Privacy Policy

1. Introduction

This Privacy Policy ("Policy") explains how GoalPhysique ("GoalPhysique", "we", "us", "our") collects, uses, discloses and protects your personal data when you access goalphysique.com or any associated services, mobile applications or digital platforms (collectively, the "Service"). We are a sole trader established in the United Kingdom and act as the data controller for personal data processed under this Policy.

The Service provides a free online fitness assessment and a personalised one-off purchase programme (the "Paid Programme"). This Policy applies to users in the United Kingdom, the European Economic Area ("EEA") and the United States.

We are committed to processing your personal data transparently and in accordance with the UK GDPR, EU GDPR (together, "GDPR") and applicable US privacy laws including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA").

2. Key Definitions

  • Personal Data – any information relating to an identified or identifiable natural person.
  • Sensitive Personal Data – personal data revealing health information, which we collect when you complete the Assessment.
  • Processing – any operation performed on personal data such as collection, storage, use, disclosure or deletion.
  • Controller – the entity that determines the purposes and means of processing personal data.
  • Processor – a third party that processes personal data on behalf of the controller.

3. Personal Data We Collect

We collect the following categories of personal data:

  • Account & Contact Data – email address, name (if provided) and unique user ID generated when you complete the Assessment or purchase the Paid Programme.
  • Assessment Data – information you voluntarily supply about your lifestyle, health history, fitness level, dietary preferences and goals.
  • Payment Data – the last four digits of your card number, expiry date, postal/ZIP code and transaction details. Full card details are handled exclusively by Stripe and never stored on our servers.
  • Usage Data – log files, IP address, browser type, device identifiers, pages viewed, time spent and referral information collected automatically through cookies and similar technologies.
  • Marketing Preferences – your choices regarding receiving promotional emails.
  • Support Data – correspondence, feedback or survey responses when you contact us.

5. How We Use Your Personal Data

  • To create and manage your Account.
  • To generate your free evaluation and personalised Paid Programme.
  • To process payments securely via Stripe and provide order confirmations.
  • To deliver customer support and respond to enquiries.
  • To send administrative messages (e.g. password resets, payment receipts).
  • To send marketing emails where you have opted in (you can unsubscribe at any time).
  • To analyse usage trends, measure performance and develop new features.
  • To detect, investigate and prevent security incidents or fraud.
  • To comply with our legal and regulatory obligations.

6. Marketing & Opt-Out

If you consent, we may send you fitness tips, special offers and updates about the Service. You can withdraw consent at any time by clicking the unsubscribe link in our emails or contacting us at support@goalphysique.com.

We do not sell your personal data to third parties. Where required by CCPA/CPRA we will honour “Do Not Sell or Share My Personal Information” requests.

7. How We Share Your Data

We disclose personal data only as necessary:

  • Service Providers – payment processing (Stripe) and email delivery providers, under written contracts that require them to protect your data.
  • Professional Advisers – lawyers, accountants and insurers where necessary for our business operations.
  • Legal Authorities – where we are required to do so by law or to protect the rights, property or safety of GoalPhysique, our users or others.
  • Business Transfers – in connection with any merger, sale or reorganisation, subject to confidentiality safeguards.

8. International Data Transfers

We are based in the UK but some of our processors (e.g. Stripe, analytics providers) are located in the United States. Where we transfer personal data outside the UK/EEA we ensure an adequate level of protection by implementing one of the following safeguards:

  • UK/EU Standard Contractual Clauses approved by the UK ICO or European Commission;
  • Participation in an approved certification scheme such as the EU-US Data Privacy Framework; or
  • Another mechanism permitted under GDPR.

9. Cookies & Similar Technologies

We use essential cookies to enable core functionality and analytical cookies to understand how users interact with the Service. Where required, we obtain consent via our cookie banner. You can modify your browser settings to refuse cookies or alert you when cookies are being sent. However, some features of the Service may not function properly without them.

10. Data Security

We employ industry-standard technical and organisational measures, including encryption in transit, role-based access controls and regular penetration testing, to safeguard personal data. No method of transmission or storage is 100% secure; we therefore cannot guarantee absolute security.

11. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this Policy, including satisfying legal, accounting or reporting requirements. Assessment Data is retained for up to 3 years after your last interaction, unless you request earlier deletion. Transaction records are retained for 7 years in accordance with UK tax law.

12. Your Rights

You have the following rights, subject to certain limitations:

  • Access – obtain a copy of your personal data.
  • Rectification – correct inaccurate or incomplete data.
  • Erasure – request deletion of your personal data.
  • Restriction – limit our processing of your data.
  • Portability – receive your data in a structured, commonly used format.
  • Objection – object to processing based on legitimate interests or direct marketing.
  • Withdraw Consent – where processing is based on consent.

California residents have additional rights under CCPA/CPRA, including the right to know, delete and correct personal information, and the right to limit the use of sensitive personal information. To exercise any of these rights, please contact us using the details below. We will not discriminate against you for exercising your rights.

13. Children

The Service is not directed at children under 16. If we learn that we have collected personal data from a child without appropriate consent, we will delete it promptly. Parents or guardians who believe their child has provided us with personal data may contact us to request deletion.

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in law or our practices. We will indicate the effective date at the top of the Policy and, where material changes are made, provide reasonable notice via the Service or email.

15. Contact & Complaints

If you have any questions about this Policy or wish to exercise your rights, please email support@goalphysique.com.