Legal
Privacy Notice
1. Who we are
141kg.com is operated by 141kg Ltd, a company registered in England and Wales under company number [COMPANY NUMBER], with registered office at Gables House, 62 Kenilworth Road, Leamington Spa, CV32 6JX. We are the data controller for the personal data described in this notice, except where stated otherwise in section 4 below.
Contact us at admin@141kg.com for any data protection request, including access, correction, deletion, portability, or restriction.
We are not currently required to appoint a Data Protection Officer (DPO) under UK GDPR. If that changes, we will update this notice.
2. What this notice covers
This notice explains:
- What personal data we collect.
- Why we collect it and what we do with it.
- Our lawful basis under UK GDPR for processing it.
- Who we share it with.
- How long we keep it.
- Your rights and how to exercise them.
It applies to everyone who uses the 141kg platform: personal trainers (PTs) who use the Tenant app, and clients of those trainers who use the Client app.
3. What we collect
From PTs (Tenant app users)
- Account data: name, email address, password (stored as a salted hash by Supabase), business name and brand details (logo, colour).
- Authentication data: login timestamps, IP address, browser and device information.
- Content you create: exercise libraries, workout templates, session plans, set-by-set logs you record during sessions, planning and session notes.
- Data you enter about your clients: client name, contact details, date of birth, sex, body weight, training history, injury notes against specific body areas, training goals, and any other notes you record. See section 4 for the controller/processor split that applies to this data.
- Consent records: timestamp, policy version, IP address, and user agent at the moment you accept or decline our terms.
From clients (Client app users)
- Account data: name, email address, password (stored as a salted hash by Supabase).
- Profile data: date of birth (used for age-based leaderboard grouping and to confirm you are 16 or over), sex (used for like-for-like leaderboard comparison), training goals you record.
- Authentication data: login timestamps, IP address, browser and device information.
- Training data: exercises you log, sets, reps, weights you lift, time-under-tension where applicable, session dates and timings, body weight (recorded in kg or stones and pounds), injury notes you log against specific body areas, recovery and wellbeing entries (where the feature is enabled), leaderboard display name (if you opt in).
- Consent records: timestamp, policy version, IP address, and user agent at the moment you accept or decline our terms.
From everyone
- Technical data: error logs, page load timestamps, anonymised usage statistics.
The personal data listed above is used for fitness logging and training purposes. We do not ask for, and you should not enter, special category data under UK GDPR Article 9 (such as health diagnoses, clinical records, sexual orientation, ethnicity, or religious beliefs). Body weight, training metrics, and injury notes captured in the platform are fitness data, not medical data, and we do not treat them as such. Injury notes in particular should describe how the injury affects training (for example, "tweaked lower back, avoid heavy hinge work for two weeks"), not clinical diagnoses or treatment plans.
4. Controller / processor relationship for client data
The relationship between 141kg, the PT, and the client requires explanation.
- For PT account data (the PT's own account details, login data, billing data), 141kg is the controller.
- For client account data and training data entered by the client themselves into the Client app, 141kg is the controller under the contract with the client.
- For data the PT enters about the client in the Tenant app (workout history, notes, body weight records entered by the PT), the PT is the controller and 141kg is the processor. The PT processes that data under their own contract with the client. 141kg processes it on the PT's instructions, under a Data Processing Agreement which forms part of our Terms of Service.
In practice this means: if you are a client and you want to know why your PT recorded a particular piece of data about you, ask your PT. If you want to know how 141kg stores or secures that data, contact us at admin@141kg.com.
5. Why we process your data, and our lawful basis
| Purpose | Lawful basis (UK GDPR Article 6) |
|---|---|
| Running your account and the platform | Contract, Art 6(1)(b) |
| Authenticating you when you log in | Contract, Art 6(1)(b) |
| Showing you your own training data | Contract, Art 6(1)(b) |
| Sharing client data with the PT who manages them | Contract, Art 6(1)(b) |
| Showing your name on the leaderboard (Client app) | Consent, Art 6(1)(a), opted in separately |
| Improving the platform (error logs, usage analytics) | Legitimate interests, Art 6(1)(f) |
| Complying with legal obligations (tax, regulatory) | Legal obligation, Art 6(1)(c) |
| Sending you service emails (account, security, terms updates) | Contract, Art 6(1)(b) |
| Sending you marketing emails | Consent, Art 6(1)(a), opted in separately |
We will only send marketing emails to people who have opted in. If we introduce marketing in the future, we will ask you separately at that time. You can withdraw consent at any time using the unsubscribe link in any marketing email.
6. Who we share your data with
We share your data only with the following:
- Your PT or your clients, as appropriate to the platform's function. If you are a client, your PT can see the data you enter. If you are a PT, you can see the data your clients enter. This is the core function of the platform.
- Our hosting and infrastructure providers: Vercel (web hosting) and Supabase (database and authentication). Both act as our processors under written agreements. Both store our data within the EEA (Ireland, eu-west-1).
- Other professional advisers (accountants, solicitors, auditors) where strictly necessary and under confidentiality.
- Law enforcement or regulators where we are legally required to disclose data.
We do not sell your data. We do not share your data with advertisers. We do not use your data to train AI models.
7. Where your data is stored
Your data is stored on Supabase infrastructure in the eu-west-1 region (Ireland), which is within the European Economic Area (EEA). Data transfers between the UK and the EEA are covered by mutual adequacy decisions; no additional transfer safeguards are required.
Some operational tools (email delivery, error monitoring) may transfer limited data outside the EEA. Where this happens, we use providers covered by appropriate transfer mechanisms (UK adequacy decisions or Standard Contractual Clauses with the UK addendum).
8. How long we keep your data
We retain personal data for as long as your account is active, plus 6 years after your account is closed. This retention period aligns with:
- The UK statute of limitations for contract claims (Limitation Act 1980, six years).
- HMRC business record retention requirements for limited companies.
After the retention period ends we delete the data, or anonymise it so it can no longer be linked to you.
You can ask us to delete your data sooner. We will do so unless we are required by law to keep it. See section 10 for how to make the request.
Audit logs (records of consent, login activity, security events) are kept for 6 years after the event regardless of account status, because they may be needed as evidence in a legal or regulatory dispute.
9. Security
We take security seriously. The platform uses:
- HTTPS for all data in transit.
- Encryption at rest on the Supabase database.
- Row-level security (RLS) policies that restrict each user to seeing only their own data.
- Salted password hashing handled by Supabase Auth.
- Optional multi-factor authentication (MFA) for PT accounts.
No system is perfectly secure. If you believe your account has been compromised, change your password immediately and contact admin@141kg.com.
10. Your rights under UK GDPR
You have the following rights:
- Right of access (Art 15): ask us for a copy of your data.
- Right to rectification (Art 16): ask us to correct inaccurate data.
- Right to erasure (Art 17): ask us to delete your data, subject to legal retention requirements.
- Right to restriction of processing (Art 18): ask us to stop processing your data in specific ways.
- Right to data portability (Art 20): receive your data in a machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object (Art 21): object to processing based on legitimate interests.
- Right to withdraw consent (Art 7(3)): where we rely on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
- Right to complain: if you believe we have mishandled your data, you have the right to complain to the Information Commissioner's Office (ICO). We would prefer you came to us first so we can try to resolve the issue.
To exercise any of these rights, email admin@141kg.com. We will respond within one month. There is no fee, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable fee or refuse.
The ICOInformation Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: https://ico.org.uk
11. Cookies and similar technologies
The platform uses essential cookies and similar technologies (local storage) for:
- Keeping you logged in.
- Remembering your preferences (theme, brand colour cache).
- Authentication tokens issued by Supabase.
These are strictly necessary for the platform to function and do not require consent under PECR. We do not use advertising cookies, tracking cookies, or third-party analytics cookies on the platform itself.
12. Children
The Client app is intended for users aged 16 and over. If a PT invites a client under 16, the PT is responsible for obtaining parental or guardian consent before adding that client. The platform is not designed for users under 16 and we do not knowingly collect data from children under 16.
13. Changes to this notice
We may update this notice from time to time. When we do, we will:
- Bump the version number at the top of this document.
- Show you the updated notice in the app, with a tick-box, the next time you log in.
- Record your acknowledgement of the new version with a timestamp, the version number, your IP address, and your device.
14. Contact
For any privacy question or to exercise any right under UK GDPR, contact us at admin@141kg.com.