Privacy Policy
Neoloop — Privacy Policy
Effective date: 24 September 2025
Who we are: Neoloop (“Neoloop”, “we”, “us”) is based in Barcelona, Spain, and offers Fitura, a health & fitness app available worldwide.
Contact: info@fituraai.com
Neoloop is the data controller for the personal data described below.
1) What data we collect
We only collect the data needed to run our services, improve them, and (if you agree) market them.
- Account & identity: name, email, password (hashed), country, language.
- Profile: age/date of birth, height, weight, sex, activity level, goals.
- Health & wellness logs (special category data): food intake, ingredients/recipes, nutrition, exercise/workouts, sleep/time stamps you log, and other wellness notes you choose to provide. This is “special category” health data and we process it only with your explicit consent.
- Location data: approximate location from IP (necessary for security, fraud prevention, and localizing content); precise GPS location only if you opt in to features that need it (e.g., route maps).
- Device & usage: app version, device model/OS, performance and crash logs, cookies/SDK IDs, pages/screens used, time stamps.
- Marketing preferences: newsletter opt-ins, push preferences.
- Payments & subscriptions: handled by Apple/Google/Stripe (we receive confirmation/receipt metadata; we don’t see full card numbers).
- User support content: messages, attachments, feedback.
We do not require you to provide health data to create an account. You can use basic features without adding sensitive info.
2) Why we process your data & legal bases (EU & UK)
We process your data for the purposes and legal bases below. Where data are special category health data, we rely on explicit consent (GDPR Art. 9(2)(a)) in addition to the stated Art. 6 legal basis.
Purpose / Examples / Legal basis (Art. 6 GDPR / UK GDPR):
- Provide the app: create/secure your account; core logging & dashboards. Legal basis: contract (to provide the service).
- Personalize & track progress: meal and workout insights, habit trends (with health data consent). Legal basis: contract, plus explicit consent for health data (Art. 9(2)(a)).
- Safety & integrity: detect abuse/fraud, secure authentication. Legal basis: legitimate interests (security).
- Improve the service: analytics, crash diagnostics, A/B testing. Legal basis: legitimate interests (product improvement).
- Customer support: respond to tickets, fix issues. Legal basis: legitimate interests (support).
- Marketing (optional): newsletters, in-app promos. Legal basis: consent (opt-in; withdraw anytime).
- Legal & compliance: tax, accounting, responding to authorities. Legal basis: legal obligation.
You may withdraw any consent (including health or precise location) at any time in the app settings or by contacting us; this does not affect prior lawful processing.
3) Children & minimum age
- EEA: if we rely on consent for an information society service, a child’s own consent is valid from age 16, although Member States may set a lower age down to 13 (e.g., Spain is 14). Where required, we will verify parental consent.
- UK: a child’s own consent applies from age 13; below that, parental consent is required.
We do not knowingly allow under-age users to use consent-based features without the correct consent. If you believe a child has provided data without required consent, contact us.
4) Sharing your data
We don’t sell personal data. We share it with:
- Service providers (processors): cloud hosting, analytics, crash reporting, messaging, payment platforms, customer support tools, bound by contracts (GDPR Art. 28) and only for our documented purposes.
- Professional advisors & authorities: where legally required.
- Business changes: in a merger, acquisition, or asset sale, we’ll notify you and ensure appropriate safeguards.
We’ll maintain an up-to-date list of key processors in-app or on our website.
5) International data transfers
We host and process primarily in the EEA/UK, but some providers may be located outside your country. When we transfer personal data internationally we use approved safeguards such as:
- EU–US Data Privacy Framework (for certified US recipients), and Standard Contractual Clauses (SCCs) where needed. The EU adequacy decision for the Framework entered into force on 10 July 2023 and remains in force.
- UK–US Data Bridge (for certified US recipients), and the UK IDTA/Addendum or other mechanisms where needed. The Data Bridge took effect 12 October 2023.
Copies of relevant transfer safeguards are available on request (subject to redactions).
