FitJourney is an all-in-one AI-powered fitness tracking app that lets you log workouts, track meals with photo scanning, monitor body measurements, take progress photos, and connect with a supportive fitness community. It includes AI coaching, workout benchmarks, and achievement badges.

How does AI meal tracking work?

Simply take a photo of your meal and our AI instantly estimates calories, macros (protein, carbs, fat), and nutrients. You can also search our food database or scan barcodes for packaged foods.

Is FitJourney free to use?

FitJourney offers a 7-day free trial with full access to all features. After the trial, plans start at $9.99/month. The social features including posting, commenting, and liking are available to all users.

Can I track both cardio and strength workouts?

Yes! FitJourney supports all workout types including strength training with sets, reps, and weight tracking, cardio with distance and pace tracking, HIIT, flexibility, sports, and more. It automatically tracks personal records and calculates training volume.

Does FitJourney have a social community?

Yes! FitJourney includes a full social fitness community where you can share progress photos, post updates, join challenges, follow friends, and participate in group messaging. All social features are free for all users.

FitJourney - Track Your Fitness, Share Your Progress

Name: FitJourney
Price: 9.99 USD
Author: FitJourney

1Purpose and Scope

This policy establishes the procedures FitJourney follows in the event of a personal data breach, as required by GDPR Article 33, the FTC Health Breach Notification Rule (16 CFR Part 318), CCPA/CPRA, UK Data Protection Act 2018, Australia Privacy Act 1988, Brazil LGPD, and other applicable data protection laws. A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Given that FitJourney processes health data (body measurements, dietary information, fitness activity) classified as special category data under GDPR Article 9, any breach involving this data is treated with the highest severity level.

2. Notification Timelines

Jurisdiction	Authority Notification	Individual Notification
EU (GDPR)	72 hours to supervisory authority	Without undue delay if high risk
US (FTC Health Breach)	60 days to FTC	60 days to affected individuals
US (CCPA/CPRA)	As required by state AG	Most expedient time possible
UK (DPA 2018)	72 hours to ICO	Without undue delay if high risk
Australia (Privacy Act)	30 days to OAIC	As soon as practicable
Brazil (LGPD)	Reasonable time to ANPD	Reasonable time
Canada (PIPEDA)	As soon as feasible to OPC	As soon as feasible
India (DPDP Act)	Without delay to DPB	Without delay

FitJourney commits to notifying the relevant supervisory authority within 72 hours of becoming aware of a breach (the strictest common standard), and affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

3Incident Response Procedure

Phase 1: Detection and Containment (0-4 hours)

Identify the nature and scope of the breach
Contain the breach to prevent further data loss
Preserve evidence for forensic investigation
Activate the incident response team
Document initial findings in the breach register

Phase 2: Assessment and Risk Evaluation (4-24 hours)

Determine the categories and volume of data affected
Assess the risk level (low, medium, high, critical)
Identify affected data subjects and their jurisdictions
Evaluate whether health/special category data is involved
Determine notification obligations per jurisdiction

Phase 3: Notification (24-72 hours)

Notify relevant supervisory authorities with required details
Prepare individual notification communications
Notify affected individuals via email and in-app notification
If 500+ individuals affected (US): notify prominent media outlets
Notify sub-processors if their systems were involved

Phase 4: Remediation and Review (72+ hours)

Implement corrective measures to prevent recurrence
Conduct post-incident review and lessons learned
Update security measures and policies as needed
Provide follow-up communications to affected individuals
Update the breach register with final assessment

4. Breach Severity Classification

Level	Description	Response
Critical	Health data, body images, or financial data exposed to unauthorized parties	Immediate containment, authority + individual notification within 72h
High	Personal identity data (name, email) or social data (messages, follows) exposed	Authority notification within 72h, individual notification if high risk
Medium	Anonymized or aggregated data exposed, or encrypted data with key intact	Internal investigation, authority notification if risk to individuals
Low	System metadata or non-personal operational data exposed	Internal logging and review, no external notification required

5. Notification Content

All breach notifications to individuals will include, at minimum:

A description of the nature of the breach in clear, plain language
The name and contact details of our data protection contact
A description of the likely consequences of the breach
A description of the measures taken or proposed to address the breach
Specific categories of personal data affected (especially if health data)
Recommendations for individuals to protect themselves
Information about the right to lodge a complaint with a supervisory authority

6Breach Register

FitJourney maintains an internal breach register documenting all security incidents, regardless of whether they trigger notification obligations. The register records the facts of the breach, its effects, and the remedial action taken. This register is available to supervisory authorities upon request, as required by GDPR Article 33(5).

7Sub-Processor Breach Obligations

Our sub-processors (Stripe, AWS S3, TiDB Cloud, Umami Analytics) are contractually obligated to notify FitJourney of any data breach without undue delay. Upon receiving such notification, FitJourney will assess the breach and fulfill its own notification obligations as described above. See our Data Processing Agreement for details on sub-processor obligations.

8. Security Contact

To report a security vulnerability or data breach, contact us at:

[email protected]

We operate a responsible disclosure policy. Security researchers who report vulnerabilities in good faith will not face legal action. We aim to acknowledge all security reports within 24 hours and provide an initial assessment within 72 hours.

9Policy Review

This breach notification policy is reviewed annually and updated whenever there are material changes to our data processing activities, applicable laws, or organizational structure. All staff with access to personal data receive training on breach identification and reporting procedures.

Data Breach Notification Policy