Privacy Policy | StateByStep

1. Data Controller

The data controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Provimedia GmbH
Weidenweg 12
74321 Bietigheim-Bissingen
Germany

Managing Director: Alexander Weipprecht
Email: info@provimedia.de
Phone: +49 (0)7142-3442727

2. Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing:

Types of Data Processed

Master data (e.g., names, addresses)
Contact data (e.g., email, phone numbers)
Content data (e.g., text entries, photographs)
Usage data (e.g., pages visited, access times)
Meta/communication data (e.g., IP addresses)
Health-related data (fitness tracking, body measurements)

Categories of Data Subjects

Users (e.g., website visitors, users of online services)

Purposes of Processing

Provision of the app and its features
Responding to contact inquiries
Security measures
Administration and response to inquiries

3. Legal Basis

Below is an overview of the legal bases of the GDPR on which we process personal data:

Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
Contract Performance (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party.
Legitimate Interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller.

Special Category: Health Data
Fitness and health data (weight, body measurements, workouts, meals) are processed exclusively based on your explicit consent (Art. 9(2)(a) GDPR), which you provide during registration.

4. Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements and the state of the art to ensure a level of security appropriate to the risk:

SSL/TLS encryption for all data transmissions
Secure password storage with bcrypt hashing
Optional two-factor authentication (2FA)
Regular security updates
Server location in Germany (EU)
Access restrictions and logging

5. Your Rights

As a data subject, you have various rights under the GDPR:

Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether personal data concerning you is being processed and access to this data.

Right to Rectification (Art. 16 GDPR)

You have the right to request the completion or correction of inaccurate personal data concerning you.

Right to Erasure (Art. 17 GDPR)

You have the right to request that personal data concerning you be deleted without undue delay. In the app: Settings → Danger Zone → Delete Account

Right to Restriction (Art. 18 GDPR)

You have the right to request restriction of processing of your data.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used and machine-readable format.

Right to Object (Art. 21 GDPR)

You have the right to object at any time to the processing on grounds relating to your particular situation.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority.

6. Cookies

We use exclusively technically necessary cookies that are essential for the operation of the website:

Cookie Name	Purpose	Duration
`linkedfit_session`	Session management, login status	7 days

We do not use:

Tracking cookies
Advertising cookies
Third-party analytics cookies
Social media tracking pixels

7. Registration and Account

When registering an account, we collect the following data:

Email address - For account management and notifications
Username - Publicly visible identifier
Password - Stored encrypted (bcrypt)
Display name (optional) - Publicly visible
Language setting - For localized content
Registration date - For account management

Legal basis: Contract performance (Art. 6(1)(b) GDPR)

Storage duration: Until account deletion by the user

8. Fitness and Health Data

As a fitness app, we process special categories of personal data (health data according to Art. 9 GDPR):

Body data: Weight, height, body measurements
Workouts: Type, duration, intensity
Nutrition data: Meals, calories, macronutrients
Progress photos: Body images for documentation
Goals: Fitness and weight goals

Legal basis: Explicit consent (Art. 9(2)(a) GDPR), granted during registration by accepting the privacy policy.

Withdrawal: You can withdraw your consent at any time by deleting your account (Settings → Danger Zone). Processing until then remains lawful.

9. Uploads and Media

When you upload images (profile picture, meal photos, progress photos):

Images are stored on our servers in Germany
EXIF data (location, camera information) is automatically removed during upload
Images are public or private depending on privacy settings

Storage duration: Until manual deletion by the user or account deletion

10. Hosting

We host our website with the following provider:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

The host automatically collects information in server log files that your browser transmits:

IP address
Browser type and version
Operating system used
Referrer URL
Time of server request

This data is not merged with other data sources.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) - Website provision and security

Log file storage duration: 7 days

11. Third-Party Services

OpenAI (AI Nutrition Analysis)

For the optional AI-based nutritional analysis of meal photos, we use the OpenAI API. The following data is transmitted to OpenAI (USA):

The uploaded photo of the meal
No personal data (no account, no name)

Legal basis: Consent (Art. 6(1)(a) GDPR) - Use of AI analysis is completely optional.

OpenAI Privacy: https://openai.com/privacy

Note: You can also record meals manually without AI analysis.

Tailwind CSS (CDN)

We load the CSS framework Tailwind from a Content Delivery Network (CDN). Your IP address is transmitted to the CDN provider.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) - Performance optimization

12. Data Deletion

Data processed by us is deleted as soon as it is no longer necessary for its purpose and there are no legal retention obligations.

Account deletion: Via Settings → Danger Zone you can delete your account and all associated data yourself. Deletion is irrevocable within 30 days.

Individual content: Workouts, meals, photos and other content can be deleted individually at any time.

13. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to our services. The new privacy policy will then apply to your next visit.

Last updated: 2026-03-01