Privacy Policy
Version 1.1
This is a draft for legal review. It is not legal advice. wait, what. AG should have counsel confirm alignment with the Federal Act on Data Protection (FADP), the GDPR where applicable, and your processor agreements.
1. Who we are
wait, what. AG (we, us) is the data controller for the processing of personal data in connection with the FYT product, the website getfyt.co (including subdomains that point to the same static site), the web application at app.getfyt.co, and related services, unless a separate written agreement (e.g. B2B) states otherwise.
Contact (privacy): hello@getfyt.co
Registered office (to be completed from the commercial register): [insert full address, canton, Switzerland] · UID: [insert CHE-xxx.xxx.xxx]
2. Scope
This policy describes how we process personal data of users, visitors, and business contacts. It applies when you use FYT, browse getfyt.co, join a waitlist, or communicate with us. If you are an employee of a business customer, your employer’s instructions and contract may also apply.
Why we ask
We aim to collect and use the minimum needed to operate FYT, your account, and the product features you enable. In the mobile and web app, you can change optional processing (for example AI-powered coaching, product analytics, and third-party visibility) in Settings. A plain-language, offline copy of the app Privacy Policy (including a “Why we ask” and “AI in FYT” section) is available in the app under Settings → Legal.
AI and automated insights
When you turn on AI features, prompts are processed through a gateway (e.g. OpenRouter) to third-party language models. We do not use your content to train those providers’ public base models. Output is for self-insight and coaching, not medical, legal, or clinical decisions. You can turn AI off in the app; assessments and your profile can still work without it. For full detail, see the in-app Privacy Policy, section 3, “AI in FYT”.
3. What data we process
Depending on how you use FYT, we may process in particular:
- Account and profile: e.g. name, email, authentication identifiers, language, preferences, and content you create in the product.
- Assessment and product data: responses, scores, and derived profile information you choose to provide or generate in FYT.
- Technical and usage data: e.g. IP address, device and browser type, approximate location (derived from IP), timestamps, logs, security signals, and in-app or product analytics events.
- Marketing and communications: e.g. email address and related metadata when you join a waitlist, subscribe to updates, or contact us.
- Support: content of messages and attachments you send to us.
We do not use FYT to make automated decisions with legal or similarly significant effects for you unless we describe such processing separately and, where required, provide a suitable legal basis and human review options.
4. Purposes and legal bases
We process personal data for the following purposes, relying where applicable on the legal bases under the FADP and, for persons in the EEA/UK, the GDPR:
| Purpose | Typical legal basis (indicative) |
|---|---|
| Providing, operating, and improving FYT; account management | Performance of a contract; overriding legitimate interests (e.g. security, product improvement), where allowed |
| Security, abuse prevention, and debugging | Overriding legitimate interests; legal obligations |
| Product analytics (e.g. PostHog) on app and, if enabled, marketing site | Overriding legitimate interests; consent where required for non-essential cookies or similar |
| Waitlist and email about FYT | Consent, or pre-contractual steps at your request, as applicable to your case |
| Compliance, legal claims, and government requests | Legal obligations; legitimate interests; legal claims |
Where we rely on consent, you may withdraw it at any time with effect for the future. Withdrawal does not affect processing that was lawful before withdrawal.
5. Recipients and subprocessors
We use trusted service providers who process data on our instructions. We enter into data processing agreements where required. The following categories of recipients are relevant (non-exhaustive; specific vendors may change; we will update this section when we materially change the stack):
| Category | Role | Typical location / transfer |
|---|---|---|
| Supabase | Database, authentication, edge functions for parts of the backend | Per project settings; we select regions and DPA options appropriate to the product. May involve transfers outside Switzerland/EEA subject to appropriate safeguards (e.g. SCC, adequacy). |
| Vercel | Hosting and delivery of the static site getfyt.co; edge logs | Global edge network; DPA with Vercel; may include US or other locations per Vercel’s terms. |
| PostHog (EU instance) | Product analytics; marketing site may use the same or a separate project key; session recording is off on the default marketing configuration we ship | EU cloud; see PostHog’s DPA and subprocessors list. |
| Email provider (e.g. Resend or similar) | Transactional and operational email | Per provider; may be US/EU; governed by the provider DPA. |
We may also disclose data if required by law, to protect rights and safety, or in connection with a corporate transaction (e.g. merger), subject to confidentiality and legal requirements.
6. International transfers
Where we transfer personal data to countries without an adequacy decision, we use appropriate safeguards such as the EU/EEA/Swiss Standard Contractual Clauses and supplementary measures as required by your risk assessment. You may request a copy of the relevant mechanisms where the law provides for it.
7. Retention
We keep personal data only as long as needed for the purposes above, including statutory retention periods. In particular: account and product data for the life of the account and a reasonable period after closure (e.g. backups, disputes); waitlist and marketing data until you unsubscribe, object, or we remove it in line with this policy; logs for a limited period for security and operations. Specific retention windows may be documented in our internal register of processing activities (ROPA).
8. Security
We implement appropriate technical and organisational measures having regard to the state of the art, the risk, and the nature of the data. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
9. Your rights
Subject to applicable law, you may have the right to:
- request access to the personal data we hold about you;
- request rectification of inaccurate data;
- request erasure or restriction of processing in certain cases;
- request data portability where processing is based on contract or consent and is automated;
- object to processing based on legitimate interests, and to direct marketing at any time;
- withdraw consent where processing is consent-based;
- lodge a complaint with a supervisory authority (e.g. in Switzerland: the Federal Data Protection and Information Commissioner, FDPIC; in the EEA: your local authority).
To exercise your rights, contact hello@getfyt.co. We may need to verify your identity. You will not be discriminated against for exercising your rights.
10. Website, cookies, and the marketing site
Our public pages on getfyt.co are primarily static. If we use analytics (e.g. PostHog) on the marketing site, we may use cookies or similar technologies (e.g. local storage) to distinguish visitors. Whether you need a cookie banner or prior consent under ePrivacy or national laws depends on your traffic, use case, and counsel’s advice. This policy should be read together with any cookie notice or consent tool you implement.
11. Children
FYT is not directed at children under 16 (or the minimum age in your country). We do not knowingly collect personal data from children. If you believe we have, contact us and we will take steps to delete it.
12. Changes
We may update this policy. We will post the new version on this page and adjust the “Version” and date. Where required, we will notify you in the product or by email. Continued use after a material change may be treated as notice where the law allows.
13. Contact
Questions about this policy: hello@getfyt.co