Privacy Policy
Last Updated: February 23, 2026 | Version: 1.0
Introduction
Welcome to Strength OS. This Privacy Policy explains how Human Digital Solutions Co., Ltd. ("we," "us," "our," or "Strength OS") collects, uses, discloses, and protects your personal data when you use our strength training and coaching platform, including our website, mobile applications (iOS and Android), and related services (collectively, the "Platform").
We are committed to protecting your privacy and complying with Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and other applicable data protection laws.
Please read this Privacy Policy carefully. By using our Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
1. Data Controller Information
Company Name: Human Digital Solutions Co., Ltd.
Business Registration: 0205557041191
Registered Address: 519/163-164, Moo 6, Nongprue, Banglamung, Chonburi 20150
Email: humanlifting.com
Phone: 033 005 920
Data Protection Officer (DPO):
Name: Natacha Whitmore
Email: [email protected]
Phone: 081 576 4688
If you have any questions about this Privacy Policy or how we handle your personal data, please contact our DPO using the contact information above.
2. Personal Data We Collect
We collect different types of personal data depending on how you use our Platform:
2.1 Information You Provide Directly
Account Registration:
- Email address (required)
- Password (encrypted and stored securely)
- First name and last name
- Date of birth
Profile Information:
- Body weight and height
- Timezone and language preferences
- Weight unit preferences (kg/lbs)
- Profile photo (optional)
- Emergency contact information (optional)
Health and Medical Information (Sensitive Data - Optional):
- Medical conditions and chronic illnesses
- Allergies and sensitivities
- Current medications
- Injury history and rehabilitation status
- Disability accommodations and limitations
- Range of motion restrictions
- Menstrual cycle tracking data (if enabled)
- Blood type (optional)
- Physician and insurance information (optional)
Training and Performance Data:
- Workout sessions and exercise logs
- Sets, repetitions, and weights lifted
- Performance metrics and progress tracking
- Training notes and feedback
- Progress photos and videos (optional)
- Competition results (optional)
Payment and Billing Information:
- Payment method details (last 4 digits, card brand, expiry date)
- Billing address
- Transaction history
- Subscription status and usage
Communications:
- Messages between coaches and athletes
- Support inquiries and correspondence
- Feedback and survey responses
2.2 Information Collected Automatically
Technical Data:
- IP address
- Device type and operating system
- Browser type and version
- Mobile device identifiers
- App version
- User agent string
Usage Data:
- Pages visited and features used
- Time spent on Platform
- Click patterns and navigation paths
- Login and logout times
- Session duration
Location Data:
- Timezone (explicit)
- General location based on IP address (not precise GPS location)
2.3 Information from Third Parties
- OAuth Authentication Providers: Google, Facebook, Apple, GitHub (Name, email, profile picture, provider User ID)
- Payment Processors: Transaction confirmation data and status updates
3. How We Use Your Personal Data
We use your personal data for the following purposes:
3.1 Service Delivery (Legal Basis: Contract Performance)
- Create and manage your account
- Provide access to Platform features
- Enable training program management
- Facilitate coach-athlete relationships
- Store and display your workout data
- Generate progress reports and analytics
3.2 Health and Training Support (Legal Basis: Explicit Consent)
- Track your health and fitness progress
- Provide personalized training recommendations
- Monitor injury recovery and accommodations
- Support menstrual cycle-based training adjustments
- Enable disability-friendly exercise modifications
3.3 Communication (Legal Basis: Contract Performance, Consent)
- Send service-related notifications
- Deliver workout reminders and updates
- Enable messaging between coaches and athletes
- Respond to your inquiries and support requests
- Send important account and security notifications
3.4 Payment Processing (Legal Basis: Contract Performance, Legal Obligation)
- Process subscription payments
- Generate invoices and receipts
- Manage billing and refunds
- Comply with tax and accounting requirements
3.5 Platform Improvement (Legal Basis: Legitimate Interest, Consent)
- Analyze usage patterns and trends
- Improve Platform features and performance
- Develop new features and services
- Conduct research and analytics (using anonymized data)
3.6 Marketing (Legal Basis: Consent - Opt-in Only)
- Send promotional emails and offers
- Provide information about new features
- Share training tips and content
- Note: You can opt out of marketing communications at any time
3.7 Security and Fraud Prevention (Legal Basis: Legitimate Interest, Legal Obligation)
- Detect and prevent unauthorized access
- Investigate security incidents
- Prevent fraud and abuse
- Maintain audit logs for security purposes
3.8 Legal Compliance (Legal Basis: Legal Obligation)
- Comply with applicable laws and regulations
- Respond to legal requests and court orders
- Enforce our Terms of Service
- Protect our rights and property
4. Legal Basis for Processing
Under the PDPA, we must have a legal basis to process your personal data. We rely on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Contract performance |
| Service delivery | Contract performance |
| Health data processing | Explicit consent (opt-in) |
| Payment processing | Contract performance, Legal obligation |
| Marketing communications | Consent (opt-in, withdrawable) |
| Analytics (anonymized) | Legitimate interest |
| Security monitoring | Legitimate interest |
| Legal compliance | Legal obligation |
5. How We Share Your Personal Data
We do not sell your personal data. We only share your data in the following circumstances:
5.1 Within Strength OS
- Your Coach: If you have an assigned coach, they can access your profile, training data, and health information you choose to share.
