This Privacy Policy explains how Pretty Strong ("we", "us", "our") collects, uses, discloses, and protects your information when you use the Pretty Strong mobile app and related services (the "Service"). Please read this policy carefully. If you do not agree, do not use the Service.
If you have any questions, contact us at: evevictoriabyrne@gmail.com.
1. Who we are
- App: Pretty Strong by Eve Victoria ("Pretty Strong")
- Role: Data Controller for personal data processed via the app
- Contact: evevictoriabyrne@gmail.com
- Primary data hosting: Supabase (EU–West where available)
2. What we collect
We collect the minimum information necessary to provide coaching features and maintain account security. Depending on how you use the Service, this may include:
Account & Profile
- Full name, email address, password (hashed)
- Profile details configured by you (e.g., age), avatar
- Invitation status
Health & Fitness Data (special category data)
- Weekly check‑in data (photos, text answers)
- Measurements and weight (as configured during onboarding or check‑ins)
- Workout logs and completion data
- Nutrition logs and barcode scan results (via Open Food Facts)
Messaging & Media
- Messages between you and your coach
- Voice notes and media attachments (stored in Supabase Storage with signed URLs)
Device & Usage
- Device model, OS, app version
- Push notification token (for reminders/alerts, if enabled)
- Basic usage analytics needed to operate the Service
Sources of data include information you provide and operations within the Service.
3. Why we collect it (purposes and legal bases)
We process data to:
- Provide the Service and core features (workouts, check‑ins, progress, messaging, nutrition logging) – Contractual necessity
- Maintain accounts, authenticate users, and secure the platform – Legitimate interests and Contract
- Send reminders and alerts (workouts, check‑ins, messages) – Consent (push notifications) and/or Legitimate interests
- Display progress analytics and insights – Legitimate interests and/or Contract
- Provide support and fix issues – Legitimate interests
- Comply with legal obligations (e.g., accounting, regulatory requests) – Legal obligation
For special category data (e.g., health‑related data like check‑in photos, measurements, weight), we rely on your explicit consent at onboarding and where applicable inside the check‑in flow. You may withdraw consent at any time (see Section 9), though this may limit functionality.
4. How we store and protect your data
We take data security seriously and implement multiple layers of protection:
- Encryption: All data is encrypted in transit using TLS/SSL protocols and encrypted at rest in our database. Your passwords are hashed using industry-standard algorithms.
- Secure hosting: Data is hosted on Supabase infrastructure (PostgreSQL, Auth, Storage) with enterprise-grade security measures and regular security audits.
- Access controls: Row‑Level Security (RLS) policies ensure that you can only access your own data. Coaches can only access data for their assigned clients. All service roles follow the principle of least privilege.
- Media protection: Check‑in photos, avatars, and attachments are stored securely in Supabase Storage. Access is controlled through time‑limited signed URLs, ensuring media files cannot be accessed without proper authorization.
- Application security: We implement defensive input validation, secure authentication flows, and regular security reviews to protect against common vulnerabilities.
- Account security: We use secure authentication methods and recommend you use a strong, unique password. You can manage your account security settings within the app.
We continuously monitor and update our security practices to protect your information and maintain compliance with data protection standards.
5. How long we keep data (retention)
We retain data for as long as your account is active and for a reasonable period thereafter to support the Service, comply with legal obligations, resolve disputes, and enforce agreements. Where feasible, we de‑identify or aggregate data. If you request deletion, we will delete or anonymize personal data subject to lawful retention requirements and backup constraints.
6. When we share data
We do not sell your personal information. We may share limited data with:
- Service providers (data processors):
  - Supabase (hosting, database, storage, authentication)
  - Expo (push notification delivery, if enabled)
  - Open Food Facts (nutrition barcode lookups) – requests may include barcode data
- Coaches/admins associated with your account (access scoped by RLS and product UI)
- Legal/regulatory authorities where required by law or to protect rights/safety
International transfers: Some providers may process data in locations outside your country (including the UK/EU). We use appropriate safeguards, such as Standard Contractual Clauses, where required.
7. Cookies and similar technologies
The mobile app relies primarily on secure tokens and device storage rather than cookies. If a web interface is used, cookies may be used for session management.
8. Your choices
- App permissions: Camera, Photos/Library, and Microphone access are optional, but required to use the related features (check-in photos, voice notes, barcode scanning).
- Notifications: You can enable/disable notifications in your device settings.
- Profile edits: You can update your name, avatar, and profile information in the app.
9. Your rights
Subject to applicable law (e.g., UK GDPR/EU GDPR), you have rights to:
- Access, correct, or delete your personal data
- Restrict or object to certain processing
- Data portability
- Withdraw consent (e.g., for health data or push notifications)
- Lodge a complaint with a supervisory authority (e.g., the UK ICO)
To exercise rights, use in‑app options (e.g., "Delete Account" request) or contact evevictoriabyrne@gmail.com. We may need to verify your identity.
10. Children's privacy
The Service is intended for individuals aged 13 and over. If we learn a child under 13 has provided personal data, we will delete it. If you believe this has occurred, contact us.
11. Changes to this Policy
We may update this Policy to reflect changes to our practices or for legal reasons. We will post the new effective date and, where appropriate, notify you in‑app. Continued use of the Service after changes constitutes acceptance.
12. Contact
Pretty Strong – Privacy
Email: evevictoriabyrne@gmail.com