Privacy Policy

RepStryde | Effective Date: January 1, 2025

1. Introduction & Scope

RepStryde ("we," "us," "our," or "Company") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our application, website, and services (collectively, the "Service").

This policy applies to all users:

Normal Users (Athletes/Trainees)
Fitness Trainers
Nutritionists

Jurisdiction-Specific Rights:

EU/EEA residents: GDPR rights apply (data subject rights, lawful basis, DPA)
California residents: CCPA rights apply (right to know, right to delete, opt-out)
Pakistan residents: Local data protection standards apply
Other jurisdictions: Applicable local laws apply

2. Data Controller & Contact

Data Controller: RepStryde Inc. Islamabad, Pakistan

Privacy Officer / Data Protection Contact: 📧 [email protected]

For EU residents (GDPR Data Protection Officer): 📧 [email protected]

3. Data We Collect

3.1 Account Registration Data

When you create a RepStryde account, we collect:

All Users:

Full name
Email address
Date of birth (for age verification and cycle tracking)
Password (hashed and encrypted)
Phone number (optional)
Country/timezone
Account type (Normal User, Trainer, or Nutritionist)

Fitness Trainers & Nutritionists (Additional):

Professional credentials/certifications
Specializations
Bio/about section
Profile photo
Years of experience
Business details (if applicable)

3.2 Fitness & Health Data

Workout Logs:

Exercise name, weight lifted, reps, sets, RIR (rate of perceived exertion)
Rest periods, tempo, notes
Date and time performed
Workout duration

Nutrition Data:

Foods logged with quantities
Macro nutrients (protein, carbs, fats, fiber)
Calorie intake
Meal times
Food images
Barcode scans

Body Metrics:

Current weight
Height
Body fat percentage (if logged)
Body measurements (chest, waist, hips, arms, legs, etc.)
Weight history
Measurement history

Progress Photos:

Images you upload showing physique progress
Timestamps and metadata
Optional notes

Menstrual Cycle Data:

Cycle start dates
Period duration
Cycle phase predictions
Symptoms logged
Flow intensity
This data is ALWAYS marked private and never shared with coaches unless explicitly enabled

3.3 Coach Connection Data

When you connect to a trainer or nutritionist:

Trainer/Nutritionist name and ID
Connection date
Data sharing preferences (what you allow them to see)
Communications and notes

Coaches can see:

Trainers: workout logs, body metrics, progress photos, general calendar
Nutritionists: meal logs, macro adherence, weight trends, progress photos
Both (if shared): menstrual cycle data (only if you enable)

3.4 Device & Technical Data

Device type (iOS, Android, Web)
Device ID / IDFA / AAID
Operating system and version
App version
IP address
Browser type
Crash logs and error reports
Feature usage patterns
Session duration

3.5 Communication Data

Messages and notes within the app
Support tickets and replies
Feedback and bug reports
In-app notifications
Email communications

3.6 Payment Data (if applicable in future)

Currently, RepStryde v1.0 is FREE. However, in future versions:

Payment method (credit card, PayPal, etc.)
Transaction history
Billing address
Subscription status

Payment processing is delegated to Stripe. We do NOT store full credit card numbers. See Section 6 for details.

3.7 Third-Party Data

We may receive data from:

Exercise database providers (movement names, GIFs)
Food database providers (nutrition information)
Analytics services (usage patterns)
Social media (if you link your account)

4. How We Use Your Data

4.1 Service Delivery (Primary Purpose)

We use your data to:

Create and maintain your account
Display your fitness logs and metrics
Track your progress
Generate personalized insights and analytics
Send your data to connected coaches (as you choose)
Respond to support requests
Process refunds (if applicable)

Legal Basis (GDPR): Contract performance (you agreed to use the Service)

4.2 Improving & Personalizing

We use data to:

Improve app features based on usage patterns
Customize your experience (UI preferences, units, theme)
Personalize recommendations (exercise suggestions, macro targets)
Optimize performance and fix bugs
Conduct A/B testing

Legal Basis (GDPR): Legitimate interest (improving our Service)

