Privacy policy

Last updated: 2026-04-18

Important notice

This privacy policy is provided for transparency about how [Your legal entity name, e.g. Example Fitness Ltd] (“we”, “us”, “our”) processes personal data when you use MatFit (the “Service”). It is intended to align with common practice under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. It does not constitute legal advice. Before relying on it for a live product, you should have it reviewed by a UK-qualified solicitor or privacy professional and adapt it to your exact processing activities, contracts, and subprocessors.

Who we are

For the purposes of UK data protection law, the controller of your personal data is:

  • Organisation: [Your legal entity name, e.g. Example Fitness Ltd]
  • Company number: [Companies House number, if applicable]
  • Registered address: [Registered office address, full UK address]
  • Privacy contact: privacy@yourdomain.example

If we are required to register with the Information Commissioner’s Office (“ICO”), our registration number is [ICO registration number, or remove reference in body]. If we are exempt from registration, this sentence should be removed after legal review.

Scope

This policy applies to personal data we process about individuals who visit our website, create an account, or otherwise use the Service. It does not apply to information about companies or other legal entities, except where those relate to identifiable individuals (for example a sole trader).

The Service is operated from the United Kingdom and is primarily intended for users in the UK. If you access the Service from elsewhere, we may still process your data as described here, and you may also have rights under other laws depending on your location.

Personal data we collect

We may collect and process the following categories of personal data:

Account and authentication

  • Identifiers and contact details you provide or that are collected via our authentication provider (for example name, email address, and an internal user identifier).
  • Authentication events and security-related signals needed to protect accounts.

Profile, preferences, and onboarding

  • Display name and in-app preferences (for example units, theme, accessibility-related settings, notification preferences).
  • Onboarding information you choose to provide, such as activity level, training goals, time available for sessions, preferred difficulty, and self-reported physical limitations or injuries you tell us about to tailor recommendations.

Programme, workouts, and progress

  • Programmes you start or follow, schedule information, completion status, and related timestamps.
  • Workout session data such as duration, counts of exercises completed or skipped, and optional notes you add to a session.
  • Fitness test results you log (for example scores and timings for tests offered in the product).

Technical and usage data

  • Device and connection data typically found in server logs (for example IP address, approximate location derived from IP, browser type, referring URLs, date and time of requests).
  • Essential cookies and similar technologies required for security, load balancing, and to keep you signed in, as described under “Cookies and similar technologies”.

We do not sell your personal data. We do not use your data for third-party behavioural advertising as part of the Service unless we introduce that in future and update this policy and our consent mechanisms accordingly.

How and why we use personal data (lawful bases)

Under UK GDPR we must have a “lawful basis” for each processing purpose. We rely on the following, depending on the activity:

Purpose | Lawful basis (UK GDPR)
Providing and operating the Service (accounts, programmes, workouts, syncing your data) | Performance of a contract with you (Article 6(1)(b))
Security, fraud prevention, abuse detection, enforcing our terms | Legitimate interests (Article 6(1)(f)) — we balance these against your rights
Service improvement, analytics that do not require consent under PECR where applicable | Legitimate interests (Article 6(1)(f)) or consent where required
Compliance with legal obligations (for example responding to lawful requests) | Legal obligation (Article 6(1)(c))
Non-essential cookies or similar technologies (if we add them) | Consent (Article 6(1)(a)), where required by law

Where we rely on legitimate interests, you may object to processing as explained under “Your rights”. We will stop unless we demonstrate compelling grounds that override your interests or we need the data for legal claims.

Health-related and special category data

Some information you may provide in MatFit could be treated as more sensitive under UK GDPR — for example self-reported injuries or limitations, or certain fitness measurements — because it may reveal information about your health or physical condition (“special category” data under Article 9 UK GDPR).

Where we process such data, we do so because you choose to provide it for a clear purpose connected to the Service, and — where required — on the basis of explicit consent (Article 9(2)(a)), which you can withdraw at any time (see “Your rights”). You are not obliged to provide this information, but some features (such as tailored programme suggestions) may work less well without it.

Product note: ensure your onboarding or data-collection screens collect explicit consent in a way that meets ICO guidance (clear, specific, affirmative action) if you rely on consent for this category of data.

Profiling and programme recommendations

The Service may use automated logic to suggest or rank training programmes for you based on factors such as your activity level, available time, goals, preferred difficulty, and self-reported limitations. This is a form of profiling under UK GDPR (evaluating personal aspects about you). It uses rule-based scoring rather than solely machine-learning models.

This profiling does not produce legal effects or similarly significant effects on you within the meaning of UK GDPR Article 22 based solely on automated processing. You can typically still browse and select programmes without accepting a recommendation. If we change this in future, we will update this policy.

Cookies and similar technologies

We use cookies, local storage, and similar technologies where necessary for the Service to function — for example to maintain your session, protect against misuse, and remember essential preferences.

