The controller within the meaning of the GDPR is:
Fastic GmbH, Pappelallee 78/79, 10437 Berlin, Germany
Email: datenschutz@fastic.com
Data protection postal address: Fastic GmbH, The Data Protection Officer, Pappelallee 78/79, 10437 Berlin
Mandatory information pursuant to § 5 DDG (Legal Notice) is permanently accessible in the Fastic App under "Settings → Legal" and on www.fastic.com under /impressum.
Data Protection Officer:
ePrivacy GmbH, Burchardstraße 14, 20095 Hamburg, represented by Prof. Dr. Christoph Bauer and Stefanie Bauer
For questions about the processing of personal data, requests for access, rectification, erasure or withdrawal of consent, please contact us at any time by email at datenschutz@fastic.com or by post at the address above.
This Privacy Policy applies to the following services of Fastic GmbH:
Where a particular processing activity applies exclusively to one of these services, this is indicated in the respective section.
A separate privacy policy applies to the online prevention course at kurs.fastic.com, which is available on that website.
When you access our websites www.fastic.com and web.fastic.com or use the Fastic App, the following access data is collected automatically:
Purpose: Ensuring operation, error analysis, defence against attacks. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure and functioning service). In the event of security-relevant incidents, analysis involving personal identification may take place. Retention period: Log files are generally deleted automatically within up to 30 days, unless security-relevant events require longer retention.
Creator enquiries (www.fastic.com/de/creator): name, email, creator platform, username, reach, message. The data is transmitted to our own backend (Firebase Cloud Functions, region europe-west1) and used to process your enquiry. Legal basis: Art. 6(1)(f) GDPR.
Email enquiries: Data for answering your enquiry, if applicable linked to your customer account. Legal basis: Art. 6(1)(f) GDPR; for contractual enquiries Art. 6(1)(b) GDPR. We use Google Workspace and Freshdesk (customer support system) to handle enquiries.
The Fastic App and our websites are operated primarily on cloud infrastructure in the European Union. The following providers are used:
Where data is transferred to the USA, this is done on the basis of the EU Standard Contractual Clauses and, where necessary, supplementary technical measures (encryption). Legal basis: Art. 6(1)(f) GDPR and, for contractual services, Art. 6(1)(b) GDPR.
When you first launch the Fastic App, you complete an onboarding questionnaire. This is used to:
Data collected includes, among other things:
Legal basis:
After completing the questionnaire, an anonymous customer profile is created so that you can immediately use the free basic features. This profile contains only the information you provided during onboarding and a technical device identifier; it is not possible to identify you personally from this. You can discard the anonymous profile at any time by uninstalling the app.
You can permanently register the automatically created profile in the following ways. In all cases we process the data for the provision of the user agreement (Art. 6(1)(b) GDPR).
a) Registration by email
You receive a confirmation email with a magic link (Firebase Auth signInWithEmailLink). After clicking the link, an authentication token is stored server-side; no password is required.
Data processed: email address, token metadata, timestamp.
b) Registration via Google login
You sign in with your existing Google account. Google transmits to us:
c) Registration via Apple Sign In
You sign in with your Apple ID. Apple transmits to us:
d) Registration via Facebook login
You sign in with your Facebook account. Meta transmits to us:
e) Registration via phone number
You enter your phone number and receive a one-time PIN (OTP) by SMS via Firebase Authentication. Data processed: phone number, SMS delivery metadata, verification timestamp.
For all login methods, data is stored in the EU Firebase Authentication instance.
During use we store:
Legal basis: Art. 6(1)(b) GDPR for performance of the user agreement (free and paid features) and Art. 6(1)(f) GDPR for improving usability. For the processing of your meal photos and voice recordings, see Section V (AI features).
During an active fasting phase, we can display the remaining progress on your lock screen (iOS Live Activities, Android notifications). This display is active by default only when you have started a fasting phase and can be disabled in the device settings. Legal basis: Art. 6(1)(b) GDPR.
The Fastic App can, at your express request, import health and fitness data from external platforms and write data back to them. A connection is only established after your express consent (Art. 9(2)(a) GDPR) and the relevant system permission.
