Privacy Policy
Last updated: April 2026
1. Who We Are
- Charlotte Pacey Fitness (sole trader — Charlotte Pacey)
- Chalkhill Drive, Sherburn in Elmet, LS25 6RF
- Data controller for the purposes of UK GDPR
- Contact: hello@charlottepaceyfitness.com
2. What Data We Collect
| Data | Purpose |
|---|---|
| Email address | Account creation, login, purchase receipts |
| Name | From Google Sign-In, if provided |
| Profile photo URL | From Google Sign-In, if provided |
| Purchase records | Date, amount, Stripe transaction ID |
| Workout progress | Which workouts completed, video position |
| Device and browser information | Security and error tracking |
3. How We Use Your Data
- Contract performance: providing access to purchased content, processing payments
- Legitimate interest: improving the service, security monitoring, error tracking
- Consent: marketing emails (if applicable)
We do not sell your data to third parties.
4. Third-Party Data Processors
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Stripe | Payment processing | Email, payment details | stripe.com/privacy |
| Supabase | Authentication and database | Email, auth tokens | supabase.com/privacy |
| Bunny.net | Video streaming | IP address, viewing data | bunny.net/privacy |
| Cloudflare | Bot protection (Turnstile) | IP address, browser fingerprint | cloudflare.com/privacypolicy |
| Vercel | Hosting | IP address, request logs | vercel.com/legal/privacy-policy |
| Vimeo | Video hosting (promotional) | IP address, viewing data | vimeo.com/privacy |
| Beehiiv | Email marketing | Email address | beehiiv.com/privacy |
| Sentry | Error tracking (consent required) | Device info, error context (no PII) | sentry.io/privacy |
5. Cookies
We use essential cookies only at launch:
- Supabase auth session cookie - functional, required for login
- Cookie consent preference - stored in localStorage, not a cookie
Non-essential cookies may be added in future (analytics, marketing). These will require your consent via our cookie consent banner.
6. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation (UK GDPR), you have the following rights:
- Right to access your personal data
- Right to rectification (correct inaccurate data)
- Right to erasure (delete your account and all data)
- Right to restrict processing
- Right to data portability
- Right to object to processing
To exercise any of these rights, contact hello@charlottepaceyfitness.com.
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
7. Data Retention
- Account data: retained while your account is active. Deleted within 30 days of account deletion request.
- Purchase records: retained for 6 years (UK tax law requirement, HMRC).
- Workout progress: deleted with account.
- Error logs: retained for 90 days.
8. Data Security
- All data transmitted over HTTPS.
- Passwords hashed (Supabase handles auth security).
- Payment data handled by Stripe (PCI DSS Level 1 compliant) - we never store card details.
- Row Level Security on database (Supabase RLS).
9. International Transfers
Some processors (Supabase, Stripe, Sentry) may process data outside the UK. These transfers are covered by Standard Contractual Clauses or UK adequacy decisions.
10. Children
This service is not directed at children under 16. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email. The last updated date at the top of this page will be revised accordingly.
See also: Terms & Conditions