Data Policy

Last updated: 27 May 2026

1. Purpose of This Policy

This Data Policy explains how Pact collects, categorises, uses, and protects data generated through the Pact platform. It is intended for Gym Owners, Coaches, and Members who want to understand the specific types of data Pact handles and how that data supports both the core service and Pact's broader commercial activities.

This policy supplements the Pact Privacy Policy and should be read alongside it.

2. Data Categories

Pact handles three distinct categories of data, each with different ownership, access, and usage rights.

2.1 Gym Content

Data created and uploaded by Gym Owners and Coaches in the course of running their gym on Pact.

Daily programming and workout structures (Series A, B, C, strength, conditioning)
Prescribed weights and 1RM percentage targets
Coach posts and announcements
Gym-specific settings and configurations

Ownership: The Gym retains ownership of Gym Content. Access: Visible to Members associated with the Gym. Pact accesses Gym Content only to provide the Service. On termination: Available for export for 30 days, then deleted. 2.2 Member Data

Data generated by individual Members through their use of Pact.

Workout results (sets, reps, weights, scores, times, notes)
Personal bests (PBs) and PB history
Training goals and goal progress
Session feedback (energy ratings, difficulty flags, written feedback)
Rest day logs and weekly activity patterns
Community interactions (comments, reactions)
Privacy preferences (public or private results)
Recommendation preferences (opt-in/opt-out status)

Ownership: Members retain ownership of their personal training data. Access: The Member's associated Gym (Owners and Coaches) can access Member Data for coaching and programming purposes. Members control visibility of results via their privacy settings. Portability: Member Data travels with the Member if they transfer to another Gym on Pact. Members may request a data export at any time. On account deletion: Personal data deleted within 30 days, except where retention is required by law. 2.3 Platform Data

Aggregated, de-identified data derived from activity across the platform that cannot reasonably be used to identify any individual Member or Gym.

Examples of Platform Data:

Average training frequency across gym types
Most common training goals by region or gym category
Aggregated energy and feedback trends across training modalities
Equipment and movement popularity trends
Seasonal training pattern analysis
Benchmark data for gym engagement metrics

Ownership: Pact owns all Platform Data. Usage: Pact may use Platform Data for any lawful commercial purpose, including service improvement, industry research, benchmarking, and informing brand partnerships. Platform Data will never be re-identified.

3. How Data Supports the Core Service

The core Pact service uses Gym Content and Member Data to:

Display daily programming to Members
Enable Members to log workout results, track PBs, and set goals
Generate coaching insights and engagement signals for Gym Owners
Detect disengagement patterns, below-target performance, and feedback flags
Power the gym community feed (activity, PBs, goals, coach posts)
Send transactional notifications (login codes, PB achievements, goal completions)

4. How Data Supports Commercial Activities

4.1 Platform Data (No Individual Consent Required)

Pact uses Platform Data (aggregated, de-identified) to:

Understand training trends and market opportunities
Provide aggregate insights to potential brand partners (e.g. "65% of users on our platform train 3+ times per week")
Develop industry benchmarks that Gyms and the broader fitness industry can benefit from
Inform product development and feature prioritisation

No individual Member or Gym can be identified from Platform Data.

4.2 Personalised Recommendations (Opt-in Required)

Pact may surface personalised product recommendations to Members who have opted in. This uses individual Member Data to provide contextual, relevant suggestions.

Example: A Member who has logged multiple high-intensity sessions in a week and reported low energy may see a recommendation for an electrolyte or recovery product from a Pact brand partner.

Key protections:

Requires explicit opt-in consent from the Member
Members can opt out at any time in their account settings
Recommendations are surfaced within the Pact platform by Pact - not by the brand partner directly
Brand partners do not receive personally identifiable Member information unless the Member explicitly chooses to engage (e.g. redeeming an offer that requires sharing contact details)
Opting out has no impact on the Member's access to or experience of the core Service

4.3 What Pact Does Not Do

We do not sell individual personal information to third parties
We do not share Member Data with brand partners without explicit Member consent
We do not use Member health-related feedback for insurance, employment, or eligibility decisions
We do not allow brand partners to directly access or query Member Data
We do not serve third-party advertising within the platform

5. Data Shared with Gyms

Gym Owners and Coaches have access to Member Data for Members associated with their Gym. This includes:

Workout results and logging activity
PBs and goal progress
Session feedback and energy ratings
Activity patterns and consistency metrics
Disengagement signals (e.g. days since last log)

Gyms may not export, sell, or share individual Member Data with third parties outside the Gym's coaching and operational purposes. The relationship between Pact and each Gym regarding Member Data processing is governed by the Data Processing Agreement.

6. Data Isolation Between Gyms

Pact operates a multi-tenant architecture with row-level security (RLS) ensuring that each Gym can only access data for its own Members. A Gym cannot view, query, or access Member Data from another Gym.

If a Member transfers between Gyms, their personal training data moves with them. The previous Gym loses access to that Member's data upon transfer.

7. Data Retention Summary

Active accounts: data retained for the life of the account
Deleted Member accounts: personal data deleted within 30 days
Terminated Gym accounts: data available for export for 30 days, then deleted
Platform Data: retained indefinitely (cannot identify individuals)
Recommendation consent records: retained for the life of the account plus 12 months after deletion for compliance purposes

8. Data Security

Pact implements the following measures to protect data:

All data transmitted via TLS/HTTPS encryption
Row-level security (RLS) policies audited across all database tables
OTP-based authentication (no stored passwords)
Role-based access controls (Owner, Coach, Member)
Hosted on Supabase (SOC 2 compliant infrastructure) and Vercel

We regularly review and update our security practices as the platform grows.

9. Your Rights

Members and Gym Owners have the following rights regarding their data:

Access: Request a copy of the data Pact holds about you
Correction: Request correction of inaccurate data
Deletion: Request deletion of your account and associated personal data
Portability: Request an export of your training data
Opt-out: Withdraw consent for personalised recommendations at any time
Complaint: Lodge a complaint with Pact or with the Office of the Australian Information Commissioner

To exercise any of these rights, contact legal@pactfitness.xyz.

10. Changes to This Policy

We may update this Data Policy from time to time. Material changes will be communicated via email or through the Service at least 14 days before taking effect.

11. Contact

Pact Fitness (ABN 21 104 678 352)

Email: legal@pactfitness.xyz

Location: Perth, Western Australia