All health and fitness data is processed via the Vital service (Tryvital, Inc., USA; EU data residency active) as a unified integration layer. Vital acts as our data processor (DPA concluded, Standard Contractual Clauses for USA transfer). The following sources can be connected via Vital:
Sleep, weight, step, hydration, calorie expenditure and workout data.
Legal basis: express consent pursuant to Art. 9(2)(a) GDPR. You can disconnect at any time in the app settings or in the respective source system. Disconnection only takes effect for the future.
The website web.fastic.com serves as an independent onboarding and subscription platform. Users typically arrive at web.fastic.com directly via online marketing and complete a full onboarding process through to subscription – independently of the app. Downloading the Fastic App is only recommended after purchase.
The onboarding questionnaire on web.fastic.com is equivalent in content to the app questionnaire described in Section III.1. The same categories of data are collected – including special categories of personal data under Art. 9 GDPR (conditions, allergies, intolerances, pregnancy) – and the same legal bases apply as described there. You can withdraw your consent on web.fastic.com by deleting the relevant information in your profile or by deleting your account.
The data collected in the questionnaire is stored continuously – i.e. already while you are filling it in – in Firebase (Firestore, region europe-west1) under an anonymous user ID. This anonymous user ID is stored in local browser storage (IndexedDB) and persists after the browser is closed until you actively delete the browser storage. After registration, the questionnaire answers are linked to the permanent customer account. Without registration, the profile remains anonymous and contains only the questionnaire answers and the technical user ID. You can remove it at any time by clearing the browser data for web.fastic.com. Anonymous profiles that are not converted into a registered customer account within 30 days are deleted automatically.
Login on web.fastic.com takes place exclusively via a magic link sent by email (Firebase Authentication signInWithEmailLink) or via a one-time code (Custom Token). Data processed: email address, authentication token, timestamp.
Legal basis: Art. 6(1)(b) GDPR.
Subscriptions can be purchased and existing subscriptions managed (renewal, cancellation, dunning) on web.fastic.com. The data processed and payment service providers used correspond to Section VI. In addition, Statsig (see Section VIII.2) is used for dynamic selection of the Stripe account.
In the logged-in area of web.fastic.com (Profile → Settings) you can manage your consent to email and SMS marketing and unsubscribe from SMS notifications. Data processed: email address or phone number, selected preference, timestamp of change. Legal basis: Art. 6(1)(c) GDPR in conjunction with § 7 UWG (obligation to document opt-outs).
The Fastic App offers AI-powered features such as automatic recognition of meals from photos, voice recordings and text entries. For this purpose we transmit input data to external AI providers acting as our data processors:
Data transmitted depending on the feature: meal photo, voice recording or its transcript (speech recognition runs on device), meal description, ingredients, contextual information from your profile (e.g. age, gender, weight, goal) to improve recognition.
Legal basis: Art. 6(1)(b) GDPR (provision of the purchased feature) and your consent pursuant to Art. 6(1)(a) GDPR. Where health context is transmitted, processing is based on Art. 9(2)(a) GDPR.
For the purchase of a paid subscription we process, depending on the payment method:
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Depending on your chosen payment method, your payment data is transmitted directly to the payment service provider or app store:
Apple and Google receipts are sent for verification to the Apple App Store Server API and Google Play Developer API respectively.
For prevention courses eligible for funding under § 20 SGB V, we offer the option of submitting a reimbursement claim to your statutory health insurer. For this purpose we process:
Legal basis: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (statutory retention obligations) and Art. 6(1)(f) GDPR (enforcement of claims).
Cookies are small text files stored on your device when you visit a website or use an app. Similar technologies such as Local Storage, Session Storage and IndexedDB serve comparable functions. We use these technologies for the following purposes:
You can delete cookies and local storage data at any time in your browser settings. Please note that deleting technically necessary cookies may impair the functionality of our services.
Before we carry out the consent-requiring processing activities described in this Section VIII, we obtain your consent via our consent and preference centres.
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG (storage of or access to information on end devices).
The specific implementation differs depending on the service:
In the Fastic App we use the Google User Messaging Platform (UMP) by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. This is part of our advertising stack (google_mobile_ads SDK) and complies with the IAB Europe Transparency & Consent Framework (TCF) Version 2.2.
