Privacy Policy for Empowered By Science
Introduction
Health Hubb Pty Ltd (ACN 614 585 910, ABN 54 614 585 910), trading as Empowered By Science (referred to as “Empowered By Science”, “EBS”, “we”, “us” or “our”), operates an online coaching business providing exercise, nutrition, and mentoring services to clients in Australia and globally. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in the course of our business. It is prepared in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and also incorporates relevant requirements of the EU/UK General Data Protection Regulation (GDPR) for users located in the European Union or United Kingdom. By using our services (including our website, coaching platform, and related tools), you agree to the handling of your personal information as described in this Privacy Policy and in our Terms of Service. This Privacy Policy forms part of and is to be read in conjunction with our Terms of Service (available on our website), and we mutually reference these documents to ensure your rights and obligations are clear.
We are committed to respecting your privacy and safeguarding your personal, sensitive, and health information. This Policy provides a transparent explanation of our privacy practices – what information we collect, how we use and share it, how you can access or correct it, and what rights you have regarding your data. We encourage you to read this document carefully. If you have any questions, please contact us using the details provided in the Contact Us & Privacy Complaints section below.
Definitions
For the purposes of this Privacy Policy, the following definitions apply:
Personal Information: Under the Privacy Act, personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in a material form or not. In practical terms, this includes any information that can identify you as a person. Examples include your name, contact details, date of birth, demographic details, and even opinions or notes about you that could identify you.
Sensitive Information: Sensitive information is a subset of personal information that is given a higher level of protection under privacy laws. It includes information or an opinion about an individual’s racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, trade union membership, sexual orientation or practices, criminal record, health information, genetic information, or certain biometric data. We handle sensitive information with additional safeguards and will usually require your consent to collect it.
Health Information: Health information is a specific type of sensitive information related to an individual’s physical or mental health or disability, and to health services provided or to be provided. In our context, this covers any personal information collected in the course of providing you with exercise, nutrition, or other health-related coaching services. It may include details about your medical history, injuries or conditions, fitness metrics, dietary preferences or allergies, and other information about your health or well-being that you (or your guardian, if you are a minor) provide to us. We treat health information with the strictest confidence and in accordance with all applicable privacy laws.
For clarity, references to “Empowered By Science,” “EBS,” “we,” “us,” or “our” mean Health Hubb Pty Ltd trading as Empowered By Science. References to “you” or “client” mean any individual whose personal information we handle. This includes prospective, current, or former clients of our exercise, nutrition, or business coaching services, as well as visitors to our website and individuals subscribing to our communications or newsletters.
Collection of Personal Information
We only collect personal information that is reasonably necessary for our business functions and activities as an online coaching provider. The types of personal information we may collect include:
Identity and Contact Details: Information that identifies you, such as your name, email address, telephone number, postal address, and age or date of birth. If you register an account on our coaching platform or website, we will also collect your username or profile information.
Health and Fitness Information: Detailed information related to your health, fitness, and nutrition that you provide to help us tailor your coaching plan. This may include your health history, medical conditions or injuries, exercise experience, dietary habits, food preferences or allergies, body measurements, weight, fitness assessment results, progress photos, and other data about your physical or mental health. All such health information is considered sensitive personal data and is treated with extra care. We will only collect health information with your consent and for the purpose of providing our services (for example, designing a safe and effective workout or meal plan).
Lifestyle and Goal Information: Information about your personal goals, lifestyle, schedule, and preferences relevant to designing your program. For example, we may ask about your occupation (if it affects your activity levels), sleep habits, stress levels, or specific objectives (e.g. “training for a marathon in 6 months”). This helps us customize our coaching to fit your life and targets.
Business Coaching Information: If you participate in our business coaching services (for fitness professionals or entrepreneurs), we may collect information related to your business or professional life. This can include your business name, your role or job title, business contact details, and information about your business goals, strategies, or performance. (Business-related information you share might not always be “personal information” under privacy law if it’s not about you as an individual. However, any personal details intertwined with your business coaching – for example, your personal views, experiences, or finances as a sole trader – will be treated as personal information and protected accordingly.)
Financial and Payment Information: When you pay for our services, we (or our payment processor) collect payment information. We use third-party payment processors (such as Stripe) to handle credit/debit card transactions. This means we do not store your full card details on our own systems. You will provide your payment details (card number, expiration, CVV, etc.) directly into the secure payment form, and Stripe processes the payment. We receive a confirmation and limited details (such as your name, email, billing address, the amount, date, and perhaps a transaction ID or the last four digits of your card). We keep records of transactions for invoicing and compliance (e.g. accounting and tax), but we never see or store your full card number or security code.
Platform Usage Data: When you use our online coaching platform or associated mobile app (for example, the EverFit app through which we deliver coaching programs), we collect data generated as you interact with the service. This includes workout logs, completion status of exercises, nutrition logs, check-in responses, messages or feedback you send via the platform, and other in-app activities. It may also include technical information like login times or device information. (Some of this may overlap with the Health and Fitness Information described above – for instance, your workout completion data is both platform usage data and fitness information.)
Third-Party Integration Data: With your permission, we may collect information via integrations with third-party fitness or health services that you choose to connect to our platform. For example, you might link a fitness tracker or app (such as Apple Health, Google Fit, MyFitnessPal, or a wearable device) to sync your data. If you do this, we could receive data like your daily step count, heart rate, sleep patterns, calorie intake/burn, or other metrics from those services. We will treat any imported data from such integrations as personal (and potentially health) information under this Policy. You can manage or revoke these integrations at any time through the third-party service or our platform settings.
Communications and Correspondence: We may keep records of communications you have with us. This includes emails you send us, SMS or instant messages, contact form submissions from our website, survey responses, or notes from phone calls or video consultations. For example, if you email a question or provide feedback, we will retain that email and our response. If you participate in a coaching call and we take notes or you send a chat message through a platform, that information is retained as part of your client record. We also track engagement with our communications; for instance, if we send a newsletter or announcement email, we might see whether you opened it or clicked on links (typically in aggregate form, not at an individual profiling level unless necessary to ensure you receive essential info).
Website Usage Data: When you visit our website or client portals, certain information is collected automatically via cookies and similar technologies. This may include your IP address, browser type, device type, pages you visited on our site, and the referring page that led you to our site. We generally do not use this data to identify you personally; it’s used in aggregate to analyze website traffic and improve user experience. Our website will notify you about the use of cookies when you first visit (and where required, obtain consent for certain cookies). You can control or block cookies through your browser settings. For more details, see any Cookies notice on our site (if applicable).
Other Information You Provide: You may choose to provide us with additional information in various contexts – for example, responding to an optional survey, giving a testimonial, entering a contest or giveaway, or providing feedback. We will collect and handle whatever information you choose to give us in those situations. If you fill out a feedback form or share a success story, we will use that information in line with this Policy (and if we want to share it publicly as a testimonial, we will ask your permission as noted below).
We do not require you to provide personal information that is not necessary for the purposes described. Whenever lawful and practical, you have the option to deal with us anonymously or under a pseudonym – for example, if you are making a general inquiry and not yet a client, you don’t have to give your full identity. However, due to the personalized nature of our coaching services, it is usually impracticable for us to serve you without knowing at least basic personal and health details. If you choose not to provide certain requested information (such as important health details or a way to contact you), we may not be able to enroll you as a client or provide the full range of services.
How We Collect Personal Information
We collect personal information through fair and lawful means. The main ways we gather information about you include:
Directly From You: In most cases, we collect information directly from you (or from your parent/guardian if you are under 18 – see Underage Clients section below). You provide personal, health, and contact information when you inquire about our services, sign up as a client, or fill out our intake questionnaires. This may happen through online forms (e.g. a sign-up or application form on our website), through the EverFit app during onboarding, via email or messaging when you communicate with us, or during consultations (by phone, video, or written responses). For example, when you join a coaching program, you’ll typically complete a detailed intake form about your health history and goals – all the data you enter is collected by us to design and deliver your program. Throughout your engagement, you might also provide updates or new information (for instance, notifying us of a new injury or completing a progress check-in form). By providing information to us, you consent to our collection and use of it for the relevant coaching purposes.
Through Our Coaching Platforms and Tools: We use third-party platforms and software to deliver our services. For instance, we use EverFit as our primary coaching app (for workouts, habits, messaging, etc.), Stripe for payment processing, Google Workspace/Microsoft 365 for email and office productivity, Dropbox or similar cloud storage for files, and an email marketing service (such as Mailchimp) for newsletters. When you interact with us via these platforms, some personal information is collected automatically by the platform or entered by you and then shared with us. For example, if you use the EverFit app, it will record your workout completions, which our coaches can see. If you pay an invoice online via Stripe, you enter your card details into Stripe’s form and Stripe provides us with your name, contact info, and payment confirmation. If you subscribe to our newsletter, our email service provider stores your email address and name on our behalf. In all these cases, the information is collected by the platform and then provided to us or accessible by us to use for the stated purposes (coaching, payment, communication, etc.).
Third-Party Integrations (with Your Consent): As noted under “Third-Party Integration Data,” you may choose to link external apps or devices to our coaching platform. We will only access those external data sources with your explicit permission. For example, if you connect your Fitbit or MyFitnessPal account, you’ll be asked to authorize that connection. Upon your authorization, we receive specific data (like your step count or food log) which we incorporate into your coaching plan or progress tracking. You are in control – if you later revoke permission or disconnect the app, we will stop receiving that data. You can manage integration settings either in the third-party app’s settings or by notifying us to help disconnect it.
Public or Third-Party Sources: In general, we do not collect personal information about you from public databases or third-party sources without your knowledge. The nature of our business is such that you provide information directly to us. We do not purchase marketing lists or scrape data from other sources. However, there are a few limited scenarios where we might obtain information indirectly: for example, if someone refers you to us and gives us your contact details to reach out, or in the context of business coaching, you might direct us to view information about your business on public websites or social media. If we receive personal information about you that we didn’t ask for (unsolicited), we will handle it in accordance with the Privacy Act – that is, we will decide if we could have collected it lawfully and if it’s necessary for our functions. If not, we’ll securely delete or de-identify it. If yes, we’ll treat it per this Policy. (For instance, if a fellow professional suggests you might like our service and provides your email, we would likely send a one-time note and refer you to this Policy, but not add you to any list without your consent.)
Clients Under 18 (Minors): We have special procedures for collecting information from minors. If you are under 18 years old, we require consent from a parent or legal guardian to collect your personal information and provide our services. Typically, the parent/guardian will fill out the intake forms on the minor’s behalf or co-sign the agreement. We may collect the child’s information via forms completed by the guardian or through conversations with the guardian. We take extra care with minors’ data – please see Underage Clients below for more details on how we handle children’s personal information. (If you are a parent/guardian providing information about a minor, you must ensure you have the authority to do so and that the information is accurate to the best of your knowledge.)
