Privacy Notice for the use of Movina
Last updated: 2026-03-24
Thank you for using Movina! Movina protects your privacy. This Privacy Notice describes how we collect, use, disclose, and otherwise process your personal data, as well as the rights and choices you have with respect to your personal data.
The use of our services is subject to our Terms and Conditions, including the applicable provisions on limitation of liability and dispute resolution.
1. Controller and Contact
Unless otherwise stated in this Privacy Notice, the controller responsible for data processing is:
Fastic GmbH (hereinafter "Movina" or "we" / "us") Pappelallee 78/79 10437 Berlin Germany
- Email: info@fastic.com
- Managing Director: Benjamin Bak
- Commercial Register: HRB 213132 B, Amtsgericht Charlottenburg
You can reach our Data Protection Officer at: datenschutz@fastic.com
For inquiries and suggestions regarding data protection, we or our Data Protection Officer are happy to assist.
2. Scope
This Privacy Notice applies to the processing of personal data by Fastic GmbH in connection with the following offerings:
- our website www.fastic.com,
- our mobile apps (iOS, Android) Movina,
- as well as our presences on social networks and review platforms (e.g., Instagram, Facebook, LinkedIn, Trustpilot) for the Movina app.
Fastic GmbH operates both the Fastic app and the Movina app. This Privacy Notice applies exclusively to the app, website, and social media presence in connection with Movina.
Where the website or social media channels are not yet available at the time of use, this Privacy Notice applies to the existing offerings and will be updated accordingly when additional offerings are added.
It applies to all processing activities related to the use of the above-mentioned offerings, including:
- the use of the app (including without registration, i.e., with an automatically created anonymous account),
- the onboarding questionnaire and creation of personalized training plans,
- the optional registration or linking of a personal account (account linking),
- the use of workout, progress, and planning features,
- the processing of subscriptions and in-app purchases,
- sending push notifications,
- contacting us (e.g., by email),
- the use of analytics and debugging tools within the app,
- as well as visiting our social media channels (once available).
3. Collection of Personal Data
As described below, we may collect personal data directly from you, from third parties, and automatically through your use of our services.
3.1 Data Collected Directly from You
a) Account and Identity Data
When you first use the app, an anonymous account is automatically and transparently created via Firebase Authentication. No registration is required to use the app. You can use Movina entirely with an anonymous account. The following data is collected:
- A unique Firebase user ID (UID),
- time of account creation.
No personally identifying information such as name or email address is requested at this stage.
Optionally, you may upgrade your anonymous account to a personal account at any time ("Account Linking"). This is not a prerequisite for using the app. Depending on the login method chosen, the following data is collected:
- Email and password: Email address and encrypted password (stored by Firebase Auth),
- Apple Sign-In: Apple-provided user ID, and possibly email address and name (depending on your Apple settings),
- Google Sign-In: Google-provided user ID, email address, and possibly profile name.
In addition, you may optionally provide a display name and an avatar URL.
The Firebase UID is preserved during account linking, so that all previously stored data (profile, progress, subscription) remains associated with the account.
b) Onboarding and Profile Data
On first app launch – before any registration – you complete a multi-step onboarding questionnaire in which we collect information used to create a personalized training plan. The entries are voluntary; individual steps may be skipped. The following data categories may be collected as part of the onboarding:
- Training-related information: e.g., training goal, training frequency, workout preferences, preferred training days and duration
- Body and health-related information: e.g., gender, age, height, weight, target weight, body type, existing injuries or limitations
- Fitness-related information: e.g., activity and fitness level, self-assessments of endurance and flexibility
- Settings: e.g., notification preferences, unit system (metric/imperial)
The type and scope of data collected may change as the onboarding process evolves.
