Privacy Policy

Last Updated: April 11, 2026

How We Protect Your Data

  • Encrypted connections: All data transmitted over HTTPS with TLS encryption
  • Payment security: Card details handled entirely by Stripe—we never see or store them
  • Database security: Row-level access controls ensure you only see your own data
  • Data ownership: You can export or delete your data at any time

1. Introduction

This Privacy Policy is issued on behalf of Chain Brothers Pty Ltd, ABN 50 652 630 398 (the “Company,” “we,” “us,” or “our”) and governs all our products, including Build Stability, and our corporate websites. We are committed to protecting your privacy and ensuring that your personal information is handled in a safe and responsible manner. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our fitness business management platform (“the Platform”), available via web browser and mobile applications.

For the purposes of applicable privacy and data protection laws, Build Stability is the data controller for your account information (such as your name, email, and billing details). When you use the Platform to store information about your own clients, you are the data controller for that client data, and we act as a data processor on your behalf.

By using our services, you agree to the collection and use of information in accordance with this Privacy Policy. This policy is designed to comply with applicable privacy laws including the Australian Privacy Act 1988, New Zealand Privacy Act 2020, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA/CPRA).

2. Information We Collect

Personal Information:

  • Name, email address, phone number, and business information
  • Billing and payment information (processed securely through Stripe)
  • Client data and fitness information you input into our platform
  • Account credentials and authentication information

Technical Information:

  • IP address, device type, browser type, and operating system
  • Usage data, including pages visited, features used, and time spent
  • Cookies and similar tracking technologies
  • Log files and error reports

3. How and Why We Use Your Information

We only use your information when we have a valid reason to do so. The sections below explain our purposes and the legal basis we rely on for each (as required under GDPR and UK GDPR):

Service Provision (Legal basis: Contract):

We need to process your data to deliver the service you signed up for.

  • Provide, operate, and maintain our fitness management platform
  • Process payments and manage subscriptions
  • Deliver customer support and respond to inquiries
  • Send important service-related communications (e.g. downtime notices, billing updates)

Platform Improvement (Legal basis: Legitimate Interest):

We have a legitimate interest in improving our platform, and we balance this against your privacy rights.

  • Analyze usage patterns to improve our services
  • Develop new features and functionality
  • Conduct research and analytics (using anonymized data only)
  • Prevent fraud and ensure platform security

Marketing (Legal basis: Consent):

We will only send you marketing communications if you have opted in. You can withdraw consent at any time.

Legal Compliance (Legal basis: Legal Obligation):

We may need to process your data to comply with tax, accounting, or other legal requirements.

4. Information Sharing and Disclosure

We Do NOT Sell Your Data

We do not sell, trade, or rent your personal information to third parties for marketing or advertising purposes. We do not “share” your personal information for cross-context behavioral advertising (as defined under California's CCPA/CPRA).

Limited Sharing:

We only share your information in the following limited circumstances:

  • Service Providers: Trusted third parties who assist in platform operations (e.g. Stripe for payment processing, Supabase for data hosting). These providers are contractually required to protect your data and can only use it to provide services to us.
  • Legal Requirements: When required by law, court order, or to protect the rights, safety, or property of Build Stability, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets. If this happens, we will notify you before your data is transferred and becomes subject to a different privacy policy.
  • With Your Consent: When you explicitly consent to sharing

AI-Powered Analytics and Client Profiling

Our Platform uses AI to analyse your business data and provide actionable insights. These features process data you have already entered into the Platform:

Engagement Scoring: We calculate engagement scores for your clients based on session attendance patterns, booking frequency, and cancellation history. These scores help you identify clients who may need additional attention.

Churn Prediction: We analyse client behaviour patterns (such as declining attendance, reduced booking frequency, and session cancellations) to predict which clients may be at risk of leaving. This is automated profiling as defined under GDPR Article 22.

AI Assistant: Our conversational AI assistant can access your business data (schedules, client records, revenue, session notes including RPE and injury notes) to answer questions and generate insights. Data is processed by our AI service provider (OpenAI) as described below.

Legal Basis: We process this data under our legitimate interest in providing you with business intelligence features that are core to the Platform (GDPR Article 6(1)(f)). For health-adjacent data such as injury notes and RPE, we rely on your explicit consent at the point of data entry (GDPR Article 9(2)(a)).

Your Rights: You have the right to object to automated profiling and to request human review of any automated decision. Contact us at privacy@buildstability.com.

