Privacy Policy
Last updated: March 25, 2026
1. Controller and Contact Information
The controller responsible for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and other applicable data protection laws is:
Stolzenburg Ventures UG (haftungsbeschränkt)
c/o IP-Management #7306
Ludwig-Erhard-Straße 18
20459 Hamburg, Germany
Email: contact@methodstrength.app
We have not appointed a Data Protection Officer, as the conditions under Art. 37 GDPR in conjunction with Section 38 of the German Federal Data Protection Act (BDSG) are not met. For all data protection inquiries, please contact us at the email address above.
1.1 UK Representative
For users in the United Kingdom: In accordance with Article 27 UK GDPR, we are in the process of appointing a UK representative. Until a representative has been formally appointed, please direct any inquiries to the email address above.
1.2 Scope of This Policy
This Privacy Policy applies to all users of the Method Strength application (app.methodstrength.app), regardless of their location. This policy covers users in the European Economic Area (EEA), the United Kingdom (UK), the United States (US), Australia (AU), Canada (CA), and all other jurisdictions from which the application may be accessed.
Where this policy refers to "GDPR," this includes both the EU GDPR (Regulation 2016/679) and the UK GDPR (as incorporated into UK law by the Data Protection Act 2018), unless otherwise specified.
2. General Information on Data Processing
2.1 Scope
We only process personal data to the extent necessary to provide a functional application and our services. Personal data is generally only processed with the user's consent or where processing is permitted by applicable law.
2.2 Legal Bases for Processing
We process personal data on the following legal bases:
- Consent (Art. 6(1)(a) GDPR): Where we have obtained the data subject's consent.
- Contractual necessity (Art. 6(1)(b) GDPR): Where processing is necessary for the performance of a contract or pre-contractual measures.
- Legal obligation (Art. 6(1)(c) GDPR): Where processing is necessary for compliance with a legal obligation.
- Legitimate interests (Art. 6(1)(f) GDPR): Where processing is necessary for our legitimate interests, provided these are not overridden by the data subject's rights and freedoms.
- Explicit consent for special categories (Art. 9(2)(a) GDPR): For health-related data (physical limitations), we rely on explicit consent.
2.3 Data Retention and Deletion
Personal data is deleted or restricted once the purpose of storage no longer applies. Data may be retained beyond this period where required by EU, UK, or national legislation. Data is also deleted when a statutory retention period expires, unless continued storage is necessary for the conclusion or performance of a contract.
3. Application Hosting
3.1 Vercel (Hosting and Content Delivery)
Our Progressive Web App (PWA) is hosted by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA).
Each time you access the application, the following data is automatically collected by the hosting provider:
- IP address of the requesting device
- Date and time of access
- Browser type and version
- Operating system
- Referrer URL
- Requested URL
- Data volume transferred
- HTTP status code
This data is stored in server log files.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the stable and secure provision of the application).
Retention period: Server log files are stored by Vercel in accordance with their privacy policy and deleted after a maximum of 30 days.
International transfer: Vercel processes data in the USA. Transfers are based on the EU-US Data Privacy Framework (DPF) adequacy decision under Art. 45 GDPR. Vercel is DPF-certified. Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR are in place as an additional safeguard. For UK users, transfers are covered by the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU SCCs.
More information: https://vercel.com/legal/privacy-policy
4. User Account and Authentication
4.1 Registration and Login (Supabase Auth)
Use of our application requires the creation of a user account. Authentication is provided by Supabase (Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992 / US infrastructure).
The following data is processed during registration:
- Email address
- Password (stored in encrypted/hashed form only)
- Registration timestamp
- Authentication tokens (session management)
Legal basis: Art. 6(1)(b) GDPR (contractual necessity — registration is a prerequisite for using the application).
Retention period: Until the user account is deleted by the user or upon their request.
4.2 Third-Party Login (Social Login)
As an alternative to email/password registration, we offer the option to sign in via the following third-party providers:
4.2.1 Google Sign-In
When signing in via Google, you are redirected to a login page operated by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) or Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Upon your authorisation, Google transmits the following data to our application (via Supabase Auth):
- Email address
- Name (first and last name)
- Profile picture URL
- Google user ID (unique identifier)
We use this data solely to create and manage your user account. Your name and profile picture are not displayed in the application or otherwise processed unless you actively choose to do so. The Google user ID is used exclusively for identification during future logins.