The TCF is an industry-wide standard of the Interactive Advertising Bureau (IAB) Europe by which advertising and analytics service providers uniformly declare their processing purposes and legal bases. The list of participating providers is known as the Global Vendor List (GVL), which is maintained and regularly updated by IAB Europe.
When you first use our app in a country of the European Economic Area or the United Kingdom, or when the GVL has been updated, the consent banner is displayed automatically. There you can decide individually for each processing purpose and each vendor whether you consent.
Your selection is stored in a standardised TCF string on your device and automatically read by all participating providers so that they respect your choice.
The banner displays several hundred providers per processing purpose (as of 2026: approximately 1,000 providers in the GVL in total). This list includes all providers registered with IAB Europe that could theoretically participate in an ad auction via our advertising mediation. The fact that a provider appears on the list does not mean that provider receives data from you. Data transmission only occurs if (1) you have consented and (2) the provider is actually involved in an ad served to you. The directly relevant recipients in practice are the services named individually in Sections VIII.2 to VIII.6.
TCF v2.2 distinguishes the following standardised purposes:
| No. | Purpose | Typical legal basis per provider |
|---|---|---|
| 1 | Store and/or access information on a device | Consent |
| 2 | Use limited data to select advertising | Consent or legitimate interest |
| 3 | Create profiles for personalised advertising | Consent |
| 4 | Use profiles to select personalised advertising | Consent |
| 5 | Create profiles to personalise content | Consent |
| 6 | Use profiles to select personalised content | Consent |
| 7 | Measure advertising performance | Consent or legitimate interest |
| 8 | Measure content performance | Consent or legitimate interest |
| 9 | Apply market research to generate audience insights | Consent or legitimate interest |
| 10 | Develop and improve services | Consent or legitimate interest |
| 11 | Use limited data to select content | Consent or legitimate interest |
Additionally, so-called Special Purposes (security, technical delivery) exist for which no consent is required under the TCF.
You will notice in the banner that providers declare "Legitimate Interest" as a legal basis for certain purposes (Art. 6(1)(f) GDPR). The choice of this legal basis is declared by the respective provider itself in the GVL. You nonetheless have the right at any time to object to processing based on legitimate interest by deactivating the corresponding toggle in the banner.
We do not share your data if you object – regardless of the legal basis the provider has declared.
You can withdraw your consent at any time with effect for the future or adjust your selection by navigating to the following path in the app:
Profile → Settings → Privacy → Data Settings
The lawfulness of processing carried out before withdrawal remains unaffected.
Users with an active Plus subscription do not see the consent banner for advertising purposes, as within the Plus subscription no personalised advertising is served and no advertising profile is created. Mandatory processing for the provision of contracted services (Sections III to VII) is unaffected by this.
We document the time and content of your consent in order to be able to demonstrate it in accordance with our accountability obligation (Art. 7(1) GDPR). The data stored for this purpose is retained for the duration of the consent and for up to three years after withdrawal or last update.
When you first visit www.fastic.com, you receive a notice about the consent-requiring services we use, with the option to accept or reject them in full. If you reject, the consent-requiring services – in particular Google Analytics 4, Meta Pixel and the AppsFlyer Smart App Banner – are not loaded.
Your selection is stored locally in your browser (Local Storage). You can adjust your selection at any time by deleting the locally stored website data in your browser settings; the notice will then appear again on your next visit.
Exception – first-party reach measurement: Independently of your consent, our hosting provider Vercel collects aggregated website visits as part of first-party reach measurement ("Vercel Analytics") without cross-user profiling. This processing is carried out on the basis of our legitimate interest in ensuring and optimising website operation (Art. 6(1)(f) GDPR).
When you first visit web.fastic.com, you receive a notice about the consent-requiring services we use, with the option to accept or reject them in full. If you reject, the consent-requiring services – in particular Google Analytics 4, Meta Pixel, TikTok Pixel and Hotjar – are not loaded.
Your selection is stored locally in your browser (Local Storage). You can adjust your selection at any time by deleting the locally stored website data in your browser settings; the notice will then appear again on your next visit.