AI Service Provider - OpenAI Content Sharing

Important: When you use our AI-powered features (including workout plan generation, the AI assistant, engagement scoring, and churn prediction), we share certain data with OpenAI, L.L.C. (“OpenAI”) for processing. These features are part of the core Platform experience.

What We Share:

  • Workout plan data (exercises, sets, reps, training metrics)
  • Fitness goals and training preferences
  • Equipment availability and training experience level
  • Client first names (required for the AI assistant to reference clients in conversation)
  • Session notes, RPE data, energy/mood/pain tags, and injury context (when using the AI assistant)
  • Client engagement scores and attendance patterns (when using AI analytics)
  • Scheduling data such as appointment times and status (when using the AI assistant)
  • Revenue summaries (for business administrators using the AI assistant)

What We DO NOT Share:

Contact information is systematically stripped from all data before it reaches OpenAI:

  • Email addresses (yours or your clients')
  • Phone numbers
  • Payment or billing details (card numbers, bank accounts)
  • Account credentials or authentication data

Purpose: OpenAI may use this workout data to develop and improve their AI models and services, as governed by OpenAI's Content Sharing Agreement and Business Terms.

Your Choice: The AI workout generation feature is optional. If you prefer not to share workout data with OpenAI, simply do not use the AI-powered features. All other platform features work without any data being sent to OpenAI. Do not include sensitive, confidential, or proprietary information in AI-generated workout plans.

5. Data Security

Security Measures:

  • Encryption for data transmission and storage using industry-standard protocols
  • Secure authentication and access controls for all user accounts
  • Regular software updates and security patches
  • Secure hosting through trusted cloud providers with enterprise-grade infrastructure
  • Limited access to personal data on a need-to-know basis
  • Secure development practices and code review processes

Note: While we implement industry-standard security measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.

6. Data Breach Notification

If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority or privacy commissioner within the timeframes required by law (typically 72 hours for EU/UK GDPR, 30 days for Australia)
  • Notify affected users without undue delay where the breach is likely to cause serious harm
  • Provide clear information about what happened, what data was affected, and what steps you can take
  • Take immediate steps to contain and remedy the breach

7. Your Rights and Choices

Your Privacy Rights:

Depending on where you are located, you may have the following rights under applicable privacy laws (including GDPR, UK GDPR, CCPA, the Australian Privacy Act, the NZ Privacy Act, and PIPEDA):

  • Access: Request copies of your personal data
  • Correction: Correct inaccurate or incomplete data
  • Deletion: Request deletion of your personal data
  • Portability: Export your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Where we rely on your consent, you can withdraw it at any time (this won't affect anything we did before you withdrew)

Right to Complain:

If you are unhappy with how we handle your data, you have the right to lodge a complaint with your local data protection authority. For example: the Office of the Australian Information Commissioner (OAIC), the UK Information Commissioner's Office (ICO), the Office of the Privacy Commissioner of New Zealand, your EU Member State supervisory authority, or the Office of the Privacy Commissioner of Canada.

Self-Service Data Controls

We believe you should control your data without waiting for support. From Settings → Account & Privacy:

  • Export: Download your data instantly in JSON format by category (Profile, Clients, Programs, Appointments, Billing)
  • Delete: Business owners can permanently delete their account and all associated data (requires confirmation)

No data lock-in. No support tickets. Your data, your control.

Marketing Communications:

  • Opt-out of marketing emails using unsubscribe links
  • Manage communication preferences in your account settings
  • Contact us directly to update your preferences

8. Data Retention

Retention Periods:

  • Paid Account Data: Retained while your account is active. If your subscription expires, you have 90 days of read-only access to your data, and after 120 days of inactivity we may permanently delete it. See the Terms of Service section 4 for the full cancellation and retention policy.
  • Free Trial Data: If you start a free trial and do not convert to a paid plan, we retain your trial account for 90 days after the trial ends, then permanently delete it. We send warning emails before deletion.
  • Client Data: Retained while the trainer's account is active. Deleted within 90 days of account deletion, unless the trainer exports it first.
  • Explicit Account Deletion: When a trainer chooses to delete their account, the data is scheduled for deletion at the later of 14 days from the request or the end of their current paid period. The trainer can undo any time before that date.
  • Marketing Consent Data: If you opted in to marketing emails at signup (GDPR-compliant explicit consent), we may retain your name and email in a separate marketing contacts list even after your account is deleted, so we can continue to send you product updates. You can unsubscribe and request full deletion at any time by emailing privacy@buildstability.com. Non-consented users have their name and email deleted with the rest of their account data.
  • Payment Records: Retained for 7 years after the transaction, as required for tax and accounting purposes.
  • Usage & Analytics Data: Retained for up to 2 years, then deleted or anonymized. Aggregated, non-identifiable statistics may be retained indefinitely for product improvement.
  • Support Correspondence: Retained for 2 years after resolution.

Deletion:

After the retention period expires, we will securely delete or anonymize your personal data. Some data may be retained longer only where required by law (e.g. tax records).

9. International Data Transfers

Our servers and service providers may be located in countries other than your own (including the United States and Australia). When we transfer your data internationally, we put appropriate safeguards in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for EU/UK transfers
  • Reliance on adequacy decisions by relevant authorities where available
  • Contractual protections with all service providers requiring them to protect your data to the same standard as this policy

You can contact us at the email below for more information about the specific safeguards we use for international transfers.

10. Cookies and Tracking Technologies

Types of Cookies:

  • Essential Cookies: Required for platform functionality and security. These cannot be disabled.
  • Analytics Cookies: Help us understand usage patterns and improve services. You can opt out of these.
  • Preference Cookies: Remember your settings and preferences. You can opt out of these.

Cookie Consent:

When you first visit our web platform, we will ask for your consent before setting any non-essential cookies. You can change your cookie preferences at any time through our cookie settings, or by adjusting your browser settings. Disabling certain cookies may affect some platform features.

Google Analytics & Data Collection (Web Only):

Google Analytics is used on our web platform only. Our iOS and Android apps do not include Google Analytics or any third-party tracking SDKs.

On our web platform, we use Google Analytics to understand how our Service is used. Google Analytics collects information such as how often users visit this site, what pages they visit when they do so, and what other sites they used prior to coming to this site. We use this information only to improve our platform.

Google's ability to use and share information collected by Google Analytics about your visits to this site is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can prevent Google Analytics from recognizing you on return visits to this site by disabling cookies on your browser or installing the Google Analytics Opt-out Browser Add-on.

11. Mobile Applications (iOS & Android)

Our iOS and Android apps collect only the data necessary to provide the service:

  • Account credentials (email, password) for authentication
  • Workout and program data you create or are assigned
  • Booking and scheduling information
  • Profile information (name, photo) you choose to provide

No Tracking on Mobile

Our mobile apps do not collect data for tracking purposes, do not use advertising identifiers (IDFA/GAID), and do not share data with third-party advertisers. Google Analytics and all other third-party analytics SDKs are completely absent from our mobile apps.

Data Deletion from Mobile:

You can request deletion of your data at any time through the app's Settings → Account & Privacy page, or by contacting us at privacy@buildstability.com. Business owners can permanently delete their account and all associated data directly from within the app.

12. Children's Privacy

Our services are designed for use by businesses and their adult clients. We do not knowingly collect personal information from children under 16 (or under 13 in the United States). If we become aware that we have collected personal information from a child under the applicable age, we will take steps to delete it promptly. If you believe a child has provided us with their information, please contact us at privacy@buildstability.com.

13. Third-Party Links

Our Platform may contain links to third-party websites or services (e.g. Stripe, social media). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with any personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on our website with a new “Last Updated” date
  • Sending email notifications for significant changes
  • Displaying prominent notices in our platform

Where required by law (for example, under GDPR), we will seek your consent before making material changes that affect how we use your data. For minor or clarifying changes, your continued use of our services after the updated policy is posted constitutes acceptance.

15. Governing Law

This Privacy Policy is governed by the laws of Queensland, Australia. However, nothing in this policy limits your rights under the privacy laws of your own country. If there is any conflict between this policy and the mandatory privacy laws that apply to you, those laws will take priority.

16. Contact Information

Privacy Inquiries

If you have any questions about this Privacy Policy or our data practices, please contact us at:

privacy@buildstability.com

Privacy Rights Requests

To exercise your rights under GDPR, UK GDPR, CCPA, the Australian Privacy Act, the NZ Privacy Act, or PIPEDA, please contact us at the email above with “Privacy Rights Request” in the subject line. We will respond within the timeframe required by applicable law (typically 30 days, or 45 days under CCPA).

Compliance Statement

This Privacy Policy is designed to comply with applicable privacy laws including the Australian Privacy Act 1988, New Zealand Privacy Act 2020, Canada's PIPEDA, the UK GDPR, the EU GDPR, and the California CCPA/CPRA. We are committed to protecting your privacy and handling your data responsibly.