Privacy Policy
Last updated: May 16, 2026 · Questions: support@shift.fitness
This policy explains what personal data SHIFT collects, how we use it, who we share it with, and the rights you have over it.
Who is the data controller
SHIFT is the controller of the personal data processed through the Service. Reach the privacy team at support@shift.fitness.
Data we collect
We collect only what we need to run the Service:
- Account data: name, email, password hash, profile photo, birth date, height, weight.
- Training data: 1RMs, workout history, session logs, phase selection, RPE, notes.
- Subscription data: tier, status, renewal date. Payment details are handled by Stripe — we never see your card number.
- Communications: messages to and from your coach, problem reports, and any attachments you send.
- Device and usage data: device type, app version, session timestamps, IP address, and basic analytics events used to detect account sharing and improve the product.
How we use it
- provide and personalize your training programs;
- operate your subscription and process payments;
- allow your coach to plan and review your training;
- protect the Service against abuse, including detecting shared or compromised accounts;
- respond to your support requests and problem reports;
- send essential service messages (e.g., security alerts, billing notices). Marketing emails are sent only with your consent.
Legal bases (GDPR)
We process personal data under the following bases: performance of a contract (delivering the Service you subscribed to), legitimate interest (security, fraud prevention, product improvement), consent (marketing, optional features), and legal obligation (tax, accounting, responding to lawful requests).
Who we share data with
We share data only with processors that help us run the Service, and only to the extent needed:
- Supabase — database, authentication, file storage.
- Stripe — subscription billing and payments.
- Hosting and email providers — infrastructure and transactional email delivery.
We do not sell your personal data. We do not share training data with advertisers.
International transfers
Some of our processors are located outside the European Economic Area. When data is transferred internationally we rely on Standard Contractual Clauses or equivalent safeguards approved under GDPR.
How long we keep it
Account and training data are kept for as long as your account is active. When you delete your account we erase or anonymize your data within 30 days, except where we are required to keep records for tax, accounting, or legal reasons (typically up to 7 years for financial records).
Your rights
You can access, correct, export, restrict, or delete your personal data, and object to certain processing. You can also withdraw consent for marketing at any time. To exercise these rights email support@shift.fitness. You also have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) or your local supervisory authority.
Cookies and analytics
We use a minimal set of first-party cookies and local storage to keep you signed in and remember your preferences. We may use privacy-respecting analytics to understand how the Service is used in aggregate. We don't run third-party advertising trackers.
Security
Passwords are hashed. Media files are served through signed, time-limited URLs. Access to production data is restricted to staff who need it. No system is perfect — if you suspect a security issue, email support@shift.fitness.
Children
The Service is not directed at children under 16. If you believe a child has created an account, contact us and we'll remove it.
Changes to this policy
We'll update this policy as the Service evolves. We'll notify you of material changes through the app or by email.