Automatic Collection (Website Analytics & Cookies): As mentioned earlier, when you browse our website or use our online services, we may automatically collect technical data using cookies, web beacons, or similar technologies. A cookie is a small text file that a website may store on your device to remember your preferences or track activity. We use cookies to analyze usage of our site (e.g. which pages are visited most often) and to improve performance. This usage data might be considered personal information (for example, an IP address can identify a computer in some cases), but we generally only review it in aggregate form. You can control or disable cookies through your browser settings if you wish, noting that doing so might affect functionality (for instance, our site might not remember your preferences). We also honor any applicable requirements for cookie consent in jurisdictions that require it.
Unsolicited Information: If we receive personal information that we did not request (for example, you send us extra documents or someone emails us out of the blue with their data), we will handle it in line with the law. We will determine whether we could have legally collected the information and if it’s necessary for our activities. If not, we will securely delete or de-identify it. If yes (for example, you voluntarily provided additional health info that is useful for your coaching), we will keep it and protect it under this Policy. In any case, unsolicited information is afforded the same confidentiality as other information we hold.
No Collection of Sensitive Information Without Consent: We will not collect sensitive personal information (including health information) about you without your consent, unless an exception applies (such as a health or safety emergency or as required by law). By engaging our services and providing us with sensitive information (like health details), you are consenting to our collection and use of that information for the purposes outlined to you. We will make it clear when we are asking for sensitive information, and we will only use it for your benefit in the coaching context. (For example, we might ask about any medical conditions to ensure your exercise program is safe; by answering, you consent to that use.) In jurisdictions like the EU, this constitutes explicit consent to process sensitive data.
Use of Personal Information
We collect and hold personal information primarily to conduct our coaching services and business operations. We will only use your personal information for the purposes for which it was collected, for purposes that are directly related and within your reasonable expectations, or as otherwise permitted or required by law. The main purposes for which Empowered By Science uses personal information include:
Providing and Personalizing Coaching Services: The core use of your information is to design, deliver, and adjust our coaching services (exercise, nutrition, and any mentoring or business coaching) to suit you. We use your personal details, health information, lifestyle data, and goals to create customized training programs, meal plans, and advice. For example, we review your health history to avoid exercises that may aggravate an injury, use your fitness assessment results to set appropriate workout intensity, and consider your stated goals to keep your program on track. For business coaching clients, we use the information about your business and objectives to provide tailored guidance and strategies. In short, without your information, we cannot effectively coach you – so all relevant personal data is used to give you the safest, most effective, and personalized coaching experience.
Communication: We use your contact information (email, phone number, or messaging handles) to communicate with you regarding our services. This includes sending program materials and resources, scheduling sessions or calls, providing feedback on your workouts or food logs, and responding to your questions or requests. We also send routine reminders or check-ins – for example, an SMS reminder of a scheduled coaching call, an app notification that you have a new message or task, or an email if you haven’t logged in for a while. Communication is a vital part of our coaching, and we will use the communication method you prefer when possible. Additionally, we might contact you to notify about important changes, such as updates to this Privacy Policy or our Terms of Service, or information about any service interruptions or security issues if they arise.
Payment Processing and Administration: We use personal information to manage billing and payments for our services. For example, if you sign up for a paid program, we (through our payment processor) will use your payment details to charge the fees. We may use your name and email to send you invoices, receipts, or payment reminders. We maintain financial records (which include personal identifiers like your name and transaction history) to comply with accounting and tax laws. Rest assured, we do not use your financial information for anything other than processing your authorized payments and keeping appropriate business records.
Business Operations and Service Improvement: Internally, we may use personal information to analyze how our business and services are performing and to find ways to improve. This can include reviewing client progress data to evaluate the effectiveness of our programs, analyzing common feedback or questions to improve our coaching methods or materials, or tracking enrollment numbers to plan our resources. Where feasible, we use de-identified or aggregated data for these purposes – for example, calculating the average improvement in a fitness metric across all clients, or identifying trends in client engagement without focusing on individuals. If we ever look at an individual’s data for an internal improvement reason (say, studying one person’s journey as a case study to refine an approach), we do so confidentially and without disclosing personal details outside our team. Any use of data for research or analytics will respect your privacy and will not publicly identify you without your consent. (We may, for instance, publish aggregate outcomes like “our average client improves strength by X% in 3 months,” but we would not publicly share your personal results or story without permission.)
Direct Marketing (with Consent): We may use your contact details to send you promotional or educational communications, but only in accordance with your consent or applicable marketing laws. This includes emails or messages about new services, special offers, newsletters with fitness/nutrition tips, or upcoming events that we believe may interest you. If you are an existing client or have subscribed to our mailing list, we interpret that you have consented to receive such communications (implied or express consent, as required by the Spam Act 2003 (Cth) and APP 7). You always have the right to opt out of marketing messages – see the Direct Marketing Communications section below on how to unsubscribe. We will respect your choice and will not send you marketing material if you withdraw consent. (Also, we will not use sensitive information like your health data to target any marketing without your explicit consent.)
Testimonials and Success Stories (with Consent): If you provide us with a testimonial or feedback, or if you achieve notable results in our program, we may wish to share your success story to inspire others. However, we will always obtain your permission before using any personal or health information in a public testimonial. We are happy to anonymize your story if you prefer (e.g. using a pseudonym or just describing results without naming you). For example, we might say “Client X lost 10kg in 6 months” without identifying details, unless you agree that we can use your name or photo. Any such use will be discussed with you in advance and subject to your approval.
Compliance and Legal Obligations: We may use or disclose your information where required by law or necessary to comply with our legal obligations. This includes maintaining records as required by regulations (for instance, keeping client invoices for tax purposes, or keeping exercise program records if required under health service guidelines), and producing information if legally mandated by a court order, subpoena, or regulatory request. If we receive a lawful request for information (for example, from law enforcement or a regulatory body like the Office of the Australian Information Commissioner), we will verify its legitimacy and only provide the minimum data necessary. We also use personal information as needed to manage legal matters – for example, to investigate and address any complaints or disputes that might arise, to enforce our client agreement or Terms of Service, or to defend against any legal claims. In all cases, any use or disclosure for legal reasons will be limited to what is necessary and proportionate for that purpose.
Safety and Vital Interests: If we believe that using or sharing your information is necessary to protect someone’s life, health, or safety, we may do so in emergency situations. For instance, if you were in acute danger or a medical emergency during a training session or consultation and you were unable to communicate, we might share relevant health information with medical personnel. These situations are rare, and we would only disclose information to those necessary (like first responders) and only what is needed to help. This is in line with exceptions in privacy law that allow use/disclosure to prevent or lessen a serious threat to life or health. We will usually involve appropriate authorities or professionals and make a record of such disclosures.
Other Uses with Your Consent: If we ever need to use your personal information for a purpose not covered above, we will seek your consent first. We won’t assume we have your consent for something just because it’s broadly related – we will ask you clearly. For example, if we wanted to partner with another organization to offer a new program and it involved sharing some of your information with that partner, we would not do so unless you agreed. We endeavor not to use your data in any unexpected ways, but if a new scenario comes up, we will get your permission before proceeding.
(We do not engage in any kind of automated decision-making or profiling that has a legal or significant effect on you without human involvement. In other words, important decisions about your coaching – such as adjustments to your plan – are made by qualified human coaches, not solely by algorithms. We may use software tools to assist (for example, EverFit might suggest progress charts or nutrition targets), but a human coach reviews and interprets that information. If we ever introduce automated decision-making in the future for certain aspects, we will inform you and ensure it complies with any legal requirements.)
Disclosure of Personal Information
We treat the information you share with us as confidential. We will not sell, rent, or trade your personal information to unrelated third parties for their marketing or other independent uses. However, in the normal course of running our business, we do share your personal information with certain trusted third parties under strictly controlled circumstances. These include service providers that help us deliver our services, and other parties as required by law or with your consent. Below we outline the scenarios in which your information may be disclosed and to whom:
Service Providers (Data Processors): We use reputable third-party companies to support our operations and the provision of services. These providers act on our behalf and may handle or store personal information incidentally as part of their services. Key examples are:
Coaching Platform – EverFit: We use the EverFit application (web and mobile) to deliver and manage your fitness coaching program. This platform stores personal information such as your profile (name, email), your workout plans, exercise logs, progress metrics, and any messages or feedback exchanged. EverFit’s role is to host and organize this data for us; their staff do not access client content except as needed for technical support or maintenance, and they are contractually bound to keep it confidential. We have an agreement in place with EverFit to ensure they safeguard client data and only use it to provide the service to us. In essence, EverFit is a secure repository for your coaching data that our coaches use to work with you.
Payment Processor – Stripe: When you make payments to us (for example, paying for a coaching program or a subscription), we use Stripe to process your credit or debit card transactions. Stripe will receive your payment details and may store some of your information (such as your name, email, and billing address, and a record of the transaction). Stripe is PCI-DSS compliant (the industry standard for card security) and is contractually committed to secure handling of personal and financial data. We share with Stripe only the information necessary for processing payment (typically your name, contact info, and the amount to charge). We do not send them your health or coaching data. Stripe’s role is limited to processing payments and they do not use your info for other purposes. (For more details, you can refer to Stripe’s privacy policy available on their website.)
Cloud Storage and IT Infrastructure: We rely on cloud-based storage and infrastructure services (such as Dropbox, Google Drive, or Microsoft OneDrive/Azure) to store certain records and manage our documents. For example, we might keep a backup of your training program file or store administrative spreadsheets in a secure Dropbox or Google Drive folder. These cloud services may host data on servers outside Australia (see International Data Transfers below), but we apply security measures like encryption and access control to files stored there. Only authorized personnel (like your coach or our admin staff) are given access to these folders. Similarly, if we use Microsoft 365 or Google Workspace for email and office tools, personal information contained in emails or documents will be processed by those providers in the course of providing the service. We choose providers with strong security reputations and appropriate privacy commitments (for instance, Microsoft and Google publish transparency reports and adhere to international security standards). Our contracts or terms with them include privacy protections where possible.
Email & Marketing Platforms: If you subscribe to our newsletter or if we send out group communications, we use an email marketing platform such as Mailchimp (or a similar service, e.g. ActiveCampaign). These platforms store your name and email address (and possibly your country or preferences if we record that) for the purpose of managing mailing lists and sending emails. They act only per our instructions – for example, to distribute a newsletter we create. Every marketing email will include an unsubscribe link managed by the provider, which automatically updates our list when you opt out. We may also use an SMS service to send text message reminders or notifications; in that case, your mobile number and message content might pass through a telecommunications or SMS gateway provider. All such providers are required to handle your data securely and only use it for delivering our communications.
