Privacy Policy
Effective Date: 01/09/2025 | Last Updated: 01/09/2025
1. Introduction
Welcome to ProArc. We are committed to protecting and respecting your privacy. This Privacy Policy explains how Shin Fitness ("ProArc," "we," "us," or "our") collects, uses, stores, and shares your personal information when you use our application, website, and associated services (collectively, the "Service").
For the purpose of the UK General Data Protection Regulation (UK GDPR), the data controller is ProArc of Shin Fitness, 124 City Road, London, EC1V 2NX, United Kingdom.
This policy should be read in conjunction with our Terms of Service.
2. Information We Collect
We collect and process personal data necessary to provide and improve our Service. This includes:
- Identity and Profile Data: Your first and last name, and other profile information you provide.
- Contact Data: Your email address.
- Financial Data: Subscription status and billing history. We use a third-party processor (Stripe) for payments, and we do not store your payment card details.
- Special Category: Health and Fitness Data: This is sensitive information essential for the Service to function, including your age, gender, weight, fitness experience, performance metrics (e.g., running times, strength personal bests), goals, and workout feedback.
- Special Category: Location Data: GPS coordinates, routes, and elevation data from workout files you choose to upload.
- Physiological Training Data: Heart rate, power output, and cadence data from workout files you choose to upload.
- Technical Data: Your IP address, device information, and other metadata from your browser or device when you use the Service.
3. How We Use Your Data and Our Lawful Basis for Processing
Under UK GDPR, we must have a valid lawful basis to process your personal data. The table below outlines our purposes and legal bases for processing.
| Purpose of Processing | Type of Data | Lawful Basis under UK GDPR |
|---|---|---|
| To create and manage your account and provide the core features of the Service. | Identity, Contact, Financial | Performance of a Contract |
| To generate your personalised fitness program and provide workout suggestions. | Health & Fitness, Physiological | Performance of a Contract and Explicit Consent |
| To analyse your workout performance and provide insights and feedback. | Health & Fitness, Physiological, Location | Performance of a Contract and Explicit Consent |
| To process your subscription payments and manage your account status. | Financial, Contact, Identity | Performance of a Contract |
| To communicate with you about your account, service updates, or support queries. | Contact, Identity | Performance of a Contract and Legitimate Interests |
| To improve the Service, troubleshoot issues, and enhance our AI models. | Technical, Health & Fitness (Anonymised) | Legitimate Interests |
A Special Note on Health, Physiological, and Location Data: This is "special category data" requiring a higher level of protection. By providing this data to use the core features of our Service, you give your explicit consent for us to process it for the specific purposes of creating your program and analysing your performance. You have the right to withdraw this consent at any time.
4. Data Sharing and Third Parties
We do not sell your personal data. We share it with trusted third-party service providers only to the extent necessary to make our Service possible. These include:
- Cloud Infrastructure Provider (Supabase): Provides our core database, user authentication, and file storage infrastructure.
- Payment Processor (Stripe): Processes all subscription payments.
- Cloud and AI Service Provider (Google): We use cloud and AI services for certain features, such as analysing workout data to provide you with performance insights.
We have data processing agreements in place with these providers to ensure your data is protected.
5. Data Security
We take the security of your data very seriously. We implement appropriate technical and organisational measures to protect it, including:
- Strict data access controls to ensure you can only access your own data.
- Secure user authentication systems.
- Data encryption both in transit (using TLS) and at rest.
6. Data Retention and Deletion
We retain your personal data for as long as your account is active.
- User-Controlled Deletion: You can delete individual activity records and other data at any time through the app.
- Account Deletion: You can delete your entire account at any time. When you do so, we will delete or irreversibly anonymise your personal data within 30 days, except for limited records we must retain to comply with legal, regulatory, tax, accounting, or fraud-prevention obligations (e.g., invoices and payment records), or where retention is otherwise permitted by law (e.g., to establish or defend legal claims). We will restrict access to any retained records to the minimum necessary purpose, and we will delete them once those obligations end (for example, many UK tax records must be retained for up to 6 years).
- Third-Party Processors: Some records (for example, payment records processed by Stripe) are stored by our service providers on our behalf. We instruct them to retain only what is necessary, and to delete or anonymise data in line with our retention rules and their legal obligations.
7. Your Data Protection Rights
Under UK law, you have the following rights in relation to your personal data:
- The right to be informed: To be told how we use your data.
- The right of access: To request a copy of the personal data we hold about you.
- The right to rectification: To request that we correct any inaccurate personal data.
- The right to erasure: To request that we delete your personal data.
- The right to restrict processing: To request that we limit the processing of your data.
- The right to data portability: To receive your personal data in a structured, commonly used, and machine-readable format.
- The right to object: To object to our processing of your data where we are relying on legitimate interests.
- The right to withdraw consent: You can withdraw your explicit consent for us to process your special category data at any time. Please note that if you do so, we will be unable to provide the core features of the Service.
To exercise any of these rights, please contact us at hello@proarc.app.
8. International Data Transfers
Some of our third-party service providers are based outside the UK. When we transfer your data to these providers, we ensure that it is protected by appropriate legal safeguards, such as Standard Contractual Clauses (SCCs) or an Adequacy Decision, as required by UK GDPR.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by email or through an in-app notification.
10. How to Complain
If you have any concerns about our use of your personal information, you can make a complaint to us at the contact details below. You also have the right to lodge a complaint with the UK's data protection regulator, the Information Commissioner's Office (ICO).
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
11. Contact Us
If you have any questions about this Privacy Policy, please contact us at: