Bluethenics is committed to protecting the privacy of all users — including children. This policy explains what personal and health data we collect, why we collect it, how we protect it, and the rights you hold under applicable global laws including GDPR, CCPA/CPRA, and COPPA.
Bluethenics ("we," "us," or "our") is the operator of the Bluethenics fitness application and all associated services. For the purposes of applicable data protection law, Bluethenics acts as the data controller of your personal information.
This Privacy Policy applies to all users worldwide who access or use the Bluethenics application, including users aged 10 and above. Users aged 10–15 require verifiable parental or guardian consent as described in Section 10.
2. Data We Collect (Health Data)
We collect only what is strictly necessary to provide and improve the Bluethenics service. We practice data minimization — we never collect more than we need.
a) Account & Credential Data
Email address — provided by you at registration. Used for account authentication, password resets, and essential security communications only.
Password — stored exclusively as a secure cryptographic hash via Firebase Authentication (industry-standard bcrypt). We never store, access, or transmit your plain-text password under any circumstances.
Display name or username — optional, provided at your discretion during setup.
Unique user identifier — a Bluethenics-specific ID assigned by Firebase to securely associate your account with your data.
b) Health & Fitness Data (Special Category — GDPR Art. 9)
Body measurements, fitness goals, and personal progress data you voluntarily enter.
Progress photos, if you choose to upload them.
Any other health-related information you explicitly provide within the app.
Health data is special category data under GDPR Article 9 and is handled with the highest level of protection. We do not automatically infer or collect health data beyond what you voluntarily enter.
c) Device & Usage Data
Anonymized, aggregated app interaction data (e.g., session duration, feature usage, crash reports) used solely to improve performance. This data cannot be linked back to you individually.
Device type, OS version, and app version for technical support purposes.
d) Support Communications
If you contact us by email, we retain your email address and message content solely to respond to your inquiry.
e) Data We Do NOT Collect
Payment card numbers, Social Security numbers, government-issued ID, biometric identifiers, or precise real-time geolocation.
Contact lists, microphone, camera, or any device permission not explicitly required by a core app feature.
Behavioral data for advertising, tracking, or profiling of any kind.
3. Legal Basis for Processing (GDPR)
For users in the EEA, UK, and Switzerland, we process personal data under the following legal bases:
Contract performance (Art. 6(1)(b)): Processing account and credential data is necessary to provide the service you registered for.
Explicit consent (Art. 6(1)(a) & Art. 9(2)(a)): For special category health and fitness data, we rely on your explicit, freely given consent — or, for users under 16 in the EEA/UK, verifiable parental or guardian consent. You may withdraw consent at any time.
Legitimate interests (Art. 6(1)(f)): Anonymized usage analytics to improve app performance, where our interests do not override your fundamental rights.
Legal obligation (Art. 6(1)(c)): Where required by applicable law to retain or disclose data.
For users under 13 in the United States, we obtain verifiable parental consent as required by COPPA before any personal information is collected. See Section 10 for full details.
4. How We Use Your Data
We use the data we collect strictly for the following purposes — no exceptions:
Creating and securely managing your Bluethenics account.
Authenticating your identity when you log in with your email and password.
Sending essential account-related emails (password resets, security alerts). We do not send marketing emails unless you explicitly opt in.
Displaying your personal workout history, statistics, and progress within the app.
Generating personalized fitness insights and tracking your goals.
Diagnosing and fixing technical issues and improving app performance.
Responding to support requests you initiate.
Complying with applicable legal obligations.
Your data is never used for advertising, behavioral profiling, or any commercial purpose beyond delivering the service. We do not sell, rent, or trade your data to any third party.
5. Data Sharing & Third-Party Disclosure
We do not sell or share your personal data with third parties for commercial purposes. Data is disclosed only in these limited circumstances:
Infrastructure Providers
Firebase (Google LLC): Handles email/password authentication (storing only secure password hashes), database storage, and anonymized analytics. Google acts as a data processor under a signed Data Processing Agreement (DPA) and is GDPR-compliant.
Google Cloud Platform (GCP): Provides secure data hosting and storage infrastructure, also covered under Google's DPA.
Legal Requirements
We may disclose data to comply with a valid legal obligation, court order, or governmental request, or to protect the safety of Bluethenics, our users, or the public.
Business Transfers
In the event of a merger, acquisition, or asset sale, user data may transfer to a successor entity. You will be notified in advance and your data rights will remain protected.
All providers are contractually required to process your data only as instructed, maintain appropriate security, and comply with GDPR and CCPA where applicable.
6. International Data Transfers (GDPR)
Your data may be stored on servers located in the United States, where Firebase and Google Cloud Platform infrastructure is operated. For transfers from the EEA, UK, or Switzerland to countries not deemed adequate by the European Commission, we rely on:
Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with Google LLC.
Google's supplementary technical safeguards for cross-border transfers.
Account, credential & health data: Retained while your account is active. Upon deletion, all data is permanently erased within 30 days.
Password hashes: Deleted within 30 days of account deletion alongside all other account data.
Support communications: Retained for up to 12 months after resolution, then permanently deleted.
Anonymized usage analytics: Retained for up to 24 months. Fully anonymized — cannot be linked to any individual.
Children's data: Deleted immediately upon verified parental request, or within 30 days of account deletion, whichever is sooner.
