Privacy Policy
Last updated: March 2026
RobustHealth ("we", "us", "our") is a nonprofit fitness platform. This policy explains what data we collect, how we use it, and your rights. We do not sell your data and we do not run ads.
1. Data we collect
- Account data — name, email address, password (stored as a bcrypt hash, never plain text).
- Profile data — date of birth, height, sex, profile photo, unit preferences. Provided voluntarily to unlock features like macro calculations.
- Health & fitness data — nutrition logs, workout logs, biometrics (weight, body fat %, measurements), cardio activities, GPX routes, personal records. This data is yours and is only used to provide the service to you.
- Activity data — posts, comments, reactions, messages you send, friend connections.
- Payment data — premium membership and donation payments are processed by Stripe. We store only the charge ID and amount; your card details never touch our servers.
- Usage data — server logs (IP address, browser type, pages visited) retained for up to 30 days for security and debugging.
2. How we use your data
- To provide and improve the platform.
- To send transactional emails (new messages, session reminders, billing receipts, password resets). You can opt out of non-essential emails in Account Settings.
- To calculate your contributor points and quarterly payouts if you contribute to the platform.
- To enforce our community guidelines and Terms of Service.
We do not use your data for advertising. We do not sell or share your data with third parties except as described below.
3. Third-party services
- Stripe — payment processing. Stripe's privacy policy applies to payment data.
- Cloudflare R2 — file storage for profile photos, coach certifications, and GPX route data.
- Resend — transactional email delivery.
- Strava — if you connect your Strava account, we receive activity data from Strava under Strava's API terms. You can disconnect at any time in Cardio settings.
4. Data retention
Your account data is retained for as long as your account is active. If you delete your account, your personal data is deleted within 30 days. Anonymised aggregate data (e.g. total platform activity counts) may be retained indefinitely.
5. Your rights
You can access, correct, or export your data at any time from your account settings. To request deletion of your account and data, contact us at the email below. If you are in the EU or UK, you have additional rights under GDPR/UK GDPR including the right to object to processing and the right to lodge a complaint with your supervisory authority.
6. Cookies
We use a single session cookie to keep you logged in. We do not use tracking cookies or third-party analytics cookies.
7. Security
Passwords are hashed with bcrypt. All data is transmitted over HTTPS. We enforce rate limiting on login and registration to prevent brute-force attacks. Security incidents are logged and reviewed.
8. Contact
Questions about this policy? Email privacy@robusthealthteam.com