Privacy Policy

FightLog App — GDPR-Compliant

At a Glance

1. Data Controller

Nick Kuhlmey
c/o flexdienst – #20769
Kurt-Schumacher-Straße 76
67663 Kaiserslautern
Germany
Email: nk.mindset@gmail.com

2. What Data We Collect

2.1 Account data (email login)

When you sign up with an email address, we store your email and a hashed password. Password hashing is performed by Supabase Auth using bcrypt (industry standard). We never see your password in plain text.

2.2 Sign in with Apple, Google or Twitch (OAuth)

You can sign in via Apple, Google or Twitch. The respective provider sends FightLog a unique user ID and — depending on the provider — your email address and display name. We only store these items, no tokens or other profile data.

With "Sign in with Apple", you can choose to hide your email — in that case we receive an anonymized relay address from Apple. See each provider's privacy policy: Apple, Google, Twitch.

2.3 Profile data

You can optionally add a display name and a profile picture. Profile pictures are stored in Supabase Storage in the EU West (Ireland) region. Both can be changed or removed at any time from the app's settings.

2.4 Content data (sessions, matches, notes)

Every training and match input you make in the app — including sessions, match and set results, characters, opponent tags and notes — is stored in your account and is only visible to you.

2.5 Purchase and subscription data

Purchases and subscriptions are processed by RevenueCat. RevenueCat receives a pseudonymous user ID from Apple to sync your purchase status across devices. We never see credit card or payment data — this is handled exclusively by Apple.

2.6 Training reminders (notifications)

The training reminders are strictly local notifications. They are scheduled on your device by the operating system. We do not operate a push server and do not send marketing pushes. No push tokens are transmitted to our servers.

2.7 What we do not collect

FightLog contains no advertising, no analytics SDKs (no Firebase, no Mixpanel, no PostHog, no TikTok or Meta SDK), no personal-data crash reporters, and no tracking pixels. We do not collect device fingerprints, advertising IDs (IDFA / AAID), location data or contact lists.

3. Purpose & Legal Basis

Account, profile and content data are processed solely to provide the app's functionality (Art. 6(1)(b) GDPR — performance of a contract). Without this data the app cannot operate. Purchase data is processed to complete your purchase and to unlock paid features (same legal basis).

4. Processors & Third Parties

Supabase (account, content, profile images)

Your data is stored at Supabase. The database server runs in the EU West (Ireland) region and is therefore subject to European data protection law. No transfer to third countries takes place in regular operation. Supabase acts as a processor within the meaning of Art. 28 GDPR. More info: supabase.com/privacy.

RevenueCat (in-app purchases)

Purchases are technically processed by RevenueCat, Inc. (USA). RevenueCat receives a pseudonymous user ID and purchase metadata (product, timestamp, status), no real names and no payment data. Transfer to the USA is based on the EU Standard Contractual Clauses (Art. 46 GDPR). More info: revenuecat.com/privacy.

OAuth providers (Apple, Google, Twitch)

When you sign in through an OAuth provider, that provider handles the sign-in itself and then forwards only the information described in 2.2 to us. The providers are independent data controllers for the sign-in process.

5. Data Retention

Your data is stored as long as your account is active. After you delete your account, all personal data is permanently deleted within 30 days. You can request deletion at any time in the app or by email to nk.mindset@gmail.com.

6. Your Rights

You have the following rights toward the data controller:

Direct any request to nk.mindset@gmail.com. You also have the right to lodge a complaint with a data protection supervisory authority.

7. Changes to This Policy

We may update this Privacy Policy when the app, integrated services or legal requirements change. We will announce material changes. See the date below for the current version.

Last updated: June 8, 2026