Privacy Policy

Effective: 2026-06-21 · Last updated: June 21, 2026

This Privacy Policy explains how RepRoute ("RepRoute", "we", "us", or "our") collects, uses, discloses, stores, and protects your personal data when you visit our website, create an account, or use our fitness planning web application (together, the "Service"). We are committed to handling your data lawfully, fairly, and transparently, in compliance with the Thailand Personal Data Protection Act B.E. 2562 (the "PDPA") and, where it applies to you, the EU General Data Protection Regulation (the "GDPR").

The short version. We collect only what we need to build and adapt your workout plans. We never sell your data, never run advertising or third-party tracking, and process your health-related information only with your explicit consent. You can export or delete everything at any time from Settings → Privacy. This summary is for convenience only — the full text below governs.

1. Definitions

Personal data — any information relating to an identified or identifiable natural person.
Sensitive / special-category data — data revealing health or other categories given heightened protection under GDPR Article 9 and PDPA section 26.
Processing — any operation performed on personal data, such as collection, storage, use, disclosure, or erasure.
Data controller — the party that determines the purposes and means of processing (that is us, for direct users).
Data processor / sub-processor — a third party that processes personal data on our behalf and on our instructions.

2. Data Controller and Contact

The data controller responsible for your personal data is Jirawut Suwatcharakulthorn, operating as a sole proprietor in Thailand. For any privacy enquiry or to exercise your rights, you may contact our Data Protection Officer through our contact form.

EU representative (GDPR Article 27): RepRoute is established in Thailand. Before we actively offer the Service to data subjects in the EU/EEA, we will appoint a representative in the Union and publish their name and contact address here. This appointment is pending.

3. Data We Collect

We collect the categories of data below. Most of it you provide directly; some (such as security logs) is generated automatically when you use the Service.

3.1 Account data

Email address
Password (stored as a salted hash by Supabase Auth; we never see plaintext)
Account creation date and last sign-in timestamp
If you sign in with a third-party provider (for example Google), that provider shares your email and basic profile identifier with us so we can create or match your account

3.2 Profile data

Display name and (optionally) username
Age, height, weight (used to calibrate exercise intensity and load)
Equipment availability, training goals, preferences, and schedule
Display preferences such as language, theme, and units

3.3 Sensitive health data

Injury flags (e.g. lower-back, knee, shoulder limitations)
Body-weight history and age — used to derive load progression
Any health-relevant note you choose to enter (for example a limitation you describe in your own words)

3.4 Activity and usage data

Workout completions, sets, reps, and weights you log
Plans generated for you and adjustments you make
Prompt content and responses when an adaptive plan is generated
Optional content you submit, such as support messages, food entries, and photos you upload for a scan
Service logs (rate-limit counters, error reports, feature usage)

3.5 Security audit data

For security, fraud prevention, and abuse investigation we record an audit trail of sign-in events, access to other users' data, and rate-limited requests. Each entry may include:

IP address
Browser user agent
Event type and timestamp

These security audit logs are retained for a maximum of 2 years and then permanently deleted (see Retention Periods below).

3.6 Data we do not collect

We do not collect payment card numbers (these are handled directly by our payment processor), we do not buy personal data from data brokers, and we do not run advertising, analytics, or third-party tracking scripts. See our Cookie Disclosure for the complete list of cookies and storage we use.

4. Sensitive Health Data — Explicit Consent

Injury flags, body weight, and age qualify as special category data under GDPR Article 9 and as sensitive personal data under PDPA section 26. We process this data only with your explicit, freely given consent. This consent is captured as a separate, unbundled checkbox at sign-up (distinct from accepting the Terms) and recorded in our consent log. You may withdraw this consent at any time through Settings → Privacy. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, but it may prevent us from generating or adapting plans for you afterwards.

5. How and Why We Use Your Data

We use personal data for the following purposes:

To provide the Service — create your account, generate and adapt workout plans, store your logs and progress.
To personalise plans — calibrate intensity, route around injuries, and respect your equipment and schedule.
To keep the Service safe — authenticate you, enforce rate limits, detect abuse, and investigate security incidents.
To communicate with you — send essential transactional emails (email confirmation, password reset, security and account notices) and, only if you opt in, product updates and weekly training summaries.
To handle support requests — respond to messages you send through the contact form.
To meet legal obligations — retain consent records and respond to lawful requests.
To improve the Service — understand which features are used, using aggregated or de-identified data where possible.

6. Legal Basis for Processing

Contract performance (GDPR Art. 6(1)(b) / PDPA s.24(3)): to deliver the workout planning service you signed up for.
Explicit consent (GDPR Art. 6(1)(a) + Art. 9(2)(a) / PDPA s.26): for sensitive health data, adaptive plan generation, and marketing emails.
Legitimate interest (GDPR Art. 6(1)(f)): for security, fraud prevention, rate-limit enforcement, and basic service improvement, balanced against your rights and freedoms.
Legal obligation (GDPR Art. 6(1)(c)): for retaining consent records and complying with lawful requests.

7. Marketing Communications

We send marketing or product-update emails only if you opt in (for example by ticking the optional box at sign-up). Every marketing email includes an unsubscribe link, and you can change your preference at any time in Settings → Privacy. Essential transactional messages — such as email verification, password resets, and important security or account notices — are not marketing and are sent regardless of your marketing preference because they are necessary to operate your account.

