Privacy Policy

Last updated: February 20, 2026

1. Introduction

This Privacy Policy explains how PTbase ("we," "us," or "our") collects, uses, and protects your personal information when you use our personal trainer client relationship management platform (the "Service").

By using PTbase, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.

2. Information We Collect

2.1 Account Information

When you register for PTbase, we collect:

  • Email address
  • Name
  • Password (stored securely using industry-standard encryption)
  • Phone number (optional, required for SMS features)
  • Business information (business name, address, phone)

2.2 Client Data

As a personal trainer using PTbase, you may store information about your clients, including:

  • Names and contact information (email, phone, address)
  • Health and fitness data (measurements, body composition, fitness goals)
  • Session history and attendance records
  • Nutrition and calorie plans
  • Notes and progress tracking information
  • Communication history

Important: You are the data controller for your clients' personal data. You are responsible for obtaining appropriate consent from your clients and ensuring their data is handled in compliance with applicable privacy laws.

2.3 Payment Information

PTbase Subscription Payments:

Payment processing for your PTbase subscription is handled by Stripe. We do not store your complete credit card information on our servers. We receive and store:

  • Subscription status
  • Billing period dates
  • Transaction history references

Stripe Connect Payments (Trainer-to-Client Payments):

If you use Stripe Connect to accept payments from your clients:

  • Client payment data (card numbers, billing addresses) is collected and stored by Stripe, not PTbase
  • PTbase stores transaction metadata: amounts, dates, payment status, and receipt/invoice URLs
  • Connected account data (your Stripe account ID, onboarding status, currency) is stored in PTbase
  • We create products and prices on your connected Stripe account to facilitate package sales
  • Transaction history is shared between PTbase and Stripe for reconciliation

Your clients' payment information:

When your clients pay you through Stripe Connect, their payment data goes directly to Stripe's PCI-DSS compliant infrastructure. PTbase receives transaction confirmations and metadata but does not have access to full card numbers or sensitive payment credentials.

For details on how Stripe handles payment data, please refer to Stripe's Privacy Policy.

2.4 Calendar Integration Data

If you connect your Google Calendar, we access:

  • Your list of calendars (to let you choose which calendar to sync with)
  • The ability to create, update, and delete calendar events for your scheduled sessions

We do not access or read your other calendar events. We only manage events that PTbase creates. You can disconnect this integration at any time from your account settings.

2.5 Communication Data

We collect data related to communications sent through the Service:

  • SMS messages sent to clients (content, delivery status, timestamps)
  • In-app chat messages between you and your clients
  • Email communications related to your account

2.6 Usage and Technical Data

We automatically collect:

  • Log data (IP address, browser type, pages visited)
  • Device information
  • Session duration and feature usage

3. How We Use Your Information

We use your information to:

  • Provide the Service: Manage your account, store client data, schedule sessions, and track progress
  • Process Payments: Handle subscription billing and SMS credit purchases
  • Send Notifications: Deliver SMS reminders, booking confirmations, and email notifications
  • Sync Calendars: Create and manage calendar events when you enable Google Calendar integration
  • Sync Accounting Records: Transmit sales and client contact data to Fiken when you enable the Fiken integration
  • Improve the Service: Analyze usage patterns to enhance features and fix issues
  • Communicate with You: Send important account updates, security alerts, and service announcements
  • Ensure Security: Protect against fraud, unauthorized access, and other security threats

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or Norway, we process your personal data based on:

  • Contract Performance: Processing necessary to provide the Service you have subscribed to
  • Legitimate Interests: Improving our Service, ensuring security, and communicating with you about your account
  • Consent: Where you have given explicit consent, such as for marketing communications or optional integrations
  • Legal Obligation: Where we are required to process data to comply with applicable laws

5. Third-Party Services

We use the following third-party services to operate PTbase:

5.1 Stripe

We use Stripe for two distinct purposes:

PTbase Subscription Billing:

We use Stripe to process subscription payments for your PTbase account. When you subscribe, your payment information is transmitted directly to Stripe.

Stripe Connect (Trainer-to-Client Payments):

If you enable Stripe Connect to accept payments from your clients:

  • Data Controller Role: You are the data controller for your clients' payment data. Stripe processes this data on your behalf as a data processor.
  • PTbase's Role: We act as a payment orchestrator, facilitating the connection between you and Stripe. We are not a payment processor for client transactions.
  • Data Shared with Stripe: Your business information, your clients' payment information (entered directly into Stripe's secure forms), and transaction metadata (amounts, descriptions, client identifiers).
  • Connected Account Access: You grant PTbase limited access to your Stripe account to create products, manage prices, and retrieve transaction data for display in PTbase.
  • Disconnection: You may disconnect your Stripe account at any time. Upon disconnection, PTbase loses access to your Stripe account, but historical transaction metadata is retained for business and legal record-keeping.

See Stripe's Privacy Policy.

