FITview
Language

Privacy Policy

Date: May 25, 2026 · This Privacy Policy applies to the FITview web application, accessible via the domain listed above.

1. Data Controller

The data controller responsible for the processing of personal data within the scope of this application, as defined by the GDPR, is:

Guido Leifhelm
Leifhelm Medien
Schrievers Brede 29
59269 Beckum
Germany
Phone: +49 151 17613688
Email: info@leifhelm-medien.de

For complete provider information, see Legal Notice.

2. Overview

FITview is a closed B2B application for fitness studios.

Personal data is collected and processed only to the extent necessary for the operation of the application and the functions explicitly activated by the user.

3. Hosting and Server Logs

The application is hosted on a server operated within the European Union (Germany). When pages are accessed, the server processes the following data to ensure operation and to defend against attacks:

  • IP address
  • Date and time of the request
  • URL and methods accessed
  • HTTP status code
  • User-Agent (browser identifier)
  • Referrer (referring page)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable and secure operation). Server logs are deleted or anonymized after a maximum of 30 days.

4. Cookies and Local Storage

The application uses only technically necessary cookies and data in the browser's local storage (LocalStorage):

  • Session cookie (NextAuth) – HttpOnly, SameSite=Lax, maintains the login session. Deleted upon logout.
  • OAuth state cookie – short-lived, used exclusively for CSRF protection during Facebook login.
  • Contest cookie qr_game_played_<studio>_<campaign> – set as soon as a visitor has participated in a QR contest. Lifespan 24 hours, SameSite=Lax. Purpose: exclusively anti-abuse (one entry per browser per day), no tracking, no profile creation.
  • LocalStorage – stores UI preferences (selected language, light/dark mode, expanded sections). No personal data.

A cookie consent banner is not required, as only technically necessary cookies are used (§ 25 (2) No. 2 TDDDG).

5. Account and Studio Data

The following data is processed to provide the application:

  • Account Data: Email address, password (stored exclusively as a cryptographic bcrypt hash), role (Studio / Admin), time of last login, individual language and display settings.
  • Studio Data: Studio name, public slug, time zone, logo image file, class schedule content (class names, rooms, times, background images), display configurations, QR contest content, story template settings.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract – provision of the agreed software service).

6. Meta Integration (Facebook & Instagram)

At the studio's express request, FITview can be connected to Facebook Pages and Instagram Business Accounts to automatically post story content featuring the daily class schedule. The connection is optional and can be disconnected at any time.

6.1 Data Collected

When connecting a Meta account, the following data is transmitted to FITview:

  • Meta user ID and display name of the connecting user
  • List of Facebook Pages to which the user has access (ID, name, profile picture)
  • List of Instagram Business accounts linked to these Pages (ID, username, profile picture)
  • Page access tokens for each selected Facebook Page
  • Long-lived user access token of the connecting user

6.2 Purpose

The data is used exclusively to automatically publish the story template generated in the Studio on behalf of the selected Page(s). No automated reading, analysis, or posting of other content takes place.

6.3 Requested Permissions (Scopes)

  • pages_show_list – Retrieve a list of Facebook Pages accessible to the user
  • pages_read_engagement – Read basic information about the Pages (name, profile picture)
  • pages_manage_posts – Publish Story content on behalf of the Page
  • instagram_basic – Detect linked Instagram Business accounts
  • instagram_content_publish – Upload and publish story content to the Instagram account
  • business_management – Detect the Business account structure for correct listing of pages

6.4 Storage and Security

Access tokens are encrypted on the server side with AES-256-GCM before being stored. The master key is stored exclusively as a server environment variable and is not stored in the database. The database is hosted in the European Union (Germany).

6.5 Retention Period

The Meta connection remains active until it is actively disconnected by the Studio (using the "Disconnect" button in the app) or until Meta revokes the authorization (e.g., if the user deauthorizes the app in their Facebook settings). In both cases, tokens, account lists, and post history are immediately removed from the database.

6.6 Data Transfer to Third Countries

Story content is published via the Meta Graph API. In this process, the rendered story image and the access tokens are transmitted to Meta Platforms Ireland Ltd. or to the group companies responsible for the Meta platforms in the U.S. Meta is certified under the EU-U.S. Data Privacy Framework. Meta's privacy policy: https://www.facebook.com/privacy/policy/.

6.7 Disconnection and Data Deletion

  1. In FITview: In the app, go to "Integrations → Facebook & Instagram → Disconnect." All stored tokens and account links are deleted immediately.
  2. Via Facebook: Remove the app in the Facebook settings under "Apps and Websites." Meta then automatically sends a deletion request to FITview; all data pertaining to this user is removed on the server side.
  3. Explicit Data Deletion Request: If you submit an explicit request via Meta's services, Meta will forward it to our Data Deletion Callback. You will then receive a confirmation code and can view the status at /datenschutz/loeschung/<code>.

