141kg
Legal

Privacy Notice

Version: 2026-07-12-c

Effective from: 12 July 2026

1. About this notice

This notice explains what personal data 141kg collects when you use the platform, why we collect it, what we do with it, how long we keep it, and the rights you have under UK GDPR.

It applies to:

If you are a client, please also read the section below on the two relationships, which explains the difference between the data we control and the data your PT controls.

2. Who we are

The controller of your personal data is 141kg Ltd, a company registered in England and Wales under company number 17241763, with registered office at Gables House, 62 Kenilworth Road, Leamington Spa, CV32 6JX.

You can contact us about anything in this notice at admin@141kg.com.

We are not required to appoint a Data Protection Officer under UK GDPR Article 37 because our processing does not meet the thresholds for mandatory appointment. Privacy questions are handled by the directors and reach us via the email above.

3. The two relationships (important for clients)

When you use the Client app, two separate UK GDPR relationships apply at the same time. Understanding the difference matters because your rights are exercised against different people in each case.

Where 141kg is the controller. For your account itself (your email address, password hash, date of birth, login activity, account preferences, how you use the app, and the technical operation of the app on your device), 141kg decides what is collected and why. This notice covers that. You exercise your rights against us.

Where your PT is the controller and 141kg is the processor. For the training data your PT enters about you and that you enter about yourself (workouts, sets, reps, body weight, heart rate, RPE, session calories, session notes, goals), your PT decides what is collected and why. We process it on their behalf under our Data Processing Agreement at https://legal.141kg.com/dpa/. Your PT should have their own privacy notice explaining this. You exercise rights over that data against your PT in the first instance. If your PT cannot be reached, contact us at admin@141kg.com and we will help.

Where you use the Client app without a personal trainer. There is no PT in the picture, so 141kg is the controller of your training data as well as your account. You exercise all of your rights against us.

4. What we collect and why

We collect personal data in the following categories. The lawful basis for each is named below, as required by UK GDPR Article 13(1)(c).

Account data (controller: 141kg)

Authentication and security data (controller: 141kg)

Communications data (controller: 141kg)

Payment data (controller: 141kg)

Training data (controller: your PT where you train with one; 141kg where you use the Client app without a PT)

The leaderboard. If you opt into the leaderboard, other clients of the same PT can see the display name you choose and your standing on it (such as ranking and points). They cannot see your body weight, date of birth, email address, or any other account detail. Taking part is optional and you can leave the leaderboard at any time.

Special category data (controller: your PT where you train with one; 141kg where you use the Client app without a PT)

If you are a PT entering this category of data about a client, the Tenant app provides a consent capture screen for the client to give explicit consent. You must use this before entering special category data about any client.

Technical and device data (controller: 141kg)

App usage analytics (controller: 141kg)

App engagement shared with your trainer (controller: your PT)

Trainer app usage (controller: 141kg, applies to personal trainers only)

5. Special category data, in plain terms

Some of the data the platform records is treated as a "special category" of personal data under UK GDPR Article 9. This category has tighter rules because it can reveal information about your health. On this platform, the special categories are:

For this category we rely on your explicit consent under Article 9(2)(a). This is a stricter standard than ordinary consent: it must be specific, informed, and given by a clear affirmative action.

Because this is special category data, the app asks for your consent in two parts on the consent capture screen:

Both tick-boxes must be ticked for consent to be valid. Without both, the platform will not record this data about you.

You can withdraw consent at any time in the app settings or by emailing admin@141kg.com. When you do, we stop the relevant processing immediately. Data already recorded remains in your history unless you also ask for it to be deleted (which is a separate right, covered in section 11).

About the Recovery feature. The Recovery indicator shown in the app is computed from your training data (volume per body area and time elapsed since you last trained that area). It is not a separate data point you or your PT enter, and we do not record sleep, soreness, mood, or stress ratings. Because Recovery is derived from training data, it does not require separate special category consent: its lawful basis is the same as the underlying training data it is computed from. If we ever add user-entered recovery or wellbeing fields (such as a sleep tracker or soreness slider), we will update this section and ask for fresh consent before recording that data.

6. What we do not collect

We do not collect, store, or process the following categories of data:

If you have entered any of the above into a free-text field on the platform (such as a session note or a goal description), this is outside the intended use of that field. PTs are instructed in the Tenant app not to enter health information in free-text fields and to keep that information in a separate clinical system if needed. See section 11 for what to do if you believe such data has been entered about you.

7. Change control for future fields

If we plan to add a new data field to the platform in the future, particularly one that would or might constitute health data under UK GDPR (for example, a sleep tracker, a soreness slider, a wearable integration, a nutrition log, or an AI-generated readiness score), we will:

8. Where we store your data

Your data is stored on infrastructure operated by our sub-processors:

Where data is transferred outside the UK to a country not covered by an adequacy decision, we rely on the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses with the UK Addendum, in line with UK GDPR Articles 44 to 49. These are the safeguards required to transfer personal data outside the UK. You can request a copy of the safeguards in place for any specific transfer by emailing admin@141kg.com. This is your right under UK GDPR Article 13(2)(e).

9. Automated decision-making

This statement is provided under UK GDPR Article 13(2)(f).

We do not make automated decisions about you that produce legal effects or similarly significant effects.