5.2 Google

We use Google services for:

  • Authentication: Optional login via Google OAuth
  • Calendar Sync: Integration with Google Calendar (when you choose to connect it)

When you use Google login or connect your calendar, you authorize us to access specific Google account information as described in the Google authorization screen. See Google's Privacy Policy.

Google Calendar Scope: We request access to manage calendar events. This allows us to:

  • View your list of calendars
  • Create events for your scheduled sessions
  • Update or delete events we have created

We do not read, modify, or delete any events that were not created by PTbase.

5.3 SMS and Email Services

We use third-party providers to send SMS messages and transactional emails on your behalf. These providers process recipient phone numbers, email addresses, and message content solely for delivery purposes.

5.4 Cloud Infrastructure

Your data is stored on secure cloud infrastructure. Our service providers maintain appropriate security certifications and comply with applicable data protection regulations.

5.5 Fiken

If you connect Fiken accounting software (Pro+ feature), PTbase transmits data to Fiken on your behalf to create sales records, invoices, and client contacts.

Data transmitted to Fiken:

  • Your clients' names, email addresses, phone numbers, and addresses (to create or update contacts in Fiken)
  • Sale amounts, dates, descriptions, and payment status
  • Stripe invoice numbers (used as the Fiken sale number for Stripe-backed sales)
  • Attached files: client contract files and Stripe invoice PDFs where available

OAuth credentials:

  • When you connect Fiken, we store an OAuth access token and refresh token on our servers to authenticate API calls to Fiken on your behalf
  • Tokens are stored securely and used exclusively to perform sync operations you have configured
  • Tokens are deleted when you disconnect the integration

Data controller and responsibility:

  • You are the data controller for all data transmitted to Fiken, including your clients' personal data
  • You are responsible for ensuring you have a lawful basis and, where required, your clients' consent to share their personal data with Fiken
  • PTbase acts as a data processor for the purpose of transmitting this data to Fiken, processing it only as instructed by your integration settings
  • PTbase does not use data sent to Fiken for any purpose other than completing the sync operation

Third-party terms:

Data transmitted to Fiken is subject to Fiken's Privacy Policy. PTbase is not responsible for how Fiken stores or processes data after it is received.

5.6 Data Processing Roles (Stripe Connect Payments)

To clarify data protection responsibilities when Stripe Connect is used for trainer-to-client payments:

You (the Trainer):

  • Data Controller for your clients' payment and personal data
  • Responsible for obtaining client consent for payment processing
  • Responsible for responding to client data access or deletion requests
  • Must comply with GDPR and other applicable privacy laws

Stripe:

  • Data Processor for payment card data
  • Processes card information and payment credentials on your behalf
  • Complies with PCI-DSS and financial data protection standards
  • See Stripe's data processing terms for details

PTbase:

  • Payment Orchestrator — not a data processor for payment credentials
  • Facilitates the connection between you and Stripe
  • Stores transaction metadata (amounts, dates, statuses, receipt URLs)
  • Does not process or store full card numbers, CVVs, or sensitive payment credentials
  • Acts as a data processor for non-payment client data (names, emails, session history)

Client Payment Data Flow:

  1. Client enters payment information into Stripe's secure hosted checkout form
  2. Stripe processes the payment on your connected account
  3. Stripe sends PTbase a confirmation with transaction metadata (no card data)
  4. PTbase records the transaction and updates session balances

Your Obligations:

If you use Stripe Connect, you should:

  • Inform clients that their payment data is processed by Stripe
  • Include appropriate payment processing information in any privacy notices you provide to clients
  • Obtain necessary consents for payment processing where required
  • Honor client data requests regarding their payment history

6. Data Storage and Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Secure authentication mechanisms
  • Regular security assessments
  • Access controls and monitoring

While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your data as follows:

  • Account Data: Retained while your account is active and for a reasonable period afterward for legal and business purposes
  • Client Data: Retained until you delete it or close your account
  • Payment Records: Retained as required by tax and financial regulations
  • SMS Credits: Prepaid SMS credits expire 12 months after purchase
  • Communication Logs: Retained for service operation and troubleshooting

When you delete your account, we will delete or anonymize your personal data within a reasonable timeframe, except where retention is required by law.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data
  • Portability: Request a copy of your data in a structured, machine-readable format
  • Restriction: Request that we limit processing of your data
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time

To exercise these rights, please contact us at support@ptbase.app. We will respond to your request within 30 days.

9. Data Transfers

Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses or other approved mechanisms.

10. Children's Privacy

PTbase is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.

11. Cookies and Tracking

We use essential cookies and local storage to:

  • Keep you logged in to your account
  • Remember your preferences
  • Ensure the Service functions properly

We do not use third-party advertising or tracking cookies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Posting the updated policy on our website
  • Sending an email notification to your registered email address

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

support@ptbase.app

If you are an EU/EEA resident, you also have the right to lodge a complaint with your local data protection authority.