Coding Warehouse Limited operates the FittBio platform at fittbio.com under the FittBio brand ("FittBio", "we", "us"). We are the data controller for the personal data described in this policy. You can reach us at privacy@fittbio.com. Registered office: 1007 London Road, Leigh-On-Sea, Essex SS9 3JY.
2. What we collect
Account data — name, email, and password hash, managed on our behalf by Clerk.
Profile content — anything you publish on your public link-in-bio page (display name, bio, links, photos, programmes).
Payment metadata — subscription status, customer ID, and last 4 digits of your card. Full card details are stored by Stripe, not by us.
Uploaded media — profile and programme files you upload, stored on Cloudflare R2.
Analytics events — page views, link clicks, and form submissions on your public profile. Visitor IP addresses are SHA-256 hashed before storage so individuals cannot be identified.
Lead form submissions — answers visitors give to forms you publish. You are the controller of this data; we process it on your behalf.
Free download (lead magnet) submissions — the email address (and any optional details such as name, Instagram handle, or phone number) a visitor provides to unlock a gated download you publish, plus a record of whether the visitor opted in to receive marketing from you. You are the controller of this data; we process it on your behalf as your processor.
2a. Free downloads / lead magnets
When a visitor unlocks a free download on a trainer's profile:
The trainer is the data controller for the visitor's submission and is responsible for how the data is used afterwards.
FittBio acts as the trainer's processor: we host the gate page, validate the submission, store it, and surface it in the trainer's dashboard.
Email is the only field a visitor must provide — it is necessary to deliver the file and record consent. Other fields (name, Instagram, phone) are always optional regardless of the trainer's configuration.
Marketing consent is separate. The visitor's submission alone is not consent to marketing. Trainers may only send marketing emails, DMs, or calls to contacts who explicitly ticked the marketing consent box on the gate page (lawful basis: consent under PECR + UK GDPR Art 6(1)(a)). The lawful basis for storing the submission itself is legitimate interest (UK GDPR Art 6(1)(f)) — to deliver the requested download.
Visitors can withdraw consent and request deletion at any time by contacting the trainer directly. The trainer is responsible for honouring this within one calendar month (UK GDPR Art 12).
3. Lawful basis (UK GDPR)
Contract — we process account, profile, and payment data to provide the service you signed up for.
Legitimate interest — aggregated analytics so you can see how your profile performs.
Legal obligation — tax and accounting records related to subscription billing.
4. Sub-processors
We share data with the following third parties:
Clerk — authentication and account management
Stripe — subscription billing and Stripe Connect for trainer payouts
Cloudflare R2 — file storage for uploaded media
Resend — transactional email
Where these providers are based outside the UK or EEA, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.
5. Your rights
Under UK GDPR you have the right to access, correct, delete, export, or restrict processing of your personal data. You can:
Delete your account from your dashboard settings — this removes your profile, links, programmes, uploads, and analytics data.
Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
6. Retention
Active account data is retained while your account is open. After account deletion, we keep billing records for 7 years to meet UK tax law and delete the rest in line with the categories below. Anonymous free-download submissions (where the visitor did not opt in to marketing) are retained while the trainer's account is active so we can re-send the file on request; you can ask us to delete them sooner at privacy@fittbio.com. Analytics events are pruned on request — we don't yet run automated retention on this data, and we'll update this section when we do.
7. Cookies
We use three categories of cookies and similar technologies. The analytics and advertising categories are strictly opt-in — nothing is set or loaded until you click "Accept" on the cookie banner.
Essential — session cookies set by Clerk to keep you logged in. Always active; necessary for the service. Lawful basis: contract and legitimate interest.
Analytics (first-party) — profile views, link clicks, and social clicks on public trainer pages. Visitor IP addresses are SHA-256 hashed before storage. Loaded only with your consent. Lawful basis: consent.
Advertising (Facebook Pixel) — used to measure the performance of our advertising and reach similar audiences. The pixel script is not loaded until you consent. If you revoke consent after accepting, refresh the page to fully unload the pixel. Lawful basis: consent.
You can change your preferences at any time using the Cookie Settings link in the page footer.
8. Changes to this policy
We may update this policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect.