Privacy Policy
Last Updated: February 10, 2026
Introduction
Welcome to phase.fitness ("we," "our," or "us"), a product of GrowthClan Inc. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our fitness application and services.
Information We Collect
Information You Provide
- Account Information: Name, email address, password
- Profile Data: Age, gender, fitness goals, workout preferences
- Payment Information: Processed securely through Stripe (we do not store credit card details)
- Workout Data: Exercise routines, sets, reps, weights, and progress tracked through fitness platform integrations
Automatically Collected Information
- Usage Data: App interactions, features used, session duration
- Device Information: Device type, operating system, unique device identifiers
- Analytics Data: Aggregated usage statistics to improve our services
Third-Party Integrations
- Fitness Platform Integrations: Workout and activity data synced from your connected fitness platforms (with your explicit authorization)
- We only access data you explicitly authorize us to access
- You can revoke any integration access at any time from your account settings
How We Use Your Information
We use your personal data to:
- Provide and maintain phase.fitness services
- Process your subscription payments (Free, Pro, or Elite tiers)
- Sync your workout data with authorized fitness platforms
- Import training data from connected platforms (with your authorization)
- Generate personalized, periodized workout programs based on your complete training profile
- Analyze your training load to prevent overtraining and optimize recovery
- Improve app functionality and user experience
- Send important service updates and notifications
- Respond to your support requests
- Comply with legal obligations
Important: Your fitness data from integrations is used exclusively for generating your personalized programs. We never use this data for advertising, marketing to third parties, or any purpose beyond improving your training experience.
Data Sharing and Disclosure
We do NOT sell your personal information. We may share data with:
Service Providers
- Stripe: Payment processing (PCI-DSS compliant)
- Fitness Platform Integrations: Training data synchronization (with your explicit consent via OAuth 2.0)
- Analytics Services: Aggregated, anonymized usage data only
All service providers are bound by strict data processing agreements and security requirements.
Legal Requirements
We may disclose your information if required by law or to:
- Comply with legal processes
- Protect our rights and safety
- Prevent fraud or security issues
Fitness Data Integrations
We integrate with fitness platforms to provide you with personalized workout programs based on your actual training data. Here's how we handle data from each integration:
Connected Fitness Platforms
Data Collected:
- Workout history (exercises, sets, reps, weights, activities)
- Training volume and frequency
- Performance metrics (pace, heart rate zones, distances, durations)
- Exercise preferences and progress data
- Activity timestamps and patterns
Purpose: Generate comprehensive training programs that align with your actual training experience, capacity, and recovery needs. Analyze your total training load to create balanced programs that prevent overtraining and optimize performance.
Your Control: You can disconnect any fitness platform integration at any time from your account settings. Upon disconnection, we stop syncing new data but retain historical data necessary for program continuity unless you request deletion.
Data Processing Safeguards
- Purpose Limitation: Integration data is used ONLY for generating personalized workout programs
- No Cross-Sharing: We never share your data between different fitness platforms or with third parties
- No Third-Party Sales: Your fitness data is never sold, rented, or shared with advertisers or data brokers
- Encryption: All imported data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Data Minimization: We only import the minimum data necessary for program generation
- Retention: Integration data is retained only while your account is active or as long as needed for service continuity
OAuth Security
All fitness platform integrations use industry-standard OAuth 2.0 authentication:
- We never access your fitness platform passwords
- You grant explicit, revocable permission for specific data access
- Access tokens are securely stored and regularly rotated
- You can monitor and revoke access at any time
Data Security
We take data security extremely seriously and implement enterprise-grade security measures to protect your information:
Infrastructure Security
- Certified Infrastructure: Hosted on SOC 2 Type II and ISO 27001:2022-certified infrastructure
- Hosting: Vercel (SOC 2 Type II, ISO 27001, HIPAA, PCI DSS compliant)
- Database: Neon (SOC 2 Type II, ISO 27001:2022, ISO 27701:2019 compliant)
- Continuous Monitoring: Multi-layered security architecture with 24/7 threat detection
- Compliance: Full GDPR, CCPA, and HIPAA compliance
Data Encryption
- In Transit: TLS 1.3 encryption for all data transmission
- At Rest: AES-256 encryption for all stored data
- Key Management: Secure key rotation policies using AWS KMS and Azure Key Vault
Access Controls
- Authentication: Enterprise-grade authentication system (Clerk) with:
  - Strong password enforcement (60-bit entropy minimum)
  - Optional two-factor authentication (2FA)
  - Session management and automatic timeout
- Authorization: Role-based access control (RBAC) with principle of least privilege
- Data Isolation: User data is fully segregated and pseudonymized
Security Practices
- Regular Audits: Annual third-party security audits and penetration testing
- Vulnerability Management: Continuous scanning and rapid remediation
- Incident Response: 24/7 security operations center with defined response procedures
- Access Logging: Comprehensive audit trails for all data access
Data Processing Limitations
- Purpose Limitation: Your data is used exclusively for generating personalized workout programs
- No Data Selling: We never sell, rent, or share your personal data for marketing purposes
- Minimal Data Collection: We only collect data necessary for service functionality
- Automatic Deletion: Data is automatically purged when no longer needed
However, no method of transmission over the internet is 100% secure. While we implement industry-leading security measures, we cannot guarantee absolute security.
Your Rights and Choices
You have the right to:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and data
- Data Portability: Export your workout data in standard formats
- Opt-out: Unsubscribe from marketing communications
- Revoke Integration Access: Disconnect any fitness platform integration at any time through your account settings or directly through the respective platform
- Data Deletion from Integrations: Request deletion of all data imported from fitness integrations
To exercise these rights, contact us at privacy@growthclan.com or manage integration settings directly in your account dashboard.
Data Retention
We retain your data for as long as your account is active. If you delete your account:
- Account data is deleted within 30 days
- Workout history is permanently removed
- Backup copies are deleted within 90 days
- Payment records are retained as required by law (typically 7 years)
Cookies and Tracking
We use cookies and similar technologies to:
- Maintain your login session
- Remember your preferences
- Analyze app usage (with your consent)
You can manage cookie preferences through our cookie consent banner.
Children's Privacy
phase.fitness is not intended for users under 13 years old. We do not knowingly collect data from children under 13. If we discover such data, we will delete it immediately.
International Data Transfers
Your data may be transferred to and processed in countries outside your residence. We ensure adequate protection through:
- Standard contractual clauses
- Privacy Shield frameworks (where applicable)
- Equivalent data protection measures
Changes to This Policy
We may update this privacy policy periodically. We will notify you of significant changes via:
- Email notification
- In-app notification
- Updated "Last Updated" date at the top of this policy
Continued use of phase.fitness after changes constitutes acceptance.
Third-Party Links
Our app may contain links to third-party services. We are not responsible for their privacy practices. Please review their policies separately.
Contact Us
For privacy-related questions or requests:
GrowthClan Inc.
Email: privacy@growthclan.com
General Inquiries: info@growthclan.com
Address: 2261 Market Street, San Francisco, CA 94114, United States
EIN: 37-2173633
Legal Basis for Processing (GDPR)
For EU/UK users, we process your data based on:
- Contract Performance: Providing phase.fitness services
- Consent: Analytics, marketing, third-party integrations
- Legitimate Interests: App improvement, fraud prevention
- Legal Obligations: Tax, accounting, legal compliance
California Privacy Rights (CCPA)
California residents have additional rights:
- Right to know what personal information is collected
- Right to deletion
- Right to opt-out of sale (we don't sell data)
- Right to non-discrimination
Contact us to exercise these rights.
Governing Law: This policy is governed by California law.
Questions? We're here to help. Contact us anytime at privacy@growthclan.com.