JustCountUF — version 1.0

Security & GDPR Policy

Last updated: Jan 20, 2026 Applies to app, backend, databases, and internal handling.

1. Purpose and scope

This policy describes how JustCountUF protects personal data and complies with the requirements of the GDPR. The policy applies to the entire JustCount app, backend, databases, and all internal handling of data.

2. Roles and responsibilities

Data Controller

JustCountUF, Robotvägen 4, 721 36 Västerås, Sweden.

Responsibilities

  • Ensure that processing complies with the GDPR.
  • Decide on changes to this policy.

Technical Lead

  • Responsible for security in the app, servers, and databases.
  • Ensures that the procedures in this policy are implemented in practice.

All personnel with access to personal data must

  • be familiar with this policy
  • follow instructions regarding security and confidentiality

3. Personal data processed internally

We process the following categories of data:

Account information

  • name
  • username
  • email address
  • hashed password (with salt)

Profile and settings

  • age or year of birth
  • gender, if provided by the user
  • training goals
  • language, time zone, and other settings

Training and progress data

  • workouts, exercises, weights, repetitions, sets
  • date, time, and duration
  • statistics and history

Health and medical information

  • injuries, rehabilitation, and limitations
  • notes about pain or physical strain
  • other medical information entered by the user

Technical data

  • device type, operating system, app version
  • IP address and usage-related logs
  • crash logs and performance data

Communication

  • support cases, emails, and feedback
  • responses to surveys related to the app

This list must be updated when new data types are introduced.

4. Legal basis and sensitive data

Legal bases used:

  • Contract, to deliver the app’s functionality.
  • Consent, for health data and use of data for research.
  • Legitimate interest, for logging, security, and internal analysis.
  • Legal obligation, where law requires storage or disclosure.

Health data is a special category of personal data. Such data requires explicit consent from the user. Consent must be documented and must be possible to withdraw via the app settings or by contacting us.

5. Technical security measures

Passwords

  • Passwords are never stored in plain text.
  • Passwords are stored as salted hashes using modern algorithms.
  • No developer or administrator can retrieve passwords from the database.

Communication

  • All communication between the app and backend must use encrypted connections (HTTPS/TLS).
  • Certificates must be kept up to date.

Databases and servers

  • Only authorized accounts have access to the database.
  • Access is logged.
  • Default passwords must not be used.
  • Updates and security patches must be installed regularly.

Backups

  • Database backups must be performed according to a fixed schedule.
  • Backups must be stored encrypted.
  • Access to backups is restricted to technical leads.

Logging

  • Logins, errors, and unusual events are logged.
  • Logs must not contain passwords or unnecessary health data.
  • Logs are used for troubleshooting and security monitoring.

6. Organizational measures

Access control

  • Access is granted only to individuals who need the data for their work.
  • The principle of least privilege must apply.
  • Permissions are reviewed regularly.

Confidentiality

  • Individuals with access to personal data must comply with confidentiality requirements.
  • Data must not be shared in chats, private emails, or other uncontrolled channels.

Training

  • Individuals with technical or administrative responsibilities must be familiar with basic GDPR requirements.
  • This policy must be communicated during onboarding.

7. Data processors and third parties

When external providers are used for hosting, storage, email, analytics, or similar services:

  • data processing agreements must be in place in accordance with the GDPR
  • the provider must maintain a reasonable level of information security
  • personal data must not be used for the provider’s own purposes

A register of all data processors must be maintained internally, describing services, data types, and processing location (EU/EEA or third country).

8. Research and sale of data

We sell or share training and health data for research purposes only when:

  • the user has provided explicit consent
  • data is anonymized or aggregated as far as possible
  • names, email addresses, and passwords are not shared

Internal procedures must describe:

  • how data is anonymized or pseudonymized
  • how consent is verified before data export
  • how data sharing is logged and documented

9. Retention periods and deletion

General principle

  • Data must not be stored longer than necessary for its purpose.

When a user closes their account

  • Account and profile data is deleted or anonymized within a reasonable time.
  • Training and health data is deleted or anonymized, unless legal requirements apply.

Backups

  • Deletion in backups follows the backup retention routine.
  • Backup access is used only for recovery after incidents.

An internal record of retention periods must be maintained for each data category.

10. Incident management

A personal data incident may include:

  • unauthorized access to the database
  • loss of devices containing personal data
  • major technical failures that risk integrity or confidentiality

In the event of a suspected incident, the following must occur immediately:

  1. Stop ongoing leakage or errors if possible.
  2. Document the incident, time, and affected systems.
  3. Assess the risk to data subjects.
  4. Decide whether notification to the Swedish Authority for Privacy Protection (IMY) is required.
  5. Inform affected users if legal requirements are met.

A simple incident log must be maintained with date, incident type, actions taken, and outcome.

11. User rights

Internal procedures must exist to handle user requests regarding:

  • right of access
  • rectification
  • erasure
  • restriction of processing
  • data portability
  • withdrawal of consent

All such requests must:

  • be documented
  • be answered within the legally required timeframe
  • be handled through technical and administrative backend procedures

12. Review and updates

This policy must be reviewed at least once per year, and whenever:

  • new features affecting personal data are introduced
  • new technology is implemented
  • new legal or regulatory requirements arise

The Data Controller decides on updates. The Technical Lead implements changes in systems and procedures.

This document constitutes JustCountUF’s internal guidelines for security and GDPR compliance.