Privacy Policy

Last updated: 3 June 2026

This Privacy Policy explains how Certi Technologies Ltd ("we", "us", "our") collects, uses, shares and protects your personal data when you use the Stackdd PT mobile application (the "App") and the stackdd.store website (the "Site"), together the "Service".

We are the data controller for the personal data processed through the Service.


1. Who we are

  • Legal entity: Certi Technologies Ltd, trading as Stackdd
  • Registered office: <<<registered office address>>>
  • Company number: <<<UK company registration number>>>
  • ICO registration number: <<<ICO registration number — required for UK data controllers; register at ico.org.uk>>>
  • Privacy contact: privacy@stackdd.store
  • General support: support@stackdd.store

2. What data we collect

We collect the following categories of personal data:

2.1 Account and identity

  • Email address (from Apple Sign In or Google Sign In)
  • Display name (from Apple Sign In or Google Sign In)
  • Profile photo URL (Google only — Apple does not share photos)
  • Account identifiers issued by your sign-in provider
  • Profile photos you upload to the Service
  • Date of birth, sex, height, weight unit preference, training goal, training experience, equipment access (provided by you during onboarding)

2.2 Health and fitness data you provide

  • Self-reported body weight, body measurements
  • Daily check-in answers (sleep quality, energy level, hunger level, food preparation status, mood)
  • Weekly check-in answers (reflection, optional progress photos, optional measurements, optional flags)
  • Workout logs (sets, reps, weights, RPE, completion status, timestamps)
  • Meal logs (food items, macros, photos, timestamps)
  • Recipe interactions
  • Chat conversations with our AI coach feature ("Coach")

2.3 Apple HealthKit data

If you grant permission, we read the following data from Apple HealthKit:

  • Step count
  • Active energy burned
  • Workouts
  • Sleep analysis

We do not write any data back to Apple HealthKit. Use of HealthKit data is covered in detail in Section 7.

2.4 Payment data

When you subscribe through the App, payment is processed by Apple via in-app purchase. We do not receive your full payment card details. Apple shares with us a subscription identifier, plan type, transaction date, and renewal status.

When (in future) you subscribe via the Site, payment will be processed by Stripe. We will not store your full card details; Stripe will share a payment token, plan type, transaction date, and renewal status with us.

2.5 Technical and usage data

  • Device type, operating system version, App version
  • IP address (used only for security, fraud prevention, and approximate location for compliance — not stored beyond what is necessary)
  • Crash logs and error diagnostics
  • In-App actions necessary to provide features (e.g. which screens you viewed, which buttons you tapped) — we do not currently use third-party analytics

2.6 Cookies and similar technologies (Site only)

The Site uses strictly necessary cookies only. We do not use advertising, marketing, or analytics cookies at present. If this changes, we will update this Policy and obtain consent where required.


3. How we use your data

Purpose | Categories used | Legal basis (UK GDPR)
Provide the Service (Coach guidance, training plans, meal logging, check-ins) | All categories | Performance of contract (Article 6(1)(b))
Process subscriptions and payments | Account, payment | Performance of contract
Generate AI Coach responses tailored to you | Account, health, training, food, Coach conversations | Performance of contract
Maintain account security and prevent fraud | Account, technical | Legitimate interests (Article 6(1)(f)) — securing the Service
Respond to support requests | Account, any data you share with support | Legitimate interests
Comply with legal obligations | Any | Legal obligation (Article 6(1)(c))
Send transactional emails (receipts, password changes, important Service notices) | Account | Performance of contract
Send marketing emails | Account | Consent (Article 6(1)(a)) — only if you opt in

For health-related data (sensitive personal data / "special category data" under Article 9 UK GDPR), our additional legal basis is explicit consent (Article 9(2)(a)), which you provide when you create an account and grant the relevant in-App permissions.


4. Who we share your data with

We share personal data with the following third parties ("sub-processors") strictly for the purposes described below:

Sub-processor | Purpose | Location | Data transferred
Supabase, Inc. | Database, authentication, file storage | USA | All categories stored server-side
OpenAI, L.L.C. | AI Coach response generation and meal photo analysis | USA | Coach conversations, USER_STATE context (training, nutrition, check-in data), meal photos (when scanned)
Apple Inc. | Sign In with Apple, in-App purchase processing, push notifications, HealthKit (on-device only) | USA / Ireland | Account identifier, subscription status
Google LLC | Sign In with Google | USA | Email, name, photo URL
RevenueCat, Inc. | Subscription management and entitlement | USA | Subscription identifier, plan, status
Stripe Payments UK Ltd | Web-based payment processing (planned, not yet active) | UK / USA | Payment token, transaction data
Email service provider | Transactional emails | <<<region — e.g. UK or EU if using Postmark, USA if SendGrid>>> | Email, name, message content
Crash reporting provider | Diagnostic logs (planned) | <<<region>>> | Device data, error data

We do not sell your personal data to anyone. We do not share your personal data with advertisers or data brokers.


