies, via our Cookie Policy page
To exercise any right, email privacy@rubanasfit.com. We will respond within 30 days.
8. Security
We take security seriously. Measures include: encrypted HTTPS connections, hashed passwords (bcrypt), Redis authentication, rate limiting on all public endpoints, and restricted admin access. No system is perfectly secure — if you believe your data has been compromised, contact us immediately.
9. Children
The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it promptly.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the Telegram bot (for clients) or email (for gym owners) at least 14 days before they take effect. The "Effective date" at the top of this page reflects the latest revision.
Questions about your privacy?
Email us at privacy@rubanasfit.com.
We aim to respond within 2 business days.