
Privacy Policy (UK GDPR / EU GDPR)
1) Who we are and how to contact us
Shifted.Fitness is provided by Shifted.Labs Ltd ("we", "our", "us"). We are the data controller for personal data processed in connection with our app and website.
Contact: hello@shifted.fitness
Postal: 64 Bell Street, London, NW1 6SP, United Kingdom
If you are in the UK, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). If you are in the EEA, you may also complain to your local supervisory authority. We will cooperate with them.
EEA Representative (Article 27 GDPR): Because we are UK‑based and offer services in the EEA, we may be required to appoint an EU representative. We will update this section with details once appointed.
2) Scope
This policy covers personal data we process when you use the Shifted.Fitness mobile/web app, our website, support channels, and related services (collectively, the “Services”).
3) The data we collect
We collect and process the following categories of data (exact fields vary by feature and your choices):
- Account & Identity Data: name, email, password or auth tokens, country/region, app store IDs.
- Profile & Preferences: training goals, experience level, equipment access, dietary preferences, sleep patterns, cycle phase, wellness inputs, and similar information you choose to provide to personalise workouts and nutrition.
- Health/Wellness Data (special category): Some profile data may reveal health information (e.g., symptoms, cycle data, injuries). We only process such data with your explicit consent and solely to provide personalisation and support.
- User‑Generated Content: short exercise videos/photos you upload for form feedback and progress tracking. We host these on Cloudinary and delete them within ~24 hours of upload.
- In‑App Interactions: messages/questions you submit to our coaching features (including AI‑assisted chat), feature usage events, and preferences.
- Device & Technical Data: device model, OS, app version, IP address, language, crash logs, diagnostics, and basic analytics necessary to run and secure the Services.
- Communications: support requests, feedback, survey responses.
- Pseudonymous Identifiers: in‑app User ID that ties your profile, events, and content together to deliver the service (not publicly visible), and app/store identifiers as applicable.
We do not deliberately collect data from children (see Section 12).
4) How we use your data (purposes)
We use personal data to:
- Provide and personalise training and nutrition plans and app features.
- Offer AI‑assisted coaching (see Section 7) to answer your questions and generate tailored guidance.
- Process your uploads (video/photos) for quick analysis and feedback, then delete media from our media host within ~24 hours.
- Maintain safety and security, including fraud and abuse prevention, and to protect our users and Services.
- Operate, maintain, and improve the Services, including troubleshooting, support, and product analytics.
- Communicate with you, such as service updates, security alerts, and—with your consent—optional marketing.
- Comply with legal obligations and enforce our Terms.
5) Our legal bases (UK GDPR / EU GDPR)
Depending on the context, we rely on:
- Performance of a contract (to deliver the app, account, and core features you request).
- Consent (for: processing health/wellness data; certain optional analytics/marketing; push notifications where consent is required). You can withdraw consent at any time in‑app or by contacting us.
- Legitimate interests (to keep the service secure, prevent abuse, measure basic service performance, and improve features in privacy‑preserving ways). We balance these interests against your rights and expectations.
- Legal obligations (to comply with applicable laws/regulatory requests).
6) Sharing your data
We do not sell your personal data. We share data only with:
- Service providers (processors) who help us run the Services under written contracts, including confidentiality and data protection terms. Key providers currently include:
  - Adalo (app/database hosting and infrastructure)
  - Netlify Functions (serverless backend execution for app features)
  - Cloudinary (temporary media hosting for your video/photo uploads; auto‑deletion target ~24h)
  - OpenAI (AI processing to generate responses to your questions)
  - (If used) crash reporting, error monitoring, and basic analytics tools
- Professional advisers (legal/financial) under confidentiality.
- Authorities when required by law or to protect rights, safety, and security.
We require our processors to only process data on our instructions, implement appropriate security, and support our compliance.
7) AI features and your data
When you ask questions or use AI‑powered features, we send the relevant parts of your inputs (and, where needed, profile context) to our AI provider to generate a response. We aim to minimise what is sent and configure provider settings to enhance privacy where available.
- Training: We instruct our AI provider not to use your data to train public models where a control is offered.
- Quality & Safety: We may retain limited logs to operate the feature safely and to address abuse, errors, or misuse.
- Important: AI may occasionally make mistakes or produce content that is incomplete; please treat outputs as general guidance only (see the medical disclaimer in our Terms).
8) International transfers
We are UK‑based and some providers are located outside the UK/EEA. Where data is transferred internationally, we rely on approved transfer mechanisms (e.g., UK IDTA, EU Standard Contractual Clauses, and/or adequacy decisions) and implement additional safeguards where appropriate.
9) Data retention
- Account & Profile Data: kept while you have an account and for a reasonable period afterwards (e.g., to manage queries, exercise/defend legal claims, or comply with law). We then delete or anonymise.
- Health/Wellness Data: retained only as long as needed for the personalisation purpose or until you withdraw consent or delete your account.
- Videos/Photos: deleted from Cloudinary within ~24 hours of upload. (Operational logs or cached thumbnails may persist briefly in backups.)
- Support/Comms & Technical Logs: retained for reasonable operational periods.
You can request deletion at any time (see Section 11).
10) Security
We implement administrative, technical, and organisational measures appropriate to the risk, such as encryption in transit, access controls, least‑privilege practices, and provider due diligence. No method of transmission or storage is 100% secure.
11) Your rights
Under UK/EU data protection law you may have the right to:
- Access your data and receive a copy;
- Correct inaccurate data;
- Delete your data;
- Restrict or object to certain processing;
- Data portability for data you provided; and
- Withdraw consent where processing is based on consent.
To exercise your rights, contact hello@shifted.fitness. We may need to verify your identity. We aim to respond within one month of receipt (and may extend by up to two months for complex requests). Deletion requests can remove account content; you can alternatively request us to delete historic data while keeping your account active. You also have the right to lodge a complaint with the ICO or your local authority.
12) Children and minimum age
The Services are not directed to children. You must be at least 16 in the UK/EEA (or the age of digital consent in your country) and at least 13 elsewhere to use the Services. If you are under 18, you should only use the Services with a parent/guardian’s involvement. If we learn we have collected data from a child contrary to this section, we will delete it.
13) Cookies and similar technologies
If you use our website, we may use cookies or similar technologies for essential operations and, with your consent where required, for analytics/experience improvements. Details are in our Cookie Policy.
14) Changes to this policy
We will update this policy from time to time. Material changes will be notified in‑app or by email where appropriate.