4.3 Safety & Legal Compliance

We use data to:

Detect and prevent fraud, abuse, and unauthorized access
Enforce Terms of Service and legal agreements
Comply with legal obligations (court orders, law enforcement requests)
Protect our legal rights and intellectual property
Investigate security incidents

Legal Basis (GDPR): Legal obligation and legitimate interest (protecting our users and business)

4.4 Marketing & Communications (with Consent)

We may use data to:

Send you product updates and feature announcements
Invite you to events or new features
Conduct surveys about your experience
Email you about offers or promotions (with consent)

Legal Basis (GDPR): Consent (you can opt-out anytime)

You can opt-out of marketing emails by:

Clicking "Unsubscribe" in any marketing email
Updating preferences in app settings
Emailing [email protected]

4.5 Aggregated/Anonymized Analytics

We use anonymized, aggregated data to:

Publish fitness trends ("average user lifts X kg")
Improve exercise database
Improve food database accuracy
Generate public reports and research
Benchmark user engagement

This data cannot identify you.

5. Data Sharing & Disclosure

5.1 Coach Access (Your Choice)

Normal Users choose what coaches can see:

You can connect to ONE trainer and ONE nutritionist
You control what data each coach can view
Coaches see only data you've explicitly shared
Disconnecting a coach immediately revokes access
Your historical data remains yours (coaches lose view-only access)

Trainers & Nutritionists see:

Client workout/nutrition data you shared
Progress photos and body metrics you shared
Notes and communications with you
They do NOT see your full personal information (email, phone, address, etc.)

5.2 Service Providers (Vendors)

We may share data with third-party vendors:

Exercise Database Provider

Company: [Exercise Database Provider, e.g., "ExerciseDB"]
Purpose: Provide exercise library with animations
Data shared: Exercise names, workout logs (anonymized)
Contract: Data Processing Agreement (DPA) in place
GDPR basis: Data Processors

Food Database Provider

Company: [Food Database Provider, e.g., "USDA FoodData Central"]
Purpose: Provide nutrition information
Data shared: Food searches, macro queries (anonymized)
Contract: DPA in place

Hosting Provider

Company: [e.g., "AWS, Google Cloud, Heroku"]
Purpose: Store and process your data
Data shared: All data (encrypted in transit and at rest)
Contract: DPA in place

Analytics Service

Company: [e.g., "Mixpanel, Amplitude"]
Purpose: Track app usage, crashes, features
Data shared: Device ID, session data (anonymized)
Contract: DPA in place
Opt-out: Available in app settings or analytics provider's opt-out page

Payment Processor (Future)

Company: Stripe
Purpose: Process subscription payments
Data shared: Billing details (NOT stored by us)
Contract: DPA in place
Stripe Privacy: https://stripe.com/privacy

All vendors are contractually bound to:

Process data only as instructed
Maintain confidentiality
Implement security measures
Comply with GDPR and applicable laws

5.3 Legal Obligations

We may disclose data if required by law:

Court orders or legal process
Law enforcement requests (MLAT, mutual legal assistance)
Government agencies (subpoenas, warrants)
National security investigations

We will:

Attempt to notify you before disclosure (unless prohibited)
Request the narrowest scope possible
Log all such requests

5.4 Business Transfer

If RepStryde is acquired, merged, or sold:

Your data may transfer to the new entity
The new entity must honor this Privacy Policy
You will be notified of changes

5.5 What We Do NOT Share

We do NOT:

Sell your personal data to advertisers or brokers
Share your health data with insurance companies
Share your data with unaffiliated third parties for marketing
Share your menstrual cycle data without explicit consent
Disclose coach connections without consent
Share trainer/nutritionist client lists publicly

6. International Data Transfers

6.1 Data Location

Primary Storage: Pakistan (our servers) Backup/Redundancy: Distributed cloud infrastructure (may include EU, US, other regions)

6.2 GDPR Transfers (EU/EEA residents)

If you're in the EU/EEA, your data is protected by:

Adequacy Decisions (if applicable to Pakistan)
Standard Contractual Clauses (SCCs) with data processors
Your explicit consent for transfers outside the EEA

We will provide details of our transfer mechanisms upon request.