Insofar as data (e.g., weight, height, body type, or injuries) qualifies as health data within the meaning of Art. 9 GDPR, we process such data on the basis of your explicit consent (Art. 9(2)(a) GDPR). Before entering health-related data, you will be separately informed about the voluntary nature and purpose of the data processing and asked for your explicit consent.
c) Usage, Progress, and Interaction Data
- Workout history (workout ID, date, duration, calories, exercise progress)
- Favorited workouts
- Plan/program status, weekly plans
- Changes to profile, theme, language, units, sound, notifications
d) Subscription and Payment-Related Data
- Subscription plan, subscription status, expiration/renewal information
- Product/SKU metadata of in-app purchases
- Store context (App Store / Play Store)
Payment data (e.g., credit card numbers) is not processed directly by us but rather by the respective App Store / payment service provider.
e) Communication and Contact
When you contact us — for example by email or through our social media channels — we collect and store your contact details, your messages, and our responses thereto.
f) Preferences and Settings
We collect information about your personal preferences — e.g., how you use our services, which notifications you wish to receive, or which customizations you make.
3.2 Data Collected from Third Parties
We may also receive personal data from third parties, in particular:
- Social Login (Apple / Google): When you register via Apple Sign-In or Google Sign-In, we receive the data shared by the respective provider (provider-specific user ID, and possibly email address). Your credentials (password) are not disclosed to us.
- App Store providers: Transaction metadata in connection with in-app purchases.
For more information on data processing by these providers, please refer to their privacy policies:
- Apple: https://www.apple.com/legal/privacy/
- Google: https://policies.google.com/privacy
3.3 Automatically Collected Data
We and our partners may automatically collect personal data when you use Movina. This includes in particular:
Device and connection data:
- IP address of the requesting device
- Operating system and app version
- Device type and model
- Time of the request
- Requested API endpoints
Activity and usage data:
- App events (e.g., onboarding steps, workout start/completion, paywall interactions)
- Features used and content viewed
- Duration of use
Push and device permission data:
- Push token (Expo Push Token, Device Push Token)
- Permission status for push notifications
- Tracking transparency status (ATT on iOS)
4. Purposes of Processing and Legal Bases
We process the personal data we collect for the purposes set out below. Each purpose is accompanied by the applicable legal basis.
4.1 Provision of the Service and Support
We process your personal data to provide you with Movina. This includes in particular:
- the creation and management of your user account (including anonymous initial registration),
- authentication and session management,
- the provision of personalized training plans based on your onboarding data,
- the storage and display of your workout history and progress data,
- the management of your favorites and weekly plans,
- communication with our customer support,
- as well as other support and administrative tasks.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
4.2 Personalization
We process your personal data to customize content individually. This includes:
- the creation and adaptation of your personalized training plan based on your onboarding data (goal, fitness level, injuries, preferences),
- the selection of suitable workouts by difficulty, duration, and type,
- the calculation of program duration based on the difference between current weight and target weight,
- the customization of the user interface (theme, language, unit system).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract — personalization as a core contractual element).
4.3 Processing of Health-Related Data
Insofar as data collected during onboarding or in the profile settings qualifies as special categories of personal data under Art. 9 GDPR (e.g., data on weight, body type, or injuries), we process such data exclusively on the basis of your explicit consent. You will be separately asked for your consent before entering such data.
Legal basis: Art. 9(2)(a) GDPR (explicit consent). Withdrawal: You may withdraw your consent at any time — e.g., by deleting your account (Settings > Delete Account), after which all associated data will be removed. The withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
4.4 Subscriptions and Payments
We process your data for the handling and management of subscriptions. Payment processing is carried out entirely through the Apple App Store (iOS) or the Google Play Store (Android). We do not have access to your payment instruments.
For subscription management, we use RevenueCat, Inc. (see Section 5). RevenueCat processes on our behalf your Firebase user ID, subscription status, subscription plan, expiration date, and store transaction metadata.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
4.5 Push Notifications
We offer various push notifications to remind you of workouts, inform you of progress, and support you in achieving your goals. Notifications may be planned and delivered both locally on your device and via server.
In this context, we process your push permission status, your individual notification settings, push tokens, and scheduled notification IDs. The type and scope of notification types may change as the app evolves.
Legal basis: Art. 6(1)(a) GDPR (consent by granting push permission), Art. 6(1)(b) GDPR (performance of a contract, insofar as reminders form a core part of the contract).