5. International transfers

Some of our sub-processors are located outside the United Kingdom. When we transfer personal data outside the UK, we rely on one of the following safeguards:

  • A UK adequacy decision (e.g. EU adequacy bridge for EEA transfers)
  • The International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses
  • Other lawful mechanisms permitted under UK GDPR

You can request a copy of the relevant safeguards by emailing privacy@stackdd.store.


6. How long we keep your data

  • Account data: retained while your account is active. Deleted within 30 days of account closure, except where we are required to retain it (e.g. tax records — 6 years).
  • Health, training, food, and Coach data: retained while your account is active. Deleted within 30 days of account closure.
  • Photos (progress and meal): retained while your account is active. Deleted within 30 days of account closure.
  • Payment records: retained for 6 years to comply with UK tax law.
  • Support correspondence: retained for 2 years after the matter is closed.
  • Anonymous/aggregated data: may be retained indefinitely as it no longer identifies you.

You may request deletion of your account and data at any time — see Section 9.


7. Apple HealthKit — specific terms

This section is provided in accordance with Apple's HealthKit requirements and applies in addition to the rest of this Policy.

  • We read step count, active energy, workouts, and sleep analysis from Apple HealthKit, only after you grant explicit permission through the iOS system prompt.
  • We use this data solely to:
    • Display your activity in the App home screen
    • Inform Coach guidance (e.g. "your steps are below target — pull that lever before adding cardio")
    • Calculate streaks and adherence
  • We do not use HealthKit data for advertising or marketing.
  • We do not sell HealthKit data.
  • We do not share HealthKit data with third parties except where strictly necessary to provide the Service to you (i.e. our database and AI Coach context).
  • We do not use HealthKit data for any purpose other than providing health and fitness features.
  • You can revoke HealthKit permissions at any time through iOS Settings → Privacy & Security → Health → Stackdd PT.

8. AI Coach — what you should know

  • Your Coach conversations and a structured summary of your training, food, weight, and check-in data are sent to OpenAI's API for processing.
  • OpenAI processes this data on our behalf under a Data Processing Agreement.
  • OpenAI does not use your data to train their public models when processed via the API in this manner.
  • Coach responses are generated by an AI and are not medical, clinical, or professional advice. See our Terms of Service for the full disclaimer.

9. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure ("right to be forgotten") — ask us to delete your data
  • Restriction — ask us to limit how we use your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — withdraw consent you have previously given (this does not affect the lawfulness of processing before withdrawal)
  • Complain — lodge a complaint with the Information Commissioner's Office (see Section 13)

To exercise any of these rights, email privacy@stackdd.store. We will respond within one month.

You can delete your account in-App via Settings → Account → Delete account, which triggers deletion of your data within 30 days.


10. Security

We protect your data using:

  • TLS encryption in transit
  • Encryption at rest for stored data
  • Row-Level Security on our database (you can only access your own data)
  • Authenticated, owner-only access to your photos via Supabase Storage policies
  • Industry-standard authentication via Apple Sign In and Google Sign In
  • Regular access reviews of staff and sub-processors

No system is 100% secure. If we become aware of a data breach affecting your rights, we will notify you and the Information Commissioner's Office without undue delay and in line with our legal obligations.


11. Children

The Service is not intended for and is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact privacy@stackdd.store and we will delete it.


12. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you via the App or by email before the changes take effect. The "Last updated" date at the top of this Policy reflects the latest version.


13. Contact and complaints

Privacy queries and rights requests: privacy@stackdd.store

General support: support@stackdd.store

Postal address: Certi Technologies Ltd <<<registered office address>>>

If you are unhappy with how we have handled your personal data, you have the right to complain to:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Web: https://ico.org.uk/make-a-complaint/


This Policy was last reviewed on 3 June 2026. Certi Technologies Ltd, trading as Stackdd.