6.3 California Consumer Privacy Act (CCPA)

If you're a California resident:

You have the right to know what data we collect
You have the right to delete your data
You have the right to opt-out of certain disclosures
You have the right to non-discrimination for exercising CCPA rights

See Section 10 for how to exercise these rights.

7. Data Retention

7.1 Active Account

While your account is active, we retain:

All your fitness logs, meal logs, and metrics indefinitely
All personal data needed to operate your account
Communications and support history

7.2 Deleted Accounts

When you delete your account:

Your profile is marked inactive within 30 days
Your personal data (name, email, phone) is deleted within 90 days
Your fitness logs and meal logs are deleted within 6 months
Backups are purged within 12 months
Legal/tax records may be retained for 7 years

7.3 Legal Holds

If we're under legal investigation, we may retain data longer to comply with law.

7.4 Coach Access After Deletion

If a coach was connected to you when you delete your account:

Coaches lose access to your data
Their cached data (in their own systems) may remain unless they delete it
Historical notes coaches made about you may remain in their records

8. Data Security

8.1 Security Measures

We implement:

Encryption in Transit: TLS/SSL (HTTPS) for all connections
Encryption at Rest: AES-256 encryption for sensitive data
Database Security: SQL injection prevention, parameterized queries
Access Controls: Role-based access, principle of least privilege
Password Security: Bcrypt hashing with salt (passwords never stored in plain text)
API Security: API key authentication, rate limiting, CORS policies
Code Security: Regular security audits, dependency scanning

8.2 Incident Response

If a data breach occurs:

We investigate within 24-48 hours
Affected users are notified within 72 hours
We comply with GDPR/CCPA breach notification requirements
We cooperate with law enforcement if necessary

8.3 Your Responsibility

You must:

Keep your password confidential
Log out on shared devices
Use strong, unique passwords
Not share your account with others
Report suspicious activity immediately

9. Cookies & Tracking

9.1 Cookies We Use

Essential Cookies:

Session ID (keeps you logged in)
CSRF token (prevents cross-site attacks)

Analytics Cookies:

User ID (to track your engagement)
Session duration
Feature usage
Anonymized device ID

Preference Cookies:

Language preference
Theme preference (dark/light)
Units preference (metric/imperial)

9.2 Third-Party Cookies

We use cookies from:

Google Analytics — usage tracking
Mixpanel — feature analytics
Stripe — payment processing (future)

9.3 Cookie Opt-Out

You can:

Disable cookies in your browser
Use privacy mode/incognito
Opt-out of analytics in app settings
Use privacy tools (Privacy Badger, uBlock Origin)

9.4 Web Tracking

Our website and app may use:

Web beacons (pixel tracking)
Local storage
IndexedDB (offline sync storage)
None of these identify you without a logged-in session

10. Your Rights & Data Subject Access

10.1 GDPR Rights (EU/EEA)

If you're in the EU/EEA, you have:

Right to Access: Request a copy of all data we hold about you Right to Rectification: Correct inaccurate data Right to Erasure: Request deletion ("right to be forgotten") Right to Restrict Processing: Limit how we use your data Right to Data Portability: Get your data in a portable format Right to Object: Object to marketing, profiling, or automated decision-making Right to Withdraw Consent: Withdraw consent for email marketing anytime

10.2 CCPA Rights (California)

If you're a California resident, you have:

Right to Know: Request what personal data we collect, use, share, sell Right to Delete: Request deletion of your personal data Right to Opt-Out: Opt-out of personal data "sale" (we don't currently sell, but you can opt-out of future sales) Right to Correct: Correct inaccurate personal data Right to Limit Use: Limit use of personal data to service provision Right to Non-Discrimination: We will not discriminate if you exercise your rights

10.3 How to Exercise Your Rights

To request data access, deletion, or exercise GDPR/CCPA rights:

Email: [email protected]
Subject: "[GDPR/CCPA Request] [Your Name] [Right Type]"
Include:
- Your full name
- Account email
- Specific request (access, deletion, portability, etc.)
- Reason (optional)

Response Timeline:

GDPR: 30 days (extendable to 60-90 days for complex requests)
CCPA: 45 days (may extend by 45 days)
Non-EU/CCPA requests: 30 days

Verification: We will verify your identity by:

Matching email to registered account
Requesting additional proof if necessary
We will not disclose data to unverified requesters

11. Children's Privacy

11.1 Minimum Age

RepStryde is not intended for children under 13 (COPPA compliance). Users under 18 require parental/guardian consent.