4.6 App Tracking Transparency (iOS)
On iOS devices, we ask for your consent through the standardized ATT dialog as to whether data about your activity may be used to improve analytics and personalization. The status of your decision is stored in your user document.
If you decline, we restrict data processing by analytics SDKs accordingly.
Legal basis: Art. 6(1)(a) GDPR (consent).
4.7 Analytics and Quality Improvement
We process personal data to gain a better understanding of how users access and use Movina. This serves in particular:
- conducting analytics on the use of our app,
- evaluating and continuously improving our app,
- further developing and optimizing our products,
- conducting internal quality controls.
The analytics services used are described in Section 7.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in product improvement and analytics). Insofar as consent via ATT is required, processing is based on Art. 6(1)(a) GDPR.
4.8 Error Reports and Stability
We process technical data (error messages, stack traces, device model, app version) to capture, analyze, and resolve app crashes and runtime errors.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in error resolution and app stability).
4.9 Security and Abuse Prevention
We process your personal data to protect the security and integrity of Movina, to detect and prevent unauthorized access, and to investigate potential violations of our Terms of Use.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protection against unlawful conduct and in safeguarding our IT systems).
4.10 Communication
We process your personal data to respond to your inquiries, to provide you with requested information about our service, and to send you administrative notices (e.g., notices of changes to our Terms of Use or Privacy Notice).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract), insofar as the communication relates to an existing contractual relationship. Otherwise Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).
4.11 Performance Marketing and User Acquisition
We transmit pseudonymized or aggregated usage data (e.g., device IDs, app installation and conversion events) to advertising platforms (see Section 5.2) to measure the effectiveness of our marketing campaigns and to acquire new users. No real names, email addresses, or health data are transmitted to advertising platforms.
Legal basis: Art. 6(1)(a) GDPR (consent), insofar as consent is required (in particular via ATT on iOS). Otherwise Art. 6(1)(f) GDPR (legitimate interest in marketing our services).
4.12 UX Analysis and Session Recording
We use tools for recording and analyzing user sessions (e.g., UXCam) to improve the usability of our app. Screen interactions are recorded in this process. Sensitive input fields (e.g., passwords) are automatically masked. Recordings are processed in pseudonymized form.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving usability). Insofar as consent is required: Art. 6(1)(a) GDPR.
4.13 Compliance and Legal Proceedings
We process your personal data to comply with legal, regulatory, and governmental obligations, including the fulfillment of statutory retention obligations and the response to legal requests.
Legal basis: Art. 6(1)(c) GDPR (legal obligation). Insofar as the obligation does not arise from EU law: Art. 6(1)(f) GDPR (legitimate interest).
4.14 Access to and Storage of Information on the End Device
We store information on your end device or access information already stored thereon (e.g., via MMKV, SDK identifiers, push tokens, auth tokens). This is done in particular to support technical functions, to analyze usage, and to personalize our services.
Insofar as such access is not strictly necessary to provide Movina, it only takes place on the basis of your consent pursuant to § 25 TDDDG (German implementation of the ePrivacy Directive).
For more information on the technologies used and your control options, see Section 7.
