Privacy Policy
Last updated: April 29, 2026
This privacy policy ("Policy") explains how Mesos Ltd, a company registered in England and Wales (company number 16733044) ("Mesos", "we", "us", or "our"), collects, uses, stores, shares, and protects your personal information when you use our mobile application, website at trainwithmesos.com, and related services (collectively, the "Services").
By accessing or using the Services you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, you must not use the Services.
Table of Contents
- Information We Collect
- Sensitive & Special-Category Data
- How We Use Your Information
- Legal Bases for Processing
- Artificial Intelligence & Automated Processing
- Sharing & Disclosure
- International Transfers
- Cookies & Tracking Technologies
- Data Retention
- Data Security
- Children
- Your Rights
- US State-Specific Disclosures
- Changes to This Policy
- Contact Us
1. Information We Collect
1.1 Information You Provide
- Account & profile data — email address, preferred name, date of birth, biological sex, timezone, locale, and unit preferences (metric/imperial).
- Authentication credentials — passwords (hashed), or tokens obtained via Sign in with Apple or Sign in with Google.
- Fitness profile notes — free-text information you provide about your training history, goals, preferences, availability, injuries, equipment, lifestyle, nutrition, health conditions, and any other notes you choose to share.
- Workout data — exercise names, sets, repetitions, weight, rate of perceived exertion (RPE), reps in reserve (RIR), duration, distance, tempo, rest periods, set categories, failure flags, and workout notes.
- Planned workouts & programming — routines, mesocycles, training blocks, planned exercises, target prescriptions, and scheduling data.
- Metric measurements & targets — body-weight, height, body-composition measurements, and any other metrics you record, together with associated targets and deadlines.
- Chat messages — messages you send to the AI trainer feature, including any text, questions, or instructions.
- User feedback — feedback type, optional emotional state, and free-text feedback you submit.
- Media — images, videos, or audio files you upload.
- Mailing list — email address if you sign up to our mailing list.
1.2 Information from Apple HealthKit
With your explicit permission, we read and write data from Apple HealthKit, including:
- Workout sessions (activity type, start/end times, duration)
- Active energy burned (kilocalories)
- Walking, running, and cycling distance
- Workout route data (GPS coordinates, altitude, timestamps)
HealthKit data is used solely to provide and improve the Services. We do not use HealthKit data for advertising, marketing, or sale to third parties or data brokers, in accordance with Apple's HealthKit guidelines.
1.3 Location Data
When you record an outdoor workout and grant location permission, we collect precise GPS coordinates (latitude, longitude, altitude) via your device's location services, including in the background while a workout recording session is active. Route data is stored as part of your workout history. You may revoke location permission at any time through your device settings; doing so will prevent route tracking for future workouts.
We also collect your device's timezone and locale. We do not currently collect coarse city/region/country location data, though our systems support doing so in the future.
1.4 Device & Technical Data
- Device information — device model, device name, operating system version, app version.
- Push notification tokens — Apple Push Notification service (APNs) device tokens.
- Log & usage data — IP address, browser type and settings, referring URLs, pages viewed, features used, date/time stamps, error reports, and system activity.
- Session data — authentication session tokens and session metadata.
1.5 Payment & Subscription Data
Purchases are processed through Apple's App Store (via StoreKit) and managed by RevenueCat. We receive and store: subscription entitlements, expiry dates, your country and platform, app version at time of purchase, and RevenueCat customer attributes. We do not receive or store your credit card number, bank account details, or Apple ID password. Apple processes payment instruments directly.
1.6 Social Data
Mesos includes social features. When you use them, we collect and store:
- Public profile information — username, optional display name, optional bio, optional profile picture, follower and following counts, and (where you choose to make it public) your completed-workout history. Your profile is public by default; you can switch to a private profile in Settings → Profile.
- Follow graph — the list of users you follow, the list of users who follow you, and any pending follow requests sent to or received by you (used when your or their profile is private).
- Comments and reactions — text comments and emoji reactions you post on workouts you are entitled to see.
- Blocks — the list of users you have blocked. Blocks are private to you and are not shown to the user you block.
- Content reports — reports you submit about other users or their content (treated as confidential and used for moderation), and reports submitted by others about you or your content.
- Notifications — social notifications generated by these interactions (e.g. new follower, new comment), kept until dismissed or your account is deleted.
Visibility: the following are visible to other users when your account is public, or to your approved followers when your account is private: username, display name, profile picture, bio, follower / following counts, your completed workouts that you have not marked private, and the comments and reactions you post on others' workouts (visible to whoever can see the underlying workout). The following are private to you: your block list, the reports you submit, your privacy settings, and any content you have explicitly marked private.
2. Sensitive & Special-Category Data
Certain information we process may constitute "special category" data under UK GDPR and EU GDPR, or "sensitive personal information" under other privacy laws. This includes:
- Health data — workout performance, body measurements, injury notes, health condition notes, HealthKit data, and any health-related information you provide in chat or profile notes.
- Precise geolocation — GPS coordinates collected during workout recording.
- Biometric-adjacent data — biological sex and date of birth used for fitness calculations.
