1. Who We Are
PHNX Personal Training ("PHNX", "we", "us", "our") is a sole proprietorship registered
in Singapore. We provide AI-assisted personal training, nutrition coaching, and wellness
services through our website (phnxpersonaltraining.com), Telegram Mini App, and mobile
application.
Our Data Protection Officer (DPO) is Fred Law. For all privacy-related enquiries,
data access requests, or complaints:
- Email: fred@phnxpersonaltraining.com
- Subject line: "Privacy Request — [your name]"
- We will acknowledge your request within 3 business days and respond substantively within 30 calendar days.
2. Scope of This Policy
This policy applies to all personal data collected through:
- Our marketing website (phnxpersonaltraining.com)
- The PHNX Telegram Mini App
- The PHNX mobile application (iOS/Android)
- Direct communications with your coach (Telegram, email)
- Connected third-party services you choose to link (Hevy, Strava, Google Calendar)
This policy is governed by the Personal Data Protection Act 2012 (PDPA) of Singapore,
including amendments effective September 2023.
3. Why We Collect Your Data
We collect and use personal data for the following purposes:
- Service delivery: Designing and adjusting your training programmes, nutrition plans, and recovery recommendations
- AI-assisted coaching: Generating personalised programmes using AI models (see Section 6)
- Progress tracking: Monitoring body composition, workout performance, nutrition adherence, and recovery metrics over time
- Communication: Sending session reminders, coaching feedback, weekly reviews, and programme updates via Telegram
- Booking and scheduling: Managing training session availability and calendar coordination
- Payment processing: Collecting fees for coaching packages
- Product improvement: Understanding how you use our app to improve features and fix issues (via pseudonymous analytics)
- Marketing: With your separate consent, sending updates about new programmes or services
- Legal compliance: Meeting tax, accounting, and regulatory obligations under Singapore law
4. What Data We Collect
4.1 Identity and contact
- Name, email address, phone number (if provided)
- Telegram user ID, first name, and username (extracted from Telegram Mini App authentication)
4.2 Health and training data
- Body composition: weight, body fat percentage, muscle mass, InBody scan data
- Body composition and progress photos
- Workout logs: exercises, sets, reps, weight, RPE (Rate of Perceived Exertion)
- Nutrition: meal photos, food descriptions, macronutrient intake, calorie targets
- Recovery signals: sleep duration, heart rate variability (HRV), readiness scores
- Training preferences: goals, schedule, equipment access, injuries, medical conditions
4.3 Apple Health data (iOS app, optional)
- Heart rate and resting heart rate
- Sleep analysis (duration, stages)
- Active energy burned and step count
- Workout sessions recorded by Apple Watch
Apple Health (HealthKit) data is accessed only with your explicit permission, granted
per data type via the iOS system permission prompt. We have read-only access — we never
write to, modify, or delete data in your HealthKit store. Raw HealthKit data is queried
in real-time per session and is never stored on our servers. We persist only derived
metrics (e.g., recovery scores, sleep adherence trends) under the standard retention
rules in Section 9. See Section 10 for Apple Health-specific protections.
4.4 Payment data
- Name, email, and payment method (processed by Stripe)
- We never see, store, or have access to your full card number — Stripe handles this under PCI-DSS compliance
4.5 Usage and technical data
- App usage events (pseudonymous — tied to an internal identifier, not your name or email)
- Device type, operating system, app version
- IP address (marketing site only, for analytics and security)
- Browser type, referring URL, UTM campaign parameters (marketing site)
4.6 Telegram Mini App authentication
When you open our app via Telegram, Telegram sends us a signed data payload ("initData")
containing: your Telegram user ID, first name, last name, username, language code, photo URL,
authentication timestamp, and a cryptographic signature (hash).
What we keep: user ID (as your account identifier), first name, and username (for display and communication).
What we discard: photo URL, language code, and last name are not stored in our database.
Verification: We validate the hash using HMAC-SHA256 to confirm the data came from Telegram and has not been tampered with. We also check the authentication timestamp to prevent replay attacks.
5. How We Use Your Data
We use your personal data only for the purposes stated in Section 3. We do not sell,
rent, or trade your personal data to any third party.
AI generates programme suggestions and nutrition analysis. A human trainer reviews AI
output and can override recommendations before they are presented to you. We do not use
AI for decisions producing legal or similarly significant effects (e.g., medical diagnoses
or eligibility decisions). All AI processing is subject to the data sharing and retention
rules elsewhere in this policy.
