Privacy Policy
Last updated: 17 June 2026
This policy explains what personal data ATLAS ("we", "us"), operated by [your registered company name], collects, why we collect it, and what rights you have. It is written for UK/EU users under the UK GDPR and applies to users of our website and mobile apps (the "Service").
1. Who we are
ATLAS is a fitness coaching platform. The data controller is [your registered company name], [registered address]. For any privacy request, contact [privacy@yourdomain].
2. Information we collect
- Account — email address, name, and authentication identifiers (via our auth provider).
- Health & fitness data you provide — height, weight, age, sex, goals, activity level, workouts and sets, meals, daily readiness check-ins, habits, and any progress photos or technique videos you upload.
- A brief wellbeing screening at intake, used solely to keep targets safe.
- Usage data — pages used, features engaged, and AI request counts (for cost and abuse limits).
- Payment data — handled entirely by our payment processors; we never see or store your card details.
3. How we use your data
To provide the Service: calculate safe nutrition and training targets, generate AI guidance, track progress, run the community, process subscriptions, and keep the app secure. We also use aggregate, non-identifying analytics to improve the product. We do not sell your personal data.
4. AI features & your data
Meal estimates and coaching replies are processed by Anthropic (Claude); exercise-form videos are processed by Google (Gemini). Only the content needed for the request is sent. Uploaded videos are analysed and not stored by us — we keep only the text feedback. These providers process the data under their API terms and do not use it to train their models. AI output is an estimate and is not medical advice.
5. Who we share data with (processors)
We use trusted processors to run the Service: authentication, database hosting, AI providers (Anthropic, Google), payment processing (Stripe and, for in-app purchases, Apple/Google), email/notifications, and cloud hosting. Each acts under contract and only on our instructions.
6. Legal bases & your rights
We process data to perform our contract with you, with your consent (e.g. health data and marketing), and for our legitimate interests (security, product improvement). Under UK GDPR you may request access, correction, deletion, portability, or restriction of your data, and you may object to processing or withdraw consent at any time. To exercise any right, email [privacy@yourdomain]. You can also complain to the UK ICO.
7. Retention
We keep your data while your account is active and for a reasonable period afterwards to meet legal, tax, and safety obligations, then delete or anonymise it. You can request deletion at any time.
8. Security
We use encryption in transit, access controls, and reputable infrastructure providers. No system is perfectly secure, but we work to protect your data and will notify you of a breach where required by law.
9. Age
The Service is strictly for users aged 18 and over. We age-gate at signup and do not knowingly collect data from minors.
10. International transfers
Some processors are outside the UK/EU. Where data is transferred, we rely on appropriate safeguards such as Standard Contractual Clauses.
11. Changes & contact
We may update this policy and will post the new date here. Questions? Email [privacy@yourdomain].
This document is a starting template and not legal advice. Please have it reviewed by a qualified solicitor before launch.