- Tenant Administrators: If you're part of an organization (school, gym), administrators can access user management data.
- Support Team: Our support staff may access your data to resolve issues.
5.2 Third-Party Service Providers
We share data with trusted service providers who help us operate the Platform:
- Authentication Services: Google, Meta (Facebook), Apple, GitHub.
- Payment Processors: Stripe, PayPal, PromptPay, Omise.
- Communication Services: Email delivery (SendGrid/AWS SES), SMS providers, Push notification services (Firebase, APNs).
- Infrastructure Providers: Amazon Web Services (AWS) - Hosting in Thailand region, Content Delivery Networks (CDN).
All third-party processors have signed Data Processing Agreements (DPAs), are contractually obligated to protect your data, and must comply with PDPA requirements.
5.3 Legal Requirements
We may disclose your data if required by law to comply with legal obligations, respond to valid requests, or protect safety and security.
5.4 Business Transfers
If Strength OS is involved in a merger or acquisition, your data may be transferred with prior notification.
6. International Data Transfers
Your personal data is primarily stored on servers located in Thailand (AWS Thailand region). Some service providers may process data in the United States, European Union, or Singapore.
Safeguards: We use Standard Contractual Clauses (SCCs), Data Processing Agreements, and encryption both in transit (TLS 1.3) and at rest to ensure PDPA-level protection for international transfers.
7. Data Retention
We retain your personal data only as long as necessary for the purposes described:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Account lifetime + 7 years | Legal and tax obligations |
| Authentication data | Account lifetime | Service provision |
| Session data | 30 days after expiry | Security monitoring |
| Health data | Until withdrawn or account closed | Consent-based |
| Training data | Account lifetime + 7 years | Service provision |
| Payment records | 7 years from transaction | Tax and accounting laws |
| Audit logs / Security events | 90 days | Compliance and investigation |
| Consent records | Processing duration + 7 years | Legal proof of consent |
Account Deletion: You can request account deletion at any time. After a 30-day grace period, all personal data is permanently deleted, except what is required for legal compliance.
8. Your Rights Under PDPA
As a data subject under Thailand's PDPA, you have the following rights:
- Right to Access (Section 30): Request a copy of your personal data.
- Right to Data Portability (Section 31): Receive your data in a structured, machine-readable format.
- Right to Rectification (Section 35): Correct inaccurate or incomplete data.
- Right to Erasure (Section 33): Request deletion of your personal data ("Right to be forgotten").
- Right to Restriction (Section 34): Request temporary suspension of processing.
- Right to Object (Section 32): Object to processing based on legitimate interests or direct marketing.
- Right to Withdraw Consent (Section 19): Withdraw consent for any consent-based processing.
- Right to Lodge a Complaint: File a complaint with the Personal Data Protection Committee (PDPC).
To exercise these rights, use your account settings or contact [email protected]. We respond to most requests within 30 days free of charge.
9. Consent Management
We obtain your consent for Service Use (Required), Health Data (Optional - Explicit), Marketing (Optional), and Analytics (Optional).
Management: You can manage your consents at any time in Account Settings → Privacy → Consent Management. Withdrawal of consent is as easy as giving it and takes immediate effect.
10. Children's Privacy
Under Thailand's PDPA, users under 20 years of age require parental consent. We collect date of birth during registration and initiate a parental consent process via email for those under 20. Parents retain full rights to access, manage, or delete their minor's data.
11. Security Measures
We implement comprehensive technical and organizational measures:
- Technical: TLS 1.3 encryption for data in transit, AES-256 field-level encryption for health data at rest, JWT-based authentication, and Web Application Firewalls (WAF).
- Organizational: Annual staff training, Incident Response Plans, and regular external security audits.
- Breach Response: We notify the PDPC within 72 hours of becoming aware of a personal data breach that is likely to pose a risk to your rights and freedoms, and we notify affected users without undue delay when the breach is likely to result in a high risk to them.
12. Cookies and Tracking Technologies
We use Essential cookies (required for function), and optional Functional, Analytics, and Marketing cookies.
Control: Manage your choice in Settings → Privacy → Cookie Preferences. Disabling essential cookies will prevent Platform use.
13. Automated Decision-Making
We use limited automation for security (fraud detection) and training recommendations. We do not make fully automated decisions that significantly affect you without human oversight.
14. Changes to This Policy
We may update this policy to reflect changes in practices or laws. Material changes will be notified via email or platform banner with at least 30 days notice.
15. Contact Us
Data Protection Officer: humanlifting.com
General Inquiries: humanlifting.com
Support: humanlifting.com
Complaints can be filed with our DPO or the Thailand Personal Data Protection Committee (PDPC) at https://www.pdpc.or.th.
Appendix: Glossary
END OF PRIVACY POLICY