6. Who We Share Your Data With
6.1 Service providers (data processors)
These providers process data on our behalf, under our instructions and contractual
data protection obligations. They do not use your data for their own purposes.
| Provider | Purpose | Location |
| DigitalOcean | Infrastructure hosting (application server and managed PostgreSQL database) | Singapore |
| Anthropic (Claude) | AI programme generation and coaching analysis | USA |
| Google (Gemini) | AI food photo analysis (processed in real-time, not stored by Google) | USA |
| PostHog | Product analytics (pseudonymous usage events only) | EU (Frankfurt) |
| Stripe | Payment processing (PCI-DSS compliant) | USA |
| Hevy | Workout data sync (client-provided API key, read-only) | USA |
| Strava | Activity data sync (OAuth, read-only) | USA |
| Google Calendar | Session booking and scheduling | USA |
| Vercel | Marketing website hosting | USA (edge) |
6.2 Independent controllers we share data with
These entities are independent data controllers — they make their own decisions about
how they use data received from or through our services. We encourage you to review
their privacy policies directly.
| Controller | Why data is shared | Their privacy policy | Location |
| Telegram | Messaging platform and Mini App authentication (user ID, first name) | telegram.org/privacy | Multiple |
| Google (Analytics) | Marketing website usage analysis (via cookies on phnxpersonaltraining.com) | policies.google.com/privacy | USA |
| Meta (Facebook) | Advertising campaign measurement (via Meta Pixel on phnxpersonaltraining.com) | facebook.com/privacy/policy | USA |
Important distinction — pseudonymous vs anonymous: PostHog analytics data is
pseudonymous, not anonymous. Events are tied to an internal user identifier that could,
in principle, be linked back to your identity using our internal records. However, PostHog
never receives your name, email, or Telegram username. We treat this data as personal data
under the PDPA and apply appropriate safeguards.
7. Connected Services You Control
The following integrations are entirely optional. You choose whether to connect them,
and you can disconnect at any time.
7.1 Hevy (API key)
- You voluntarily provide your personal Hevy API key during onboarding or settings.
- We use it to read your workout logs (exercises, sets, reps, weight, RPE, timestamps).
- We never modify, delete, or write data to your Hevy account.
- Your API key is stored encrypted in our database.
- To disconnect: remove your key from settings, or regenerate it in Hevy (which invalidates the old key).
- Upon disconnection or account closure, the key and all synced data are deleted within 90 days.
7.2 Strava (OAuth)
- We request
activity:read scope only — the minimum needed. - We access: activity summaries (type, duration, distance, heart rate zones, timestamps).
- We do not access: GPS/route data, social features, segment data, or your profile photo.
- Synced data is used for coaching analysis (recovery modelling, cardio interference scoring).
- To disconnect: revoke access in our app settings or via Strava → Settings → My Apps.
- Upon disconnection, no new data is fetched. Existing synced data is retained for coaching continuity and deleted within 90 days of account closure.
7.3 Google Calendar (OAuth)
- We request calendar read/write scope for booking management only.
- We access: event titles, times, and attendee availability on the linked coaching calendar.
- We write: booking confirmations and session reminders.
- We never access: Gmail, Google Drive, Contacts, or any other Google service.
- To disconnect: revoke via Google Account → Security → Third-party apps, or disconnect from within our app.
- Calendar event references are deleted within 90 days of account closure.
8. Cross-Border Data Transfers
Your primary data is stored in Singapore (DigitalOcean SGP1 region). However, some
processing occurs overseas as described in Section 6. Under Section 26 of the PDPA,
we ensure that all overseas recipients provide a standard of protection comparable
to the PDPA through:
- EU (PostHog — Frankfurt): The EU's General Data Protection Regulation (GDPR) provides a comparable standard of protection.
- USA (Anthropic, Google, Stripe, Hevy, Strava, Vercel): Contractual data protection obligations via Data Processing Agreements (DPAs) and Terms of Service binding these processors to standards comparable to the PDPA.
- Multiple jurisdictions (Telegram): Minimal data sharing (user ID and first name only for authentication), with Telegram's own privacy commitments as supplementary safeguard.
We regularly review our processors' data protection practices. If a processor can no
longer meet comparable standards, we will cease transferring data to them and migrate
to a compliant alternative.
9. How Long We Keep Your Data
| Data Category | Retention | Reason |
| Training, nutrition, and health data | Duration of active membership | Required for ongoing service delivery |
| Account data after closure | Deleted within 90 days | Reasonable wind-down; allows account reactivation |
| Meal and body composition photos | Duration of membership + 90 days | Progress tracking, deleted with account |
| Product analytics (PostHog) | 12 months rolling | Pseudonymous; product improvement |
| Payment records (Stripe) | 7 years | Singapore Income Tax Act (Section 67) |
| Marketing leads | 24 months from last contact | Follow-up and re-engagement |
| Apple HealthKit raw data | Never stored; queried in real-time per session | Processed on-device or in-memory only |
| Derived health metrics (recovery scores, sleep trends) | Duration of active membership | Computed from HealthKit data; deleted with account |
| AI conversation logs (coaching chat, nutrition explanations) | Duration of active membership | Context continuity in ongoing coaching; deleted with account |
| Integration tokens (OAuth/API keys) | Revoked and deleted on disconnection or account closure | No longer needed once disconnected |
10. Apple Health (HealthKit) — Specific Protections
If you use our iOS app and grant access to Apple Health data, the following protections
apply in addition to all other safeguards in this policy:
- Never sold: Your HealthKit data is never sold to data brokers, advertisers, or any third party.
- Never used for advertising: HealthKit data is never used to serve ads, build advertising profiles, or target marketing.
