Privacy Policy

Last updated 16 June 2026

This Privacy Policy explains how Fit Factory (“we”, “us” or “our”) collects, uses, shares and protects personal information when you use the Fit Factory platform (the “Platform”). We are committed to handling your information in accordance with applicable data-protection law, including South Africa’s Protection of Personal Information Act, 2013 (POPIA) and, where it applies, the EU/UK General Data Protection Regulation (GDPR).

1. Roles: who controls your data

For account, billing and platform-operation data, Fit Factory acts as the responsible party (POPIA) / controller (GDPR).

For the client data a coach manages through the Platform (workouts, nutrition, check-ins, notes and messages), the coach determines how that information is used and is the responsible party / controller for it; Fit Factory acts as an operator (POPIA) / processor (GDPR) processing it on the coach’s behalf. If you are a client, please also refer to your coach for how they use your information.

2. Information we collect

You provide directly

  • Account details — name, email address, password, and (for coaches) business name, phone, bio and social links.
  • Fitness & health data — workouts, exercises, sets/reps/weights, body measurements, weigh-ins, photos, habits, nutrition plans and check-in responses.
  • Communications — messages between coaches and clients, and any support requests you send us.
  • Billing details — handled by our payment providers; we receive limited information such as subscription status and the last four digits of a card. We do not store full card numbers.

Collected automatically

  • Technical data — device, browser, IP address and log data needed to operate and secure the Platform.
  • Cookies — see our Cookie Policy.

From connected wearables & health services (optional)

If you choose to connect a wearable or health account — currently Oura, Whoop or Fitbit — we receive health and activity data from that provider through their API, with your explicit authorisation, to power features such as automatically filling in your daily habits and sharing your progress with your coach. Depending on the provider and the access you grant, this may include steps and active energy, sleep, resting heart rate and heart-rate variability, and body weight.

This connection is optional and off by default, and we request read-only access. You can disconnect at any time from your wearables settings in the Platform, or by revoking access in your provider account — after which we stop syncing new data. The access tokens for these connections are stored securely and restricted to the background-sync process; they are never exposed to your coach or other users. Data we receive from a provider is used solely to provide these features and is handled under this Policy, and your use of each provider remains subject to that provider’s own terms and privacy policy.

Some fitness and health information may be considered “special” or “sensitive” personal information. We process it only to provide the Platform’s core features to you and the coach or clients you are connected with, and on the lawful bases described below.

3. How and why we use your information

  • To provide, maintain and improve the Platform and its features.
  • To create and manage your account and authenticate you.
  • To enable coaching: connecting coaches and clients and sharing the relevant data between them.
  • To process subscriptions and payments and send related notices.
  • To send service, invite and transactional emails and (where enabled) push notifications.
  • To provide support and respond to your requests.
  • To keep the Platform secure, prevent abuse and comply with legal obligations.

4. Lawful basis for processing

Where GDPR or POPIA applies, we rely on one or more of the following bases:

  • Performance of a contract — to deliver the Platform you (or your coach) signed up for.
  • Consent — for optional features such as push notifications and certain emails; you may withdraw consent at any time.
  • Legitimate interests — to secure, operate and improve the Platform, balanced against your rights.
  • Legal obligation — to comply with applicable laws (for example, tax and accounting).

5. Sharing your information

We do not sell your personal information. We share it only as needed to run the Platform:

  • Between coaches and their clients, as inherent to the service.
  • With the sub-processors listed below, who process data on our instructions under appropriate contractual safeguards.
  • Where required by law, to protect rights and safety, or in connection with a business transfer.

Sub-processors

Provider | Purpose | Privacy
Supabase | Database, authentication and file storage | Policy
Railway | Application hosting | Policy
Stripe | Payment processing (coach & platform billing) | Policy
PayPal | Optional payment processing for coach billing | Policy
Resend | Transactional & invite email delivery | Policy

6. International transfers

Some sub-processors may store or process data outside your country (for example, in the United States or the European Union). Where we transfer personal information across borders, we take steps required by POPIA and GDPR — such as relying on providers that offer an adequate level of protection or appropriate safeguards like Standard Contractual Clauses.

7. Data retention

We keep personal information for as long as your account is active and as needed to provide the Platform, comply with legal obligations, resolve disputes and enforce our agreements. When data is no longer required, we delete or anonymise it. You can request deletion as described below; note that a coach may retain a copy of client data they control under their own obligations.

8. Your rights

Subject to applicable law, you have the right to:

  • access the personal information we hold about you;
  • correct inaccurate or incomplete information;
  • request deletion of your information;
  • object to or restrict certain processing;
  • withdraw consent where we rely on it;
  • request a portable copy of information you provided; and
  • lodge a complaint with a supervisory authority — in South Africa, the Information Regulator; in the EU/UK, your local data-protection authority.

To exercise any of these rights, contact us at fitfactoryct@gmail.com. If you are a client, some requests may need to be directed to your coach as the responsible party for your coaching data.

9. Security

We use technical and organisational measures appropriate to the risk — including encryption in transit, access controls and row-level database security — to protect personal information. No system is perfectly secure, but we work to protect your data and to notify affected users and regulators of any breach as required by law.

10. Children

The Platform is not intended for children under 16. We do not knowingly collect personal information from children under 16 without appropriate consent. If you believe a child has provided us information, contact us and we will take appropriate steps.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version here and update the “last updated” date, and will notify you of material changes where required.

12. Contact

For privacy questions or to exercise your rights, contact us at fitfactoryct@gmail.com.