Analytics Tools: We use analytics services like Google Analytics on our website to understand and improve website traffic and user experience. These tools use cookies or similar methods to collect information about how users interact with our site (e.g., pages viewed, time spent, browser type). The information collected is generally aggregated and does not identify you personally; however, things like IP addresses or device IDs are processed by the analytics provider and in some jurisdictions those can be considered personal data. We do not see individual user profiles from Google Analytics – only aggregated reports (e.g., “100 people visited the site this week, 60% from mobile devices”). We treat any analytics data that could theoretically be linked to an individual as personal information and protect it accordingly. Google (and similar providers) are themselves subject to strict privacy obligations. (Google Analytics data may be stored overseas; we have set it to anonymize IPs where possible. You can opt out of Google Analytics by using a browser add-on if you wish.)
Professional Advisors: We may share necessary information with our professional advisors – such as lawyers, accountants, auditors, or insurers – when we require their services. For instance, our accountant might see your name and transaction amounts in our financial records while preparing our tax returns, or our lawyer might review an incident that involved your data to provide us with legal advice. We only disclose what is necessary for the advisor to perform their role, and we ensure that these professionals are obliged to keep your information confidential (by law and/or under contract). They will not use your information for any purpose other than advising us or providing the contracted service.
Employees and Contractors: Empowered By Science is a small operation; currently, a tertiary-qualified Exercise Scientist and Nutritionist (the owner) serves as the head coach. We may also have a small team of assistants or subcontractors (such as an additional coach, dietitian, or administrative support) who help deliver services. Any staff or contractors who need access to personal information to do their job will be allowed such access, but strictly on a “need-to-know” basis. For example, if we hire an assistant to help schedule sessions, they will have access to your name and contact details but not necessarily to your detailed health information. All employees and contractors are subject to confidentiality obligations either via their employment contract or a separate confidentiality agreement. We provide training and guidance to our team on privacy compliance. They understand that they must handle client data in line with this Policy and applicable laws. If any staff member were to violate these obligations, we would take appropriate action (up to termination of employment/contract).
Parent or Guardian (for Minor Clients): If the client is under 18, we consider the parent or legal guardian who consented to the service as having rights to access the minor’s information. We may share the child’s progress and relevant personal information with their parent/guardian. For example, a parent who signs up their 16-year-old for coaching will receive updates about the child’s performance or any concerns. We generally involve both the minor (if they are mature enough to engage in the coaching discussions) and the parent in communications. The parent or guardian can request information about the child’s coaching at any time. We handle a minor’s information with great care, balancing the child’s privacy with the guardian’s responsibility. (See Underage Clients for more details on how we handle children’s data and parental involvement.)
Third Parties Authorized by You: There might be situations where you explicitly ask us to share your information with someone else. We will do this only with your direction or consent. For example, if you are working with a physiotherapist or doctor and want us to send them your workout plan or a progress report, we will do so with your permission. Similarly, if you are participating in a group coaching or accountability program and you agree that some information can be shared with the group or a partner, we will make sure you understand what will be shared and get your consent. In short, if you say “I want person X to receive my info,” we will treat that as permission (after verifying as needed) and fulfill your request.
Legal Requirements and Protection of Rights: We may disclose personal information when required by law or when we have a good-faith belief that such action is necessary to: comply with legal obligations, protect and defend our rights or property, act in urgent circumstances to protect personal safety, or investigate and address violations of our terms or the law. For instance, if we receive a court order or notice from a regulatory authority compelling us to provide certain data, we will comply after ensuring the request is valid. Another example is that we might disclose information to law enforcement if we suspect fraud or other illegal activity (as allowed by law). Also, if required for an audit or by the Australian Taxation Office, we might have to provide records that include personal information (e.g. proof of payments for a particular client as part of an audit). In all cases, we will only disclose what is necessary and will document the disclosure. If appropriate and lawful, we might also inform you that such a request or disclosure occurred.
Business Transfers: In the unlikely event that Empowered By Science (Health Hubb Pty Ltd) undergoes a major business change – such as a merger, acquisition by another company, or sale of some or all business assets – the personal information we hold may be transferred as part of that transaction. For example, if another company acquires us or invests in our business, they would typically take possession of client data as part of the continued operation of the services. In such a case, we will ensure your information remains protected. Any successor will be bound to the terms of this Privacy Policy (or terms that are at least as protective of your privacy). We will notify you of any transfer of ownership that affects your personal information, by posting a notice on our website or contacting you directly, and we will give you an opportunity to inquire about the details or even opt-out if practical. If you do not wish to continue with the new entity, we will provide options such as deleting your data if feasible. No transfer will take place if the new owner cannot adhere to the commitments made herein regarding your personal information.
No Unauthorized Third-Party Marketing: We will never sell or provide your personal details (such as your name or contact information) to outside companies for their own marketing purposes without your explicit consent. You will not get emails or calls from some other company because of information you gave us, unless you have explicitly opted in to such an arrangement. (If in the future we run a joint promotion with a partner and you choose to sign up, that would be an example of consenting to third-party communication, but we would make it clear and it would be your choice.)
Use of De-Identified Information: We may share aggregated or de-identified data (information that has been stripped of personal identifiers so that it cannot be linked to you) for various purposes, and we do not consider this personal information. For example, we might publish a statistic like “Our average client improved their 5km run time by 15% after 12 weeks” or “90% of clients report increased energy levels”, or we might share average outcomes with a research collaborator or in marketing material. Such information will not identify any individual. We may also internally share or utilize de-identified datasets to improve our programs. Before sharing any data publicly, we ensure it’s aggregated to a level that individual privacy is protected.
We take steps to ensure that any third party we disclose personal information to (as described above) handles that information securely and only for the purposes we’ve specified. We have contracts or agreements with many of our service providers that legally require them to protect your data and keep it confidential. However, please note that when you directly provide information to a third-party platform we use (such as EverFit or Stripe), your information is also handled according to that third party’s own privacy policy. For example, information you enter into the EverFit app is governed by EverFit’s terms and privacy policy in addition to ours. We encourage you to review the privacy policies of such providers if you want to understand how they manage your data. If you need help locating or interpreting any third-party privacy policy, feel free to ask us.
Underage Clients (Children and Minors)
We recognize the importance of protecting the privacy of children and minors, especially when they are engaging in health, fitness, or personal development services. Our services are primarily designed for adults, but we may coach individuals under 18 (minors) with parent or guardian involvement and consent. This section explains how we handle personal information when the client is under 18:
Parental/Guardian Consent: If you are under 18 years of age, we require consent from your parent or legal guardian before we collect your personal information or provide you with coaching services. This consent is usually obtained during the sign-up process. For example, a parent or guardian will sign our coaching agreement on behalf of the minor (or jointly with the minor) and explicitly agree to this Privacy Policy’s terms. We may ask the parent/guardian to provide proof of their relationship to the child and their authority to consent. Without verified parental consent, we will not knowingly collect or retain personal information from a minor.
Guardian Involvement: We encourage parents or guardians to be appropriately involved in the coaching process. Typically, a parent/guardian will be our primary point of contact for administrative matters (like payments and scheduling) and may also assist the minor in providing information (for instance, filling out the health questionnaire on behalf of a younger child). Depending on the minor’s age and maturity, our coaches might communicate directly with the minor for day-to-day coaching interactions (especially for older teenagers who can responsibly participate), but the parent/guardian will be kept in the loop. The guardian has the right to access information about the child’s progress and participation. We consider the parent/guardian to be a “responsible person” for the purposes of exercising the child’s privacy rights (as recognized under the Privacy Act), meaning they can request access, correction, or even deletion of the child’s information on the child’s behalf, as appropriate.
Nature of Information Collected (Minors): For clients under 18, we collect largely the same type of information as for adults – health and fitness details, personal goals, etc. We take care to collect information in a manner appropriate to the child’s age. For example, we might ask a teenager to provide information about their own fitness experience in their own words, whereas for a younger child we would rely on the parent’s description of the child’s health and habits. We may collect additional details like an emergency contact (if not the parent) and the child’s physician’s information, to be prepared in case any health issue arises during training.
Use of Information (Minors): We use a minor’s personal information strictly for providing the coaching service and ensuring the child’s safety and well-being in that context. We do not use children’s personal data for any purposes unrelated to the service. In particular, we do not market to minors. Any general marketing communications we send are intended for adult recipients. If a minor or their guardian subscribes to a newsletter, we assume the guardian is supervising that subscription. We also do not profile minors for marketing or share their information with third parties for marketing. Essentially, a child client’s data is used to coach them (and communicate with them/parents) and for necessary administration only.
Privacy of the Minor: We respect the privacy of our younger clients while balancing the need for parental oversight. Within our team, only coaches or staff who are directly involved in the minor’s coaching will have access to the minor’s data. We will not disclose a minor’s information to anyone outside our organization except as described in this Policy (e.g., to our service providers for the purposes of providing the service, or if required by law, or with parent/guardian consent). We also take into account the minor’s own perspective: if the minor is old enough to have a say (for example, an older teenager), we will, where feasible, communicate our privacy practices to them as well and even seek their assent for certain uses of data in addition to the guardian’s consent. We want to educate young clients about privacy and respect their personal boundaries, while of course keeping the guardian fully informed.
Accounts and Platform Use: If our coaching platform (like EverFit) requires an individual login, and the client is under 18, we handle account setup with caution. In many cases, we create the minor’s account using the parent’s contact email as the primary email on file (or add the parent as a co-user or cc on communications). If the platform allows a separate login for the minor (which might be useful for, say, a 17-year-old who is actively engaging with their program), we advise that the parent supervise the minor’s use of the platform. We also adhere to any age restrictions that third-party platforms impose. For instance, if EverFit or another tool has a minimum age (often 13 due to COPPA in the US or similar rules), we will not create logins for children below that age; instead, we would have the parent manage the account or find an alternative method to deliver the content. We strive to ensure compliance with any child-specific privacy regulations (such as the U.S. Children’s Online Privacy Protection Act, COPPA, if it were applicable due to a platform’s involvement) whenever dealing with under-13 users.
Withdrawal of Consent: A parent or guardian can withdraw their consent for our collection or use of a minor’s information at any time. If consent is withdrawn, we will stop providing services to the minor (since we cannot coach a child without processing their personal and health information) and we will deal with the information as requested – for example, deleting it – provided that doing so does not conflict with any legal retention requirements. We may need to retain certain data for a period even after services end (see Data Retention below), such as basic records of coaching for professional or legal obligations. If that’s the case, we will inform the guardian what information must be retained and for how long. We will not keep anything we don’t need to.
Children Under 13: Our online coaching services are generally targeted at adults and mature teens. We do not typically offer individual online coaching directly to children under 13. In the unusual event that we consider coaching a younger child (e.g., a family-based nutrition program that involves a child, or a special training program for kids with heavy parental involvement), this would be done with extensive parental supervision and consent, and in compliance with any additional child privacy laws or requirements. For example, if we were to work with a 12-year-old on healthy eating habits, the parent would be the primary participant logging data and communicating, with the child’s input as appropriate, and any online accounts would likely be set up in the parent’s name. If any jurisdictional laws set stricter rules for handling data of children (such as requiring parental consent up to a certain age, or limiting types of data collected), we will abide by those rules. But as a general rule, if you are under 13, we would engage with you only via your parent/guardian, with communication flowing primarily through them.
