01 What We Collect
For your account to work across devices and for Edwin to personalize your programming, these pieces of information are saved to our secure servers:
- Account information — Name, email address, and encrypted password.
- Subscription status — Whether your account is active and what membership you have.
- Onboarding answers — Age, gender, fitness goals, diet, injuries, and training preferences you provided during setup.
- Form check videos (optional) — Only if you explicitly submit a workout video for review. Visible only to Edwin Grant.
- Shared progress photos (optional) — Only photos you choose to share. Photos you take privately stay on your phone.
- Community posts (optional) — If you post in the Community, that post is public to other members by design. Everything else stays private.
- Anonymous usage data — App crashes and aggregate feature usage to fix bugs and improve the product. Never tied to your identity.
02 How We Use It
- To personalize your training, mental, and spiritual programming.
- To review and respond to form check submissions you explicitly send.
- To deliver coaching messages and alignment reports if your membership includes them.
- To improve the app, fix bugs, and build features members actually want.
We will never sell, rent, or share your personal information with third parties for marketing purposes. Period.
03 Security
Cloud data is stored in Supabase with industry-standard encryption — TLS in transit, AES-256 at rest. We use Row Level Security policies at the database level, which means one user physically cannot query another user's data, even if they tried. Each row is locked at the database to the user who created it.
Form check videos are stored in encrypted storage accessible only to Edwin Grant for coaching feedback.
04 Who Can See What
(Your Coach)
05 Camera & Gym Scanner
The AI Gym Scanner uses your device camera to detect gym equipment and personalize your workout. Images are processed to identify equipment types and then discarded. We do not store, share, or retain camera images after processing.
06 Third-Party Services
- Apple App Store — For subscription management and payment processing.
- Supabase — Our secure database provider, protected by Row Level Security.
- Anonymous analytics — Aggregate app usage only, never tied to your identity.
07 Your Rights
At any time you can:
- Access all of your personal data.
- Delete your account and all associated cloud data.
- Export your workout history and onboarding answers.
- Opt out of non-essential communications.
To exercise any of these rights, email hello@edwinstrong.com and we'll handle it within 30 days.
08 Children's Privacy
Edwin Strong is not intended for users under 16 years of age. We do not knowingly collect data from children.
09 Changes to This Policy
We may update this policy from time to time. When we do, we'll update the "Last updated" date at the top and — for significant changes — notify you through the app or via email.
10 International Data Transfers
Edwin Strong is based in the United States. If you access the Service from outside the US, your information is transferred to and processed in the US.
For EU, UK, EEA, and Swiss users: We rely on the European Commission's Standard Contractual Clauses (SCCs) — Module 4 (controller-to-processor) — and supplementary technical measures (encryption in transit and at rest, Row Level Security at the database) to ensure adequate protections for data transferred outside the EEA.
Your health metrics — HRV, sleep, recovery, workout logs — remain on your device by architecture and are NOT transferred to our servers. Only operational data (account info, billing, support) is processed in the US.
11 Subprocessors
A current list of our third-party data processors, the data they handle, their region, and the transfer mechanism in place is maintained at edwinstrong.com/subprocessors and updated within 30 days of any material change, per GDPR Art. 28.
EU/UK members may subscribe to subprocessor change notifications by emailing privacy@edwinstrong.com with subject line "Subprocessor list — subscribe."
12 Contact & EU/UK Data Protection
Privacy Team: privacy@edwinstrong.com · response within 30 days
For EU, UK, EEA, and Swiss users:
- Acting Data Protection Officer (DPO): privacy@edwinstrong.com — a dedicated DPO is appointed when our EU active user count exceeds 10,000 per GDPR Art. 37 thresholds.
- EU Representative (GDPR Art. 27): appointed prior to our first €500 in EU revenue. Until then, all GDPR requests are handled directly by the acting DPO above.
- DPO inbox: dpo@edwinstrong.com
13 EU/UK Rights & Legal Basis
Legal Basis for Processing (GDPR Art. 6):
- Contract — necessary to provide the Service
- Consent — marketing emails, non-essential cookies
- Legitimate Interests — analytics, fraud prevention, service improvement
- Legal Obligation — tax compliance, law enforcement requests
Your GDPR / UK DPA Rights:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / "Right to be Forgotten" (Art. 17)
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Rights related to automated decision-making (Art. 22)
To exercise any of these rights, email dpo@edwinstrong.com with your request. We respond within 30 days. You also retain the right to lodge a complaint with your local data protection authority.