Google acts as an independent controller for the data processing that takes place on its platform (including the login page and management of your Google credentials).
International transfer: Google LLC is certified under the EU-US Data Privacy Framework (DPF). SCCs and, for UK users, the UK IDTA/Addendum are additionally in place.
More information: https://policies.google.com/privacy
4.2.2 Apple Sign-In
When signing in via Apple, you are redirected to a login page operated by Apple Inc. (One Apple Park Way, Cupertino, CA 95014, USA) or Apple Distribution International Ltd. (Hollyhill Industrial Estate, Cork, Ireland). Upon your authorisation, Apple transmits the following data:
- Email address (either your real email address or an Apple-generated, anonymised relay address via the "Hide My Email" feature)
- Name (first and last name, provided only on first login, editable by the user before transmission)
- Apple user ID (unique, app-specific identifier)
Apple allows users to hide their actual email address. In this case, we receive an Apple-generated relay address that forwards emails to your real address.
Apple acts as an independent controller for the authentication process.
International transfer: Processing takes place in the EU (Apple Distribution International Ltd., Ireland) and/or the USA. Apple is certified under the EU-US DPF. SCCs and, for UK users, the UK IDTA/Addendum are additionally in place.
More information: https://www.apple.com/legal/privacy/
4.2.3 Facebook Login
When signing in via Facebook, you are redirected to a login page operated by Meta Platforms Ireland Limited (Merrion Road, Dublin 4, D04 X2K5, Ireland) or Meta Platforms, Inc. (1 Hacker Way, Menlo Park, CA 94025, USA). Upon your authorisation, Meta transmits the following data:
- Email address
- Name (first and last name)
- Profile picture URL
- Facebook user ID (unique identifier)
We only request basic profile information and email address (scope: email, public_profile). We do not request access to any additional data (such as friends lists, posts, or other account information).
Meta acts as an independent controller for the data processing that takes place on its platform.
International transfer: Meta Platforms, Inc. is certified under the EU-US DPF. SCCs and, for UK users, the UK IDTA/Addendum are additionally in place.
More information: https://www.facebook.com/privacy/policy/
4.2.4 General Information on Social Login
Legal basis: Art. 6(1)(b) GDPR (contractual necessity — login is a prerequisite for using the application). The choice of login method (email/password or social login) is at the user's discretion.
Scope of processing: Regardless of the chosen login method, we only store in our database the data required for account management (email address, authentication provider, provider user ID). Profile pictures and names are not permanently stored by us unless you actively incorporate them into your profile.
Unlinking: You may unlink your account from the third-party provider in the application settings and switch to email/password login. You may also revoke our application's access at any time via the account settings of the respective third-party provider.
We do not receive your password at the third-party provider or any data from your third-party account beyond the data listed above.
4.3 Profile Data and Onboarding
During the onboarding process and ongoing use, we collect the following profile data:
- Year of birth
- Gender
- Training experience (beginner, intermediate, advanced)
- Available equipment (home gym, commercial gym, minimal)
- Training goals (muscle building, strength, fitness, recomposition)
- Training frequency (days per week)
- Preferred language (German/English)
Legal basis: Art. 6(1)(b) GDPR (contractual necessity — this data is required to generate a personalised training plan).
4.4 Health-Related Data (Special Categories)
We collect information about physical limitations and health contraindications (e.g. knee, shoulder, or back problems). This data constitutes special category personal data within the meaning of Art. 9(1) GDPR.
The processing of this data is only permitted with your explicit consent under Art. 9(2)(a) GDPR. Consent is obtained during the onboarding process through an active confirmation (checkbox). This data is used exclusively for the purpose of safe training plan generation — specifically, to replace potentially dangerous exercises with safe alternatives based on your individual limitations.
Withdrawal of consent: You may withdraw your consent at any time with effect for the future by deleting your limitations in the application settings or by contacting us via email.
Retention period: Until deletion by the user or deletion of the user account.
5. Database and Data Storage
5.1 Supabase (PostgreSQL Database)
All user data (profile data, training plans, workout logs, feedback, reviews) is stored in a PostgreSQL database provided by Supabase, Inc.
The database is protected by Row Level Security (RLS). This means that each user can only access their own data — technical access to other users' data is prevented at the database level.