No Consent / Misrepresentation: If we discover that we have unknowingly collected personal information from a child under 18 without the necessary parental consent (for instance, if a minor pretends to be an adult and signs up on their own, or if a consent form was falsified), we will take prompt action to delete that information and terminate the service. We strongly urge that children do not attempt to use our services without parental involvement. If anyone becomes aware that a minor’s information was provided to us without authorization, please notify us immediately. We will investigate and, if confirmed, will purge the data and stop any further contact with the minor (aside from perhaps a notice that they cannot use the service without a guardian).
Our goal with underage clients is to create a safe, positive environment that supports their development and goals, while involving parents or guardians to protect their interests. We handle minors’ data with utmost care and in compliance with all legal obligations. If you are a parent/guardian or a young client and have any questions or concerns about how we handle minors’ information, please contact us. We are always willing to explain our practices and take any steps necessary to ensure comfort and compliance in these situations.
Special Provisions for Business Coaching Clients
In addition to fitness and nutrition coaching, Empowered By Science occasionally provides business coaching or mentoring services (for example, advising fitness professionals on their business or helping entrepreneur clients). We understand that information shared in a business coaching context can be sensitive – it might include proprietary business information, strategies, financial data, or other confidential material. We treat our business coaching clients’ information with the same confidentiality as personal information, and in some ways even more stringently due to its proprietary nature. The following provisions highlight how we protect information specific to our business coaching clients:
Non-Disclosure to Third Parties: We will not disclose your business-related information to any third party without your explicit consent, except under circumstances that mirror those described elsewhere in this Policy (e.g., if required by law or to protect rights, as with other personal data). Business coaching often involves discussing internal details of your business operations. We regard these discussions and any documents you share (business plans, financial statements, client lists, etc.) as highly confidential. Unlike fitness coaching – where we might internally discuss generalized client progress trends – each business coaching client’s situation is unique and often proprietary. We therefore keep your business information strictly within our organization. If we ever need to consult an outside expert or partner as part of helping you (for example, you ask us to coordinate with your accountant or you want an external specialist’s input), we would only do so with your permission and we would ensure that such third party is under a suitable non-disclosure obligation.
No Conflict of Interest: We are mindful of conflicts of interest in business coaching. If we coach multiple clients who operate in similar spaces or even competing businesses, we keep each client’s information segregated and do not share insights from one client with another. Each client’s strategy, ideas, and data remain confidential to that client. If any potential conflict of interest arises (for instance, if one client’s business goals could overlap or conflict with another’s), we will disclose it to the affected clients and discuss how to manage it – which could include assigning a different coach or implementing an information barrier – or, if needed, declining or discontinuing an engagement to maintain integrity. We want each business coaching client to trust that their sensitive information will not be used to benefit anyone else, even inadvertently.
Secure Handling of Business Information: Business coaching session notes, materials you provide, and our communications about your business are stored securely using the same or higher level of protection as other personal data. If you provide documents (e.g. spreadsheets, marketing plans) or we create notes about your business strategies, these will be stored in our secure cloud storage or CRM, with access limited to your coach and essential staff. We often mark these files as “confidential” or segregate them in a folder accessible only to the coach/owner. If you stop business coaching with us, we will archive your business information securely. We do not delete it immediately (in case you return or for record-keeping needs), but once archived it is not accessed unless necessary for a specific reason (like you re-engaging our services, or you request a copy). Of course, you retain the right to request deletion of this information as well (subject to legal requirements), just as with other personal data.
Testimonials and References (Business Context): We understand that business coaching clients may be more hesitant to share that they had coaching or to reveal details about business changes publicly. We will never use your business’s name, your name, or your results in our marketing or communications without your explicit permission. If you do provide a testimonial or allow us to cite your success, we will agree with you on what can be shared. For instance, you might allow us to say “I doubled my client base after coaching with EBS – Jane D., Gym Owner” or you might prefer it to be anonymous. We will follow your preferences strictly. Internally, we might acknowledge that we have worked with certain types of businesses for credibility purposes (for example, telling a prospective client that we have experience coaching gym owners or nutrition start-ups, possibly mentioning generalized outcomes). But we will not reveal identifiable details unless you have agreed to serve as a reference. Even when pitching our services to others, any examples from past clients will be anonymized (unless we have your consent to name you as a reference that a potential client can contact). Your trust in us with your business information is paramount.
Confidentiality Commitment: Our duty of confidentiality to business coaching clients is not only a professional ethic but also often contractual. We treat business coaching discussions and materials as private and sensitive. While our communications are not protected by a legal privilege (as attorney-client communications would be), we aim to honor them with similar respect. Our standard coaching agreement includes a confidentiality clause specifically addressing business information. We are also willing to sign a separate Non-Disclosure Agreement (NDA) if you require one for peace of mind – our default approach is already to keep your business information confidential, but we recognize some clients have corporate policies that require formal NDAs. We have no issue signing such documents as long as they are reasonable. In summary, you should feel as safe discussing your business challenges with us as you would discussing personal health information – we guard both closely.
Application of Privacy Laws: It’s worth noting that some of the information in business coaching might not be “personal information” (for example, data about your company’s revenue isn’t personal data if it doesn’t identify an individual). However, we often deal with a mix of business and personal info (e.g., the owner’s perspective, personal goals intertwined with business). Regardless, we choose to handle all client-provided information with care and ethics. Any personal information involved in business coaching (like your personal contact details or biography as the business owner) is fully protected under the APPs and GDPR just like any other client data. If you are an EU/UK client, any personal data in your business coaching records is handled in compliance with GDPR requirements (lawful basis, rights to access, etc.). For non-personal business data, even though privacy laws may not strictly apply, we still treat it confidentially as described. We also avoid any conflicts or disclosures that could harm your business interests.
In summary, whether you come to us for improving your health or improving your business, the information you share is safe with us. We fully appreciate that trust and confidentiality are crucial in a coaching relationship. If you have any specific concerns about confidentiality (especially in the business context), please discuss them with us – we are happy to accommodate reasonable requests such as heightened data security measures or signing additional agreements. Our aim is to give you peace of mind so you can focus on getting the most out of the coaching experience.
International Data Transfers
Empowered By Science is based in Australia, but many of the tools and services we use are cloud-based and may involve storing or processing data on servers in other countries. In today’s digital environment, it’s common for personal information to “travel” or be accessible internationally, especially given the global nature of software services. We want to be transparent that your data may be transferred or stored overseas, and explain how we handle such transfers in accordance with Australian law and global standards like the GDPR.
Some examples of where your data might be stored or transmitted internationally:
Our coaching platform EverFit and our email marketing service (e.g. Mailchimp) likely host data on servers in the United States (and possibly other locations) by default. This means information you input into EverFit (workouts, profile info, etc.) or that we store in Mailchimp (your email address, name, and newsletter activity) will be processed and stored in the U.S.
Our payment processor Stripe is a global company – when you make a payment, data may be routed through or stored in the U.S. or other countries as needed to process the transaction (Stripe has data centers globally). Stripe also sometimes uses servers in Europe for EU transactions, etc., but as an Australian business using Stripe, we anticipate some data ending up in the U.S.
Cloud storage providers like Dropbox, Google, or Microsoft often use a network of data centers around the world (the U.S., Europe, Asia, etc.) to ensure availability and backups. For instance, if we upload a file with your program to Dropbox, that file could be stored in a U.S. data center or replicated across several regions for redundancy.
If you are located outside Australia (say, in the EU, UK, or elsewhere), the data you provide is obviously transmitted to Australia when we receive it, and we will access and handle it here in Australia to deliver the service to you.
Cross-Border Data Protection: We are mindful that when personal information moves out of Australia, it could be subject to different legal systems. Australian privacy law (APP 8) requires us to take steps to ensure that overseas recipients do not breach the Australian Privacy Principles in relation to your information. Similarly, the GDPR imposes strict rules on transferring personal data outside the EU/UK. Below are key steps we take to safeguard your data when it’s transferred internationally:
Choosing Reputable Providers: We use service providers with strong privacy and security reputations. Many of our major providers (Google, Microsoft, Stripe, etc.) are large companies that adhere to international security standards and privacy frameworks. For example, providers like Microsoft and Google often certify under schemes like ISO 27001 for information security. Stripe and Mailchimp include GDPR-compliant contractual clauses (Standard Contractual Clauses, or SCCs) in their terms for data transfers. We perform due diligence by reviewing their privacy policies and data protection commitments. We prefer providers that we know implement robust measures and, where applicable, have signed up to cross-border data protection mechanisms.
Contractual Safeguards: Wherever feasible, we have agreements or accept terms of service with our providers that include privacy protections. Many of these agreements state that the provider will handle personal data in accordance with standards equivalent to the APPs and/or GDPR. For instance, our contract with EverFit or the terms of Mailchimp contain provisions on confidentiality, data use limitations, and security. They also often include the European Commission’s Standard Contractual Clauses (SCCs) for any EU personal data transfers, binding the provider to protect EU data even on U.S. servers. By incorporating such clauses or terms, we ensure that there are legal obligations on the foreign recipient to safeguard your information.
Consent for Overseas Disclosure: Australian Privacy Principle 8.1 can be satisfied if we reasonably believe the overseas recipient is subject to laws or schemes comparable to Australian standards, or if we obtain your consent after informing you that APP protections may not apply. In our case, we are informing you here and obtaining your consent that your personal information may be stored or processed in overseas locations as required for our use of global platforms. By using our services and providing us with your information, you consent to us transferring your personal information to these overseas service providers for the purposes described in this Policy. We believe this consent is informed, as we have listed the types of providers and countries involved. If you have concerns about any specific overseas transfer, you are welcome to discuss them with us. Note that if you do not want your data to leave Australia, we may be limited in providing our services because many modern software tools operate internationally. We can explore alternatives, but there may be functionality trade-offs.
GDPR Transfers (EU/UK users): If you are in the EU or UK, we will ensure that any transfer of your personal data outside the European Economic Area (EEA) or UK is done in compliance with Chapter V of the GDPR. Typically, this means: we will only send your data to a country that has been officially deemed to have “adequate” data protection laws, or we will use a valid transfer mechanism such as the Standard Contractual Clauses (SCCs) or an approved certification scheme, or another GDPR-compliant method. For example, Mailchimp (based in the U.S.) includes SCCs in its Data Processing Addendum, which cover EU data leaving Europe. We remain liable under GDPR for protecting your data even when it’s processed by our vendors overseas, and we take that responsibility seriously.
Security in Transit: Regardless of location, whenever we transfer personal data, we use encrypted channels. Our website and apps use HTTPS (SSL/TLS) for data entry and retrieval, meaning data is encrypted while traveling over the internet. Similarly, when we upload data to cloud services or send data to a provider’s API, those transmissions are encrypted. This reduces the risk of interception when data crosses borders digitally.
