Privacy Policy
Last updated: April 2026
Palm Fitness, Inc. ("we", "us", "our") operates Palm Fitness (the "Service"), available at palmfitness.app and on iOS and Android. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, and the rights you have under applicable privacy laws including the GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, and the Australian Privacy Act 1988.
1. Information We Collect
We collect the following categories of personal data:
Account Information
- Name, email address, username, and profile picture
Legal basis (GDPR): Contract · Retention: Until account deletion + 30 days · Source: You provide this directly
Fitness & Health Data
Note: This is a special category of personal data under GDPR Article 9. We process it only with your explicit consent, provided when you use the fitness and health features of the Service.
- Workouts, nutrition logs, body metrics, goals, and custom exercises
Legal basis (GDPR): Consent · Retention: Until account deletion or user-initiated erasure · Source: You provide this directly
Social Graph & Engagement
- Follows, follow requests, subscriptions, likes, and saves
Legal basis (GDPR): Contract · Retention: Until account deletion · Source: Your actions on the platform
Messaging Content
- Messages, conversations, and group memberships
Legal basis (GDPR): Contract · Retention: Until account deletion; backups purged within 90 days · Encryption: In transit (TLS) and at rest · Source: You provide this directly
Payment Information
- Last four digits of your card and payment processor tokens (we never see your full card number)
Legal basis (GDPR): Contract · Retention: 7 years (tax/accounting requirements) · Source: You provide this directly
Device & Usage Data
- IP address, user agent, device identifier, session logs, and crash reports
Legal basis (GDPR): Legitimate interest · Retention: 13 months · Source: Collected automatically
2. Legal Bases for Processing
Under the General Data Protection Regulation (GDPR) and UK GDPR, we process your personal data on the following legal bases, depending on the data category:
- Contract (Art. 6(1)(b)): Data necessary to provide the Service to you (account, messaging, subscriptions)
- Consent (Art. 6(1)(a), Art. 9(2)(a)): Health and fitness data, marketing communications, optional features
- Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, service improvement
- Legal obligation (Art. 6(1)(c)): Tax records, lawful requests from authorities
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Create and manage your account
- Process subscriptions and payments
- Enable social features (posts, comments, messaging, follows)
- Send you technical notices, support messages, and service updates
- Respond to your comments, questions, and support requests
- Monitor and analyze trends, usage, and activity to improve the Service
- Protect the safety, integrity, and security of the Service
- Comply with legal obligations
4. Information Sharing
We share personal data only as described in this Policy:
- Other users: Content you choose to make public on the platform
- Service providers: Third-party subprocessors that process data on our behalf (see Section 5)
- Legal requirements: When required by law, regulation, legal process, or government request
- Rights protection: When necessary to protect our rights, privacy, safety, or property
- Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets
We do not sell or rent your personal data to third parties.
5. International Transfers & Subprocessors
Palm Fitness operates from the United States. Personal data you provide may be transferred to and processed in countries other than your own. Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards for international transfers.
We use the following third-party service providers to operate the Service:
| Provider | Purpose | Location | SCCs |
|---|---|---|---|
| Supabase | Database, authentication, storage, realtime | United States | Yes |
| Vercel | Hosting, edge functions, analytics | Global edge network | Yes |
| Resend | Transactional email delivery | United States | Yes |
Each subprocessor is contractually bound to process personal data only on our instructions and in accordance with applicable data protection laws. We may add or change subprocessors from time to time; material changes will be reflected on this page.
6. Data Retention
We retain personal data for as long as your account is active and as described per data category in Section 1 above, or as required by applicable law (e.g., payment records for tax purposes). When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).
7. Your Rights
You have the following rights with respect to your personal data, subject to applicable law:
Rights under GDPR / UK GDPR
If you are in the EU, UK, or EEA, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Request data portability (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with your local supervisory authority
Rights under CCPA / CPRA (California Residents)
If you are a California resident, you have the right to:
- Know what personal information is collected about you and how it is used
- Delete personal information we have collected (subject to legal exceptions)
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information (we do not sell or share personal information)
- Limit use of sensitive personal information
- Be free from discrimination for exercising your rights
Rights under LGPD (Brazil)
If you are in Brazil, under the Lei Geral de Proteção de Dados you have the right to: confirmation of processing, access, correction, anonymization or deletion, portability, information about sharing, information about the consequences of denying consent, and revocation of consent.
Rights under PIPEDA (Canada)
If you are in Canada, under the Personal Information Protection and Electronic Documents Act you have the right to access your personal information, challenge its accuracy, and withdraw consent subject to legal and contractual restrictions.
Rights under the Australian Privacy Principles
If you are in Australia, under the Privacy Act 1988 (Cth) you have the right to access and correct your personal information. Complaints may be lodged with the Office of the Australian Information Commissioner (OAIC).
To exercise any of these rights, contact us at privacy@palmfitness.app or visit your account privacy settings. We will respond within 30 days.
8. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. In jurisdictions where the digital consent age is higher (up to 16 under GDPR), we require verifiable parental consent before processing personal data from a child.
If you believe we have collected personal data from a child without appropriate consent, please contact us at privacy@palmfitness.app and we will promptly delete it.
9. Cookies and Similar Technologies
We use cookies and similar tracking technologies to operate the Service and remember your preferences. Our Service uses the following cookies:
- sb-access-token (strictly necessary) — Supabase auth session, 1 hour, first-party
- sb-refresh-token (strictly necessary) — Supabase auth session refresh, 30 days, first-party
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. For users in the EU/UK, non-essential cookies are only set after you opt in. Rejecting non-essential cookies will not prevent you from using the core features of the Service.
10. Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, audit logging, and regular security reviews. No method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date above and, where appropriate, by direct notice. Your continued use of the Service after a change constitutes acceptance of the updated Policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us:
- General inquiries: hello@palmfitness.app
- Privacy: privacy@palmfitness.app
You may also reach us through our contact page.