
Privacy Policy

Last updated: June 17, 2026

Table of Contents

  1. Introduction
  2. Products Covered
  3. Information We Collect
  4. How We Use Your Information
  5. Third-Party Services
  6. Data Storage and Security
  7. Data Retention
  8. Your Rights Under GDPR
  9. Your Rights Under CCPA
  10. Children's Privacy
  11. International Data Transfers
  12. Do Not Track Signals
  13. Third-Party Links
  14. Changes to This Privacy Policy
  15. Contact Us

1. Introduction

This Privacy Policy describes how fonszi Kft. ("Fonszi," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use our products, services, and websites. By accessing or using any Fonszi product, you acknowledge that you have read and understood this Privacy Policy.

We are committed to protecting your privacy and handling your data transparently. This policy applies to all products and services operated by Fonszi, as listed below.

2. Products Covered

This Privacy Policy covers the following products and services:

Athletes and Fitness

  1. fonskii — Ski tracking app (iOS, Android)
  2. beloop — Professional workout timer (iOS, Android)

Design Tools

  1. Composa Pro Suite — Bidirectional Compose-to-Figma design bridge (Figma Plugin)
  2. Forge — Website-to-Figma conversion (Chrome Extension + Figma Plugin)
  3. Android Studio Plugin — Compose preview export to Figma (JetBrains IDE)

Developer Tools

  1. git-hook-suite — Centralized git hooks for KMP projects (CLI + Desktop)
  2. LocalTask AI — AI-powered bug analysis plugin for Android Studio

Website

  1. fonszi.com — Company website

3. Information We Collect

The types of information we collect vary by product category. We collect only the information necessary to provide and improve our services.

3.1 Mobile Applications (fonskii, beloop)

Data stored locally on your device:

  • Workout and session data (timer configurations, session history, personal records, athlete profiles, test results)
  • User preferences and app settings
  • Cached ski resort data (fonskii)
  • Session tracking data including GPS tracks, speed, distance, and elevation metrics (fonskii)

Location data (fonskii only):

fonskii uses GPS coordinates (latitude, longitude, altitude) and barometric pressure sensor data to track altitude, speed, distance, and vertical during ski sessions. Location data is collected only while a tracking session is active and is stored locally on your device as part of session history. We do not transmit raw location data to our servers.

During Buddy Sessions (real-time location sharing with friends), your GPS coordinates are streamed to our server for the duration of the session only (typically 2–4 hours). This data is automatically deleted when the session ends.

Account data (fonskii):

  • Email address — required for account creation and login.
  • Display name — user-provided, shown in buddy sessions.
  • Profile photo — optional, uploaded to our server.
  • Authentication tokens — stored securely on your device (Android: EncryptedSharedPreferences; iOS: Keychain).
  • Account data is stored on our server (api.fonszi.com) and can be permanently deleted via the in-app account deletion feature.

Device identifiers (fonskii):

  • Android: A stable device identifier (ANDROID_ID) is sent at login to enforce single-device sessions.
  • iOS: A randomly generated UUID is used for the same purpose.
  • We do not collect advertising identifiers (IDFA on iOS or GAID on Android) in fonskii.

Usage analytics:

  • Firebase Analytics collects anonymous usage data such as app opens, screen views, and feature usage patterns. This data cannot be used to identify you personally.
  • Firebase Crashlytics collects crash reports including stack traces, device model, and OS version to help us fix bugs. No personal information is included in crash reports.
  • Fonsitor (our custom error monitoring SDK) collects runtime errors with screen context and device information for bug detection. Reports do not contain personally identifiable information.