Legal hold: Certain data may be retained longer where required by applicable law or regulation.
8. Your Rights under GDPR
If you are in the EEA, UK, or Switzerland, you have the following rights over your personal data:
Right of Access
Request a copy of the personal data we hold about you (Art. 15).
Right to Rectification
Request correction of inaccurate or incomplete data (Art. 16).
Right to Erasure
Request deletion of your personal data — "right to be forgotten" (Art. 17).
Restrict Processing
Request that we limit how we process your data in certain circumstances (Art. 18).
Data Portability
Receive your data in a structured, machine-readable format (Art. 20).
Right to Object
Object to processing based on our legitimate interests (Art. 21).
Withdraw Consent
Withdraw consent to health data processing at any time, without penalty.
Right to Complain
Lodge a complaint with your national supervisory authority.
To exercise any right, email bluethenics01@gmail.com with subject line "Data Rights Request." We respond within 30 days (extendable by 2 months for complex requests, with notice). Identity verification may be required.
UK residents may contact the ICO at ico.org.uk. EU residents may find their DPA at edpb.europa.eu.
9. Your Rights under CCPA / CPRA
If you are a California resident, you have the following rights under CCPA as amended by CPRA:
Right to Know: Request disclosure of what personal information we collect, its sources, purposes, and any sharing.
Right to Delete: Request deletion of personal information we have collected, subject to legal exceptions.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for behavioral advertising. No action is needed, but you may confirm at any time.
Right to Limit Sensitive Data Use: Request that we limit use of your health data to only what is necessary to provide the service.
Right to Non-Discrimination: We will never penalize you for exercising CCPA rights.
To submit a CCPA request, email bluethenics01@gmail.com — subject line "CCPA Privacy Request." Response within 45 days (extendable by 45 days with notice).
Categories of Personal Information Collected (CCPA Disclosure)
Identifiers: Email address, unique user ID, optional display name.
Credentials: Hashed password (not readable by us or any third party).
Health & Fitness Data: Workout logs, body measurements, goals, progress data.
Internet / Network Activity: Anonymized, non-identifiable app usage data.
We do not collect Social Security numbers, financial information, biometrics, or government-issued ID.
10. Children's Privacy (COPPA, GDPR-K)
Bluethenics is available to users aged 10 and above. We apply enhanced privacy protections for all users under 18, with strict legal requirements for those under 13 (US) and under 16 (EEA/UK).
Users Aged 10–12 (Under 13 — COPPA, United States)
We comply fully with the Children's Online Privacy Protection Act (COPPA). We will not collect any personal information from users under 13 in the United States without verifiable parental or guardian consent. Before registration, the child's parent or legal guardian must:
Provide verifiable consent by emailing bluethenics01@gmail.com with the subject line "Parental Consent — Child Registration", including their own name, the child's first name, and their relationship to the child.
Provide their own email address, which will be used as the primary contact for all account-related communications regarding the child's account.
Parent / Guardian Rights (COPPA): You have the right at any time to review your child's personal information, request its correction or deletion, and revoke your consent. Contact us at bluethenics01@gmail.com — subject line "Parental Request." We will respond within 5 business days.
In the EEA and UK, users under the age of 16 (or the applicable age of digital consent in their member state, which may be as low as 13 in some countries) require verifiable parental or guardian consent before we may process their personal data. We treat all EEA/UK users under 16 as requiring such consent and apply the same parental consent process described above.
Protections Applied to All Minor Users
We collect the minimum data necessary — no behavioral profiling, no advertising data, no unnecessary permissions for any user, especially minors.
We display no advertising within the app.
Minors' data is never shared with third parties beyond the infrastructure providers listed in Section 5.
Children's data is subject to the same security protections, retention limits, and deletion rights as adult data — with faster response times for parental requests.
If we discover we have inadvertently collected personal data from a child under 13 without verified parental consent, we will delete that data within 48 hours of discovery.
For any concern about a child's data, contact bluethenics01@gmail.com — we respond to all child-related data requests within 5 business days.
11. Data Security
Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2 or higher.
Encryption at rest: Data stored on Firebase and Google Cloud Platform is encrypted using AES-256.
Password security: Passwords are processed only as secure one-way hashes via Firebase Authentication. We never store, view, or transmit plain-text passwords.
Access controls: Stored personal data is accessible only to authorized personnel on a strict need-to-know basis.
Security monitoring: Firebase security rules and anomaly detection actively identify and flag unauthorized access attempts.
No system is entirely immune to security risks. In the event of a data breach likely to cause high risk to your rights and freedoms, we will notify you and the applicable supervisory authority without undue delay, as required by GDPR Articles 33 and 34.
12. Cookies & Analytics
The Bluethenics mobile application does not use browser cookies. Firebase Analytics may collect anonymized, aggregated usage data (feature engagement, session length) that cannot be linked to any individual user. This is used exclusively to improve app performance.
You may opt out of Firebase Analytics via your device's advertising ID or analytics settings, or by contacting us to request manual exclusion.
13. Changes to This Policy
When we make material changes to this Privacy Policy, we will:
Update the "Last updated" date below.
Notify users via in-app notification or email at least 14 days before changes take effect.
Seek renewed parental or user consent where legally required — particularly for any changes affecting how we process children's data.
Continued use of Bluethenics after the effective date constitutes acceptance of the updated policy.