5. Disclosure of Personal Data
We may share the personal data we collect for the purposes described in this Privacy Notice with the following categories of recipients:
5.1 Data Processors (Art. 28 GDPR)
We engage carefully selected external service providers who process personal data exclusively on our behalf and on the basis of a data processing agreement:
| Service | Provider | Location | Purpose | Data Categories |
|---|---|---|---|---|
| Google Cloud / Firebase | Google Ireland Limited | Ireland / US | Authentication (Firebase Auth), data storage (Cloud Firestore), usage analytics (Firebase Analytics), error reports (Crashlytics), configuration (Remote Config), performance monitoring, data analysis (BigQuery) | Firebase UID, profile and usage data, pseudonymized event data, device data, error/stack trace data |
| Amplitude | Amplitude, Inc. | US | Product analytics and event tracking | Pseudonymized event data, user ID |
| RevenueCat | RevenueCat, Inc. | US | Subscription management | Firebase UID, subscription status, product metadata |
| Expo Push | 650 Industries, Inc. | US | Push token infrastructure | Expo Push Token |
| AppsFlyer | AppsFlyer Ltd. | Israel | Mobile attribution and install measurement | Device ID, install/event data, IP address (truncated) |
| UXCam | UXCam Inc. | US | Session recording and UX analysis | Screen interactions (anonymized), device data, session metadata |
| Freshworks | Freshworks Inc. | US / India | Customer support and helpdesk | Name, email address, inquiry contents |
| Mailgun | Sinch Email (Mailgun Technologies, Inc.) | US | Transactional email delivery | Email address, delivery metadata |
| Cloudflare | Cloudflare, Inc. | US | CDN, DDoS protection, network security | IP address, technical connection data |
| DoIT International | DoIT International Ltd. | Israel | Google Cloud contract management (reseller) | Contract data, technical account data |
| Tableau | Salesforce, Inc. (Tableau) | US | Business intelligence and data visualization | Aggregated/pseudonymized usage data |
| Admiral Media | MGD Marketing Management LLC | UAE (Dubai) | Performance marketing agency (campaign management) | Pseudonymized campaign data, attribution data |
These service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, maintain appropriate technical and organizational measures to protect the rights of data subjects, and are regularly monitored by us.
5.2 Marketing and Advertising Platforms
In the context of performance marketing campaigns for user acquisition, pseudonymized or aggregated data may be transmitted to the following advertising platforms. These platforms process the received data as independent controllers:
| Platform | Provider | Location | Purpose | Data Categories |
|---|---|---|---|---|
| Meta Ads | Meta Platforms Ireland Limited | Ireland / US | Performance marketing, user acquisition, conversion measurement | Device ID (IDFA/GAID), app events (pseudonymized), IP address |
| TikTok Ads | TikTok Technology Limited | Ireland / Singapore | Performance marketing, user acquisition | Device ID, app events (pseudonymized), IP address |
| Google Ads | Google Ireland Limited | Ireland / US | Performance marketing, user acquisition, conversion measurement | Device ID, app events (pseudonymized), IP address |
| Moloco | Moloco, Inc. | US | Programmatic advertising, user acquisition | Device ID, app events (pseudonymized), IP address |
Data transmission to these platforms is based on your consent (Art. 6(1)(a) GDPR), insofar as such consent is required (in particular via the ATT dialog on iOS), or on our legitimate interest (Art. 6(1)(f) GDPR) in marketing and reach analysis of our services.
For more information, please refer to the privacy policies of the respective platforms:
- Meta: https://www.facebook.com/privacy/policy/
- TikTok: https://www.tiktok.com/legal/privacy-policy
- Google: https://policies.google.com/privacy
- Moloco: https://www.moloco.com/privacy-policy
5.3 Third Parties as Independent Controllers
In certain cases, data is shared with third parties who process such data under their own responsibility:
- Apple Inc. / Google LLC when using Apple Sign-In, Google Sign-In, or payment processing through the respective App Store,
- RevenueCat, Inc. in the context of subscription management, insofar as RevenueCat acts as an independent controller,
- AppsFlyer Ltd. in the context of attribution, insofar as AppsFlyer acts as an independent controller.
In these cases, data protection responsibility lies with the respective third party. For more information, please refer to their privacy policies:
- Apple: https://www.apple.com/legal/privacy/
- Google: https://policies.google.com/privacy
- RevenueCat: https://www.revenuecat.com/privacy
- AppsFlyer: https://www.appsflyer.com/privacy-policy/
- Amplitude: https://amplitude.com/privacy
5.4 Public Authorities
Where necessary for the enforcement or defense of legal claims, or where we are compelled by an enforceable governmental order, we transmit personal data to the competent authorities, courts, or other public bodies.
5.5 Corporate Transactions
In connection with a merger, acquisition, investment, restructuring, or insolvency, personal data may be disclosed or transferred to involved third parties, provided this is in compliance with applicable data protection laws.
6. Transfers to Third Countries
Certain providers we use may process data outside the EU/EEA (in particular in the US). We ensure that your data protection rights are safeguarded in accordance with legal requirements.
