Privacy Policy

Last updated: May 4, 2026

1. Controller

The controller responsible for the processing of personal data in this app is:

Cristian Cristea
Reichsbahnstr. 15
22525 Hamburg
Germany

Email: cristian.cristea.dev@gmail.com

2. General Information

This Privacy Policy explains which personal data is processed when you use Limvia, why it is processed, and what rights you have.

Limvia is an app for personal tracking of body weight, steps, nutrition, training, and sports activities. The app is intended for personal documentation and progress tracking only.

The app is a personal fitness and nutrition tracking tool and does not provide medical advice, diagnosis, or treatment.

3. Data We Process

When you use the app, we may process the following types of personal data.

Account data

  • Name
  • Email address
  • Encrypted password
  • Login and authentication data
  • Language, timezone, or similar settings

Contact and support data

  • Name, if provided
  • Email address
  • Message content
  • Date and time of the message
  • Technical or account-related context, where needed to handle the request
  • Internal admin notes or handling status, where used to process and document the request

Invitation and waitlist data

  • Name, if provided
  • Email address
  • Optional message submitted with an invitation request
  • Request, subscription confirmation, invitation, and acceptance status
  • Invitation token metadata, such as expiry and acceptance time
  • Brevo synchronization status, where used for double opt-in waitlist confirmation

Profile data

  • Height
  • Sex, if provided
  • Date of birth or year of birth, if provided
  • Personal goals, such as target weight, step goal, calorie goal, or training goal

Body, fitness, and activity data

  • Body weight
  • Body metrics
  • Progress data
  • Training entries
  • Activities such as running, strength training, walking, cycling, mobility, swimming, or other activities
  • Running distance, training duration, repetitions, weights, or similar training details
  • Step counts

Nutrition data

  • Food entries
  • Calories
  • Protein
  • Drinks or other voluntarily entered nutrition data
  • Entries marked as estimated

Technical data

  • IP address
  • Date and time of access
  • Browser and device information
  • Server log data
  • Session and security data
  • Cookie, session, and local storage consent or preference data
  • Error logs, where needed for operation and troubleshooting

4. Purposes of Processing

We process personal data to:

  • provide your user account
  • enable login and password reset
  • store your personal fitness, nutrition, body, and activity data
  • show daily, weekly, and progress summaries
  • show goals and progress toward goals
  • receive and respond to contact, feedback, and support requests
  • receive and manage invitation requests
  • operate an invitation-based access flow
  • manage double opt-in subscription confirmation for the waitlist
  • document support handling and communication history
  • investigate technical issues, misuse, or account-related questions
  • provide, secure, and maintain the app
  • detect and fix errors
  • prevent misuse and unauthorized access
  • comply with legal obligations, where applicable

5. Legal Bases for Processing

Where applicable, the processing is based on:

  • Art. 6(1)(b) GDPR, where processing is necessary to provide the app and user account
  • Art. 6(1)(a) GDPR, where you voluntarily provide optional personal data based on consent
  • Art. 9(2)(a) GDPR, where body, fitness, activity, health-related, or nutrition data may qualify as special-category data and processing is based on your separate explicit consent
  • Art. 6(1)(f) GDPR, where processing is necessary for security, troubleshooting, and reliable technical operation
  • Art. 6(1)(c) GDPR, where processing is necessary to comply with legal obligations

Acceptance of the Terms and Privacy Policy is separate from consent to process body, fitness, activity, health-related, and nutrition data. Before using tracking features, you may be asked to provide separate explicit consent for this processing.

Providing body, fitness, training, and nutrition data is voluntary. Some app features may not work or may be limited if you do not provide this data.

6. Body, Fitness, and Nutrition Data

The app processes data such as weight, body metrics, nutrition, training, and activity only for personal tracking and progress display.

This data is not used for medical diagnosis, medical treatment, or automated medical decisions.

You should not use the app as a substitute for medical advice or professional healthcare.