11.2 Parental Controls

Parents/guardians can:

Request access to their child's account
Request deletion of their child's data
Restrict data sharing with coaches
Monitor their child's activity (with their child's knowledge)

11.3 Parental Consent

If your child uses RepStryde:

You grant permission for us to collect their data
You understand the risks of fitness tracking and body metrics
You accept responsibility for their account

Contact [email protected] for parental controls.

12. Privacy Policy Updates

We may update this Privacy Policy at any time. Changes are effective when posted.

Material changes will be notified:

Via email to your registered address
Via in-app notification
You will have 30 days to review

Continued use of RepStryde after changes indicates acceptance.

Last update: January 1, 2025

13. Specific Scenarios & FAQs

13.1 What happens if I disconnect from my trainer?

Your trainer loses access to your shared data immediately
Your historical data remains with you
Your trainer cannot see your new workouts
Your trainer's notes about you remain in their records
You can reconnect later with a new invite code

13.2 Can trainers share my data with their own coaches?

No. Trainers must not share your personal data with other coaches without your explicit consent. This violates the trust relationship and these Terms.

13.3 Is my cycle data ever shared?

No, unless you explicitly enable it. Cycle data is always marked private and requires your consent to share.

13.4 Can I download my data?

Yes. You can:

Export your workout logs as CSV/PDF
Export your nutrition logs as CSV
Export your metrics and progress photos
Request a complete data dump: [email protected]

13.5 What about fitness photos? Can they be shared with others?

Only if you upload them and share them via the platform. Your photos are not shared without explicit action from you.

13.6 Can I opt-out of analytics?

Yes. You can opt-out of analytics tracking in app settings. Some essential analytics (crashes, errors) cannot be opted-out of for safety.

13.7 Is my data HIPAA-covered?

No. RepStryde is not a HIPAA-covered entity. Your data is NOT protected under HIPAA. However, we provide GDPR and CCPA protections.

14. Third-Party Links

RepStryde may contain links to third-party websites (fitness articles, nutrition sites, etc.).

We are not responsible for:

Third-party privacy practices
Third-party data collection
Third-party content or policies

Read their privacy policies before sharing data.

15. Contact & Questions

For privacy questions or concerns:

Privacy Officer: 📧 [email protected]

GDPR Data Protection Officer (EU): 📧 [email protected]

Mailing Address: RepStryde Inc. Islamabad, Pakistan

Response Time: 5 business days

16. Additional Information by Jurisdiction

16.1 Pakistan Residents

You are subject to:

Pakistan's digital privacy practices
Applicable local data protection laws
This Privacy Policy (which supersedes conflicting local practices where enforceable)

16.2 EU/EEA Residents

You are subject to GDPR. Additionally:

You have data subject rights listed in Section 10.1
Transfers outside EEA are protected by Standard Contractual Clauses
You have the right to file a complaint with your Data Protection Authority
Your DPA is: [Your Country's Data Protection Authority]

16.3 California Residents

You have CCPA rights (see Section 10.2). Additionally:

You may not be discriminated against for exercising your rights
You can authorize an agent to request on your behalf
We acknowledge opt-out signals (like GPC browser signals) where applicable

17. Final Acknowledgment

By using RepStryde, you acknowledge:

You have read this Privacy Policy
You understand how your data is collected and used
You consent to the practices described herein
You are responsible for keeping your login credentials confidential

Privacy Policy Version: 1.0 Effective Date: January 1, 2025 Last Revised: January 1, 2025

For the latest version, visit: www.repstryde.app/privacy

Questions about this document? Contact us at [email protected].