Privacy Policy

Block One Fitness (ABN 19 291 354 211), trading as Block One (“we,” “our,” or “us”), is based in Perth, Western Australia. We are committed to protecting your privacy in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our mobile application.

Block One uses artificial intelligence (AI) to provide coaching, workout generation, and training recommendations. When you interact with AI features:

• •Your fitness profile, workout history, and conversation messages are sent to Anthropic (Claude AI) and OpenAI for processing
• •AI responses are generated based on your data and are not reviewed by humans
• •Conversation history is stored locally on your device for continuity. Conversation metadata and content are also logged server-side for abuse monitoring, debugging, and service improvement. These logs are automatically deleted after 90 days. Anthropic does not retain data beyond request processing. OpenAI may retain data for up to 30 days for abuse monitoring
• •AI recommendations are general fitness guidance, not medical or professional advice
• •If you connect Apple Health, summary health metrics (e.g., 7-day HRV average, sleep duration, resting heart rate) may be included in AI coaching context to provide recovery-aware training recommendations. Only summary values are sent, never raw Apple Health data streams

You can use the app without AI features. Your workout data is still collected for core functionality (tracking, progress charts, personal records) regardless of whether you use AI coaching.

AI interaction logs are permanently deleted when you delete your account, as described in Section 10.

We use your personal information for the following purposes:

• •Providing and maintaining app functionality
• •Tracking your fitness progress and personal records
• •Generating AI-powered coaching and recommendations
• •Calculating a readiness-to-train score based on sleep, heart rate variability, and training load
• •Providing recovery-aware AI coaching and workout recommendations
• •Improving our services and user experience
• •Sending important account and service notifications

We will not use your personal information for direct marketing without your consent, in accordance with the Spam Act 2003 (Cth).

Your primary data is stored securely using industry-standard encryption on Supabase infrastructure hosted in Sydney, Australia (AP Southeast-2). Some third-party services (Anthropic, OpenAI, Deepgram, RevenueCat, Resend, Sentry, PostHog) may process data on servers located in the United States. By using the app, you consent to the transfer of your data to overseas servers where necessary, in accordance with APP 8. We take reasonable steps to ensure overseas recipients handle your data consistently with the APPs.

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure as required by APP 11.

Local data on your device is encrypted using MMKV storage and protected by your device's security features.

Apple Health data remains on your device at all times. It is read from Apple's HealthKit framework, cached locally in encrypted storage (MMKV) for display purposes, and is never transmitted to Supabase or any external server. Summary health metrics (e.g., readiness score, sleep duration) may be sent to Anthropic and OpenAI as part of AI coaching context but are not stored beyond request processing by Anthropic. OpenAI may retain data for up to 30 days for abuse monitoring.

We share data with the following third-party services to provide app functionality:

• •Supabase: authentication and data storage
• •Anthropic (Claude AI): AI coaching and recommendations
• •OpenAI: AI coach chat, photo scanning, and daily insights
• •Deepgram: voice-to-text transcription
• •RevenueCat: subscription management
• •Resend: transactional emails (verification codes and password resets only)
• •Sentry: crash reporting and error monitoring
• •PostHog: product analytics (screens viewed, features used, button interactions, device type, OS version, app version). Anonymous analytics collection begins when you first open the App, before account creation, to help us understand how the onboarding experience performs. PostHog does not receive workout content, exercise data, health or fitness metrics, AI conversation content, HealthKit data, or any health-related information. PostHog does not use customer data for training AI models and acts as a data processor under our instruction only. Event data is hosted on PostHog Cloud US (AWS, United States) and retained until deleted by us
• •Apple: authentication (Apple Sign-In) and on-device health data access via HealthKit (no data shared with Apple beyond what HealthKit manages locally)

We do not sell your personal information. Data shared with third parties is limited to what is necessary for their specific service function.

We may integrate additional analytics tools in the future to improve the App. This Privacy Policy will be updated before any such integration is activated.

Under the Australian Privacy Principles, you have the right to:

• •Access your personal information (APP 12)
• •Request correction of inaccurate information (APP 13)
• •Delete your account and associated data
• •Export your workout history
• •Opt out of AI-powered features
• •Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

To exercise these rights, contact us using the details below or use the relevant features in the app's Settings menu.

If you are located in the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional rights regarding your personal data.

• •Legal basis for processing: we process your data on the basis of contractual necessity (to provide the app), legitimate interests (security, fraud prevention, service improvement), and consent (marketing emails and optional analytics)
• •Right of access: request a copy of all personal data we hold about you
• •Right to rectification: correct inaccurate personal data
• •Right to erasure: request deletion of your account and data
• •Right to restrict processing: limit how we use your data
• •Right to data portability: export your data in a machine-readable format (available via Settings)
• •Right to object: opt out of processing based on legitimate interests

Your data is transferred to the United States for processing by our AI providers (Anthropic, OpenAI), analytics (PostHog), and infrastructure (Supabase). We rely on Standard Contractual Clauses (SCCs) to safeguard these transfers.

To exercise your GDPR rights, contact support@blockone.fit. You also have the right to lodge a complaint with your local supervisory authority.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:

• •Right to know: request what personal information we collect, use, and disclose
• •Right to delete: request deletion of your personal information
• •Right to opt out of sale or sharing: Block One does not sell your personal information. We share data with service providers (listed in Section 6) solely to operate the app
• •Right to non-discrimination: we will not treat you differently for exercising your privacy rights

To exercise your CCPA rights, contact support@blockone.fit or use the account deletion and data export features in Settings. We will respond within 45 days.

We retain your personal information for as long as your account is active or as needed to provide you with the app's services. If you delete your account, we will delete or de-identify your personal information within 30 days, except where retention is required by law.

Certain usage count records (tracking how many AI features you used per month) are retained after account deletion with your user ID removed. These records are retained solely to prevent abuse of free tier limits. They do not contain your messages, workout data, or AI interaction content, but may retain your email address for anti-abuse identification purposes.

In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. Notifications will be made as soon as practicable after we become aware of the breach.

Block One is not intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information.

We may update this Privacy Policy from time to time. We will notify you of material changes through the app or via email. Your continued use of the app after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or wish to make a privacy complaint, please contact us at:

If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.