For the services named in Sections 2 to 6 below, we obtain your consent where required by law via the mechanisms described in Section VIII.1. Where a service processes data on the basis of your consent and you have not consented, we do not transmit data to that service. The services listed below represent the subset of TCF providers actually actively used by us as well as further services used exclusively for the website.
| Service | Platform | Provider / Location | Data Processed | Retention |
|---|---|---|---|---|
| Firebase Analytics / Google Analytics for Firebase | App | Google Ireland Ltd. (EU); potentially USA via SCC | Pseudonymous user ID, events, screen views, IP (truncated), device info, app version, language, country | up to 14 months |
| Google Analytics 4 | Website (www + web) | Google Ireland Ltd. (EU); potentially USA via SCC | Pseudonymous client ID, page views, session duration, referrer, IP (truncated), device and browser information, approximate geolocation | up to 14 months |
| Firebase Performance | App | Google Ireland Ltd. | Trace data, network latencies, app start times | see Firebase Analytics |
| Firebase Crashlytics | App | Google Ireland Ltd. | Crash stack traces, pseudonymous user ID, device model, OS version, breadcrumbs | 90 days |
| Firebase Remote Config / A/B Testing | App | Google Ireland Ltd. | Experiment buckets, feature flag states | until end of experiment |
| Amplitude | App + Website (web.fastic.com) | Amplitude, Inc. (USA, EU-U.S. Data Privacy Framework; SCC as fallback) | Pseudonymous user ID, events, user properties | up to 24 months |
| Vercel Analytics | Website (www + web) | Vercel Inc. (USA, SCC) | Aggregated page views, approximate geolocation, referrer; no cross-user profiling | up to 30 days |
| Statsig | Website (web.fastic.com) | Statsig, Inc. (USA, SCC) | Pseudonymous user ID, experiment buckets, feature flag states, page views | until end of experiment |
| Sentry | Website (web.fastic.com) | Functional Software, Inc. d/b/a Sentry (USA, SCC) | Error stack traces, pseudonymous session ID, browser and OS version, URL at time of error | 90 days |

| Service | Platform | Provider / Location | Data Processed | Retention |
|---|---|---|---|---|
| UXCam | App | UXCam, Inc. (USA, SCC) | Pseudonymised recording of screen interactions (tap heatmaps, navigation paths). Sensitive fields (passwords, payment data, free notes) are masked before recording. Recordings take place only within the first 12 days after onboarding (data minimisation). | 30 days |
| Hotjar | Website (web.fastic.com) | Hotjar Ltd. (Malta / EU) | Pseudonymised recording of mouse movements, clicks and scroll behaviour (heatmaps, session recordings). Sensitive fields (payment data, passwords) are masked before recording. | 90 days |
| Amplitude Session Replay | Website (web.fastic.com) | Amplitude, Inc. (USA, EU-U.S. Data Privacy Framework; SCC as fallback) | Pseudonymised recording of browser interactions (clicks, scroll behaviour, navigation flow) for onboarding funnel analysis. Sensitive input fields are masked before recording. | 90 days |

| Service | Platform | Provider / Location | Data Processed | Retention |
|---|---|---|---|---|
| AppsFlyer (App SDK) | App | AppsFlyer Ltd. (Israel, adequacy decision) | IDFA (iOS) / GAID (Android) with consent, AppsFlyer ID, install referrer, ad click/conversion events, deep link parameters | up to 24 months |
| AppsFlyer Smart App Banner (Web SDK) | Website | AppsFlyer Ltd. (Israel, adequacy decision) | Pseudonymous web visitor ID, referrer, click parameters (utm_, fbclid, gclid, af_sub), browser and device information; linking with subsequent app install for marketing attribution | up to 24 months |
| Appstack | App | Appstack Inc. (USA, SCC) | Apple Search Ads attribution data, pseudonymous device ID | up to 24 months |
| Apple SKAdNetwork / AdAttributionKit | App | Apple Distribution International Ltd. | Anonymised install postbacks (no direct personal reference) | see Apple |

| Service | Platform | Provider / Location | Data Processed |
|---|---|---|---|
| Meta Pixel | App + Website (all) | Meta Platforms Ireland Ltd. (EU) / Meta Platforms Inc. (USA, SCC) | Tracking ID, IP, device and browser information, events (page view, lead, conversion), email address for certain conversion events; possible linking with existing Meta profile or "shadow profile" |
| MoEngage | App | MoEngage, Inc. (USA, SCC; EU data residency available) | Pseudonymous user ID, email, push token, IDFA status, subscription status, onboarding progress, fasting activity (started/completed), app level, weight goal progress, A/B experiment assignments – for controlling personalised in-app and email communications |