This is achieved in particular through:
- Adequacy decisions of the European Commission (Art. 45 GDPR),
- EU-US Data Privacy Framework (where the provider is certified),
- EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
| Provider | Basis for Transfer |
|---|---|
| Google LLC (Firebase, Analytics, Crashlytics, BigQuery, Google Ads) | EU-US Data Privacy Framework / Standard Contractual Clauses |
| Amplitude, Inc. | Standard Contractual Clauses |
| RevenueCat, Inc. | Standard Contractual Clauses |
| Expo / 650 Industries, Inc. | Standard Contractual Clauses |
| AppsFlyer Ltd. (Israel) | Adequacy Decision (Israel) |
| UXCam Inc. | Standard Contractual Clauses |
| Meta Platforms, Inc. | EU-US Data Privacy Framework / Standard Contractual Clauses |
| TikTok Technology Limited (Singapore) | Standard Contractual Clauses |
| Moloco, Inc. | Standard Contractual Clauses |
| Freshworks Inc. | Standard Contractual Clauses |
| Mailgun Technologies, Inc. | Standard Contractual Clauses |
| Cloudflare, Inc. | EU-US Data Privacy Framework / Standard Contractual Clauses |
| Salesforce, Inc. (Tableau) | EU-US Data Privacy Framework / Standard Contractual Clauses |
| MGD Marketing Management LLC (UAE) | Standard Contractual Clauses |
In addition, we assess the level of protection in the recipient country and — where necessary — implement supplementary technical, organizational, or contractual measures to ensure a level of protection comparable to European data protection standards (e.g., encryption, pseudonymization).
Where a transfer to a third country is envisaged and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country may gain access to the transferred data and that the enforceability of your data subject rights may not be guaranteed.
Note for users in Switzerland
To the extent the Swiss Federal Act on Data Protection (nDSG) applies, the above provisions apply accordingly. For data transfers to the US, we rely — where applicable — on the Swiss-US Data Privacy Framework. Otherwise, the Standard Contractual Clauses recognized by the FDPIC or other appropriate safeguards under Art. 16 nDSG apply. Data is transferred to the countries listed in the table above.
7. Cookies, Tracking, and Analytics
7.1 General
In native mobile apps, traditional browser cookies are generally not used. Instead, we use functionally equivalent technologies:
- Local key-value stores (MMKV): Store app settings, states, and progress directly on your device.
- SDK identifiers: Technical identifiers generated by integrated analytics and service SDKs (e.g., Firebase Instance ID, Analytics App Instance ID).
- Push tokens: Unique device addresses generated by Apple (APNs) or Google (FCM) for push notifications.
- Authentication tokens: Session tokens managed by Firebase Auth.
Access to information on the end device is subject not only to the GDPR but also to § 25 TDDDG (German implementation of the ePrivacy Directive). Technically necessary access is permitted without consent; all other access requires your prior consent.
7.2 Analytics and Performance Services Used
Firebase Analytics (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
We use Firebase Analytics to analyze the usage of our app. In doing so, pseudonymized event data is processed (e.g., onboarding steps, workout start/completion, paywall interactions, settings changes) as well as device information. Firebase Analytics stores data on Google servers. Data is combined with other Google services only insofar as you have enabled this in your Google account settings.
More information: https://firebase.google.com/support/privacy
Amplitude (Amplitude, Inc., 201 Third Street, Suite 200, San Francisco, CA 94103, USA)
We use Amplitude as a supplementary analytics tool. Amplitude processes app events and associated user IDs to enable usage analysis and product improvements. Amplitude stores data in the US. EU Standard Contractual Clauses have been agreed for the transfer.
More information: https://amplitude.com/privacy
Firebase Crashlytics (Google)
We use Firebase Crashlytics to capture app crashes and runtime errors. In doing so, error messages, stack traces, device model, operating system, app version, and error timestamps are processed.
Firebase Remote Config (Google)
We use Firebase Remote Config to deliver configuration values and feature flags to the app in a server-controlled manner (e.g., paywall variants, notification kill switches, free workout limits).