Advertising data (fonskii and beloop — free-tier):

  • Free-tier users see ads served by Google AdMob (interstitial ads after sessions, occasional banners). AdMob may collect device information (model, OS) according to Google's Advertising Privacy Policy.
  • Premium subscribers do not see ads.
  • fonskii does not collect or share your advertising identifier (IDFA/GAID).
  • iOS App Tracking Transparency (ATT): On iOS 14 and later, beloop presents Apple's App Tracking Transparency prompt before any advertising identifier is accessed. If you decline, only contextual (non-personalized) advertisements are served. You can change this permission at any time in your device Settings › Privacy & Security › Tracking.
  • Opt-out: On Android, you can opt out of personalized ads via Settings › Privacy › Ads on your device.

Map and weather data (fonskii):

  • Google Maps (Android) and Apple MapKit (iOS) are used to display maps. These services may collect data according to their own privacy policies.
  • Open-Meteo receives your approximate coordinates (latitude/longitude) to provide weather data during tracking. No user ID is sent.
  • Overpass API receives geographic bounding boxes to load piste and lift data for trail maps. No user ID is sent.

Activity export (fonskii):

  • Strava export is user-initiated: when you choose to share a session, the GPX file is sent to Strava via their API. You can also export sessions as GPX files locally.

Billing data:

  • Premium subscription status is managed by RevenueCat. Purchase tokens from Apple App Store or Google Play are forwarded to RevenueCat for subscription validation. No payment details (credit card, billing address) are collected by our apps — these are handled entirely by Apple or Google.

3.2 Figma Plugins (Composa, Forge)

Figma file data:

When you use our Figma plugins, the plugin reads data from your Figma files (nodes, styles, layout properties, design tokens, text content) to perform analysis, generation, or conversion operations. This data is processed entirely within the Figma Plugin sandbox and your local browser environment. We do not transmit your Figma file contents to external servers.

Chrome Extension data (Forge only):

The Forge Chrome Extension reads the DOM structure and computed styles of the active browser tab to extract layout, typography, color, and component information for Figma conversion. This data is processed locally in your browser and transferred to the Figma plugin via clipboard. We do not transmit page content to external servers.

Usage analytics and billing:

  • Plugin usage statistics and subscription status are managed through Figma Payments. Figma processes billing and provides us with aggregated, anonymized usage data.

3.3 Backend Services

Authentication data:

  • Email address and securely hashed password when you create an account.
  • Secure tokens for session management.
  • Optional two-factor authentication secret (encrypted at rest).

Error reports:

If you use products with error monitoring enabled, error reports are submitted to our servers. These reports include: error messages, stack traces, log levels, platform identifiers, app version, and device type. Reports are deduplicated using content hashing. They do not contain personally identifiable information.

License and API keys:

  • Application identifiers and API keys for monitored applications. These are associated with your account.

3.4 Website (fonszi.com)

Cookie-free analytics (Umami):

fonszi.com uses Umami, a privacy-focused, cookie-free analytics tool that we self-host at analytics.fonszi.com. Umami collects only anonymous, aggregate data: page views, referrer URLs, browser type, device type, country (derived from IP, which is never stored), and UTM campaign parameters. Umami does not use cookies, does not track users across sessions, does not collect personal information, and does not share data with any third party. All data is stored on our own infrastructure. You cannot be identified from this data. This approach is GDPR and CCPA compliant by design.

Contact form data:

  • If you contact us via email or a contact form, we collect your email address and the content of your message.

3.5 Data We Do NOT Collect

Across all Fonszi products, we do not collect:

  • Phone number or physical address
  • Contacts or address book
  • Photos, camera, or microphone access (except user-initiated profile photo upload)
  • Browsing or search history
  • Biometric data (only a "biometric login enabled" flag is stored locally)
  • Financial data or payment details (handled by Apple, Google, or RevenueCat)
  • Advertising identifiers (IDFA / GAID) in fonskii

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing services: To operate, maintain, and deliver the features and functionality of our products.
  • Improving products: To understand usage patterns, diagnose technical issues, and improve performance and user experience.
  • Customer support: To respond to your inquiries and resolve issues.
  • Security: To detect, prevent, and address fraud, abuse, and security incidents.
  • Billing: To process subscriptions and purchases through our payment partners.
  • Advertising: To display advertisements in ad-supported mobile applications (via Google AdMob).
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.
  • Communications: To send service-related notifications (e.g., security alerts, product updates). We do not send marketing emails unless you have opted in.