Legal basis for the Meta integration: Art. 6(1)(a) GDPR (consent through active connection) and Art. 6(1)(b) GDPR (performance of the contract for the booked "automatic story posting" feature).

7. Public Studio Pages and QR Code Contest

Some content of the application is publicly accessible without logging in—specifically the public class schedule views (e.g., /<studio>/kursplan or /<studio>/class-schedule), the public display views (/<studio>/display), and the QR contest (/<studio>/gewinnspiel).

7.1 View-Only Pages

No data is entered on the class schedule and display views. Only the technically necessary data described in Section 3 (Hosting and Server Logs) is processed. Indexing by search engines is disabled (robots: noindex, nofollow).

7.2 Data Processing in the QR Code Sweepstakes

The QR prize draw works without an account, without an email address, without a name, and without any other participant master data. There is no entry form—participation occurs solely by clicking on a virtual card. If a prize is won, a random prize ID (e.g., ABC12345) is displayed in the browser; it serves exclusively to redeem the prize at the studio on-site.

To prevent manipulation and multiple entries, we process the following technical data:

  • IP address of the participant, in the QrGamePlayAttempt table. Purpose: Limiting participation to one entry per IP address, day, and campaign. Retention period: 24 hours, followed by automatic deletion. No profiling takes place.
  • Hash of a short-lived game token (SHA-256, not plain text) in QrGameConsumedPlayToken. Purpose: One-time use of each game move (protection against automated repetition). Storage duration: 2 hours.
  • Honeypot field and minimum response time comparison – evaluated exclusively in the browser and during gameplay; no permanent storage.
  • Optional: "Cloudflare Turnstile" bot protection – see Section 7.3.
  • Winning record in QrGameWin: random winning ID, timestamp, and (updated later by the studio) prize value. These fields contain no personal references; the studio may delete them in bulk.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a fair contest process free of abuse).

7.3 Cloudflare Turnstile (bot protection)

FITview uses the "Cloudflare Turnstile" service to protect against automated entries. When the contest page is accessed, a JavaScript snippet is loaded from challenges.cloudflare.com. Turnstile checks in the background whether the entry originates from an actual browser and, for this purpose, transmits in particular the IP address, user agent, anti-bot signals, and a one-time token to Cloudflare. The provider is Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA. Cloudflare is certified under the EU-US Data Privacy Framework. Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in effective protection against automated entries).

7.4 Organizer and Terms of Participation

The respective fitness studio, as the organizer, is responsible for the specific details of a given contest (prize, terms of participation, drawing, prize distribution). The terms of participation are displayed in the game window below the cards. Leifhelm Medien operates solely the technical platform.

8. Other Services Used

  • Email Delivery: System notifications (password reset, announcements, inbox messages) are sent via the transactional service Brevo (Sendinblue GmbH). Provider: Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Brevo. Data transmitted: Recipient's email address, recipient's name, subject line, and content of the email. Privacy Policy: https://www.brevo.com/de/datenschutz/. Legal basis: Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in reliable email delivery).
  • QR code generation: Performed server-side using the open-source library qrcode. No external QR API is called; the generated images are stored locally on our server.
  • OpenStreetMap maps / external fonts: Are not used in the application. All fonts (Geist Sans, Geist Mono) are delivered exclusively locally from our own server.
  • Analytics tools (Google Analytics, Plausible, Matomo, etc.) are not used.

9. Your rights as a data subject

You have the right at any time to:

  • Access the personal data stored about you (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Withdrawal of consent with future effect
  • Filing a complaint with a data protection supervisory authority, e.g., the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia

Please direct inquiries to info@leifhelm-medien.de.

10. Retention Period

Personal data will be deleted as soon as the purpose of processing no longer applies and there are no conflicting statutory retention periods (e.g., under commercial or tax law). Account data will be deleted if the studio terminates the service or an account remains inactive for more than six months. Inbox conversations and announcements are automatically deleted 90 days after their last activity.

11. Changes to this Policy

This Privacy Policy may be updated to reflect current technical or legal developments. The version available at this URL is always the authoritative one.

12. Image Credits and Third-Party Content Used

Some of the icons used in FITview come from the Flaticon library and are used in accordance with their license terms for free use with attribution. Icon creators: various authors on Flaticon.com.

Emoji graphics on public display views are sourced from the OpenMoji project and are licensed under CC BY-SA 4.0.

The application itself is based on open-source components (including Next.js, React, Prisma, Tailwind CSS, and NextAuth). These components do not process user data for third parties and are executed locally on our server.