Privacy Policy
Effective Date: 1 March 2026 Version: 2.0.0
IronMentor (Pty) Ltd ("IronMentor," "we," "us," or "our") is committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the South African Protection of Personal Information Act (POPIA), and other regional privacy regulations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services.
1. Data Controller
IronMentor (Pty) Ltd, Cape Town, South Africa. Email: privacy@ironmentor.io
For GDPR inquiries, contact our Data Protection Officer at dpo@ironmentor.io.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Data | Email address, name, password | Account creation and authentication |
| Health & Fitness Data (Special Category) | Medical history, injuries, medications, allergies, heart conditions, surgical history, family health history | Personalised exercise programming and safety screening |
| Emergency Contact Data | Name, phone number, relationship | Safety during training |
| Fitness Profile | Training goals, experience level, available equipment, body measurements | Programme design and progress tracking |
| Payment Data | Billing information (processed by PayFast) | Subscription management |
2.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device Information | Device model, OS version, app version | Compatibility and debugging |
| Usage Data | Feature usage, session frequency, workout completion | Service improvement |
| Performance Data | Workout results, form scores, personal records | Progress tracking |
2.3 Information from Third Parties
| Source | Data | Purpose |
|---|---|---|
| Strava (optional) | Activity summaries (if you connect your account) | Workout logging and sharing |
| Google Sign-In (optional) | Email address, name | Simplified authentication |
3. Lawful Basis for Processing (GDPR Art. 6 & Art. 9)
| Processing Activity | Lawful Basis | GDPR Article |
|---|---|---|
| Account management | Performance of contract | Art. 6(1)(b) |
| Exercise programme delivery | Performance of contract | Art. 6(1)(b) |
| Health data processing | Explicit consent | Art. 9(2)(a) |
| Payment processing | Performance of contract | Art. 6(1)(b) |
| AI form analysis | Explicit consent | Art. 6(1)(a) + Art. 9(2)(a) |
| Usage analytics | Legitimate interest | Art. 6(1)(f) |
| Legal compliance | Legal obligation | Art. 6(1)(c) |
| Marketing communications | Consent | Art. 6(1)(a) |
Special Category Data (Art. 9): Your health and medical information is classified as "special category" data under GDPR. We process this data only with your explicit consent, which you provide during onboarding. You may withdraw this consent at any time (see Section 8), though this will affect our ability to provide personalised exercise programming.
4. How We Use Your Information
We use your information to:
- Provide our services — Create and manage your account, deliver personalised exercise programmes, track your progress, and provide AI-powered form analysis.
- Ensure your safety — Screen for medical conditions that may affect exercise safety, adapt programmes to your limitations, and contact emergency contacts if needed.
- Process payments — Manage subscriptions and billing through our payment provider (PayFast).
- Improve our services — Analyse usage patterns to improve the app experience and AI coaching accuracy.
- Communicate with you — Send service-related notifications, programme updates, and (with your consent) marketing communications.
- Comply with legal obligations — Maintain records required by law, respond to legal requests, and fulfil regulatory requirements.
5. Automated Decision-Making & AI Processing (GDPR Art. 22)
IronMentor uses artificial intelligence to:
- Analyse exercise form from video recordings and sensor data
- Generate personalised exercise programmes based on your fitness profile and goals
- Score workout performance and provide coaching feedback
These AI-generated recommendations are advisory and do not constitute medical advice. You are not subject to decisions based solely on automated processing that produce legal or similarly significant effects. A human coach validates AI training methodology, and you may request human review of any AI-generated recommendation by contacting support@ironmentor.io.
6. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Service delivery |
| Health & fitness data | Duration of account | Programme personalisation |
| Workout history | Duration of account | Progress tracking |
| Payment records | 7 years after transaction | Tax and legal compliance |
| Legal consent records | Indefinite (anonymised after account deletion) | Proof of consent (GDPR Art. 7) |
| Medical waiver records | Indefinite (anonymised after account deletion) | Legal compliance |
| Usage analytics | 2 years (aggregated) | Service improvement |
| Support communications | 3 years | Quality assurance |
When you delete your account, all personal data is permanently erased except legal consent and medical waiver records, which are anonymised (user identity removed) and retained to demonstrate that consent was obtained.
7. Data Sharing & Transfers
7.1 Service Providers
We share data with trusted service providers who process data on our behalf:
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and data storage | Cape Town (af-south-1) | AWS Data Processing Addendum, ISO 27001 |
| PayFast | Payment processing | South Africa | PCI-DSS Level 1 |
| Anthropic / OpenAI | AI model inference (anonymised prompts) | United States | Data Processing Agreement, no training on user data |
7.2 Cross-Border Transfers
Your primary data is stored in AWS Cape Town (af-south-1). For EU users, data will be stored in the EU region. When data must be transferred internationally (e.g., AI processing), we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where available
- Supplementary measures including encryption in transit and at rest
7.3 We Never
- Sell your personal data to third parties
- Share your health data with insurers, employers, or advertisers
- Use your personal data for AI model training without explicit consent
- Share your data with other users without your permission
8. Your Rights
Under GDPR (EU Users)
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of all your personal data | Settings > Privacy & Data > Export Data |
| Rectification (Art. 16) | Correct inaccurate personal data | Edit Profile in app |
| Erasure (Art. 17) | Delete your account and all associated data | Settings > Account > Delete Account |
| Restrict Processing (Art. 18) | Limit how we use your data | Contact dpo@ironmentor.io |
| Data Portability (Art. 20) | Receive your data in machine-readable format | Settings > Privacy & Data > Export Data |
| Object (Art. 21) | Object to processing based on legitimate interest | Contact dpo@ironmentor.io |
| Withdraw Consent (Art. 7) | Withdraw consent for health data processing | Contact dpo@ironmentor.io |
| Lodge Complaint | File complaint with supervisory authority | See Section 8.3 below |
Under POPIA (South African Users)
You have the right to: access your data, correct it, request deletion, object to processing, and lodge a complaint with the Information Regulator (inforeg.org.za).
8.1 Data Export
You can export all your personal data at any time through the app (Settings > Privacy & Data > Export Data). The export includes your profile, workout history, personal records, badges, and all other associated data in JSON format.
8.2 Account Deletion
You can permanently delete your account through the app (Settings > Account > Delete Account). This will:
- Permanently delete all your personal data, workout history, and fitness profile
- Anonymise (but retain) legal consent and medical waiver records for compliance
- Cancel any active subscriptions
- This action cannot be undone
8.3 Supervisory Authority
If you are in the EU, you have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
9. Data Security
We implement technical and organisational measures to protect your data:
- Encryption at rest: All sensitive personal data (email, name, health data, payment tokens, OAuth credentials) is encrypted using AES-256-GCM at the application layer, in addition to AWS-managed encryption at the storage layer.
- Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2+.
- Access controls: Role-based access with multi-factor authentication for administrative access.
- Audit logging: All access to personal data is logged for security monitoring.
- Regular security reviews: We conduct periodic security assessments of our systems.
10. Children's Privacy
IronMentor is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you through the app
- You will be asked to review and accept the updated policy
- The "Effective Date" at the top will be updated
- Previous versions remain available for reference
12. Contact Us
For privacy-related inquiries:
- Email: privacy@ironmentor.io
- Data Protection Officer: dpo@ironmentor.io
- Support: support@ironmentor.io
Last Updated: 1 March 2026 Version: 2.0.0