Despite all measures, it’s important to note that once information is in another country, it could be subject to the laws of that country. For example, data stored in the US might, in rare cases, be lawfully accessed by US government agencies under their laws. We have no reason to believe this will happen in the context of your data, but we acknowledge it as a possibility with any international storage. Our policy is to resist any unlawful or overreaching request for personal data, whether from foreign or local authorities. Unless prohibited by law, we would inform affected individuals if we were ever compelled to disclose data to a government.
If you would like more information about cross-border data transfers – such as exactly which countries your data might go to, or copies of the relevant safeguards (e.g., SCCs) – please contact us. We understand that international data flow is complex, and we’re happy to provide additional details to give you comfort about how your data is handled overseas.
(In summary: we do use overseas services, but we work only with those who meet high standards, and we employ legal mechanisms and consents to ensure your privacy continues to be protected even when your data leaves Australia.)
Direct Marketing Communications
From time to time, Empowered By Science may send you direct marketing communications to inform you about our services, news, updates, offers, or educational content (such as fitness tips or nutrition guides) that we think may be of interest to you. These communications could be via email, SMS/text message, instant messaging, or via other electronic means. In some cases, we might send postal mail or make a phone call for marketing, though that is less common. We are mindful of our obligations under laws like the Australian Spam Act 2003 (Cth) and APP 7 regarding direct marketing, as well as the preferences of our clients.
Our approach to direct marketing respects your choices and privacy:
Consent-Based Marketing: We will only send you marketing communications if we have the appropriate consent or lawful basis to do so. Typically, when you sign up for our services or newsletter, you will be providing either express consent (e.g., ticking a box to receive updates) or implied consent (if you gave us your contact details and context suggests you would like to hear from us, as allowed by Spam Act rules). For example, if you sign up as a client, it is reasonable for us to send you information about similar services or upgrades. If you subscribe to a “free tips” newsletter, you expect to get those emails. We do not send “unsolicited commercial electronic messages” in violation of spam laws – every message we send is either requested or agreed to by you, or is exempt under the law (such as purely transactional messages). If at any time we require explicit consent (for instance, some jurisdictions or channels require an opt-in), we will obtain it.
Unsubscribe/Opt-Out: Every marketing email we send will contain a clear “unsubscribe” link or instructions to opt out. This allows you to instantly remove yourself from that mailing list. For SMS messages, we may provide a keyword like “STOP” that you can reply with to opt out of future texts. You can also always opt out by contacting us directly (email or phone) and requesting to be removed from marketing lists. We will process opt-outs as quickly as possible. Under Australian law, we honor unsubscribe requests within 5 business days for emails (usually much sooner), and for SMS we typically remove you almost immediately (SMS systems are often real-time or within minutes). There is no charge for you to unsubscribe beyond the standard cost of sending the opt-out message (if any). Once you opt out, we will cease sending you promotional content via that channel.
No Third-Party Marketing Spam: As noted earlier, we do not sell your information to other companies to market to you. That means when you get communications from us, it’s because you’re in our database as someone who has engaged with EBS, not because we gave your email or number to another company. If we ever collaborate with a partner for a special event or offer, you would be informed and have a choice in whether you want to hear from that partner. We won’t hand over your contact info to them unless you say so.
Customization of Content: We may tailor the marketing content you receive based on information you have given us, to ensure it’s relevant. For example, current clients might receive a monthly newsletter with coaching tips, whereas former clients might receive a note about a new program that might interest them, and people who just signed up to a mailing list but never purchased might get a welcome series of emails. We might also use your stated interests or goals to send more targeted content. This kind of profiling for marketing is fairly basic and done in-house – for instance, segmenting our mailing list by “people interested in nutrition” vs “people interested in business coaching.” It does not involve sharing data with advertisers or tracking you across other sites.
Frequency: We aim to strike a balance in how often we contact you. We know no one likes to be bombarded. Generally, we might send an email newsletter at most once a week (more often likely monthly or biweekly), and occasional announcement emails if we launch something new or have a special offer. SMS messages, if you opt for them, will be infrequent and likely reserved for important updates or limited-time announcements. We will not call you for marketing purposes unless you’ve indicated phone is acceptable and even then it would be rare (perhaps to invite local clients to an event). Our goal is quality over quantity – to send you information you find useful, not to clutter your inbox.
Transactional vs. Marketing Communications: Please note that if you opt out of marketing communications, we may still send you transactional or service-related communications as needed. For example, if you are currently a client, we will still email you about your program, appointments, billing issues, or changes to our terms/privacy policy that affect you. Stopping marketing emails will not stop these essential communications. If you are no longer a client and have opted out, you shouldn’t receive anything further except perhaps a final confirmation or administrative message if needed.
In summary, we conduct our direct marketing in a respectful and lawful manner. We give you control over what you receive, and we honor your choices promptly. If you ever feel you’re getting something you didn’t sign up for, please let us know and we’ll rectify it. We want our communications to be welcomed and valuable, not a nuisance.
(If you have specific preferences – e.g., “email me but don’t text” or “send me nutrition tips but not business offers” – you can inform us and we will do our best to accommodate. Your preferences and privacy are important to us.)
Data Security Measures
We take data security very seriously and implement a range of measures to protect your personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure. While no method is 100% foolproof, we strive to follow industry best practices and continuously improve our safeguards. Below are some key components of our data security approach:
Secure Storage: Personal information we hold is stored in secure operating environments. Physical documents (if any) are kept in locked cabinets or secure office locations accessible only to authorized personnel. Digital personal data is stored on secure servers or trusted cloud services that employ strong security protocols. We use access controls (like passwords and user permissions) to prevent unauthorized access to databases. For example, our EverFit coaching platform and cloud storage accounts are protected by strong, unique passwords and whenever possible, two-factor authentication (2FA) – meaning even if a password were compromised, an attacker would need a second factor (like a code from our phone) to get in. Access to client data on these systems is limited to those who need it.
Encryption: We use encryption technology to protect personal information, both in transit and at rest where applicable. Our website and web services use HTTPS (SSL/TLS encryption), which means that any data you enter on our site (like form submissions) or that we transmit is encrypted while traveling over the internet. Within our systems, sensitive databases or files are encrypted when feasible. For instance, if we maintain a local backup of client data on a hard drive, we encrypt that drive or file so that it can’t be read without the decryption key. When sending particularly sensitive information via email (say, a document containing health details), we may use encrypted email or password-protected files. In short, we try to ensure that if data somehow falls into the wrong hands, it remains unintelligible and protected by encryption.
Access Control and Staff Training: Internally, we enforce a strict need-to-know policy. Only team members who need access to personal information to perform their duties are granted access. Each authorized user has their own login credentials – we do not share accounts among staff. We maintain logs or records of access when possible (especially for sensitive systems) to monitor who accessed what data and when. In addition, we train our staff and any contractors on the importance of privacy and security. They are instructed on proper data handling practices, such as not downloading client data to unsecured personal devices, not emailing sensitive data to personal accounts, recognizing phishing attempts, etc. Any breach of our data protection protocols by staff would result in disciplinary action. By fostering a culture of security awareness, we reduce the risk of human error leading to a breach.
Anti-Malware and System Security: We protect our digital environment from malware, viruses, and hacking. Our computers and devices are equipped with reputable antivirus/anti-malware software that is kept up to date. We apply security updates and patches to our operating systems and applications regularly to fix any known vulnerabilities. Our cloud service providers also maintain robust security infrastructure – for example, major providers have firewalls, intrusion detection systems, and 24/7 monitoring in their data centers. We avoid using unsecured public Wi-Fi when accessing sensitive information; if it’s necessary (e.g., working while traveling), we employ a VPN to encrypt the connection. These steps help prevent unauthorized access through network attacks or malicious software.
Regular Backups: We perform regular backups of critical data (such as client program data and important documents) to ensure we can recover information in case of hardware failure, accidental deletion, or other loss. Backups are stored securely, often encrypted and off-site (for instance, on a secure cloud backup service or an encrypted external drive stored safely). We treat backup media with the same care as live data – meaning if client files are backed up to a physical drive, that drive is encrypted and locked away. Backups are essential for data availability and integrity, which are part of security. By having backups, we can restore your information if something goes wrong, minimizing disruption to our services and to you.
Third-Party Security Measures: When we entrust data to third-party providers (like EverFit, Stripe, Dropbox, etc.), we rely on their security measures as well. We choose vendors who are known for robust security. For example, Stripe is Level 1 PCI-DSS compliant, which is the highest standard for payment data security. Many of our providers have external certifications or audits (ISO standards, SOC reports) that attest to their security. We stay informed about the security features they offer. Where available, we enable additional security options – such as enabling 2FA on our admin accounts for those services, setting up alerts for new device logins, etc. We also review their documentation or whitepapers on data protection. In short, we don’t just assume they’re secure – we configure and use their services in the most secure way possible and keep an eye on updates or changes that could affect security.
Data Anonymization and Minimization: A principle we follow is to collect and keep only what we need. By minimizing the amount of personal data we have, we reduce risk. Whenever we can, we use anonymized or pseudonymized data, especially for analytics or internal research. For example, if we are analyzing general trends in client progress, we might remove names or use client ID codes instead of real identities. If we no longer need certain personal identifiers for our purposes, we might strip them out and just keep non-identifiable data. This way, even if there were a leak of that particular dataset, it wouldn’t tie back to you. We also avoid storing highly sensitive info unless absolutely necessary. For instance, we don’t store your full credit card info at all (that stays with Stripe), and we encourage clients not to send extremely sensitive personal documents unless needed.
Payment Security: We’ve touched on this before, but to reiterate: we do not directly hold your sensitive payment card details. By using external secure payment gateways, we offload the storage of credit card numbers to specialists who focus solely on payment security. Stripe, for example, tokenizes card data (meaning we receive a random token, not your actual card number, to reference the transaction). On our end, any records of transactions contain at most the last 4 digits of your card or a Stripe customer ID – not enough to compromise your account. This significantly reduces the risk associated with payment information. Our website’s payment forms (if any) or invoice links are served over secure connections, and Stripe’s elements are embedded securely. In short, we ensure the payment process is locked down by industry standards so that your financial info remains secure.
Device Security: Any devices we use to access personal data (such as laptops, tablets, or smartphones) are secured with passwords, PINs, or biometric locks. We configure devices to auto-lock after a short period of inactivity. We also have the capability to remotely wipe devices if they are lost or stolen, to prevent data on them from being accessed. We avoid storing personal data on portable drives or USB sticks; if we ever must, those are encrypted. Basically, we try to ensure that even if a physical device falls into the wrong hands, the data on it remains protected. We also separate personal and business use of devices as much as possible to reduce cross-over risks.