Firebase Performance Monitoring (Google)
We use Firebase Performance Monitoring to monitor app performance (e.g., load times, network performance).
7.3 Categories and Legal Bases
Technically necessary technologies (authentication, Firestore data storage, MMKV core state, RevenueCat subscription management): Cannot be disabled.
Legal basis: § 25(2) TDDDG (German implementation of the ePrivacy Directive) (strictly necessary), Art. 6(1)(b) and (f) GDPR.
Functional technologies (theme/UI settings, onboarding progress, video download status):
Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Analytics and performance technologies (Firebase Analytics, Amplitude, Crashlytics, Performance Monitoring):
Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Insofar as consent via ATT is required on iOS: Art. 6(1)(a) GDPR.
Once a website for Movina is available, a separate cookie policy for website-specific tracking technologies (browser cookies, pixels, etc.) will be provided.
8. Your Privacy Choices
We provide you with various options to manage your privacy preferences:
- Account and profile. You can view and update the data stored in your profile at any time in the settings.
- Notifications. You can enable/disable individual push types and set individual times in the app settings (Settings > Notifications). You can also disable push notifications at any time in your device settings.
- App Tracking Transparency. On iOS, you can manage tracking via Settings > Privacy & Security > Tracking.
- Data export. You can export your workout history and progress data as a CSV file (Settings > Export Data).
- UX analysis. You can disable session recording (UX analysis) in the app settings (Settings > Privacy > UX Analysis).
- Account deletion. You can permanently delete your account at any time (Settings > Delete Account). For details on deletion, see Section 9.3.
- Local data. Uninstalling the app deletes all locally stored data (MMKV, caches, downloads).
Note: Even if you restrict certain processing activities, we may still send you transactional communications (e.g., information about your account or subscription).
9. Retention and Deletion
9.1 Principles
We retain personal data only for as long as is necessary for the respective processing purposes. Once the purpose ceases to apply, the data is deleted unless statutory retention obligations (in particular commercial and tax law obligations under §§ 257 HGB, 147 AO) require continued retention. In such cases, processing is restricted and the data is deleted after expiry of the statutory retention period.
9.2 Retention Period by Data Category
| Data Category | Criteria for Retention |
|---|---|
| Account, profile, and usage data (including onboarding profile, workout history, favorites, plans, and programs) | For the duration of your use of our service (i.e., as long as your account exists). In cases of prolonged inactivity, we reserve the right to automatically delete accounts after prior notification (see 9.4). |
| Push tokens and permission data | Until the token is replaced by the operating system, the permission is revoked, or the account is deleted. |
| Data stored locally on the device | Until app uninstallation, logout, or app reset. This data is under your direct control. |
| Analytics and diagnostic data | For the period necessary to achieve the respective analytics purpose. We regularly review our retention settings and adjust them in accordance with the principle of data minimization. |
| Subscription and transaction data | For the duration of the contractual relationship; thereafter for as long as statutory retention obligations apply (in particular up to 10 years under §§ 257 HGB, 147 AO). |
9.3 Account Deletion
You can delete your account at any time in the app settings (Settings > Delete Account). Upon account deletion, the following data is removed immediately:
- Your user profile including all profile data,
- Your favorites,
- Your weekly plans and training programs,
- Your complete workout history,
- Your user account.
The following data may be retained after account deletion for the specified periods:
- Subscription and transaction data: Up to 10 years due to commercial and tax law retention obligations.
- Anonymized or aggregated analytics data: May be retained for service improvement purposes.
- Data for the establishment, exercise, or defense of legal claims: Until expiry of the applicable statute of limitations (3 years, § 195 BGB).
Note: Active subscriptions must be canceled separately through the settings of the respective App Store. Account deletion alone does not terminate an active subscription.
9.4 Inactive Accounts
We reserve the right to automatically delete accounts that have not been used for an extended period of time, subject to prior notification. Before deletion, you will be informed by email and/or push notification and given the opportunity to reactivate your account.