8. Automated Plan Generation and Profiling

Some plans are produced with the help of automated reasoning systems that process the goals, equipment, and limitations you provide. This is a core part of the Service and is carried out with your consent and to perform our contract with you. These automated suggestions do not produce legal effects concerning you or similarly significant effects within the meaning of GDPR Article 22: they are recommendations you remain free to accept, modify, or ignore, and you can always reach a human by contacting us. We do not use your data for automated decisions about credit, employment, insurance, or any comparable consequential outcome.

9. Data Processors and Sub-processors

We engage the following processors. Each is bound by a data-processing agreement and processes your data only on our documented instructions. We share only the minimum data each processor needs for its function.

Processor	Purpose	Location
Supabase	Database + Auth	Singapore (ap-southeast-1)
Cloudflare Workers	App hosting + edge runtime	Global edge
Cloudflare R2	Static media storage	Global edge
Cloudflare Turnstile	Bot protection	Global edge
Resend	Transactional email	US / EU
Groq	Text AI inference (primary)	US
Cerebras	Text AI inference (fallback)	US
Cloudflare Workers AI	Image AI inference — gym, food & program photo scans	Global edge
Upstash Redis	Rate limiting	Global

We also use public third-party food databases (Open Food Facts and the USDA FoodData Central database) to look up nutrition information. When you search for a food, the search term is sent to these services; we do not send them any account identifier or health data.

10. When We Disclose Data

We do not sell your personal data and we do not share it for cross-context behavioural advertising. We disclose personal data only:

to the processors listed above, to operate the Service;
where you direct us to (for example, making part of a profile public through a feature you choose to enable);
to comply with a valid legal obligation, court order, or lawful request from a competent authority;
to protect the rights, safety, and property of RepRoute, our users, or the public; and
in connection with a merger, acquisition, or sale of assets, in which case we will notify you and any new owner will remain bound by this policy or a materially equivalent one.

11. International Data Transfers

Our primary database is hosted in Singapore (Supabase ap-southeast-1). Some processors — in particular our text AI inference providers (Groq and Cerebras), our image AI provider for photo features (Cloudflare Workers AI), and Resend — are based in the United States or operate global edge networks. Where data leaves Thailand or the EEA we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and on the supplementary safeguards described in those agreements, as well as the transfer mechanisms required under the PDPA.

12. Retention Periods

Account and profile data: kept until you delete your account, then irreversibly purged after a 30-day grace period during which deletion can be cancelled.
AI usage log (including the prompt content and the response generated when a plan is created): 90 days, then deleted.
Consent events: 7 years, as required for proof of consent under PDPA and GDPR. The IP address attached to a consent record is removed after 2 years.
Security audit logs (sign-in events, data-access records, and rate-limit violations, including any IP address and user agent): permanently deleted after 2 years.
Support messages: kept while needed to resolve your request and for a reasonable period afterwards for follow-up and record-keeping.
Workout history: kept for the lifetime of your account; you may export or delete it at any time.

13. Your Rights

You have the following rights with respect to your personal data:

Access — request a copy of the data we hold about you
Rectification — correct inaccurate or incomplete data
Erasure — ask us to delete your data ("right to be forgotten")
Portability — receive your data in a structured, machine-readable format
Objection — object to processing based on legitimate interest
Restriction — ask us to limit how we process your data
Withdraw consent — at any time, without affecting prior processing
Lodge a complaint — with a competent supervisory authority

14. How to Exercise Your Rights

Most rights can be exercised in-app under Settings → Privacy, including data export and account deletion. For requests that cannot be self-served, use our contact form. We respond within 30 days as required by PDPA and GDPR; where a request is complex we may extend this and will tell you why. We do not charge for exercising your rights unless a request is manifestly unfounded or excessive. We may ask you to verify your identity before acting on a request.

15. Children

RepRoute is intended only for users aged 16 or older. You confirm at sign-up that you meet this minimum age. We set the threshold at 16 so that a single gate satisfies the highest digital-consent age applied across EU member states, as well as Thai PDPA expectations. We do not knowingly collect data from anyone below this age. If we learn that we have collected data from a person below this age without verifiable parental consent, we will delete it.

16. Security

We protect your data with row-level security on every database table, encrypted transport (TLS), encryption at rest by Supabase, JWT-based authentication, server-side rate limiting, and Cloudflare Turnstile bot protection. Service-role keys are held only in server runtime secrets and are never exposed to client code. Uploaded images are validated by file signature, and access to other users' data is logged. No method of transmission or storage is perfectly secure, but we work to protect your data using measures appropriate to its sensitivity.

Breach notification. If a personal-data breach is likely to affect your rights, we will notify the relevant supervisory authority — and, where the breach poses a high risk to you, affected users — without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by GDPR Articles 33–34 and PDPA section 37.

17. Cookies and Similar Technologies

We use only strictly necessary cookies and local-storage entries and run no advertising or analytics trackers, so we do not display a cookie consent banner. A full, itemised list is in our Cookie Disclosure. If we ever introduce a non-essential cookie, we will ask for your consent first.

18. Third-party Links

The Service may link to third-party websites or embed third-party content (for example exercise demonstration videos). We are not responsible for the privacy practices of those third parties, and this policy does not apply to them. Please review their own privacy policies.

19. Complaints and Supervisory Authorities

We would like the chance to address your concern first, so please consider contacting us before lodging a complaint. If you are in Thailand, you may lodge a complaint with the Personal Data Protection Committee (PDPC). If you are in the European Economic Area, you may complain to the data-protection authority of your country of residence, place of work, or place of the alleged infringement.

20. Changes to This Policy

We may update this policy from time to time. When we make a material change we will bump the effective date, notify you by email, and where required by law re-request your consent. Your continued use of the Service after an update takes effect means you accept the revised policy (except where renewed consent is required). The current version is 2026-06-21.