6) Data retention
We keep data only as long as necessary for the purposes above:
- Account & profile: for your account lifetime; if you delete your account we aim to delete or irreversibly anonymize within 30 days, with limited backups retained for up to 90 days.
- Health logs & location: until you delete them or delete your account (or earlier, if you withdraw consent).
- Analytics & logs: typically 12–24 months (shorter for raw identifiers where feasible).
- Marketing: until you opt out; we keep your email on a suppression list to respect your choice.
- Legal records: as required (e.g., tax).
7) Your rights (EEA & UK)
You can exercise the rights of access, rectification, erasure, restriction, objection, and data portability, and the right to withdraw consent at any time. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. To exercise, use in-app tools or email privacy@neoloop.app.
You may lodge a complaint with your local authority:
- Spain: Agencia Española de Protección de Datos (AEPD).
- UK: Information Commissioner’s Office (ICO).
(We’ll always try to resolve issues directly first.)
8) Cookies & SDKs
We use necessary cookies/SDKs for security and core features. With your consent, we use analytics/measurement SDKs and (optionally) marketing cookies to understand usage and improve the app. You can manage your preferences in the app or device settings. See our Cookie/SDK Notice for details (providers, purposes, retention).
9) Security
We implement technical and organizational measures including encryption in transit, hardened infrastructure, access controls, least-privilege, periodic audits, and incident response. No method is 100% secure; if we detect a breach affecting your data, we will notify you and regulators when required.
10) AI features & automated processing
We use algorithms to generate insights (e.g., nutrition breakdowns, suggested workouts). These do not make decisions with legal or similarly significant effects. You can switch off certain personalization features in settings or avoid providing health data.
11) Third-party links
If the app links to third-party sites or app stores, their privacy practices apply. Please review their policies.
12) Changes to this Policy
We’ll post updates here and in-app. Material changes will be highlighted, and where required, we’ll ask for your consent again (e.g., for new uses of health or location data).
13) How to contact us
- General & privacy requests: privacy@neoloop.app
- DPO: dpo@neoloop.app
- Postal: Neoloop, [Insert full Barcelona address], Spain
- UK Representative (if applicable): [Insert name/contact], UK
Neoloop — GDPR/UK GDPR Compliance Statement (for partners & due diligence)
Controller: Neoloop, Barcelona, Spain.
Primary laws: EU GDPR (Reg. 2016/679), Spanish LOPDGDD (Organic Law 3/2018), UK GDPR & Data Protection Act 2018.
Special category data: We process health-related data (nutrition, exercise, weight) only with explicit consent (GDPR Art. 9(2)(a)/UK GDPR). We provide granular, revocable consent controls in-app.
Records & assessments:
- Article 30 ROPA maintained.
- DPIA completed for health, location, and analytics features; re-reviewed upon major changes.
- LIA (Legitimate Interest Assessment) for security and product analytics where used without special category data.
Transparency: Public Privacy Policy (above) covers processing purposes, legal bases, data sharing, transfers, retention, rights, and contacts.
Age controls: We apply age-appropriate design and consent gating per GDPR Art. 8 (EEA 16—Member State variations down to 13; Spain 14) and UK rules (13) with reasonable verification of parental consent where required.
Data transfers: EEA↔US via EU–US DPF (for certified recipients) and/or SCCs; UK↔US via UK–US Data Bridge and/or IDTA/Addendum; periodic re-assessment of recipients and Schrems II-style transfer impact assessments (TIAs). In September 2025 the EU General Court dismissed a challenge to the EU–US DPF, improving legal certainty, although further appeal remains possible.
Security: Encryption in transit and selective encryption at rest, secrets management, role-based access, logging/alerting, vulnerability management, vendor due diligence, and incident response (72-hour regulator notice & prompt user notice where required).
Sub-processors: Cloud infrastructure, analytics, diagnostics, messaging, payments, and support tools under Art. 28 DPAs with confidentiality, security, and deletion commitments. Current list available on request and via in-app notice.
Breach & rights handling: Documented procedures for access/erasure/portability within statutory timeframes; verified identity checks; breach assessment and notification per EU/UK rules.
Contact points: info@fituraai.com