Legal

Privacy Policy

Version 1.0

Last updated: 17 May 2026

1. Who We Are

PHNX Personal Training ("PHNX", "we", "us", "our") is a sole proprietorship registered in Singapore. We provide AI-assisted personal training, nutrition coaching, and wellness services through our website (phnxpersonaltraining.com), Telegram Mini App, and mobile application.

Our Data Protection Officer (DPO) is Fred Law. For all privacy-related enquiries, data access requests, or complaints:

2. Scope of This Policy

This policy applies to all personal data collected through:

This policy is governed by the Personal Data Protection Act 2012 (PDPA) of Singapore, including amendments effective September 2023.

3. Why We Collect Your Data

We collect and use personal data for the following purposes:

4. What Data We Collect

4.1 Identity and contact

4.2 Health and training data

4.3 Apple Health data (iOS app, optional)

Apple Health (HealthKit) data is accessed only with your explicit permission, granted per data type via the iOS system permission prompt. We have read-only access — we never write to, modify, or delete data in your HealthKit store. Raw HealthKit data is queried in real-time per session and is never stored on our servers. We persist only derived metrics (e.g., recovery scores, sleep adherence trends) under the standard retention rules in Section 9. See Section 10 for Apple Health-specific protections.

4.4 Payment data

4.5 Usage and technical data

4.6 Telegram Mini App authentication

When you open our app via Telegram, Telegram sends us a signed data payload ("initData") containing: your Telegram user ID, first name, last name, username, language code, photo URL, authentication timestamp, and a cryptographic signature (hash).

What we keep: user ID (as your account identifier), first name, and username (for display and communication).
What we discard: photo URL, language code, and last name are not stored in our database.
Verification: We validate the hash using HMAC-SHA256 to confirm the data came from Telegram and has not been tampered with. We also check the authentication timestamp to prevent replay attacks.

5. How We Use Your Data

We use your personal data only for the purposes stated in Section 3. We do not sell, rent, or trade your personal data to any third party.

AI generates programme suggestions and nutrition analysis. A human trainer reviews AI output and can override recommendations before they are presented to you. We do not use AI for decisions producing legal or similarly significant effects (e.g., medical diagnoses or eligibility decisions). All AI processing is subject to the data sharing and retention rules elsewhere in this policy.

6. Who We Share Your Data With

6.1 Service providers (data processors)

These providers process data on our behalf, under our instructions and contractual data protection obligations. They do not use your data for their own purposes.

Provider Purpose Location
DigitalOcean Infrastructure hosting (application server and managed PostgreSQL database) Singapore
Anthropic (Claude) AI programme generation and coaching analysis USA
Google (Gemini) AI food photo analysis (processed in real-time, not stored by Google) USA
PostHog Product analytics (pseudonymous usage events only) EU (Frankfurt)
Stripe Payment processing (PCI-DSS compliant) USA
Hevy Workout data sync (client-provided API key, read-only) USA
Strava Activity data sync (OAuth, read-only) USA
Google Calendar Session booking and scheduling USA
Vercel Marketing website hosting USA (edge)

6.2 Independent controllers we share data with

These entities are independent data controllers — they make their own decisions about how they use data received from or through our services. We encourage you to review their privacy policies directly.

Controller Why data is shared Their privacy policy Location
Telegram Messaging platform and Mini App authentication (user ID, first name) telegram.org/privacy Multiple
Google (Analytics) Marketing website usage analysis (via cookies on phnxpersonaltraining.com) policies.google.com/privacy USA
Meta (Facebook) Advertising campaign measurement (via Meta Pixel on phnxpersonaltraining.com) facebook.com/privacy/policy USA

Important distinction — pseudonymous vs anonymous: PostHog analytics data is pseudonymous, not anonymous. Events are tied to an internal user identifier that could, in principle, be linked back to your identity using our internal records. However, PostHog never receives your name, email, or Telegram username. We treat this data as personal data under the PDPA and apply appropriate safeguards.

7. Connected Services You Control

The following integrations are entirely optional. You choose whether to connect them, and you can disconnect at any time.

7.1 Hevy (API key)

7.2 Strava (OAuth)

7.3 Google Calendar (OAuth)

8. Cross-Border Data Transfers

Your primary data is stored in Singapore (DigitalOcean SGP1 region). However, some processing occurs overseas as described in Section 6. Under Section 26 of the PDPA, we ensure that all overseas recipients provide a standard of protection comparable to the PDPA through:

We regularly review our processors' data protection practices. If a processor can no longer meet comparable standards, we will cease transferring data to them and migrate to a compliant alternative.

9. How Long We Keep Your Data

Data Category Retention Reason
Training, nutrition, and health data Duration of active membership Required for ongoing service delivery
Account data after closure Deleted within 90 days Reasonable wind-down; allows account reactivation
Meal and body composition photos Duration of membership + 90 days Progress tracking, deleted with account
Product analytics (PostHog) 12 months rolling Pseudonymous; product improvement
Payment records (Stripe) 7 years Singapore Income Tax Act (Section 67)
Marketing leads 24 months from last contact Follow-up and re-engagement
Apple HealthKit raw data Never stored; queried in real-time per session Processed on-device or in-memory only
Derived health metrics (recovery scores, sleep trends) Duration of active membership Computed from HealthKit data; deleted with account
AI conversation logs (coaching chat, nutrition explanations) Duration of active membership Context continuity in ongoing coaching; deleted with account
Integration tokens (OAuth/API keys) Revoked and deleted on disconnection or account closure No longer needed once disconnected

10. Apple Health (HealthKit) — Specific Protections

If you use our iOS app and grant access to Apple Health data, the following protections apply in addition to all other safeguards in this policy:

Raw vs derived data: Raw HealthKit data (heart rate samples, sleep stage records, step counts) is queried per session in real-time and is never stored on our servers. We compute and persist only derived metrics — such as recovery scores, sleep adherence trends, and readiness indicators — which are stored under the standard retention rules in Section 9 and deleted with your account.

11. How We Protect Your Data

We implement the following security measures:

No system is perfectly secure. If you discover a security vulnerability, please report it to fred@phnxpersonaltraining.com and we will investigate promptly.

12. Your Rights Under the PDPA

You have the right to:

To exercise any right, email fred@phnxpersonaltraining.com with "Privacy Request" in the subject line. We may verify your identity before processing requests.

There is no fee for access or correction requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or decline — but we will explain why.

13. What Happens When You Close Your Account

When you request account closure:

Immediately

Within 90 days

Retained beyond 90 days (legal obligation)

14. Data Breach Notification

In the event of a data breach that is likely to result in significant harm to affected individuals, we will:

15. Cookies and Tracking Technologies

Marketing website (phnxpersonaltraining.com)

PHNX app (Telegram Mini App and mobile)

16. Children's Data

Our services are designed for adults aged 18 and above. We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have collected data from a minor without parental consent, we will delete that data promptly and notify the individual or their parent/guardian.

17. Changes to This Policy

We may update this policy from time to time. When we make material changes:

Continued use of our services after the notification period constitutes acceptance of the updated policy. If you do not agree with changes, you may close your account (see Section 13).

18. Contact and Complaints

For any questions, concerns, or requests relating to this policy or your personal data:

If you are unsatisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg.

← Back to home