The Privacy and Electronic Communications Regulations (“PECR”) and related rules may require consent for non-essential cookies or similar technologies. Today the Service is described as using essential technologies linked to authentication and core functionality. If we add analytics, advertising, or other non-essential technologies, we will update this policy and, where required, provide a consent mechanism before those technologies are used.

Recipients, subprocessors, and categories of recipients

We use trusted third parties who process personal data on our instructions (subprocessors) or who process data as independent controllers in their own right. These may include:

  • Clerk, Inc. — authentication and identity services for user accounts.
  • Convex, Inc. — cloud database and backend infrastructure used to store and process application data.
  • Vercel Inc. (or another hosting provider we use) — hosting and delivery of the web application, edge and serverless execution, and related infrastructure logging.

We may also share data with professional advisers, insurers, or authorities where required by law or to protect rights and safety.

A list of key subprocessors may be published separately or provided on request. Subprocessors are bound by contractual terms requiring them to protect personal data appropriately.

International transfers

Some of our subprocessors are based outside the United Kingdom or store or access data from outside the UK. Where we transfer personal data from the UK to countries that do not have an adequacy regulation under UK law, we implement appropriate safeguards such as the ICO’s International Data Transfer Agreement (“IDTA”), the UK Addendum to the EU Standard Contractual Clauses, or other mechanisms approved under UK GDPR, as described in our agreements with those providers.

You may contact us to request further information about safeguards we rely on for specific transfers.

Retention

We keep personal data only for as long as necessary for the purposes described in this policy, including to provide the Service, resolve disputes, enforce agreements, and meet legal, accounting, and reporting requirements.

  • Account and authentication data: retained while your account is active. After you delete your account, identifiers and related account records needed for security, dispute handling, or legal compliance may be held for a limited further period where the law requires it; this does not extend to workout history, fitness tests, or other activity data once those have been removed from our primary systems as described below.
  • Workout history, session progress, and fitness test results: retained for as long as your account exists so we can show progress, history, and baseline trends. If you use reset profile in the app, we delete workout history, programme enrolments, fitness tests, and in-progress session drafts while keeping your sign-in account. If you delete your account, we delete these records from our primary database together with your MatFit profile; they are not kept for a separate “cooling off” period once deletion succeeds. A short residual period in backups or provider logs may still apply.
  • Subscription and billing records: if you take out a paid subscription, our payment provider generates invoices, receipts, and payment records (the provider is typically the primary place to download copies). We may retain references to your subscription status and an audit-style record of billing-related events in our systems to run the Service and meet legal, tax, and accounting obligations. Retention may extend beyond account closure where the law requires it.
  • Server logs: typically retained for a limited period for security and diagnostics, unless a longer retention is justified.
  • Self-service export and deletion: from the in-app Preferences screen you can download a structured copy of MatFit-held data (JSON) and delete your account, which removes MatFit profile and activity data from our primary systems as described above, including subscription status snapshots and billing-event summaries we store for your account (where applicable). Your payment processor may still hold invoices and payment history under its own retention rules. Account deletion also removes your sign-in identity through our authentication provider; a short residual period in backups or provider logs may still apply, as above.

When data is no longer needed, we delete or anonymise it in line with our internal procedures and subprocessors’ capabilities.

Security

We implement appropriate technical and organisational measures designed to protect personal data against accidental loss, unauthorised access, alteration, or disclosure. These measures may include encryption in transit, access controls, separation of environments, and staff training. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

Your rights

Subject to conditions and exemptions in UK GDPR, you may have the right to:

  • Access — request a copy of personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data in certain circumstances.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Data portability — receive certain data in a structured, commonly used, machine-readable format, where processing is based on consent or contract and is carried out by automated means. Where available, you can use Export My Data in Preferences to obtain a JSON export of MatFit-held fields.
  • Object — object to processing based on legitimate interests or for direct marketing (we do not use your data for third-party direct marketing as described in this version of the policy).
  • Withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise these rights, contact us using the details in “Who we are”. We may need to verify your identity before responding. You also have the right to lodge a complaint with the ICO:

https://ico.org.uk/make-a-complaint/

Automated decision-making

We do not use solely automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of UK GDPR Article 22. Programme recommendations are assistive and described under “Profiling and programme recommendations”.

Children

The Service is not directed at individuals under 16 years old, and we do not knowingly collect personal data from children below that age. If you believe we have collected data from a child, please contact us and we will take steps to delete it. You should confirm the appropriate minimum age and any parental consent requirements with your legal adviser.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will take reasonable steps to notify you (for example by email or an in-app notice) where appropriate. The “Last updated” date at the top of this page shows when this version was published. Continued use of the Service after changes may be subject to your acceptance where required by law.

Contact

For any questions about this privacy policy or our processing of personal data, use the contact details in “Who we are” (including email and postal address).