10. Security
We implement appropriate technical and organizational measures to protect your personal data against loss, misuse, unauthorized access, disclosure, and unauthorized modification. These include in particular:
- Encryption of data in transit (TLS/HTTPS),
- Encryption at rest (Google Cloud / Firestore),
- Access control via Firebase security rules (user-bound read/write permissions),
- Anonymous account creation as default to minimize data collection,
- Locally encrypted storage of app states (MMKV).
11. External Links and Third-Party Features
Our app may contain links to external websites or services (e.g., App Store pages, social media profiles). We are not responsible for the data processing by these third parties. We recommend that you read the privacy policies of the respective providers before using their services.
12. Protection of Children's and Minors' Privacy
Movina is intended for persons aged 18 and over. Use by persons between 16 and 17 years of age is only permitted with the consent of a parent or legal guardian. The purchase of paid subscriptions is reserved exclusively for persons of legal age (18 and over).
We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a person under 16, we will delete this data without delay. If you are aware that a person under 16 has provided us with personal data, please contact us at datenschutz@fastic.com.
13. Anonymized and Aggregated Data
Regardless of the processing activities described in this Privacy Notice, we reserve the right to use and share aggregated, anonymized, or other non-identifiable data. We use such data in particular for:
- Quality control,
- Internal and external analytics,
- Research and development,
- As well as other business and operational purposes.
Anonymized data is information that can no longer be associated with a specific natural person. When we process such data, it is permanently stored in anonymized form and is not used for re-identification purposes.
14. Your Rights
Under the GDPR, you are entitled to the following rights in particular:
14.1 Right of Access (Art. 15 GDPR)
You have the right to request information about the personal data we process. This includes information about the purposes of processing, the categories of personal data, the recipients, and the planned retention period.
14.2 Right to Rectification (Art. 16 GDPR)
You have the right to request the rectification of inaccurate or the completion of incomplete personal data. Within the app, you can adjust many profile data items directly in the settings.
14.3 Right to Erasure (Art. 17 GDPR)
You have the right to request the deletion of your personal data, provided the conditions of Art. 17 GDPR are met. You can perform a complete deletion independently through the app's "Delete Account" function (see Section 9.3).
14.4 Right to Restriction of Processing (Art. 18 GDPR)
Under certain conditions, you have the right to request the restriction of the processing of your data, e.g., if you dispute the accuracy of the data.
14.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format. The app provides a CSV export function for this purpose (Settings > Export Data).
14.6 Right to Object (Art. 21 GDPR)
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6(1)(f) GDPR. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
Irrespective of the above, you have the right to object at any time to the processing of your data for direct marketing purposes — without the need to state specific grounds.
14.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where data processing is based on your consent, you have the right to withdraw that consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Options for withdrawal:
- Push notifications: In the app settings or device settings,
- ATT tracking: In the iOS device settings,
- Health data: By deleting your account (Settings > Delete Account),
- By email to datenschutz@fastic.com.
14.8 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
The supervisory authority responsible for us is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, https://www.datenschutz-berlin.de
14.9 Contact for Exercising Your Rights
To exercise your rights, you may contact us at:
- Email: datenschutz@fastic.com
- Post: Fastic GmbH, Pappelallee 78/79, 10437 Berlin, Germany
15. Obligation to Provide Data
In general, you are not required to provide us with your personal data. Registration with personal data (email, name) is not required to use the app. However, the use of certain features may require the provision of certain data:
- On app launch, an anonymous Firebase account is created automatically (technically required for app operation). Only a technical user ID is generated.
- Without onboarding profile data, no personalized training plan can be created.
- Without push permission, notifications cannot be delivered.
- Personal registration (account linking) is only required if you wish to use your account across devices or restore it after uninstalling.
If the provision of certain data is required, we will inform you accordingly.
16. Automated Decision-Making
We do not carry out solely automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.
We use algorithmic processes to personalize your training plan (e.g., selection of workouts based on your onboarding data, calculation of program duration). This personalization does not produce legal effects and serves exclusively to enhance your training experience.
17. Changes to This Privacy Notice
We may update this Privacy Notice if legal, technical, or organizational conditions change. We will inform you of material changes through the app. The current version as published in the app or in our legal documents shall apply.