Data processed:
- Profile data (see Section 4)
- Training plans (exercises, sets, repetitions, weights)
- Workout logs (exercises performed, actual weights and repetitions, RPE values, duration)
- Post-workout feedback (session rating, problems, energy level, qualitative tags)
- Weekly and monthly AI reviews
- Subscription and payment status (tier, Stripe customer ID, subscription status)
Legal basis: Art. 6(1)(b) GDPR (contractual necessity).
Retention period: Until deletion of the user account. After deletion, all personal data is removed from the database and all backups within 30 days.
International transfer: Supabase operates infrastructure in the USA. Transfers are based on Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR, supplemented by technical safeguards (encryption in transit and at rest). For UK users, the UK IDTA/Addendum applies.
More information: https://supabase.com/privacy
5.2 Local Data Storage (IndexedDB / Dexie.js)
Our application uses the browser-based technology IndexedDB (via the Dexie.js library) to store training data locally on your device. This enables offline use of the application — in particular, logging workouts without an active internet connection.
Locally stored data includes:
- Active and past training plans
- Workout logs
- AI feedback and reviews
- Synchronisation queue (data not yet transmitted to the server)
This data only leaves your device during synchronisation with our database (Supabase) when an internet connection is available.
Legal basis: Art. 6(1)(b) GDPR (contractual necessity) and Art. 6(1)(f) GDPR (legitimate interest in offline functionality).
Deletion: You may delete locally stored data at any time via your browser settings (clear website data) or by uninstalling the PWA.
6. AI-Powered Training Planning (Claude API)
6.1 Purpose and Functionality
A core feature of our application is the AI-powered creation and adaptation of personalised training plans. For this purpose, we use the API of Anthropic, PBC (548 Market Street, PMB 90375, San Francisco, CA 94104, USA) — specifically, the Claude Sonnet language model.
The AI is used for the following purposes:
- Generation of an initial, personalised training plan upon registration
- Post-workout feedback with micro-adjustments (weights, repetitions)
- Weekly reviews (pattern recognition, volume adjustments)
- Monthly reviews (long-term progression, programme changes)
6.2 Data Transmitted to Anthropic
For each AI call, the following data is transmitted to the API:
- Training experience and goals
- Available equipment
- Physical limitations (if provided)
- Training frequency
- Current and past workout data (exercises, weights, repetitions, RPE values)
- Qualitative tags and notes from workouts
- Language setting (German/English)
The following data is expressly not transmitted: email address, name, year of birth, or any other directly identifying information. Data is minimised to the extent necessary for training plan generation before transmission.
6.3 Processing by Anthropic
Anthropic processes the transmitted data solely for the purpose of generating the requested training recommendation. In accordance with Anthropic's API Terms of Service:
- Data submitted via the API is not used to train AI models
- Data is retained for a maximum of 30 days for security and abuse detection purposes
- Data is not shared with third parties beyond the contractually agreed purposes
We have concluded a Data Processing Addendum (DPA) with Anthropic governing the processing in accordance with Art. 28 GDPR.
Legal basis: Art. 6(1)(b) GDPR (contractual necessity — AI-powered training planning is an essential component of the service). Where health-related data (limitations) is processed: Art. 9(2)(a) GDPR (explicit consent).
International transfer: Anthropic processes data in the USA. Transfers are based on Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR in conjunction with the DPA. Additional technical safeguards apply (encryption in transit, minimised datasets, 30-day retention limit). For UK users, the UK IDTA/Addendum applies.
More information: https://www.anthropic.com/privacy
7. Payment Processing (Stripe)
7.1 Purpose
For the processing of paid subscriptions (Pro Monthly, Pro Annual, Lifetime), we use the payment service provider Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA) and, within Europe, Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Dublin 2, Ireland).
7.2 Data Processed
Payment processing is handled entirely through Stripe Checkout — a hosted payment page operated by Stripe. At no point do payment details (credit card numbers, bank details) reach our servers.
Data processed by Stripe:
- Payment method (credit card details, bank account details, etc.)
- Billing address (for VAT calculation via Stripe Tax)
- Email address (for payment confirmations)
- Transaction amounts and timestamps
- Subscription status (active, cancelled, past due)
Data stored on our side:
- Stripe customer ID (anonymous reference)
- Subscription tier (Free, Pro, Lifetime)
- Subscription status
- Subscription expiry date
7.3 Stripe Customer Portal
For self-service management of your subscription (cancellation, payment method changes, invoice history), we use the Stripe Customer Portal. When accessing the portal, you are redirected to a page hosted by Stripe.
Legal basis: Art. 6(1)(b) GDPR (contractual necessity — processing of the subscription agreement).
International transfer: Stripe is certified under the EU-US Data Privacy Framework (DPF). Payment processing within the EU is primarily handled by the Irish subsidiary (Stripe Payments Europe, Ltd.). SCCs are additionally in place. For UK users, the UK IDTA/Addendum applies.
Retention period: Stripe retains payment data in accordance with statutory retention obligations (particularly tax and commercial law: up to 10 years). Our reference data (Stripe customer ID, subscription status) is retained until deletion of the user account.
More information: https://stripe.com/privacy
8. Image Delivery (ImageKit)
For the delivery of exercise images in our exercise library, we use the content delivery network (CDN) service ImageKit.io (ImageKit Private Limited, India / global CDN infrastructure).
Each time an exercise image is loaded, your IP address is transmitted to ImageKit for the purpose of delivering the image. No user-related profiles are created; these are purely static image assets without personalised content.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the performant delivery of media content via CDN).
International transfer: ImageKit may process data in various countries as part of CDN operations. Transfers are based on Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR. For UK users, the UK IDTA/Addendum applies.
More information: https://imagekit.io/privacy-policy
9. Rate Limiting (Upstash Redis)
To protect against abuse and to enforce usage quotas (particularly for AI features), we use Upstash (Upstash, Inc., USA) as a Redis database.
Data processed:
- User ID (anonymised internal identifier)
- API call counters per time window
- Timestamps of recent calls
No substantive usage data (training plans, workout data) is stored in Upstash.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protection against abuse and enforcement of fair usage quotas).
Retention period: Rate-limiting data is automatically deleted after the relevant time window expires (maximum 30 days).
International transfer: Upstash operates infrastructure in the USA. Transfers are based on SCCs under Art. 46(2)(c) GDPR. For UK users, the UK IDTA/Addendum applies.
More information: https://upstash.com/privacy
10. Web Analytics (Plausible Analytics)
We use Plausible Analytics (Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia) for statistical analysis of the use of our application.
Plausible Analytics is a privacy-friendly analytics tool that:
- Does not set cookies
- Does not collect personal data
- Does not store IP addresses
- Is fully GDPR-compliant and operates without requiring consent
- Processes data exclusively in the EU (Germany, Estonia)
Analysis is based on aggregated, anonymous data points such as page views, session duration, referrer, and device type. It is technically impossible to trace any data back to individual users.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in statistical analysis to improve the service).
No cookie consent required: Since Plausible does not set cookies and does not process personal data, no consent via a cookie banner is required under the ePrivacy Directive or applicable national implementations.
More information: https://plausible.io/data-policy
11. Service Worker and PWA Functionality (Serwist)
Our application uses a service worker (via the Serwist library) that provides the following functions:
- Caching: Static resources (HTML, CSS, JavaScript, images) are cached locally on your device to enable use of the application without an internet connection.
- Background synchronisation: Workout data recorded offline is automatically synchronised when an internet connection becomes available.
- Automatic updates: The service worker updates the application in the background without requiring reinstallation.
The service worker does not process any personal data beyond the local storage described in Section 5.2. All cached data remains on your device and is managed through standard browser functionality.
Legal basis: Art. 6(1)(b) GDPR (contractual necessity — offline functionality is an essential component of the PWA).
12. Cookies and Similar Technologies
12.1 Overview
Our application uses exclusively technically necessary cookies and storage technologies:
| Technology | Purpose | Retention | Consent required |
|---|---|---|---|
| Supabase Auth Token | Authentication / session management | Until logout | No (technically necessary) |
| IndexedDB (Dexie.js) | Offline data storage | Until manual deletion | No (technically necessary) |
| Service Worker Cache | Offline availability of the application | Until cache update | No (technically necessary) |
| Language preference (next-intl) | Storage of selected language (DE/EN) | Until manual change | No (technically necessary) |
12.2 No Tracking Cookies
We do not use tracking, advertising, or marketing cookies. No fonts are loaded from external services (such as Google Fonts) — all fonts are delivered locally via the application (self-hosted via next/font).
13. International Data Transfers
Some of our service providers process data outside the European Economic Area (EEA) and the United Kingdom (UK). The following table provides an overview of international transfers and their respective legal bases:
| Service Provider | Location | Data Type | Transfer Mechanism |
|---|---|---|---|
| Vercel, Inc. | USA | Server logs, IP addresses | EU-US DPF + SCCs + UK IDTA |
| Supabase, Inc. | USA | User data, training data | SCCs + technical measures + UK IDTA |
| Anthropic, PBC | USA | Training data (anonymised) | SCCs + DPA + technical measures + UK IDTA |
| Stripe, Inc. | USA/Ireland | Payment data | EU-US DPF + SCCs + UK IDTA |
| Upstash, Inc. | USA | User ID, counters | SCCs + UK IDTA |
| ImageKit Pvt. Ltd. | India/Global | IP address (CDN requests) | SCCs + UK IDTA |
| Google LLC | USA/Ireland | Auth data (email, name, ID) | EU-US DPF + SCCs + UK IDTA |
| Apple Inc. | USA/Ireland | Auth data (email, name, ID) | EU-US DPF + SCCs + UK IDTA |
| Meta Platforms, Inc. | USA/Ireland | Auth data (email, name, ID) | EU-US DPF + SCCs + UK IDTA |
EU-US Data Privacy Framework (DPF): The DPF was recognised as providing an adequate level of data protection by an adequacy decision of the European Commission on 10 July 2023 under Art. 45 GDPR. In September 2025, the General Court of the European Union dismissed an annulment action against the DPF. We continuously monitor the regulatory development of the DPF and maintain SCCs as a fallback mechanism.
UK transfers: For transfers from the UK, we rely on the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office (ICO). Where a service provider is certified under the EU-US DPF, this provides additional assurance, though it does not constitute a formal UK adequacy mechanism.
Transfers to other countries: For transfers to countries outside the EEA and UK that do not have an adequacy decision (e.g. India for ImageKit CDN operations), we rely on SCCs supplemented by technical measures as appropriate.
14. Your Rights as a Data Subject
14.1 Rights Under GDPR and UK GDPR
You have the following rights in relation to your personal data:
- Right of access (Art. 15 GDPR): You may request information about whether and what personal data we process about you.
- Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate or the completion of incomplete data.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data, provided the legal requirements are met.
- Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing of your data.
- Right to data portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 GDPR): You may object to the processing of your data where processing is based on Art. 6(1)(f) GDPR.
- Right to withdraw consent (Art. 7(3) GDPR): You may withdraw any consent given at any time with effect for the future.
14.2 Exercising Your Rights
To exercise your rights, please contact us via email: contact@methodstrength.app
We will process your request without undue delay and in any event within one month.
14.3 Account Deletion
You may delete your user account at any time in the application settings. Upon deletion:
- All personal data in the database (Supabase) is deleted
- All locally stored data (IndexedDB) is cleared upon next synchronisation
- The Stripe customer ID is decoupled from your profile (payment data at Stripe is subject to statutory retention obligations)
14.4 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority under Art. 77 GDPR if you believe that the processing of your personal data is unlawful.
Our lead supervisory authority is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str 22, 7. OG
20459 Hamburg, Germany
Phone: +49 40 428 54 4040
Email: mailbox@datenschutz.hamburg.de
Website: https://datenschutz-hamburg.de
For UK users: You may also lodge a complaint with the Information Commissioner's Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Phone: +44 303 123 1113
Website: https://ico.org.uk
15. Security Measures
We implement appropriate technical and organisational measures in accordance with Art. 32 GDPR to ensure a level of security appropriate to the risk:
- Encryption: All data transmissions are encrypted via TLS/HTTPS.
- Access control: Row Level Security (RLS) at the database level ensures that users can only access their own data.
- Password hashing: Passwords are never stored in plaintext; they are stored exclusively as cryptographic hashes (bcrypt).
- Data minimisation: Data transmitted to the Claude API is minimised to what is necessary for training plan generation (no identifying attributes).
- Webhook verification: Stripe webhooks are verified through cryptographic signature verification before any data is processed.
16. Children and Minors
Our application is directed at adults (in particular persons aged 40 and above). We do not knowingly collect personal data from children under the age of 16 (or under the age of 13 in jurisdictions where this is the applicable threshold). If we become aware that personal data of a child has been collected without the consent of a parent or guardian, we will delete such data without undue delay.
17. Additional Information for California Residents (CCPA/CPRA)
This section applies to residents of California, USA, and supplements the information provided in this Privacy Policy with additional disclosures required under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA").
17.1 Categories of Personal Information Collected
In accordance with CCPA definitions, we collect the following categories of personal information:
| Category | Examples | Business Purpose |
|---|---|---|
| Identifiers | Email address, user ID, provider user ID | Account creation and management |
| Internet or network activity | IP address, browser type, pages visited | Application hosting and analytics |
| Professional or employment-related information | Not collected | — |
| Health information | Physical limitations, contraindications | Safe training plan generation |
| Geolocation data | Not collected | — |
| Commercial information | Subscription tier, payment history (via Stripe) | Subscription management |
| Inferences | AI-generated training recommendations, performance patterns | Personalised training planning |
17.2 How We Use Personal Information
We use personal information for the following business purposes:
- Providing, maintaining, and improving our application
- Generating personalised, AI-powered training plans
- Processing payments and managing subscriptions
- Communicating with you about your account
- Detecting and preventing fraud and abuse
- Complying with legal obligations
17.3 Sale and Sharing of Personal Information
We do not sell your personal information. We have not sold personal information in the preceding 12 months.
We do not share your personal information for cross-context behavioural advertising purposes. We do not engage in targeted advertising.
17.4 Your Rights Under CCPA
As a California resident, you have the following rights:
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.
- Right to delete: You may request that we delete your personal information, subject to certain exceptions.
- Right to correct: You may request that we correct inaccurate personal information.
- Right to opt out of sale/sharing: As we do not sell or share your personal information, this right does not apply in practice. However, should this change in the future, we will provide a "Do Not Sell or Share My Personal Information" link.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise your CCPA rights, please contact us at: contact@methodstrength.app
We will verify your identity before processing your request. We aim to respond to verified requests within 45 days.
17.5 Sensitive Personal Information
Under CCPA, health information (physical limitations) constitutes sensitive personal information. We use this information solely for the purpose of providing you with safe, personalised training plans. We do not use sensitive personal information for any purpose other than performing the service you have requested.
17.6 Data Retention
We retain personal information for as long as your account is active or as needed to provide you with our services. For specific retention periods per data type, please refer to the relevant sections of this Privacy Policy.
17.7 Authorised Agent
You may designate an authorised agent to make requests on your behalf under CCPA. To do so, you must provide the authorised agent with written permission and verify your identity directly with us.
18. Additional Information for UK Users
18.1 UK GDPR
Following the United Kingdom's withdrawal from the European Union, the UK GDPR (the EU GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) applies alongside the Data Protection Act 2018.
Your rights under the UK GDPR are substantially equivalent to those under the EU GDPR as described in Section 14 of this Privacy Policy.
18.2 UK International Transfers
Transfers of personal data from the UK to countries outside the UK are governed by the UK GDPR and the Data Protection Act 2018. For transfers to the USA, we rely on the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU SCCs, as approved by the ICO. For transfers to EEA countries, these are covered by the UK adequacy regulations.
18.3 UK Supervisory Authority
The supervisory authority for data protection in the UK is the Information Commissioner's Office (ICO). Contact details are provided in Section 14.4.
19. Additional Information for Australian Users
Under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have the right to access and correct the personal information we hold about you. If you believe that we have breached the APPs, you may lodge a complaint with us at contact@methodstrength.app. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.
We will take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, complete, and up to date. Cross-border disclosure of your personal data (including to the USA) is conducted in accordance with APP 8, with safeguards as described in Section 13 of this Privacy Policy.
20. Additional Information for Canadian Users
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, you have the right to access, correct, and withdraw consent for the processing of your personal information. We collect, use, and disclose personal information only for the purposes identified in this Privacy Policy and with your knowledge and consent.
If you have questions or complaints regarding our handling of your personal information, please contact us at contact@methodstrength.app. If your complaint is not resolved to your satisfaction, you may file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca.
21. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in the legal landscape or changes to our services and data processing activities. The current version is always available in the application under "Privacy." In the event of material changes, we will notify you via the application or by email.