- Never shared without explicit consent: HealthKit data is not disclosed to any third party without your specific, informed consent for each instance of sharing.
- Never stored in iCloud: HealthKit data is processed locally on your device or transmitted directly to our server via encrypted connection. It is never written to iCloud, iCloud Drive, or any Apple cloud service by our app.
Raw vs derived data: Raw HealthKit data (heart rate samples, sleep stage records,
step counts) is queried per session in real-time and is never stored on our servers.
We compute and persist only derived metrics — such as recovery scores, sleep adherence
trends, and readiness indicators — which are stored under the standard retention rules
in Section 9 and deleted with your account.
11. How We Protect Your Data
We implement the following security measures:
- All data in transit is encrypted via TLS 1.2+
- Database storage is encrypted at rest (DigitalOcean managed encryption)
- API authentication via HMAC-validated Telegram initData (client app) and JWT tokens (admin)
- Integration API keys and OAuth tokens stored encrypted
- Access restricted to your assigned trainer and system administrators
- Regular security updates and dependency auditing
- No plain-text passwords — authentication is via Telegram identity or magic link
No system is perfectly secure. If you discover a security vulnerability, please
report it to fred@phnxpersonaltraining.com and we will investigate promptly.
12. Your Rights Under the PDPA
You have the right to:
- Access: Request a copy of the personal data we hold about you (PDPA Section 21). We will provide this within 30 calendar days.
- Correction: Request correction of any inaccurate or incomplete data (PDPA Section 22). We will correct and notify relevant third parties within 30 calendar days.
- Withdrawal of consent: Withdraw consent for any or all purposes at any time (PDPA Section 16). Note: withdrawing consent for core service delivery purposes may mean we can no longer provide coaching services to you. We will explain the consequences before processing your withdrawal.
- Data portability: Request your data in a structured, commonly used format (JSON or CSV) for transfer to another service provider.
- Deletion: Request deletion of your account and associated data. We will process this within 90 days, subject to legal retention obligations (see Section 9).
To exercise any right, email fred@phnxpersonaltraining.com with "Privacy Request" in the subject line. We may verify your identity before processing requests.
There is no fee for access or correction requests. If a request is manifestly unfounded
or excessive, we may charge a reasonable fee or decline — but we will explain why.
13. What Happens When You Close Your Account
When you request account closure:
Immediately
- We delete our copy of your OAuth tokens for Strava and Google Calendar, immediately stopping all data fetching from your accounts. To fully revoke our app's access on the third-party side, you must do so from your Strava settings (Strava → Settings → My Apps) or Google Account settings (Google Account → Security → Third-party apps with account access).
- Your Hevy API key is deleted from our database
- You lose access to the app and all coaching services cease
Within 90 days
- All training programmes, workout logs, and coaching data — deleted
- Body composition data and progress photos — deleted
- Nutrition logs and meal photos — deleted
- Your Telegram user ID mapping and profile — deleted
- Integration keys and synced data from Hevy/Strava — deleted
- PostHog user profile — deleted or fully anonymised
Retained beyond 90 days (legal obligation)
- Payment records and invoices — 7 years (Singapore Income Tax Act, Section 67)
- PDPA access/correction request logs — retained as required by the PDPC for audit compliance
14. Data Breach Notification
In the event of a data breach that is likely to result in significant harm to affected
individuals, we will:
- Notify the Personal Data Protection Commission (PDPC) within 3 calendar days of becoming aware of the breach (PDPA Section 26D)
- Notify affected individuals as soon as practicable if the breach is likely to result in significant harm
- Take immediate steps to contain and remediate the breach
- Document all breaches (including those not meeting the notification threshold) in our internal breach register
15. Cookies and Tracking Technologies
Marketing website (phnxpersonaltraining.com)
- Google Analytics 4 (via Google Tag Manager) — website usage analysis
- Meta Pixel — advertising campaign measurement
- These services use cookies. You can opt out via browser settings or the Google Analytics opt-out add-on.
PHNX app (Telegram Mini App and mobile)
- PostHog — pseudonymous product analytics (EU-hosted, Frankfurt)
- No advertising cookies or pixels are used in the app
- No data is shared with advertising networks from within the app
16. Children's Data
Our services are designed for adults aged 18 and above. We do not knowingly collect
personal data from anyone under 18 years of age. If we become aware that we have
collected data from a minor without parental consent, we will delete that data
promptly and notify the individual or their parent/guardian.
17. Changes to This Policy
We may update this policy from time to time. When we make material changes:
- We will notify active clients via Telegram message at least 14 days before changes take effect
- The "Last updated" date and version number at the top of this page will be revised
- Previous versions are available on request by contacting our DPO
Continued use of our services after the notification period constitutes acceptance
of the updated policy. If you do not agree with changes, you may close your account
(see Section 13).
18. Contact and Complaints
For any questions, concerns, or requests relating to this policy or your personal data:
If you are unsatisfied with our response, you may lodge a complaint with the
Personal Data Protection Commission (PDPC) of Singapore at
www.pdpc.gov.sg.