thefitishlisa ("we", "us") operates this 30-day bootcamp tracker. This policy explains what personal data we collect, why we collect it, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the UK GDPR.

Data controller: thefitishlisa. Questions or requests? Email jonswanepoel@hotmail.com.

When you sign up:

• Name
• Email address
• Password (stored as a salted PBKDF2 hash — we never see the plaintext)
• A chosen emoji and program type (bootcamp or solo)

When you use the app:

• Daily habit check-ins (11 habits: cardio, walking, strength, mobility, water, healthy meal, sleep, gratitude, substance-free, mindfulness, steps)
• Happiness and energy self-ratings (1–5 scale)
• Free-text notes and reflections you choose to write
• Weekly goals, targets, and busyness ratings
• Week 1 baseline time-block data (hour-by-hour activity you enter)

Automatically:

• A session cookie (essential, used only to keep you signed in — SameSite=Lax, Secure in production)
• A CSRF token (essential, to protect form submissions)
• If something goes wrong, an optional error report via Sentry. We configure Sentry with send_default_pii=False, so IP addresses and user identifiers are not sent.

We do not use Google Analytics, advertising cookies, or any third-party tracking.

• Contract (Art. 6(1)(b) GDPR): we need your account details and check-in data to provide the tracker you signed up for.
• Legitimate interest (Art. 6(1)(f)): keeping the service secure (CSRF tokens, error monitoring).
• Consent (Art. 6(1)(a)): the leaderboard shares your display name, emoji, points, and streak with other members of your bootcamp. Participation is optional — solo users are not on any leaderboard, and bootcamp users can request removal at any time.

• You — all of it.
• Bootcamp members — only your name, emoji, points, streak, and habit-completion rates appear on the leaderboard. Your notes, goals, and happiness ratings stay private.
• Admins — the bootcamp organizer can view participant stats and check-ins to support the program.
• Railway (railway.com) — our hosting provider, which runs the app servers and stores the database on our behalf (processor under Art. 28 GDPR).
• Sentry — if enabled, receives anonymized error reports only.

We never sell your data and we never share it for advertising.

Our servers are hosted by Railway (railway.com) in the United States. If you access the service from the EU/UK, your data is transferred to the US. Transfers rely on Railway's EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

• Account data: while your account is active.
• Check-in data: while your account is active — it's what makes the app useful to you.
• After account deletion: we delete your personal data within 30 days. Aggregated, anonymized statistics may be retained.
• Error logs (Sentry): 90 days.

Under GDPR you have the right to:

• Access — request a copy of your data
• Rectification — correct anything inaccurate
• Erasure — have your account and data deleted
• Portability — receive your data in a machine-readable format
• Restriction — ask us to pause processing while a request is reviewed
• Objection — object to processing based on legitimate interest
• Withdraw consent — e.g. to be removed from the leaderboard

To exercise any of these, email jonswanepoel@hotmail.com. We respond within 30 days.

You also have the right to lodge a complaint with your local supervisory authority (for example, the Irish Data Protection Commission or the UK ICO).

Passwords are hashed with PBKDF2 (600,000 iterations) and never stored in plaintext. The site is served over HTTPS, session cookies are Secure and SameSite=Lax, and all form submissions are protected by CSRF tokens.

The service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, contact us and we will delete the account.

We'll post any changes on this page and update the date at the top. If the changes are material, we'll notify you by email.