01 About Fitbet and This Policy
Fitbet is an Icelandic fitness app where friends compete against each other in workouts using football predictions as motivation. The data controller is Fitbet, email: fitbet@fitbet.fit.
This policy applies to all processing of personal data in connection with the use of the Fitbet app and is in accordance with the Icelandic Act on Data Protection No. 90/2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
02 Legal Status — Not a Gambling Service
Fitbet is not a gambling service within the meaning of the Icelandic Act on Lotteries and Games No. 59/1972 or the Act on Gambling No. 56/2022. In Fitbet, no monetary equivalents are wagered — the stake is always exercise (e.g. running, cycling, push-ups). The app does not require a licence from the Financial Supervisory Authority or the University of Iceland Lottery, and is considered a social fitness application service.
03 Age Limit
Fitbet is intended solely for individuals who are 18 years of age or older. If we become aware that an individual under the age of 18 has registered, we will delete the account and all associated data without delay. Parents or guardians who have reason to believe their child is using the app are encouraged to contact us at fitbet@fitbet.fit.
04 What Data We Collect and on What Legal Basis
We do not collect data on race, religion, health, political opinions, or other special categories of personal data within the meaning of Article 9 GDPR.
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email, username, name, profile picture | Authentication and account management | Contract — Art. 6(1)(b) | Until account deleted + 30 days |
| Bets, challenges, predictions and results | Operating the service | Contract — Art. 6(1)(b) | Until account deleted |
| Proof photos and videos | Verification of completed workouts | Contract — Art. 6(1)(b) | 90 days from upload |
| Strava access tokens and activity history | Automatic workout verification (with consent) | Consent | Until disconnected or account deleted |
| Push notification token | Sending notifications | Legitimate interest — Art. 6(1)(f) | Until notifications declined or account deleted |
| Subscription information | Processing Premium subscription | Contract — Art. 6(1)(b) | 7 years per Icelandic Accounting Act No. 145/1994 |
05 Strava Integration
Strava integration is optional. If you choose to connect your Strava account, you grant Fitbet permission to read recent activity records for the sole purpose of automatically verifying that you have completed a workout challenge. We store access tokens securely on encrypted servers and never share them with third parties.
You can withdraw your consent and disconnect Strava at any time in the app settings — upon disconnection, the access token is immediately deleted from our servers.
06 Sharing Data with Third Parties
We never sell personal data. We share data only in these cases:
Supabase Inc.
Data is stored on European servers (Frankfurt, Germany) within the EEA. Supabase is our data processor under Article 28 GDPR.
Expo / Expo Push Services
Delivery of push notifications via Apple APNs and Google FCM. Only the notification token is shared — no personally identifiable information.
RevenueCat Inc. (United States)
Processing Premium subscriptions. International transfer of data to the United States takes place on the basis of Standard Contractual Clauses approved by the European Commission under Art. 46(2)(c) GDPR.
Strava Inc.
Only if you connect your account and on the basis of your specifically given consent.
Competent Authorities
We may be required to disclose data to competent authorities in accordance with Icelandic law, e.g. pursuant to a court order.
07 Storage and Security
All data is stored on Supabase servers in Europe (EEA). We apply the following security measures:
- Encryption via TLS 1.2+ / HTTPS on all communications
- Row Level Security (RLS) in the database — users can only view their own data
- Access tokens and secrets stored in an encrypted environment, not in application code
- Regular security updates to the service infrastructure
08 Your Rights under GDPR and Act No. 90/2018
You have the following rights, which we will respond to within 30 days of your request:
Right of access
You can obtain confirmation of what data we store about you and a copy of it.
Right to rectification
You can correct inaccurate or incomplete information about you.
Right to erasure
You can request that we delete your personal data. To delete your account and all associated data, contact fitbet@fitbet.fit.
Right to restriction
You can request that we restrict processing of your data in certain cases.
Right to data portability
You have the right to receive your data in machine-readable format and to transfer it to another service provider.
Right to object
You can object to processing on the basis of legitimate interests.
Where processing is based on consent (e.g. Strava), you can withdraw it at any time without affecting the lawfulness of processing that took place before withdrawal.
To exercise your rights, contact us at fitbet@fitbet.fit.
09 Right to Lodge a Complaint
If you believe that the processing of your personal data violates the law, you have the right to lodge a complaint with Persónuvernd, the Icelandic Data Protection Authority (designated supervisory authority under Art. 77 GDPR):
10 Premium Subscription and Payments
Fitbet Premium is a monthly or annual subscription processed through Google Play or the Apple App Store. The subscription auto-renews unless cancelled through the respective store at least 24 hours before the current subscription period expires.
We do not have access to your payment card details — all payments are processed through Apple or Google. Refund requests are handled according to the App Store or Google Play terms.
11 Changes to This Policy
We may update this policy. When material changes are made, we will notify you through the app or by email with reasonable notice. Continued use of the app after changes take effect constitutes acceptance of the updated policy.
12 Contact
For all privacy matters, rights requests or other questions: