Available on iOSEffective Date: April 5, 2026
We Fast Together ("WFT", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (collectively, the "Service").
I. DATA CONTROLLER
For the purposes of applicable data protection laws (including the GDPR), the data controller is:
We Fast Together
Email: privacy@wefasttogether.com
For privacy inquiries, data access requests, or to exercise your rights under GDPR or CCPA, contact us at the email above.
II. INFORMATION WE COLLECT
A. Information You Provide Directly
- Account Data: Name, email address, display name, and authentication credentials.
- Fasting Data: Fasting schedules, goals, start/end times, and completion status.
- Community Data: Chat messages, reactions, team participation, and reports you submit.
- Feedback: Bug reports, feature requests, and support messages.
- Settings & Preferences: Timezone, notification preferences, fasting preferences, and display settings.
B. Health Data (Optional, via Apple HealthKit)
With your explicit permission, we may read and/or write:
- Step Count
- Active Energy Burned (Calories)
- Active Minutes (Exercise Time)
- Dietary Water
- Body Weight
HealthKit access is optional. You can revoke it at any time in your device Settings > Health > Data Access.
C. Information Collected Automatically
- Device Data: Device model, operating system version, and app version.
- Usage Data: Feature interactions, session duration, and crash reports.
We do NOT collect: precise location, contacts, photos, microphone/camera data, browsing history, or advertising identifiers.
III. HOW WE USE YOUR INFORMATION
| Purpose | Data Used | GDPR Lawful Basis |
|---|---|---|
| Provide fasting tracking | Account, Fasting | Contract performance |
| Community features (chat, teams) | Account, Community | Contract performance |
| Display health metrics | HealthKit data | Explicit consent |
| Account authentication | Account | Contract performance |
| Safety & moderation | Community, Account | Legitimate interest |
| Service improvements | Usage, Device | Legitimate interest |
| Subscription management | Account | Contract performance |
| Support & communication | Account, Feedback | Contract / Legitimate interest |
We do NOT use your Health Data for advertising, marketing, or data mining. Health data is used solely to provide app features you have opted into.
IV. CATEGORIES OF PERSONAL INFORMATION (CCPA)
Under the California Consumer Privacy Act (CCPA/CPRA), we disclose the following categories of personal information collected in the preceding 12 months:
| Category | Examples | Sold? | Shared for Ads? |
|---|---|---|---|
| Identifiers | Name, email, user ID | No | No |
| Internet activity | App usage, feature interactions | No | No |
| Biometric / Health | Weight, steps, calories (via HealthKit) | No | No |
| Sensory data | None collected | N/A | N/A |
| Geolocation | Timezone only (no GPS) | No | No |
| Professional info | None collected | N/A | N/A |
| Inferences | Fasting streaks, completion rates | No | No |
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
V. DISCLOSURE OF INFORMATION
We do not sell your personal data. We may share information with:
- Service Providers: Trusted third parties who assist in operating our app, bound by data processing agreements.
- Legal Requirements: When required by law, court order, or government request.
- Business Transfers: In the event of a merger, acquisition, or asset sale.
- Safety: To protect the rights, property, or safety of WFT, our users, or the public.
Data Processors / Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database, authentication, realtime | United States |
| Apple (App Store / StoreKit) | Subscription billing, HealthKit | United States |
| Vercel | Website hosting | United States |
VI. DATA RETENTION
We retain your data only as long as necessary for the purposes described in this policy:
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| Fasting history | Until account deletion |
| Chat messages | Deleted when the associated fast event is removed during routine cleanup |
| Health data (HealthKit) | Stored on device only; synced metrics until account deletion |
| Water & activity logs | Until account deletion |
| Crash reports & analytics | 90 days |
| Support/feedback messages | 1 year after resolution |
| Deleted account data | Purged within 30 days of deletion request |
VII. COOKIES & TRACKING
Mobile App: The WFT iOS app does not use cookies or third-party tracking SDKs. We do not participate in ad networks or cross-app tracking. Our app's NSPrivacyTracking is set to false.
Website: Our website (wefasttogether.com) may use essential cookies for functionality. We do not use advertising cookies or third-party trackers on our website.
Do Not Track / Global Privacy Control: We honor GPC (Global Privacy Control) and DNT (Do Not Track) signals. When detected, we disable any non-essential data collection.
VIII. YOUR RIGHTS
A. All Users
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Delete your account and all associated data directly in the app (Settings > Data Management).
- Export: Export your data through the app (Settings > Export All Health Data).
- Opt-out: Revoke HealthKit permissions at any time in device Settings.
B. European Economic Area (GDPR, Art. 15-22)
If you are in the EEA, you additionally have the right to:
- Data portability (receive your data in a structured, machine-readable format)
- Restrict processing
- Object to processing based on legitimate interest
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with your local data protection authority
C. California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information is collected and how it is used
- Delete personal information collected from you
- Opt-out of the sale or sharing of personal information (we do not sell or share)
- Non-discrimination for exercising your privacy rights
- Correct inaccurate personal information
- Limit use and disclosure of sensitive personal information
To exercise any of these rights, contact privacy@wefasttogether.com. We will respond within 45 days (CCPA) or 30 days (GDPR).
D. Nevada Residents
Nevada residents may opt out of the sale of personal information. We do not sell personal information, but you may submit a request to privacy@wefasttogether.com.
IX. INTERNATIONAL DATA TRANSFERS
Your information is processed and stored in the United States. If you are located outside the United States, your data is transferred internationally. We rely on:
- Standard Contractual Clauses (SCCs): As adopted by the European Commission for transfers from the EEA.
- Data Processing Agreements: With all sub-processors listed in Section V.
By using the Service, you consent to the transfer of your information to the United States and other countries that may have different data protection laws than your jurisdiction.
X. CHILDREN'S PRIVACY
The Service is rated 18+ on the App Store and is primarily intended for adults. Users under 18 may only use the Service with verifiable parental or legal guardian consent. We do not knowingly collect personal information from children under 13 (COPPA) or under 16 in the EEA (GDPR) without parental consent. If we learn that we have collected information from a child without appropriate consent, we will promptly delete it.
If you believe a child has provided us with personal information without proper consent, please contact us at privacy@wefasttogether.com.
XI. DATA SECURITY
We implement commercially reasonable technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Row-Level Security (RLS) policies ensuring users can only access their own data
- Authentication via Supabase Auth with secure session management
- Regular security audits of database policies and functions
No system is 100% secure. We cannot guarantee absolute security but will notify affected users and relevant authorities within 72 hours of discovering a data breach, as required by GDPR Article 33.
XII. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Effective Date" at the top and, where practicable, providing notice through the Service. Your continued use after changes constitutes acceptance of the revised policy.
XIII. CONTACT US
If you have questions about this Privacy Policy or wish to exercise your privacy rights:
- Privacy inquiries: privacy@wefasttogether.com
- General support: support@wefasttogether.com