Privacy & Cookies Policy
Effective date: September 2025
This Privacy & Cookies Policy explains how Mixed Fitness Arts LTD (“MFA”, “we”, “us”) collects, uses, shares, and protects personal data when you use our website at www.mfa.com (including subdomains) and our mobile/tablet applications and related services (together, the Services). It also explains your rights under EU/EEA/UK data protection laws, including the General Data Protection Regulation (GDPR) and applicable ePrivacy rules.
By using the Services, you acknowledge that you have read this Policy.
1. Privacy act
If you reside in the UK or Switzerland, this Policy applies equally and references to the GDPR should be read as the UK GDPR or Swiss FADP as applicable.
2. What data we collect
2.1 Data you provide to us
- Account data: name, email address, age confirmation (18+).
- Profile data (optional): avatar, training preferences, goals.
- User content: comments, posts, messages, workout logs you enter.
- Support data: information you provide when contacting support.
- Consents: cookie and marketing preferences, records of consent/withdrawal.
2.2 Data we collect automatically
- Usage data: activity within the app/website (e.g., screens viewed, features used, session duration).
- Device & technical data: IP address, device identifiers, OS and app version, language, time zone, crash reports, diagnostic logs.
- Cookie/SDK data: identifiers placed by cookies on the website and Software Development Kits (SDKs) in the apps (see Section 7).
2.3 Data from third parties (where you choose to connect)
- Single sign-on (SSO): if you use an identity provider (e.g., Apple/Google sign-in), we receive basic profile information as authorized by you.
- Health/fitness integrations (optional): if you choose to connect a platform (e.g., Apple Health/Google Fit), we process only the categories you explicitly allow. You can disconnect at any time in the integration settings.
- App stores: limited transaction/installation metadata provided by app stores (no payments are collected by MFA at this time).
Special categories of data. We do not require or intentionally collect special categories of data (e.g., health data revealing medical conditions). If you choose to enter information that could reveal such data (e.g., injuries in a notes field), you do so voluntarily and may delete it at any time.
3. Purposes and legal bases (Art. 6 GDPR)
We process personal data only when we have a legal basis.
Provide and operate the Services (create accounts, deliver workouts, recipes, playlists, community features, maintain security and performance).
- Legal basis: performance of a contract (Art. 6(1)(b)) and/or our legitimate interests in operating the Services (Art. 6(1)(f)).
Communicate with you (service messages, security alerts, responses to support).
- Legal basis: performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).
Personalization (remember preferences, recommended content).
- Legal basis: legitimate interests (Art. 6(1)(f)); where based on cookies/SDKs not strictly necessary, consent (Art. 6(1)(a)).
Analytics (measure usage, improve features, prevent abuse).
- Legal basis: legitimate interests (Art. 6(1)(f)); where ePrivacy requires consent for analytics cookies/SDKs, consent (Art. 6(1)(a)).
Marketing (only if you opt in): newsletters or notifications about new content/features.
- Legal basis: consent (Art. 6(1)(a)). You may withdraw consent at any time.
Compliance and enforcement (comply with legal obligations, enforce Terms, defend legal claims).
- Legal basis: legal obligations (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).
4. Cookies and similar technologies (ePrivacy)
We use cookies (small text files placed on your browser) and similar technologies (such as local storage, pixels, and SDKs in the apps) to:
- enable essential functionality (e.g., secure login, load balancing),
- remember preferences (e.g., language),
- perform audience measurement and diagnostics, and
- where permitted, deliver or measure marketing.
4.1 Types of cookies
- Strictly necessary (essential): required for the site to function. These do not require consent.
- Preferences (functional): remember your choices (e.g., language).
- Analytics (performance): help us understand how the Services are used.
- Marketing: used to deliver or measure advertising (we currently do not serve behavioral ads).
4.2 Managing consent
On first visit, you will see a cookie banner with options to Accept all, Reject non-essential, or Manage settings. You can change your choices at any time via Cookie Settings in the footer/app settings.
4.3 Cookie/SDK list (illustrative)
The specific cookies/SDKs we use may change. Below is an illustrative schema.
Category | Provider | Purpose | Data collected | Retention |
---|---|---|---|---|
Essential | MFA (first-party) | Session management, security | Session ID, auth state | Session |
Preferences | MFA (first-party) | Language, cookie choices | Preference values | 6–12 months |
Analytics | [Analytics Vendor] | Usage metrics, diagnostics | Pseudonymous IDs, events, pages | 1–24 months |
Crash reporting (SDK) | [Crash Vendor] | Stability, bug fixes | Device info, crash logs | 3–24 months |
Marketing (if used) | [Email Vendor] | Campaign measurement | Email opens/clicks | 12–24 months |
5. Who we share data with (recipients)
We share personal data only as necessary with:
- Service providers (processors): hosting, analytics, crash reporting, email/SMS delivery, customer support tools, consent management platforms. We require processors to protect data and act only on our instructions.
- Integration partners (you choose): health/fitness platforms or identity providers you connect.
- Authorities or legal parties: where required by law or to protect rights, safety, or security.
- Corporate transactions: in the event of a merger, acquisition, or sale of assets, subject to appropriate safeguards.
We do not sell personal data.
6. International transfers
If we transfer personal data outside the EEA/UK/Switzerland, we will ensure appropriate safeguards, such as EU Standard Contractual Clauses (SCCs), and where applicable the UK International Data Transfer Addendum. You can request a copy of relevant safeguards by contacting us at [email protected].
7. Data retention
We retain personal data only for as long as necessary for the purposes described above, including to comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods:
- Account data: for the life of the account and up to 24 months after closure (unless legal obligations require longer).
- Usage/analytics data: 6–24 months (pseudonymized or aggregated where possible).
- Support tickets: up to 36 months.
- Cookie/SDK identifiers: per Section 4.3 or until you clear/reset them or withdraw consent.
We may retain anonymized/aggregated information indefinitely.
8. Your rights (EEA/UK/Swiss)
Subject to law, you have the right to:
Access your personal data and obtain a copy (Art. 15).
Rectify inaccurate data (Art. 16).
Erase data in certain circumstances (Art. 17).
Restrict processing (Art. 18).
Portability: receive data you provided in a structured, commonly used, machine‑readable format and transmit it to another controller (Art. 20).
Object to processing based on legitimate interests and to direct marketing (Art. 21).
Withdraw consent at any time where processing is based on consent (Art. 7(3)).
Complain to a supervisory authority (see Section 10).
To exercise your rights, email [email protected]. We may need to verify your identity. We aim to respond within one month (extendable in complex cases as permitted by law).
9. Children
The Services are intended for individuals 18+. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will take appropriate steps to delete such data.
10. Complaints
If you have concerns, email [email protected]. You also have the right to lodge a complaint with your local data protection authority.
11. Security
We implement technical and organizational measures to protect personal data, including encryption in transit, access controls, secure development practices, and staff training. No system is perfectly secure; you are responsible for keeping your credentials confidential and updating your devices and apps.
12. Automated decision-making
We do not engage in automated decision‑making, including profiling, that produces legal or similarly significant effects on you. If this changes, we will inform you and provide the required information and safeguards.
13. Do Not Track and signals
Some browsers offer “Do Not Track” (DNT) or similar signals. Our Services currently do not respond to such signals. Where legally required, we honor choices made through our consent banner and your Cookie Settings.
14. Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a new Effective date, and provide additional notice where required by law. Your continued use of the Services after the update becomes effective signifies your acceptance of the changes.
15. Contact us
Mixed Fitness Arts LTD
Registered address: Nicosia 2062, Cyprus
Company/trade register no.: HE 471013
Contact: [email protected]