| Google Ads / DoubleClick | App + Website (all) | Google Ireland Ltd. | Conversion tracking, remarketing data |
| TikTok Pixel | Website (web.fastic.com) | TikTok Technology Limited (Ireland) / TikTok Inc. (USA, SCC) | Pseudonymous user ID, IP, device and browser information, events (page view, conversion), possibly hashed email |
| TikTok Embed (embedded videos) | Website (www.fastic.com) | TikTok Technology Limited (Ireland) / TikTok Inc. (USA, SCC) | When embedded TikTok videos load: IP address, device and browser information |
If you do not have an active subscription, ads are served via the following networks. Non-personalised advertising (without the use of device identifiers) is shown on the basis of our legitimate interest (Art. 6(1)(f) GDPR). Personalised advertising – i.e. the use of IDFA (iOS) or advertising ID (Android) for behaviour-based targeting – only takes place if you have given your consent:
AppLovin MAX and Google AdMob conduct a real-time auction ("header bidding") for each ad impression, in which the TCF providers listed in our CMP can participate. Individual providers only participate to the extent that you have consented via the CMP. The direct mediation adapters activated in our configuration typically include: Meta Audience Network, Google Ad Manager, Google Ads, InMobi, ironSource, BidMachine, Fyber, Unity Ads.
Each of these partners processes device identifiers (IDFA/GAID, if consented), IP address, approximate location and ad interactions when an ad is served.
A complete and up-to-date list of advertising partners is available in the CMP ("Data Settings").
On iOS, the App Tracking Transparency (ATT) dialog mandated by Apple is shown to you before ads are served for the first time. If you do not grant permission, the IDFA will not be used for ad personalisation; conversion measurement then takes place exclusively anonymously via Apple SKAdNetwork / AdAttributionKit. On Android, you can reset or disable your advertising ID at any time in the Google system settings.
Legal basis: Art. 6(1)(b) GDPR for transactional communications; Art. 6(1)(a) GDPR for marketing communications (newsletter, marketing SMS); withdrawal possible at any time.
If you purchase the Fastic App through one of our partners, we transmit entitlement and usage status data to the following with your consent:
For Wellhub, the following data provided by the partner is processed by us: partner user ID, email address, first and last name, country of origin, entitlement status. For other partners: pseudonymous partner user ID, entitlement status.
Where data is transferred to countries outside the EU/EEA without an adequacy decision (in particular the USA), we conclude the EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914 with the respective recipients and supplement these β where required β with additional technical measures (encryption, pseudonymisation).
A copy of the relevant safeguards is available upon request from the controller (contact details see Section I).
We process your personal data only for as long as is necessary to achieve the stated purposes or as required by statutory retention obligations (in particular § 257 HGB, § 147 AO – 6 to 10 years).
In particular, the following periods apply:
You can delete your account at any time in the app under "Settings → Account → Delete Account" or on web.fastic.com under "Profile → Delete Account". Deletion takes place server-side and covers your personal data stored in our systems. Where third-party service providers maintain independent copies of data in connection with our processing (e.g. payment service providers, CRM providers), deletion takes place there in accordance with the respective retention periods of those providers or upon your separate request. Statutory retention obligations (in particular invoice and tax data, 6–10 years) remain unaffected.
You have the following rights against us:
You can obtain information about the data stored about you by contacting datenschutz@fastic.com; you will receive it as an encrypted ZIP file (see also the in-app feature "Export my data").
Right to Object (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of a balancing of interests pursuant to Art. 6(1)(f) GDPR; this also applies to profiling based on those provisions. In that event, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
You have the right to object at any time to the processing of your personal data for direct marketing purposes, with the result that your data will no longer be processed for those purposes.
Last updated: 12 June 2026