The platform computes summaries, trends, and observations from data you and your PT have entered (for example, weekly tonnage, frequency of training, changes in load on specific exercises, body area volume). These are shown to your PT as part of their analysis view, and to you in your own progress view. They are observations, not decisions. They do not change anything about your access to the platform, your tier, your data, or any external service. Decisions about your training are made by your PT, not by the platform.

If this ever changes (for example, if a future feature uses automated decision-making in a way that produces a significant effect), we will update this section and ask for your consent before the change applies to you.

10. How long we keep your data

This is the single retention schedule for the 141kg platform. It is referenced by our Terms of Service and our Data Processing Agreement, and overrides any retention period stated elsewhere.

Data category Retention period Trigger for deletion
Active account data (PT or client) For the life of the account Account closure
Training data (workouts, sets, body weight, special category data) For the life of the account Account closure or deletion request
PT account after closure (transitional period for client data export) 30 days after closure Automatic deletion 30 days after closure
Authentication logs (login events, IP, user agent) 12 months Rolling deletion
Failed login attempts and security events 12 months Rolling deletion
App usage analytics events (screen views, app opens, in-app action events) 6 months Rolling deletion
Trainer app usage events (screen views, app opens) 6 months Rolling deletion
Transactional emails (invites, password resets) and engagement email sent on a PT instruction 30 days at sub-processor (Resend), then deleted Automatic at Resend
Engagement email: record of which messages your PT sent you 12 months Rolling deletion
Engagement email: your opt-out, if you unsubscribe For as long as your account exists Account closure. We keep this so we do not email you again by mistake. Deleting it would put you back on the list.
Inactive accounts (no login for 24 months) Closed and deleted after notice Reasonable notice, then deletion
Backups (containing any of the above) Up to 30 days after the live record is deleted Backup rotation
Anonymised aggregate data Indefinite (cannot be linked to any individual) Not applicable
Records we are required to keep by law (accounting, tax) As required by the relevant law (typically 6 years) End of statutory retention period

When we delete data, we remove it from active systems first. Data may persist in backups for up to 30 days after that, in line with normal backup rotation. After that point it is gone.

11. Your rights

Under UK GDPR you have the following rights over your personal data. To exercise any of them, email admin@141kg.com. We will respond within 30 days. There is no fee unless the request is manifestly unfounded or excessive.

If your data is controlled by your PT (training data, special category data), you exercise these rights against your PT in the first instance. If your PT cannot be reached, contact us and we will help.

12. Children

The 141kg platform is not available to anyone under 16 years old. We enforce this by capturing date of birth at signup and blocking accounts that indicate the person is under 16. PTs are required by our Terms of Service not to enter data about anyone under 16 and to confirm a client's age before inviting them.

If we become aware that we hold data about someone under 16, we will delete it without delay. If you believe we hold such data, please tell us at admin@141kg.com.

13. Cookies and tracking

We use only strictly necessary cookies and storage on your device. These are required to keep you logged in, remember your preferences, and operate the app on your device. They are not used for analytics, advertising, or profiling.

We do not use Google Analytics, Facebook Pixel, Hotjar, Mixpanel, Amplitude, Segment, PostHog, Vercel Analytics, or any equivalent service. We do not embed third-party tracking scripts. We do not sell your data and we do not share it with advertisers.

We do not send you marketing or promotional communications for our own purposes. The emails you receive from us on our own behalf are transactional: account invitations, password resets, account notifications, billing emails if you are on a paid plan, and replies to your queries. If we ever change this position, we will update this notice and ask for your consent first.

If you train with a PT, your PT can ask us to send you an email about the app on their behalf. Your PT chooses who to email; we send none on our own initiative. Every such email carries an unsubscribe link that stops all of them, from any trainer. Section 4 sets this out under App engagement shared with your trainer.

Separately from cookies, we collect first-party usage analytics about how the app is used (which screens are opened, when the app is opened, and that certain in-app actions were used), as described in section 4. This is recorded on our own systems as events linked to your account. It does not use third-party tracking scripts, advertising cookies, or cross-site tracking.

If you are a client: we analyse this only in aggregate, with a small-number floor that drops anything used by fewer than three people on a given day. Nothing we look at or send ourselves can single you out, and your PT never sees these events at all. Separately, your PT can see the date you last used the app. That comes from your login record, not from these analytics events. Section 4 sets it out, including how to opt out of the emails your PT can send about it.

If you are a personal trainer: we record when you open the Tenant app and which screens you open, and our internal reporting on that identifies you. It is not aggregate only. Section 4 sets this out in full, including your right to object.

Our sub-processors (Vercel and Supabase) log technical request data (IP address, request path, timestamp) for security and service operation. This is strictly necessary and is covered by the legitimate interests basis in section 4.

14. Security

We take security seriously. Specifically:

If there is a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and we will notify you without undue delay where the risk to you is high. This is required by UK GDPR Articles 33 and 34.

15. Sub-processors

The following sub-processors handle your personal data on our behalf. The full list with role, location, and safeguards is set out in our Data Processing Agreement at https://legal.141kg.com/dpa/.

If we add or change a sub-processor, we will update the DPA and notify PTs in the app.

16. Changes to this notice

We may update this notice from time to time. When we do, we will:

Previous versions are available on request.

17. Contact

For anything about your data, including to exercise any of the rights in section 11, email admin@141kg.com.