Monitoring and Testing: We periodically review our security measures and update them in response to new threats. This includes staying informed about cybersecurity news or threats in the industry and being alert for phishing emails or suspicious activity. We monitor access logs where available; for example, if an unusual login to our systems is detected (like an attempt from a foreign country that we don’t operate in), we investigate immediately and take action (such as changing passwords or revoking tokens). While we don’t have a formal “penetration testing” team, we do utilize available tools (many cloud services have security checkup tools) to scan for potential vulnerabilities. We also encourage a mindset of “trust but verify” – meaning we trust our systems and people, but we also verify through audits or oversight that everything is working as it should.
Data Breach Response Plan: In the unlikely event of a data breach – for example, unauthorized access to our systems, a hacking incident, or accidental data exposure – we have a plan in place to respond swiftly. Our breach response plan includes steps to: contain the breach (stop further data loss), assess the extent of damage and the types of information involved, notify the affected individuals and authorities as required, and prevent future incidents by addressing the cause. Under the Australian Notifiable Data Breaches (NDB) scheme, if a breach occurs that is likely to result in serious harm to any individuals, we are legally required to notify those individuals and the Office of the Australian Information Commissioner (OAIC). We are prepared to do so. Similarly, if a breach involves personal data of EU/UK individuals, we will follow GDPR’s breach notification requirements (which generally require notification to authorities within 72 hours and to individuals if there’s high risk to them). We sincerely hope never to experience a serious breach, but we have drills and templates ready so that we can act quickly and transparently if it happens. Our priority in such a scenario would be to mitigate any harm (e.g., advise you to change passwords if relevant, secure identity protection if needed, etc.) and to learn and improve from the incident.
We also want to note your role in keeping your information safe. For example, if you have a login to our coaching platform or any online account with us, please keep your username and password confidential. Use a strong, unique password and change it periodically. We will never ask you for your password via email or phone – if you get a message asking for that, it’s likely fraudulent. Be cautious of phishing attempts that look like they come from us; when in doubt, contact us directly through our official channels.
In summary, we employ a multi-layered security strategy to guard your personal information against threats. From technical safeguards like encryption and firewalls to administrative measures like training and policies, and physical protections for any hard copy data, we aim to cover all bases. We also regularly reassess our security in light of new technology and risks. If you have specific questions about our security practices or if you have discovered a potential vulnerability in our systems, please reach out to us – we welcome the feedback and will act promptly. Your data security is our responsibility, and we work hard to merit the trust you place in us by sharing your information.
Data Retention and Destruction
We will retain your personal information only for as long as it is necessary to fulfill the purposes for which we collected it, or as required by law and our professional obligations – whichever is longer. In practice, this means different types of information may be kept for different lengths of time, depending on what it’s used for and the legal context. We outline our general data retention approach below:
Active Clients: While you are an active client (meaning you are currently receiving coaching/services from us), we retain all the personal information relevant to providing those services. Your data is actively used to guide your program, so we keep it readily accessible. This includes historical information you’ve provided (like your initial intake answers) and ongoing records of your progress and communications. We find it important to have your history on hand to tailor your coaching effectively over time.
Former/Inactive Clients: If you cease using our services (for example, you complete your program or decide to cancel), we generally move your data into an “inactive” or archived status but do not immediately delete it. It is common practice (and often prudent) to retain client records for a certain period even after service ends. Our default retention period for client records is at least 7 years from the date of last interaction. We have several reasons for choosing a seven-year period: (1) Under Australian professional guidelines, health records are often advised to be kept for 7 years for adults (and longer for minors) – for instance, health practitioners commonly keep records 7 years after last contact (or until a child turns 25). We align with this standard to err on the side of caution. (2) Business and financial records (invoices, receipts, communications) need to be kept around 5–7 years to satisfy tax and accounting obligations in Australia (the ATO, for example, generally requires records for 5 years after a transaction, but other regulations recommend 7). (3) Seven years also covers most statutes of limitation for potential legal claims – meaning if any issue were to arise or if you had a complaint years later, having the records helps resolve it. In summary, retaining records for ~7 years balances legal, professional, and operational considerations. Of course, if you return as a client before that time, having your history helps us serve you better.
Legal Requirements for Specific Data: Certain types of data may have their own mandatory retention periods dictated by law. For example: Financial records (like payment transactions and invoices) must be kept for a minimum of 5 years under tax law, and many businesses keep them for 7 years to cover all jurisdictions. If we ever keep records of any incidents or injuries (say a client gets hurt and we document it), we might keep that as long as needed for insurance and liability purposes, which could be several years or indefinitely if a claim is ongoing. Under GDPR for EU clients, there isn’t a fixed period set by law, but GDPR does require that we not keep personal data longer than necessary. Our retention periods are based on necessity and legal standards as noted. We do not keep data “just in case” indefinitely – there is a rationale for the timeframe.
End of Retention Period: Once the applicable retention period has elapsed, and we have no further legitimate need or legal obligation to keep your personal information, we will take steps to securely destroy or permanently de-identify that information. Secure destruction for physical records might mean cross-cut shredding or incinerating documents. For electronic records, it means permanently deleting files from our systems (and ensuring they are not recoverable) or using secure erasure tools for drives. We may also anonymize data instead of outright deletion, especially if the data itself has ongoing utility without personal identifiers. For instance, we might remove your name and contact info from a dataset of fitness outcomes and keep the anonymized stats for analysis. Anonymization is effectively a form of destruction of personal data because it irreversibly delinks it from you. In any event, after the retention period, your information will no longer be in a form that identifies you.
Archiving of Data: During the retention period for inactive clients, we typically move personal information into a less accessible state (archive) rather than keeping it live in our active systems. Archived data is still secure and can be retrieved if needed, but it’s not in front of us day-to-day. This reduces the chances of accidental use or modification. Only if there’s a reason – for example, you return for another program and it’s helpful to review your old data, or you request a copy of your records – would we retrieve the archive. Archiving might involve moving files to a separate encrypted folder or exporting and then deleting them from the active database, retaining the export securely. We do this to minimize exposures while still retaining the info as required.
Deletion Upon Request: (This is linked to your rights, but we mention it here in context of retention.) You have the right to request deletion of your personal information at any time, as detailed in the Access, Correction & Deletion section. If you request that we delete your data and we have no overriding legal requirement or other lawful reason to keep it, we will comply and securely erase your information, even if it’s within our normal 7-year retention window. For example, if you were a client two years ago and ask us to delete your records, and there’s no law forcing us to keep them longer, we will honor that (we might keep a skeletal record that services existed for accounting, but nothing more, if even that). If there are pieces we absolutely must retain (say, a record of a payment for our tax filings), we will let you know and we will isolate that data and not use it for any other purpose. In effect, a deletion request may override our default retention policy, subject to legal allowances.
Backups and Residual Copies: It’s worth noting that when we delete data from our primary systems, it might still exist in our backups or archives for a certain period until those backups are overwritten or updated. For instance, if we delete your record today, last week’s backup might still have it, but that backup will eventually cycle out according to our backup retention schedule. We have rolling backups that are eventually deleted or overwritten, typically within a few weeks or months. During that interim, the data is not readily accessible and we treat it as “deleted” (meaning we wouldn’t restore it unless absolutely needed for some disaster recovery). All backup media are secured. In short, even after deletion from live systems, remnants might linger in system caches or backups, but they will be purged in due course through our normal backup management processes. We will ensure that any such residual data remains protected and is not put back into active use.
Anonymized Data Retention: Sometimes, rather than deleting data entirely, we may choose to anonymize it (remove personal identifiers) and retain the anonymized information indefinitely. For example, we might keep aggregated statistics on client outcomes (without names attached) to help us track overall effectiveness of our programs over many years. Anonymized data is no longer “personal information” since it cannot be linked to any individual, so retaining it doesn’t impact your privacy. We find value in maintaining some historical statistics to observe long-term trends, but this can be done without retaining your identifiable info.
Special Rules for Minors’ Data: As mentioned in the Underage Clients section, if the client was a minor, the recommended retention period by many standards in Australia is until the child turns 25 years old (which could be longer than 7 years if they were, say, 16 at service end). We generally follow that guideline for health-related records. So if we coached a 15-year-old, we might keep their records for 10 years (until they’re 25) to align with medical record best practices. However, if a parent or the now-adult child requests deletion earlier and we have no legal reason to refuse, we would consider that and likely comply. The extended timeline is a default out of caution, not an absolute unless legally mandated by state laws (some states have specific laws for minors’ health records). We would communicate with the requesting party about any constraints.
To summarize, our retention policy is designed to meet legal requirements, support our business needs, and respect your privacy. We do not keep personal information longer than we genuinely need it. When it is time to dispose of personal data, we do so securely and thoroughly. If you have any questions about how long we keep a particular type of information or if you want us to consider a special retention or deletion request for your data, you are welcome to contact us. We will explain our policies and try to accommodate reasonable requests where possible.
Access, Correction & Deletion of Personal Information
You have significant rights when it comes to accessing and managing your personal information that we hold. We strive to keep your personal data accurate and up-to-date, and we want to facilitate your ability to review and correct it. Below we outline how you can exercise your rights to access your data, correct any inaccuracies, and delete your data, as well as discuss other related rights (especially for EU/UK individuals under GDPR).
Right to Access
You have the right to request a copy of the personal information we hold about you. This is often called an “access request” or, under GDPR terminology, a Data Subject Access Request (DSAR). You can initiate this by contacting us (see Contact Us section below) and letting us know what information you would like to access. You do not have to give a reason for your request, but to help us fulfill it effectively, you can specify the scope if you wish (for example, “I’d like a copy of all my health data from 2021” or “I want all emails and notes related to my coaching program”).
Verification: For your privacy and security, we will need to verify your identity before releasing personal data. If you email us from the address we have on file for you and request data, we may still take an extra step such as asking you to confirm a secondary piece of information or sending a confirmation code, especially if the data is sensitive. The idea is to ensure we don’t accidentally give your data to someone else pretending to be you.
How We Provide Access: Once your request is clarified and your identity verified, we will gather the information and provide it to you in a suitable format. Usually, we will provide your data in electronic form – for instance, via a secure PDF document or in a common file format like Excel/CSV for data exports, delivered to you by email or a secure download link. If you prefer a hard copy (printed documents), we can arrange that too. We will also explain the records to you if it’s not self-explanatory (for example, if we use codes or abbreviations internally, we’ll help interpret them).
Timeframe: We aim to respond to access requests within a reasonable time. Under Australian law, a “reasonable” time is generally within 30 days. Under GDPR, we are generally required to respond within 1 month, though that can be extended by an additional 2 months if the request is complex (we would inform you if an extension is needed). In practice, most requests are fulfilled well within a month. If for some reason we anticipate it taking longer (maybe you requested all communications and we have to pull archives), we will let you know the cause of delay and the expected completion.