7. Registration and User Account

To use the app, you need a user account. Account creation may require an invitation. During the invitation request, registration, and account use, we process data such as your name, email address, invitation status, and password.

The app is intended for users who are at least 16 years old. Users under 16 may not create an account or use the app.

Passwords are not stored in plain text.

Your email address is used for login, important account functions, password reset, and security-related messages.

8. Password Reset and Email Delivery

If you request a password reset, we send an email containing a password reset link.

We use Resend for transactional email delivery, including password reset emails and invitation emails.

We may use Brevo to manage the invitation waitlist and double opt-in subscription confirmation before access is granted.

Provider:

Resend
Resend, Inc.
2261 Market Street #5039
San Francisco, CA 94114
United States

Waitlist provider:

Brevo
Sendinblue GmbH
Köpenicker Straße 126
10179 Berlin
Germany

For these purposes, your email address, email subject, technical delivery data, email content, invitation request status, and subscription confirmation status may be processed.

9. Contact and Support Messages

If you contact us through a contact form, support form, or by email, we process the information you provide in order to receive, review, and respond to your request.

This may include your name, email address, message content, date and time of the message, and related technical or account information where needed to handle your request.

Contact and support messages may be reviewed by the app administrator for support, troubleshooting, security, documentation, and follow-up purposes.

The legal basis is Art. 6(1)(b) GDPR where the request relates to your user account or use of the app, and Art. 6(1)(f) GDPR where processing is necessary for support, documentation, troubleshooting, security, or legitimate communication handling.

Contact and support messages are stored only as long as necessary to handle the request, document the communication, resolve follow-up questions, or protect legitimate interests.

10. Hosting and Technical Operation

The app is hosted on Heroku.

Provider:

Heroku
Salesforce, Inc.
Salesforce Tower
415 Mission Street, 3rd Floor
San Francisco, CA 94105
United States

When you access the app, Heroku may process technical data required to deliver, operate, and secure the app.

The app database is also operated through Heroku or Heroku-managed infrastructure, where applicable.

11. Content Delivery Network and Frontend Resources

The app uses jsDelivr to load technical frontend resources required for the display and functionality of the user interface.

When you access the app, your browser may connect to jsDelivr servers. For this purpose, technical data such as your IP address, browser information, requested file, referrer URL, and date and time of access may be processed.

This processing is necessary to deliver the app interface reliably and securely. The legal basis is Art. 6(1)(f) GDPR, our legitimate interest in providing a secure, stable, and functional app.

Provider:

Prospect One
Królewska 65A/1
30-081 Kraków
Poland

12. Cookies, Sessions, and Local Storage

The app uses technically necessary cookies and browser storage technologies to operate the app and remember your choices.

Technically necessary cookies

The app uses technically necessary cookies or similar technologies to:

  • keep you signed in
  • manage secure sessions
  • provide security features
  • protect forms and requests

Local storage

The app uses local storage in your browser to remember technical preferences and interface choices.

This may include:

  • your cookie or analytics consent choice
  • whether certain interface sections, such as exercise details, are expanded or collapsed

Local storage remains on your device until it is deleted by you, your browser, or the app. You can delete local storage through your browser settings.

Analytics cookies

We may use Google Analytics to understand how the app is used and to improve the service. Google Analytics is provided by Google Ireland Limited. Google Analytics is optional and is only loaded after you give consent.

If you give consent, your browser may connect to Google servers, including through googletagmanager.com or google-analytics.com, to load analytics scripts and process usage data.

You can reject analytics cookies. You can also change or withdraw your choice later through Cookie settings.

We do not use marketing or tracking cookies unless this is clearly stated in this Privacy Policy and consent has been obtained where legally required.

Analytics provider:

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland

13. Server Logs and Security

When you access the app, server log data may be processed, including:

  • IP address
  • date and time
  • requested URL
  • browser and device information
  • technical error data

This data is processed to operate the app securely, analyze errors, and prevent misuse.

Server logs are stored only as long as necessary for security, troubleshooting, and operation.

14. Recipients and Processors

Personal data is not sold.

Data may be shared with service providers necessary to operate the app, including:

  • Heroku, for hosting, database, and technical infrastructure
  • Resend, for transactional email delivery
  • Brevo / Sendinblue GmbH, for invitation waitlist management and double opt-in subscription confirmation
  • jsDelivr / Prospect One, for delivery of technical frontend resources
  • Google Ireland Limited, for analytics, if you consent to analytics cookies
  • error monitoring or logging providers, if used

These providers process data only as required to provide their services.

15. Transfers Outside the EU/EEA

Some service providers may process personal data outside the European Union or European Economic Area. Heroku and Resend are providers based in the United States. Brevo / Sendinblue GmbH is based in Germany and may use subprocessors or infrastructure outside the EU/EEA where legally permitted. If you consent to analytics, Google Analytics may involve processing by Google Ireland Limited and Google LLC, including possible processing in the United States. jsDelivr / Prospect One is based in Poland but may use globally distributed CDN infrastructure.

Such transfers take place only where an appropriate legal basis exists, such as:

  • an adequacy decision by the European Commission
  • Standard Contractual Clauses
  • additional contractual and technical safeguards
  • another legally permitted basis

16. Storage Period

Personal data is stored only as long as necessary for the purposes described in this Privacy Policy.

Account, fitness, body, training, and nutrition data is generally stored as long as your user account exists.

Invitation requests and invitation records are stored only as long as necessary to manage access, document subscription confirmation, prevent abuse, and protect legitimate interests.

Contact and support messages are generally stored for as long as necessary to handle the request, document the communication, resolve follow-up questions, or protect legitimate interests. They may be deleted earlier if they are no longer needed.

After account deletion, personal product data is deleted or anonymized unless legal obligations or legitimate reasons require further storage.

Technical logs are stored only for a limited period where necessary for security, troubleshooting, or operation.

Backups are retained for a limited period, typically 7-30 days. Deleted data may remain in encrypted backups until backup rotation. Backups are not used for normal product processing.

17. Account Deletion

You can request deletion of your account.

After your request, your account is scheduled for deletion. Final deletion takes place after a 30-day waiting period, unless you cancel the deletion request before that period ends.

During the pending deletion period, normal access to the app may be restricted.

After the waiting period, personal product data is deleted or anonymized, including:

  • body data
  • weight entries
  • training data
  • activity data
  • running data
  • step counts
  • nutrition entries
  • goals

A minimal deletion record may be retained, such as the time of request, time of deletion, and a reduced technical reference, where this is necessary for documentation, security, or legal defense.

18. Data Export

You may request or download a copy of your stored data where this feature is provided.

The export may include:

  • profile data
  • body data
  • weight entries
  • training data
  • activity data
  • step counts
  • nutrition entries
  • goals

19. Your Rights

Under the GDPR, you may have the following rights:

  • right of access to your personal data
  • right to rectification of incorrect data
  • right to erasure of personal data
  • right to restriction of processing
  • right to data portability
  • right to object to certain processing
  • right to withdraw consent with effect for the future
  • right to lodge a complaint with a data protection supervisory authority

To exercise your rights, contact:

cristian.cristea.dev@gmail.com

20. Withdrawal of Consent

Where processing is based on consent, you may withdraw your consent at any time with effect for the future.

If you withdraw consent for body, fitness, activity, health-related, or nutrition data, tracking features may no longer be available. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

21. Required Data

Some data is required to use an account, especially your email address and password.

Other data, such as weight, nutrition, training, goals, or body data, is voluntary. Without this data, some features may not work or may be limited.

22. Automated Decision-Making

There is no automated decision-making within the meaning of Art. 22 GDPR.

The app may show simple calculations and summaries based on the data you enter, such as calories, training volume, progress, or trends. These are provided for personal information only.

23. Changes to This Privacy Policy

This Privacy Policy may be updated if app features, service providers, or legal requirements change.

The current version is available in the app or on the website.