Privacy Policy

Who we are

Finished Fitness is operated by ABC AUSTRIAN BUSINESS COMPANY LIMITED, a private limited company registered in England and Wales (company number 10894419), registered office at 99a High Road, Beeston, Nottingham, England, NG9 2LH. For privacy enquiries, contact privacy@finishedfitness.com.

We are the data controller for personal data you give us directly. Coaches who use our platform to manage clients are independent data controllers for their own clients' data.

What we collect

You give us directly

• Account info: email address, password (stored hashed), name, role (member or coach).
• Profile: age, weight, goal weight, training days per week, experience level, profile photo (optional).
• Training data: workout logs, exercise history, nutrition logs, body measurements, water intake.
• Coaching data: if you're a coach, the client invitations and notes you create. If you're a client, what your coach assigns to you.
• Payment info: we don't see your card details. PayPal handles all payments; we only receive a subscription ID and your PayPal account email.

Automatically

• Sign-in records: timestamps, browser session ID (HttpOnly cookie used to enforce one device per account).
• Server logs: IP address, browser type, pages visited, errors. Kept for 30 days.

Why we use it (lawful bases under UK GDPR)

• To provide the service (Article 6(1)(b), contract): authentication, syncing your training data, billing, customer support.
• To improve the product (Article 6(1)(f), legitimate interests): anonymous aggregate analytics, debugging.
• To send transactional emails (Article 6(1)(b)): password resets, billing receipts, subscription notices.
• Marketing (Article 6(1)(a), consent): only if you opt in. You can opt out any time.

Who we share data with

We share only the minimum necessary, only with these processors:

• Supabase (database + auth, hosted in [REGION, e.g. eu-west-1]) — stores your account and training data.
• Vercel (hosting) — serves the app; sees IPs in server logs.
• PayPal (payments) — handles your subscription. Their privacy policy applies to payment details.
• Google (only if you sign in with Google) — receives your email + name from Google as the OAuth provider.
• Your coach (only if you accept a coach invite) — they see your workouts, weight, measurements, and notes you write for them. You can leave anytime.

We never sell personal data. We never share it for third-party marketing.

How long we keep it

• Account data: until you delete the account, then up to 30 days in backups.
• Workout / nutrition history: same as account.
• Billing records: 6 years (UK HMRC requirement under the Companies Act 2006).
• Server logs: 30 days.

Your rights (UK GDPR)

You can ask us to:

• Show you a copy of what we hold about you (right of access).
• Correct anything that's wrong (rectification).
• Delete your account and personal data (erasure).
• Export your data in a portable format (portability).
• Stop us from processing your data (object / restrict).

Email privacy@finishedfitness.com with your request. We respond within 30 days. If you're unhappy with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk.

International transfers

Some processors (e.g. PayPal) may move data outside the UK/EEA. When they do, we rely on the UK's International Data Transfer Agreement or the equivalent EU SCCs to keep the data protected.

Cookies

We use only the cookies strictly necessary to run the app:

• sb-* — Supabase authentication.
• ff_session_id — one-device-at-a-time enforcement.
• NEXT_LOCALE — remembers your language preference.

No analytics cookies. No advertising cookies.

Changes to this policy

We'll update the "Last updated" date above when this changes. For material changes affecting your rights, we'll email you before they take effect.

Contact

Privacy questions: privacy@finishedfitness.com. General support: support@finishedfitness.com.