Any Fees: In most cases, we will not charge you any fee for providing access to your personal information. We believe it’s part of our service to you. However, if a request is unusually onerous – for example, if you request a very large volume of records that are difficult to collate – the law allows us to charge a reasonable fee for the administrative costs. This is rare and we’d discuss it with you first. We won’t charge for just sending an email or two. If, say, hundreds of pages need photocopying, we might ask for reimbursement of copying costs. Again, we’ll be transparent about any potential fee.
Exceptions – When We Might Refuse Access: There are certain limited circumstances where we might not be able to grant you access to some or all of your information. Privacy laws recognize these exceptions to protect various interests. For example, we might refuse access if:
– Granting access would pose a serious threat to life, health or safety of any individual (for instance, if a medical professional advised that certain information should not be disclosed to the patient because it could cause serious harm, though this is uncommon in our context).
– It would unreasonably impact another person’s privacy (e.g., releasing an email thread that contains personal info about another client or a third party). We might redact others’ info and provide the rest.
– The request is frivolous or vexatious (e.g., repeated requests for the same information without good reason).
– The information relates to existing or anticipated legal proceedings and wouldn’t be accessible via the legal discovery process.
– Giving access would reveal our internal commercially sensitive decision-making process or a legally privileged document (again, not typical for us, but a possibility if, say, there was an investigation or legal advice documented).
If we refuse access for any reason, we will provide you with a written explanation of the reasons (to the extent we can legally do so) and inform you of any recourse you have (such as complaining to the OAIC). We might also be able to offer you a summary of the content if full access is problematic.
In summary, we will do everything we can to provide you with your data when you ask. It belongs to you in the ethical sense, and often in the legal sense you have a right to it. We have no intention of ever unfairly denying access.
Right to Correction
We want to ensure that the personal information we have about you is accurate, up-to-date, complete, and not misleading. If you believe any information we hold is incorrect or incomplete, you have the right to request a correction.
How to Request a Correction: Simply contact us and tell us what information needs to be changed and why. This could be as straightforward as “my phone number has changed, please update it to X” or “I noticed my birth date is wrong in your records, it should be Y”. If it’s something like an update to your health status (e.g., a new medical condition or you’ve recovered from one), let us know so we can note that. In most cases, we will not require any evidence for routine updates (we take your word for spelling of name, change of address, etc.). If the correction is something that’s not obviously within your knowledge or control – for example, you dispute a note we made saying “client was advised to see a doctor on Jan 10” – we might discuss it further or ask for more context.
Verification and Evidence: We might need to verify your identity for significant changes, similar to an access request, to ensure someone else isn’t trying to alter your data. If the change is something like correcting your date of birth or name, we might ask for a document or ID copy just to be sure (because those can affect identity verification later). If you claim that some information is wrong and it’s not clearly a factual item we can verify (for instance, you believe a comment in your file was unfair or incorrect in context), we’ll talk it through.
Implementing Corrections: Once we agree on the correction, we will update our records accordingly as soon as practicable. If the incorrect information was shared with a third party (and it’s necessary to update them – for example, if your name was wrong on a registration we made on EverFit’s system), we will either inform them of the correction or provide you with means to do so (sometimes it’s faster for you to update your profile in a shared platform). We will let you know once we have made the correction.
If We Disagree or Can’t Fulfill: In the unlikely case we cannot make the change you request, we will explain why. For instance, say you wanted us to change a professional opinion or an assessment note that we made – we might not alter the original record if it was true at the time (e.g., “Coach’s note: client appeared unwell on 5th session” – if that was genuinely the coach’s observation, we might not erase it even if you feel fine now, because it was a contemporaneous note). However, if we won’t change something you contest, the Privacy Act gives you the right to have a statement attached to the record indicating that you dispute its accuracy. So we would, for example, append a note to that record saying “Client disputes this note, stating they felt fine and attribute it to lighting making them look unwell” or whatever the context is. That way, anyone viewing the record will see your side of the story too. Under GDPR, you always have the right to rectification of inaccurate data, so we would find a way to accommodate that by either changing the data or, if not possible (for reasons like it being an opinion), noting your objection on the record.
We’re committed to accuracy. Keeping your information correct not only is your right, it helps us do our job better (we don’t want to be working off wrong info!). So please don’t hesitate to ask for corrections.
Right to Deletion (Erasure)
Under certain circumstances, you have the right to request that we delete the personal information we hold about you. GDPR explicitly provides the “right to be forgotten” (right of erasure) for individuals, and even outside of GDPR, as a customer-centric practice, we generally honor deletion requests when we no longer need the data.
Making a Deletion Request: You can contact us at any time to request that we delete some or all of your personal information. For example, you might do this if you have stopped using our services and want all your data removed from our systems. Or perhaps you initially consented to share some sensitive data and now you withdraw that consent and want it erased.
When We Will Delete: We will comply with a deletion request provided that: (a) the data is no longer needed for the purpose it was collected (or you have withdrawn consent and we have no other lawful basis to keep it), and (b) no law or legitimate interest compels us to retain it. In other words, if there’s no strong reason for us to hold onto the data, we’ll delete it as you asked. For instance, if you were never actually a paying client and only subscribed to our newsletter, and you now unsubscribe and ask for deletion, we can easily delete your contact info from our list. If you were a client and your program ended, and you ask us to delete your profile and logs, we can do that unless something like a legal requirement prevents complete deletion (for example, we may need to keep an invoice record for accounting). If we must retain certain pieces of information, we’ll let you know (e.g., “We’ll delete everything except invoice #123, which we will keep for tax records until X date, after which that too will be deleted.”).
Partial Deletion: You don’t always have to ask for all data to be deleted. You can specify particular information to remove. For example: “Please delete the progress photos I uploaded,” or “please delete the nutrition diary entries, but you can keep the workout logs.” We will accommodate such requests in the same manner – removing the specified items from our systems (again, barring any reason those need to be kept). If something is intertwined (maybe deletion of one piece inherently means deletion of another), we’ll explain and figure it out with you.
Effect on Services: If you request deletion while still actively using our services, please understand that it may impact our ability to continue providing those services. For example, if you ask us to delete all your health information but you’re in the middle of a coaching program, we won’t have the necessary background to safely coach you, so we may have to terminate or pause the service. Generally, we’ll assume a deletion request means you’re aware of this and either are finished with the service or are okay with the consequences. We might double-check with you if the request comes unexpectedly mid-service (“Are you sure? If we delete this, we can’t continue coaching effectively.”). But we respect your rights – if you insist, we will comply and find a way to either continue in a very limited capacity or end the engagement.
Process of Deletion: When we delete electronic records, we remove them from our active databases and (as feasible) from backups. As mentioned earlier, backups may take some time to cycle out; until they do, data that remains only in a backup is not used or restored into our active systems. We can provide confirmation once deletion is completed – usually an email stating that we have deleted the requested data. If you need formal confirmation (like a certificate of deletion), let us know and we can arrange a brief letter or statement.
Limits and Refusals: The “right to be forgotten” is not absolute. We may refuse a deletion request if retaining the data is necessary for certain reasons, such as: compliance with a legal obligation (e.g., we have to keep transaction records for financial auditing), public interest (for example, data needed for public health reasons, though unlikely here), or the establishment, exercise or defense of legal claims (if a legal dispute is in progress, we would keep evidence). GDPR also allows retention where processing is necessary for exercising the right of freedom of expression and information, or where a record relates to a complaint you have made that we still need to handle. In practice, for our context, the common reasons to refuse deletion would be legal compliance or unresolved issues. If we do decline to delete something, we will explain to you why and exactly what we are retaining. Instead of refusing outright, we might also offer to pseudonymize or heavily restrict the data so that it is effectively no longer used.
Overall, if you want your data gone, our default is to say “Yes, we’ll take care of it”. We have no interest in holding onto your personal info without reason.
Other Rights (for EU/UK Individuals)
If you are an individual located in the European Union or United Kingdom (or in some cases other jurisdictions with similar laws), you have additional rights under the GDPR (or the UK GDPR and Data Protection Act 2018) beyond access, correction, and deletion. We are committed to upholding these rights as well, and even for non-EU clients, we aim to give everyone a comparable level of control when feasible. Here are those additional rights and how we address them:
Right to Restrict Processing: You have the right to ask us to limit the processing of your personal information in certain circumstances. This means we could store your data but not actively use it until the restriction is lifted. Situations where this applies include: if you contest the accuracy of the data (you can request restriction while we verify it), if you believe our processing is unlawful but you don’t want full deletion, or if you have objected to processing (see the Right to Object below) and we are determining whether our grounds override yours. If you exercise this right, we will mark the data as “restricted” and refrain from using or sharing it (aside from storing it or using it for things like legal claims) until the issue is resolved. We’ll notify you before lifting a restriction.
Right to Data Portability: This right entitles you to obtain the personal data you’ve provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another service provider if technically feasible. In simple terms, you can ask for your data in a format that you could give to another fitness or coaching provider. Typically, this applies to data processed by automated means under your consent or a contract. In our case, that could be, for example, your workout history, progress metrics, profile info that you input, etc. If you request this, we would likely provide a CSV or Excel file with your relevant data, or potentially a PDF summary, depending on what’s most appropriate. If feasible, and you request it, we could even send it directly to another provider (though often it’s simpler to give it to you to pass on). We support data portability as it fosters customer choice and competition – it’s your data about you, after all.
Right to Object: You have the right to object to our processing of your personal information in certain cases, particularly when we are processing based on legitimate interests or performing a task in the public interest/exercise of official authority (which doesn’t really apply to us), or if we were processing for scientific/historical research or statistical purposes (also unlikely in a personal way). The most relevant scenario is that you can object to direct marketing at any time – and as we’ve covered, we will immediately honor that (unsubscribe you). If you object to processing for other reasons – say you’re not comfortable with us using your data for any analytics or service improvement – we will consider your objection. Under GDPR, if you object to processing based on our legitimate interests, we must stop processing unless we have compelling legitimate grounds that override your interests, or the processing is needed for legal claims. In practice, if an EU client said “I object to you using my data even for internal improvement analysis,” we would likely just honor it and exclude their data from any such analysis because it’s not worth contesting. We would have a harder time if someone objected to processing that is essential (like “I object to you processing my health data at all” while still expecting service); in that case we would either explain why the processing is necessary or end the service. We’ll communicate and find a solution.
Right not to be subject to Automated Decisions: GDPR gives individuals the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects on them. As noted, we do not make any decisions about you in a fully automated way that have significant impact. Everything important in our coaching (what plan you get, how we respond to your progress) involves human judgment. So this right is already respected by default in our operations. If that ever changes, we will let affected clients know and ensure such processing is done in compliance (including possibly obtaining consent if required and providing an opt-out if appropriate).
Right to Withdraw Consent: If we rely on your consent to process any of your personal information, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing we did up to that point based on consent, but it means we’ll stop the consent-based processing going forward. For example, if you gave consent for us to use your before/after photos in marketing and then change your mind, we will stop using them in new marketing and, if feasible, cease further distribution (we can’t retract something already published beyond our control, but we can cease further use). Similarly, as mentioned earlier, if you consented to share health info and then withdraw, we may have to stop providing service, but we will comply with the withdrawal for future processing.