5. Third-Party Services

We use the following third-party services that may process your data. Each service operates under its own privacy policy:

| Service | Purpose | Data Processed | Privacy Policy |
|---|---|---|---|
| Firebase Analytics (Google) | Usage analytics for mobile apps | Anonymous usage events, device info, app version | Google Privacy Policy |
| Firebase Crashlytics (Google) | Crash reporting for mobile apps | Crash logs, device model, OS version, stack traces | Google Privacy Policy |
| Google AdMob (Google) | Advertising in ad-supported mobile apps | Advertising ID, ad interaction data | Google Privacy Policy |
| RevenueCat | Subscription management for mobile apps | Purchase receipts, subscription status, anonymous user ID | RevenueCat Privacy Policy |
| RevenueCat | Payment processing & subscription management (plugins/desktop) | Payment details (processed by RevenueCat; we do not store card data) | RevenueCat Privacy Policy |
| Figma Payments | Billing for Figma plugins | Subscription status, usage tier | Figma Privacy Policy |
| Polar.sh | Payments for developer tools and templates | Purchase details, email address | Polar.sh Privacy Policy |
| Open-Meteo | Weather data for fonskii | Approximate coordinates (latitude/longitude) | Open-Meteo Terms |
| Overpass API (OpenStreetMap) | Trail map data for fonskii | Geographic bounding boxes | Overpass API |
| Google Maps / Apple MapKit | Map display in fonskii | Map viewport, tile requests | Google / Apple |
| Strava (optional) | Activity export from fonskii | GPX file (user-initiated) | Strava Privacy Policy |
| Fonsitor (Fonszi) | Runtime error monitoring | Error messages, screen context, device info | First-party (see this policy) |
| Cloud hosting provider | Cloud hosting for our backend services | Backend data (database, application logs) | Available upon request |
| Apple App Store | Distribution and billing for iOS apps | Purchase and subscription data | Apple Privacy Policy |
| Google Play Store | Distribution and billing for Android apps | Purchase and subscription data | Google Privacy Policy |

6. Data Storage and Security

6.1 Storage Locations

  • On-device storage: The majority of user data (workout sessions, timer configurations, athlete profiles, design file data) is stored locally on your device. We prioritize on-device storage to minimize data exposure.
  • Cloud storage: Account data (email, hashed password) and error monitoring reports are stored in a secure cloud-hosted database.
  • No sale of personal data: We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6.2 Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All communications between our applications and servers use HTTPS with modern encryption.
  • Authentication: Secure token-based authentication with expiration and rotation for API access.
  • Password security: User passwords are securely hashed using industry-standard algorithms. We never store passwords in plaintext.
  • Two-factor authentication: Optional two-factor authentication is available for account security.
  • Rate limiting: API endpoints are protected by rate limiting to prevent brute-force attacks and abuse.
  • Error report deduplication: Error reports are deduplicated using content hashing to minimize data stored.
  • Principle of least privilege: Our applications request only the minimum permissions necessary for their functionality.

7. Data Retention

  • Session tracking data (fonskii): Stored locally on your device until you delete it within the app or uninstall the app.
  • Account data: Retained for as long as your account is active. You can permanently delete your account and all associated data via the in-app account deletion feature. Upon account deletion request, we will delete your account data within 30 days, except where retention is required by law.
  • Avatar images (fonskii): Retained until you remove them via in-app profile settings or delete your account.
  • Analytics data: Firebase Analytics data is retained for 14 months, after which it is automatically deleted. You can opt out via your device settings.
  • Crash reports: Fonsitor error reports are retained for 90 days (automatic expiry). Firebase Crashlytics data is retained indefinitely by Google.
  • Buddy session data (fonskii): Ephemeral — automatically deleted when the session ends (2–4 hours maximum).
  • On-device data: Data stored locally on your device (sessions, settings, preferences) is retained until you delete it within the app or uninstall the application.
  • Billing records: Transaction records are retained as required by applicable tax and financial regulations.

