PRIVACY POLICY

Effective Date: January 11, 2025

Fitnotes X

1. Introduction

Welcome to Fitnotes X (the "App"). This Privacy Policy explains how Arkt Labs Inc. ("we," "us," or "our") collects, uses, discloses, and protects your information when you use our fitness tracking application. We are committed to protecting your privacy and have designed our App to collect minimal personal data.

This Privacy Policy applies to users worldwide and has been designed to comply with applicable privacy laws including, but not limited to, the General Data Protection Regulation (GDPR) in the European Economic Area, the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), other U.S. state privacy laws, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the Protection of Personal Information Act (POPIA) in South Africa, the Privacy Act 2020 in New Zealand, and the Privacy Act 1988 in Australia.

By using the App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the App.

2. Data Controller Information

For the purposes of applicable data protection laws, the data controller responsible for your information is:

Arkt Labs Inc.
2620 Credit Valley Rd., Mississauga, Canada
Email: support@arkt.io

For users in the European Economic Area, United Kingdom, or Switzerland, if you have questions about our data practices, you may contact us at the address above.

3. Information We Collect

We have designed Fitnotes X to minimize personal data collection. Here is everything we collect:

3.1 Email Address

When you create an account using Google Single Sign-On (SSO) or Apple Sign-In, we receive only your email address. We do not receive or store your password, name, phone number, or any other personal information from these authentication providers.

Your email address is used for: account identification and authentication, customer support communications, and marketing communications (with your consent).

3.2 Workout Data

Workout data—including exercises, sets, repetitions, weights, and other fitness metrics—is stored in the cloud and linked to your email address and device ID for syncing purposes. However, this data is not linked to any personal identity information such as your name, age, gender, location, or any other identifying details. We use the email and device ID solely to enable you to access your workout history across devices.

3.3 Device Identifier (For Push Notifications Only)

If you opt in to receive push notifications, we collect a device identifier solely for delivering those notifications. This identifier is not linked to your email or any personal information and is not used to track you.

3.4 What We Do NOT Collect

We do not collect: names, phone numbers, physical addresses, payment information, location data, photos, health data from other apps, social media profiles, or any other personal information.

4. How We Use Your Information

We use the limited information we collect as follows:

  • Email Address: For account authentication, customer support, and marketing communications (with your consent).

  • Workout Data: Stored in the cloud and linked to your email and device ID to enable syncing across devices. This data is not linked to any personal identity information.

  • Device Identifier: Solely to deliver push notifications if you have opted in.


5. Legal Basis for Processing (EEA, UK, and Switzerland)

For users in the European Economic Area, United Kingdom, and Switzerland, we rely on the following legal bases under GDPR and UK GDPR:

  • Contractual Necessity (Article 6(1)(b)): Processing your email address to provide account authentication and the App's services.

  • Consent (Article 6(1)(a)): For marketing communications and push notifications. You may withdraw consent at any time.

  • Legitimate Interests (Article 6(1)(f)): For customer support and improving our services.

6. Data Sharing and Disclosure

We do not sell your personal information to third parties. We may share your information only in the following limited circumstances:

  • Authentication Providers: Google and Apple process authentication requests when you sign in (they do not share your personal data with us beyond your email address).

  • Push Notification Services: Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM) receive device identifiers to deliver push notifications.

  • Email Service Providers: We may use third-party email service providers to send marketing communications on our behalf.

  • Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.

  • Business Transfers: In connection with any merger, acquisition, or sale of company assets, your information may be transferred as a business asset.


7. International Data Transfers

Your email address may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

For transfers from the EEA, UK, or Switzerland to countries not deemed to provide an adequate level of data protection, we implement appropriate safeguards, including Standard Contractual Clauses approved by the European Commission and/or the UK Information Commissioner's Office.

You may request a copy of these safeguards by contacting us at support@arkt.io.

8. Data Retention

  • Email Address: Retained for as long as your account is active. Upon account deletion, your email is deleted within 30 days, except where retention is required by law.

  • Workout Data: Stored in the cloud and retained for as long as your account is active. Upon account deletion, workout data is deleted within 30 days. You may also delete individual workouts at any time through the App.

  • Device Identifiers: Retained only while push notifications are enabled and deleted when you disable notifications or delete your account.

  • Marketing Preferences: We retain a record of your consent or opt-out for marketing communications as required to demonstrate compliance with applicable laws.

9. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information. We respect these rights regardless of your location.

9.1 Rights for All Users

  • Access: Request information about the personal data we hold about you (limited to your email address).

  • Correction: Request correction of your email address if inaccurate.

  • Deletion: Request deletion of your account and email address.

  • Opt-Out of Marketing: Unsubscribe from marketing emails at any time using the link in any marketing email or by contacting us.

  • Withdraw Consent: Withdraw consent for push notifications through your device settings.

9.2 Additional Rights for EEA, UK, and Swiss Users (GDPR/UK GDPR)

  • Right to Restriction: Request restriction of processing in certain circumstances.

  • Right to Data Portability: Receive your personal data (email address) in a structured, commonly used, machine-readable format.

  • Right to Object: Object to processing based on legitimate interests.

  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority.

9.3 Additional Rights for California Residents (CCPA/CPRA)

California residents have the following additional rights:

  • Right to Know: Request disclosure of the personal information we have collected (limited to your email address).

  • Right to Delete: Request deletion of your personal information.

  • Right to Correct: Request correction of inaccurate personal information.

  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.

  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Notice at Collection: We collect only your email address, as described in Section 3. We use this information as described in Section 4.

9.4 Rights for Residents of Other U.S. States

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and obtain a copy of their personal data. We do not engage in the sale of personal information or targeted advertising. To exercise your rights, contact us at support@arkt.io.

9.5 Rights for Canadian Residents (PIPEDA)

Canadian residents have the right to access their personal information, challenge its accuracy, and withdraw consent. We will respond to requests within 30 days. Contact us at support@arkt.io.

9.6 Rights for South African Residents (POPIA)

South African residents have the right to request access to, correction, or deletion of their personal information, and to lodge a complaint with the Information Regulator.

9.7 Rights for New Zealand Residents (Privacy Act 2020)

New Zealand residents have the right to access their personal information, request corrections, and make complaints to the Office of the Privacy Commissioner.

9.8 Rights for Australian Residents (Privacy Act 1988)

Australian residents have the right to access their personal information, request corrections, and make complaints to the Office of the Australian Information Commissioner (OAIC).

10. How to Exercise Your Rights

To exercise any of your privacy rights, you may:

  • Email us at support@arkt.io

  • Use the App's settings (where available)

  • Write to us at 2620 Credit Valley Rd., Mississauga, Canada

We will verify your identity before processing your request and respond within the timeframes required by applicable law (generally 30-45 days).

11. Data Security

We implement appropriate technical and organizational measures to protect your information, including encryption of data in transit using TLS/SSL, secure authentication through OAuth 2.0 with Google and Apple, and access controls limiting employee access to data.

While we strive to protect your information, no method of transmission or storage is 100% secure. We will notify you and relevant authorities of any data breach as required by applicable law.

12. Children and the App

Fitnotes X is suitable for users of all ages. Because we collect only an email address and do not link workout data to personal identity, children under 16 may use the App to record workouts.

For parents and guardians: The App collects only an email address for account creation. Workout data is stored in the cloud but is linked only to the email and device ID—not to any personal identity information such as name, age, or photos.

If you are a parent or guardian and have concerns about your child's use of the App, please contact us at support@arkt.io.

13. Third-Party Links and Services

The App may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

14. Do Not Track Signals

Because there is no universally accepted standard for Do Not Track (DNT) signals, we do not currently respond to DNT signals. However, we do not track users across third-party websites or applications.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App with a new effective date and, where appropriate, sending you an email notification.

Your continued use of the App after any changes indicates your acceptance of the updated policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us at:

Arkt Labs Inc.
Attn: Privacy Officer
2620 Credit Valley Rd., Mississauga, Canada
Email: support@arkt.io

We will respond to your inquiry within 30 days or as required by applicable law.

17. Supervisory Authorities

If you are not satisfied with our response to your privacy concerns, you may contact the relevant supervisory authority:

  • European Union: Your local Data Protection Authority (ec.europa.eu)

  • United Kingdom: Information Commissioner's Office (ico.org.uk)

  • California: California Privacy Protection Agency (cppa.ca.gov)

  • Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca)

  • South Africa: Information Regulator (inforegulator.org.za)

  • New Zealand: Office of the Privacy Commissioner (privacy.org.nz)

  • Australia: Office of the Australian Information Commissioner (oaic.gov.au)

— End of Privacy Policy —