Right to Lodge a Complaint with a Supervisory Authority: If you’re in the EU or UK and believe we have infringed your data protection rights, you have the right to complain to your country’s Data Protection Authority (DPA) or the UK Information Commissioner’s Office (ICO). We would, of course, prefer to resolve any issue directly with you, and we strongly encourage you to contact us first so we can address your concerns. But it is your right to seek help from regulators. For instance, a client in Germany could contact the data protection authority of their federal state (such as the Bavarian authority), an Irish client could contact the Irish DPC, and so on. We are registered in Australia, which is outside the EU, but under GDPR you can still complain to the DPA where you live, and that DPA can contact us directly or coordinate with the OAIC in Australia. We are committed to cooperating with any such official investigations or inquiries and to complying with whatever outcome they determine.
We apply these principles of user rights broadly. This means even if you’re not in the EU, you can still ask many of the same things (and our own Privacy Act has near equivalents for some of them, like access and correction). We aim to treat all clients fairly and transparently regardless of location.
How to Exercise Your Rights
Exercising any of your privacy rights (access, correction, deletion, objection, etc.) is as simple as reaching out to us with your request. You can contact us via email, phone, or mail as provided in the Contact Us section. For efficiency, written requests (email or mail) are often best, so we have a clear record of what you need.
In your request, it helps to be as specific as possible about what you want. For example, “I would like a copy of all the personal data you have on me” is fine – we’ll interpret that broadly. But if you only care about a subset, stating that can speed things up (e.g., “Can you send me the workout logs and progress notes from my program in 2020?”). If you’re exercising multiple rights at once (say, you want a copy of data and also to delete some records), just be clear on each point.
We will respond and act on your request as quickly as we can, generally well within the 30-day period expected under the Privacy Act (or one month under GDPR). If for some reason we cannot meet that timeframe (for example, if the request is complex), we will inform you of the delay and the reason, and give a new expected timeline.
Cost: We do not charge for most requests, as noted. Only in exceptional cases (excessive or manifestly unfounded requests, which we rarely if ever expect to get) might we charge a reasonable fee or refuse, as allowed by law, and we’d explain why.
We will let you know the outcome of your request – e.g., “Your data has been deleted,” or “We have corrected X and Y as you asked,” or if we refused some part, we will provide the reason and how you can escalate the matter if you disagree (such as contacting the OAIC or relevant DPA).
Importantly, we will never penalize or retaliate against you for exercising your privacy rights. We won’t refuse service just because you accessed your data or asked us to delete something (unless, as explained, deletion makes service impossible – that’s a practical issue, not retaliation). We value your trust and our relationship, and we view these rights as fundamental aspects of that.
If anything in this section is unclear or you need assistance in making a request (not everyone is familiar with the terminology – you don’t have to use phrases like “rectification” or “object” formally; just tell us in plain language what you want), we are here to help. Your control over your information is a priority for us, and we are committed to facilitating that control in a transparent and user-friendly way.
Contact Us & Privacy Complaints
Contacting Us: If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please do not hesitate to reach out. We are here to help and to answer any queries you might have. The best way to contact us is through our Privacy Officer (or the business owner responsible for privacy compliance). You can contact us via any of the methods below:
This is our dedicated privacy inbox. Please include your name and, if you are an existing client, some identifying detail like your username on our platform or the program you are in, plus a brief description of your question or request.
Phone: +61 (0)4XX XXX XXX (example number)
You can call us during business hours (Australian Western Standard Time, AWST). If we are unavailable, please leave a voicemail with your name, contact number, and the nature of your inquiry. We will return your call as soon as possible.
Postal Mail: Privacy Officer – Empowered By Science, Health Hubb Pty Ltd, [Street Address], [City] ACT 2602, Australia.
(Use our actual business postal address here.) If you send us a letter, kindly provide a return address or email so we can respond. Note that postal inquiries will naturally take longer to receive and reply to due to mailing times.
We aim to respond to all legitimate communications promptly, typically within a few business days. If you contact us by mail or need a more detailed response, it might take a bit longer, but we will acknowledge receipt of your query as soon as we can.
Privacy Complaints: If you believe that we have not handled your personal information in accordance with this Privacy Policy or applicable privacy laws, we want to know about it and we want to fix it. Your feedback and complaints give us a chance to resolve issues and improve. Here’s how we handle privacy-related complaints:
Lodge Your Complaint with Us First: Please send a written complaint to our Privacy Officer (via email or postal mail as listed above). In your complaint, include as much detail as possible about the issue. For instance, what happened, when it happened, who you dealt with (if relevant), and what you believe was not proper. The more specifics you provide, the easier it will be for us to investigate and address the problem. If you prefer not to write, you can call and speak to us, but we might still ask you to follow up in writing so we have a clear record. Rest assured, we will take your complaint seriously no matter how it’s lodged.
Acknowledgment: We will acknowledge that we received your complaint, generally within 5 business days. Usually, we’ll send an email or letter back saying we’ve received it and that we’re looking into it. If any part of your complaint is unclear, we might ask you for clarification at this stage.
Investigation: Our Privacy Officer (or a delegate not directly involved in the matter) will investigate the complaint. This could involve reviewing relevant documents, checking system logs, speaking with staff members who were involved, and reviewing what our obligations are. We will treat the matter confidentially and fairly. If needed, we might reach out to you during the investigation to gather more information.
Resolution & Outcome: After investigating, we will write back to you with the outcome. If we find that we did indeed fail to meet our obligations or your expectations, we will apologize and tell you how we plan to rectify the situation. This might include remedial steps such as fixing an error, changing a process so it doesn’t happen again, or in some cases offering you a solution (like credit for any loss or simply assuring it’s corrected). If we believe we did not actually breach any law or duty (perhaps it was a misunderstanding), we will explain our perspective as well. In either case, we strive to ensure you fully understand our response. We aim to resolve most complaints within 30 days. If it’s going to take longer (for example, if it’s complex and we need legal advice or input from a third-party provider), we’ll notify you of the delay and provide a revised timeline.
Further Action if Unsatisfied: If you are not satisfied with our response or the way we handled your complaint, you have the right to escalate the matter to external authorities:
For Australian residents: You can contact the Office of the Australian Information Commissioner (OAIC). The OAIC is the regulator that oversees privacy law in Australia. They can be reached at oaic.gov.au (where you can find an online complaint form) or by phone at 1300 363 992. The OAIC typically expects that you attempted to resolve the issue with us first (which is why we encourage you to come to us before escalating). The OAIC can investigate and make determinations. We will fully cooperate with any OAIC investigation.
For EU/UK residents: You have the right to lodge a complaint with your local Data Protection Authority (DPA) or the UK Information Commissioner’s Office (ICO), depending on where you live. For example, if you’re in the UK, the ICO can be contacted via ico.org.uk or by phone (+44 303 123 1113). If you’re in an EU country, you can find your DPA’s contact details on the European Data Protection Board’s website (each country has its own, e.g., CNIL in France, Datatilsynet in Denmark, etc.). We are committed to cooperating with DPAs as well; because we are based outside the EU, your DPA may deal with us directly or coordinate with the Australian OAIC. Regardless, you absolutely have this avenue if you feel we haven’t resolved your concern.
For individuals in other jurisdictions (e.g., perhaps someone in a country with their own privacy regulator), you may have similar rights to contact a local authority. We will work with any official body that approaches us about a privacy issue.
No Retaliation: Rest assured, raising a privacy concern or complaint will not affect the service we provide you or result in any retaliation. We do not penalize anyone for asserting their privacy rights or making a complaint. Our goal is to maintain your trust. If you’re a current client and you complain, we’ll continue to treat you with the same respect and dedication as before (actually, even more, because we want to fix things). If you’re a former client, we would not blacklist you or treat you differently should you return. Complaints help us improve; we view them constructively.
Other Inquiries: If you have questions about privacy that aren’t a complaint – say you want more information about something or you have suggestions – you can contact us the same way. We welcome feedback and will do our best to provide the info you need. For example, maybe you’re curious how a certain third-party provider handles data, or you want advice on enhancing your account security – feel free to ask.
In summary, we are reachable and accountable. We want to ensure you feel heard and confident about how we manage your information. Your privacy is a priority for us, and open communication is key to maintaining that.
Changes to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. As our business evolves, or as privacy laws are amended, we might need to tweak the Policy to ensure it remains accurate and compliant. If we do so, we will notify users in the following ways:
Posting the Revised Policy: We will always post the latest version of the Privacy Policy on our website (and any other relevant platform, such as within our coaching app if it has a policy section). We will update the “Last Updated” date at the bottom so you can immediately see that it has changed. We encourage you to review our Policy periodically to stay informed about how we protect your information.
Notification of Significant Changes: If we make any material changes – that is, changes that substantially affect your rights or the way we handle your personal info – we will take additional steps to notify you. For example, we may send an email to all active clients or users outlining the changes, or we might provide an in-app or pop-up notice when you log in. We might also put a prominent notice on our website’s homepage about the Policy update. The exact method may depend on the nature of the change and how we normally communicate with you (email is typical).
Consent for Changes when Required: In certain cases, if changes to the Policy involve new purposes for processing that require consent, or if law specifically requires renewed consent, we will seek your consent. For instance, under GDPR if we were to start processing data in a way that you originally didn’t agree to and that isn’t covered by another lawful basis, we would not do so without getting your opt-in. An example might be if one day we decided to collect a new category of sensitive information for a new feature – we’d update the Policy and likely have you check a consent box for that new collection if required.
Examples of Major vs. Minor Changes: To give you an idea, a significant change might be something like: we start collecting a new kind of personal information (say, genetic data for a DNA-based fitness program); or we decide to share data with a new category of partner (like if we partnered with a research institution); or perhaps we were acquired by another company which would then assume the data responsibilities – these kinds of things we would clearly highlight to you. Minor changes might include: editorial updates, clarifications of wording, reorganizing sections for readability, or updating our contact info. Minor tweaks that don’t materially change how we handle data might not be broadcasted via email, but the updated Policy will be on the site.
Version History: We maintain previous versions of our Privacy Policy (or at least a log of changes). If you ever have a question about what changed from an earlier version, you can contact us and we can provide a summary or a copy of the old Policy. We might even keep an archive accessible on our website (some companies do that for transparency).
Your continued use of our services after a Policy update will be taken as acceptance of the new terms, to the extent permitted by law. We say “to the extent permitted by law” because if a law requires explicit consent for a certain change, then mere continued use might not suffice and we’d get that consent explicitly. But generally, if you keep using our website/services after the effective date of the updated Policy, we will assume you have read and agreed to the changes.
If you ever have concerns or questions about a change in the Policy, please reach out to us. We prefer to clarify than to have any misunderstanding.
Last Updated: November 28, 2025.