8. Your Rights Under GDPR (European Economic Area Users)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten"): You may request deletion of your personal data, subject to legal retention requirements.
  • Right to restrict processing: You may request that we limit the processing of your personal data under certain circumstances.
  • Right to data portability: You may request your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) for transfer to another service provider.
  • Right to object: You may object to the processing of your personal data for direct marketing or where processing is based on legitimate interests.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your member state.

Legal bases for processing: We process personal data under the following legal bases:

  • Performance of a contract: To provide the services you have requested (e.g., account creation, subscription management).
  • Legitimate interests: To improve our products, ensure security, and prevent fraud.
  • Consent: For personalized advertising in mobile apps, where applicable. The fonszi.com website uses cookie-free analytics (Umami) that requires no consent.
  • Legal obligation: To comply with tax, financial, and other regulatory requirements.

To exercise any of these rights, please contact us at dev@fonszi.com. We will respond to your request within 30 days.

9. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and its amendments under the California Privacy Rights Act (CPRA) provide you with the following rights:

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your data.
  • Right to delete: You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal compliance, transaction completion).
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out, but you may contact us to confirm this at any time.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Categories of personal information collected (preceding 12 months):

  • Identifiers (email address, IP address, device identifiers)
  • Internet or electronic network activity (usage analytics, crash reports, pages visited)
  • Geolocation data (approximate, via IP; precise, only in fonskii with your permission)
  • Commercial information (subscription and purchase history, processed by third-party billing providers)

Categories of personal information sold: None. We do not sell personal information.

Categories of personal information shared for cross-context behavioral advertising: None.

To exercise your rights, contact us at dev@fonszi.com or submit a request via our website. We will verify your identity before fulfilling your request and will respond within 45 days.

10. Children's Privacy (COPPA)

Our products and services are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at dev@fonszi.com, and we will delete the information from our systems.

For users in the European Economic Area, the applicable age threshold may be higher (up to 16 years, depending on the member state) in accordance with the GDPR.

11. International Data Transfers

If you are accessing our services from outside the jurisdiction where our servers are located, please be aware that your data may be transferred to, stored, and processed in a different jurisdiction, where data protection laws may differ from those in your region.

For users in the EEA, UK, or Switzerland, we rely on the following transfer mechanisms as applicable:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with our third-party service providers

12. Cookies and Do Not Track

Cookies: The fonszi.com website does not set any cookies. Our analytics tool (Umami) is entirely cookie-free and does not use localStorage, sessionStorage, or any browser fingerprinting techniques. We use only essential browser features (such as localStorage) for site functionality preferences like cookie consent banners. If we introduce non-essential cookies in the future, we will update this policy and provide a consent mechanism before setting them.

Do Not Track: Our website respects Do Not Track (DNT) signals. Umami, our analytics provider, is privacy-first by design and does not track individual users across sessions or websites. No personal data is collected regardless of DNT settings.

13. Third-Party Links

Our products and website may contain links to third-party websites, services, or applications (e.g., app store listings, GitHub repositories, Figma Community). We are not responsible for the privacy practices or content of those third parties. We encourage you to review their privacy policies before providing any personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our products, practices, or applicable laws. When we make material changes:

  • We will update the "Last Updated" date at the top of this policy.
  • We will post the revised policy on our website at https://fonszi.com/privacy.
  • For material changes that significantly affect your rights, we will provide notice through in-app notifications, email (if you have an account), or a prominent notice on our website.

We encourage you to review this Privacy Policy periodically. Your continued use of our products after any changes constitutes acceptance of the revised policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

fonszi Kft.
Email: dev@fonszi.com
Website: https://fonszi.com

We will respond to all privacy-related inquiries within 30 days.

Copyright 2026 fonszi Kft. All rights reserved.
