Privacy Policy
Effective Date: April 26, 2026
Legal Entity: Zapis Fit is owned and operated by Milan Vlaški, an individual entrepreneur based in Istočno Sarajevo, Bosnia and Herzegovina.
1. Data We Collect
- Identity Data: We collect your email address. This serves as your unique identifier for authentication via Magic Links and to verify your subscription tier. We do not maintain user "profiles."
- Transaction Data: Purchases are processed via Lemon Squeezy. We receive a webhook containing your order ID and payment status. We never see or store your credit card details or billing address.
- Workout Data:
  - Paid/Cloud Tiers: Your workout logs are stored in an SQLite database on our private server to enable multi-device synchronization.
  - Basic/Demo Versions: Your data remains strictly on your local device (IndexedDB) and is never transmitted to our servers.
2. How We Use Data
- To authenticate your session via an encrypted cookie.
- To synchronize your data across your devices (Cloud users only).
- To send Magic Links for login via Resend.
3. Third-Party Processors
- Lemon Squeezy: Merchant of Record (Payments and Tax).
- Resend: Email delivery.
- Hetzner: Infrastructure hosting (Servers located in Germany/EU).
4. Cookies
We use exactly one HttpOnly; Secure; SameSite=Strict session cookie. This is a purely functional cookie required to keep you logged in. We do not use any marketing, tracking, or analytical cookies.
5. Legal Basis (GDPR)
We process your data under the basis of Contractual Necessity. To provide the synchronization and authentication services you have purchased, we must process your email and workout data.
6. International Transfers
- Storage: All workout data is stored on servers in Germany (EU).
- Operation: Zapis Fit is operated from Bosnia and Herzegovina. While your data resides in the EU, it is accessed from outside the EEA for maintenance and technical support. We use industry-standard providers that comply with strict data protection regulations.
7. Your Rights & Data Control
- Access & Portability: You can export your entire history to a CSV file via the app settings at any time.
- Erasure: To permanently delete your identity record and all associated cloud data, email [email protected].
- Correction: Your email address is your identity within the system. It cannot be changed via the interface. For manual updates to your registered email, please contact support.
- Local Deletion: You can wipe all local data by using your browser’s "Clear Site Data" function or the "Reset App" button in the settings.
8. Server Logs
Our web server (Caddy) automatically collects standard connection logs (IP addresses and User Agents). This is a technical necessity to prevent abuse, mitigate DDoS attacks, and ensure server stability. These logs are stored for 14 days and then automatically purged. This processing is based on our Legitimate Interest in maintaining a secure service.