We process this data only with your explicit consent, which you provide when you create an account, enable HealthKit integration, or grant location permissions. You may withdraw consent at any time (see Your Rights), though withdrawal does not affect the lawfulness of processing carried out before withdrawal.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Services — create and manage your account, authenticate you, record and display your workouts, generate training plans, track your progress, and deliver AI-powered coaching.
- AI training features — construct prompts for our AI models using your profile data, fitness notes, workout history, and chat messages to generate personalised training advice, workout programming, and post-workout analysis.
- HealthKit integration — sync workout data between the Services and Apple Health to provide a unified fitness record.
- Route tracking — record and display GPS routes for outdoor workouts.
- Push notifications — send you notifications about AI responses, workout reminders, and service updates.
- Subscriptions & payments — manage your subscription status, verify entitlements, and process purchases.
- Communications — send transactional emails (account verification, password recovery), service announcements, and, where you have opted in, marketing communications.
- Analytics & improvement — understand how the Services are used, diagnose technical issues, and improve features and performance.
- Safety & security — detect and prevent fraud, abuse, and security incidents.
- Legal compliance — comply with applicable laws, regulations, and legal processes.
4. Legal Bases for Processing
If you are in the United Kingdom, European Economic Area, or Switzerland, we rely on the following legal bases under the UK GDPR / EU GDPR:
- Consent (Art. 6(1)(a) and Art. 9(2)(a)) — for processing health data, HealthKit data, precise location data, and marketing communications. You may withdraw consent at any time.
- Performance of a contract (Art. 6(1)(b)) — to provide the Services you have requested, including account management, workout tracking, AI coaching, and subscription fulfilment.
- Legitimate interests (Art. 6(1)(f)) — for analytics, service improvement, fraud prevention, and enforcing our terms. Our legitimate interests do not override your fundamental rights.
- Legal obligation (Art. 6(1)(c)) — where we are required to process data to comply with a legal obligation (e.g., tax, regulatory requests).
- Vital interests (Art. 6(1)(d)) — in rare circumstances where processing is necessary to protect someone's life.
5. Artificial Intelligence & Automated Processing
The Services include AI-powered features (the "AI Trainer") that use large language models provided by third-party AI providers (currently Anthropic and/or Amazon Web Services Bedrock). When you use these features:
- Your profile data, fitness notes, recent workout history, and chat messages are included in prompts sent to the AI provider to generate personalised responses.
- AI-generated responses, including the model's internal reasoning ("thinking" traces), tool calls, and outputs, are stored in our database as part of your conversation history.
- We record metadata about each AI interaction, including the model used, token counts, and estimated cost, for operational and billing purposes.
The AI features provide general fitness information and suggestions. They do not constitute medical advice, diagnosis, or treatment. You should consult a qualified healthcare professional before making decisions based on AI-generated content.
We do not use AI outputs to make decisions that produce legal effects or similarly significant effects on you without human involvement.
6. Sharing & Disclosure
We may share your personal information with the following categories of recipients:
| Recipient | Purpose & Data Shared |
|---|---|
| Anthropic / AWS Bedrock | AI model providers — profile data, fitness notes, workout summaries, and chat messages included in prompts. |
| RevenueCat | Subscription management — user ID, transaction data, device/platform metadata. |
| Apple | Sign in with Apple (email, name), HealthKit (workout/health data you choose to sync), APNs (device tokens), App Store (in-app purchases). |
| Google | Sign in with Google (email, profile scope) for authentication only. |
| Amazon Web Services (S3) | Cloud storage — uploaded media files and associated metadata. |
| Ory (Kratos) | Identity and authentication — email, hashed credentials, session data. |
| Pydantic Logfire | Observability — AI interaction telemetry and operational traces (scrubbed of sensitive session data). |
| Email service provider | Transactional email delivery — email addresses for verification, recovery, and notifications. |
| Other users of the Services | Social interactions — when your profile is public, your username, display name, profile picture, bio, follower/following counts, public workouts, comments, and reactions are visible to other users. When your profile is private, this information is visible only to followers you have approved. Comments and reactions you post on another user's workout are visible to whoever can see that workout. Block and content-report data is not shared with the affected user. |
We may also disclose your information:
- Legal requirements — to comply with applicable law, regulation, legal process, or enforceable governmental request.
- Rights protection — to enforce our Terms of Use, investigate potential violations, or protect against harm to the rights, property, or safety of Mesos, our users, or the public.
- Business transfers — in connection with a merger, acquisition, reorganisation, sale of assets, or bankruptcy, in which case your data may be transferred to the successor entity.
- With your consent — in any other circumstance where you have given explicit consent.
We do not sell your personal information to third parties. We do not share HealthKit data with third parties for advertising or marketing purposes.
7. International Transfers
Mesos Ltd is based in the United Kingdom. Your information may be transferred to, stored in, and processed in countries outside the UK and EEA, including the United States (e.g., when data is sent to AI providers or cloud infrastructure). Where such transfers occur, we rely on:
- UK and EU adequacy decisions where available;
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office and/or the European Commission;
- Other lawful transfer mechanisms under applicable data protection law.
You may request a copy of the relevant transfer safeguards by contacting us.
8. Cookies & Tracking Technologies
Our website may use cookies and similar technologies (web beacons, pixels) to maintain session state, remember preferences, and analyse usage. We may use Google Analytics to understand website traffic.
You can control cookies through your browser settings. For details, see our Cookie Notice.
The mobile application does not use cookies. It uses standard platform APIs (Keychain, UserDefaults) to store session tokens and preferences locally on your device.
9. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Services. Specifically:
- Account & workout data — retained for the lifetime of your account. See 9.1 for what happens when you delete your account.
- Social data — retained for the lifetime of your account. Comments and reactions you have posted on other users' workouts are deleted with your account.
- AI conversation history — retained for the lifetime of your account to maintain conversation context.
- Operational logs — retained for up to 12 months for debugging and security purposes, then deleted or anonymised.
- Subscription records — retained as required for tax and accounting obligations (typically up to 7 years under HMRC rules).
- Content reports — reports submitted to or about your account are retained for our legitimate interest in trust and safety, typically up to 24 months from resolution, or longer where required for an ongoing investigation or legal matter.
- Mailing list data — retained until you unsubscribe.
9.1 Account Deletion
You can delete your account at any time using the Delete Account button in the app, under Settings → Account. When you do:
- Your account record, profile, workout history, comments, reactions, follow graph, blocks, and other personal data are permanently removed from our active systems immediately.
- Your authentication identity (managed via Ory Kratos) is deleted so the account cannot be signed back into.
- Anonymised or aggregated data derived from your account (which can no longer be linked to you) may be retained for analytics, research, and product improvement.
- Routine system backups may retain residual copies for up to 30 days before they are overwritten in the normal course of operation.
- Records we are legally required to keep — including subscription, tax, and accounting records — are retained for the legally required period (typically up to 7 years), after which they are deleted or anonymised.
- Comments, reactions, or other content that other users have already received before deletion may remain visible to those users; the underlying account is removed and your identifier is disassociated where reasonably possible.
- Subscription cancellation through Apple is separate. Deleting your Mesos account does not, on its own, cancel an Apple App Store subscription — please cancel that in your Apple ID settings.
You can also request deletion by emailing support@trainwithmesos.com from the address associated with your account.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal information, including encryption in transit (TLS), hashed credentials, access controls, and secure cloud infrastructure. Authentication sessions are managed through Ory Kratos with industry-standard security practices. Sensitive tokens are stored in the iOS Keychain.
However, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you use the Services at your own risk. You are responsible for maintaining the confidentiality of your account credentials.
11. Children
The Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18, we will take reasonable steps to delete it promptly. If you believe a child has provided us with personal information or that a Mesos account belongs to someone under 18, please report it from inside the app using the in-app report flow, or contact us at support@trainwithmesos.com.
12. Your Rights
12.1 UK / EEA / Switzerland
Under applicable data protection law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request that we restrict processing in certain circumstances.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Object — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — withdraw consent at any time where processing is based on consent.
- Complain — lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority.
12.2 California (CCPA/CPRA)
If you are a California resident, you additionally have the right to:
- Know what personal information we collect, use, and disclose.
- Request deletion of your personal information.
- Opt out of the "sale" or "sharing" of personal information — we do not sell or share your personal information as defined by the CCPA.
- Non-discrimination for exercising your rights.
12.3 Other US States
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out of certain processing. We will honour verifiable requests in accordance with applicable state law.
12.4 Exercising Your Rights
The fastest way to exercise the right to erasure / right to delete your personal information is the in-app Delete Account button under Settings → Account. For other rights — access, rectification, restriction, portability, objection, or withdrawal of consent — contact us at support@trainwithmesos.com. We will respond within the timeframe required by applicable law (typically 30 days for UK/EEA, 45 days for US state laws). We may need to verify your identity before processing your request.
13. US State-Specific Disclosures
In the preceding 12 months, we have collected the following categories of personal information as defined by the California Consumer Privacy Act:
- Identifiers — name, email, device identifiers, IP address.
- Personal information under Cal. Civ. Code § 1798.80(e) — name, physical characteristics (height, weight).
- Protected classification characteristics — sex, date of birth.
- Commercial information — subscription and purchase history.
- Internet or network activity — browsing history, app usage data.
- Geolocation data — precise GPS coordinates during workout recording.
- Sensory data — uploaded photos, videos, or audio.
- Professional or employment-related information — not collected.
- Education information — not collected.
- Inferences — fitness level, training preferences, and personalised recommendations derived from your data.
- Sensitive personal information — health data, precise geolocation.
We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.
14. Changes to This Policy
We may update this Policy from time to time. The updated version will be indicated by the "Last updated" date at the top of this page and will be effective immediately upon posting. If we make material changes, we will notify you by email or through a prominent notice in the Services. Your continued use of the Services after any changes constitutes acceptance of the updated Policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Policy or our data practices, please contact us:
- Mesos Ltd
- Company number: 16733044 (England & Wales)
- Email: support@trainwithmesos.com
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local data protection authority.