Effective date: May 15, 2026 · Last updated: May 15, 2026
This Privacy Policy explains how TrainerStack.pro collects, uses, discloses, and safeguards personal information. It forms part of, and should be read together with, our Terms of Service.
This Policy applies to personal information we collect through the TrainerStack.pro website, software, applications, APIs, and related services (the "Platform"). It applies to Trainers who register an account, Clients whose data is entered into the Platform by a Trainer, and Visitors who browse our marketing pages.
We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also comply with the EU and UK General Data Protection Regulations (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the New Zealand Privacy Act 2020, and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), to the extent they apply to our processing.
The data controller (or equivalent) for personal information collected directly by us is TrainerStack.pro. You can contact our Privacy Officer at privacy@trainerstack.pro.
Roles for Client data. Where a Trainer enters a Client's personal information into the Platform, the Trainer is the controller (or APP entity / business) of that data and TrainerStack acts as a processor (or service provider) handling the data only on the Trainer's documented instructions and as set out in our Terms of Service. Clients with questions about how their information is used by a particular Trainer should contact that Trainer directly.
The Platform is a fitness business management tool. It is not intended for the storage of clinical health records, diagnoses, prescriptions, or other sensitive medical information. Trainers should not enter such information.
We may receive limited information from Stripe (payment status, payout status, account verification status) to enable billing features. We do not receive or store full card details.
We do not seek to collect sensitive information (as defined in the Privacy Act). If a Trainer chooses to enter sensitive information about a Client into a notes field, the Trainer is responsible for having obtained valid consent for doing so.
We use the following cookies and similar technologies:
| Type | Purpose | Duration |
|---|---|---|
| Strictly necessary | Authentication, session management, security (e.g. CSRF protection) | Session / up to 30 days |
| Functional | Remembering preferences (e.g. timezone, sidebar state) | Up to 12 months |
| Performance / analytics | Aggregated, privacy-respecting product analytics. We do not use third-party advertising trackers. | Up to 24 months |
You can control cookies through your browser settings. Blocking strictly necessary cookies will prevent the Platform from functioning correctly.
We use personal information for the following purposes and on the following legal bases (where GDPR applies):
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide, maintain, and improve the Platform | Performance of contract; legitimate interests |
| Create and manage Trainer accounts | Performance of contract |
| Process Subscription payments | Performance of contract; legal obligation |
| Facilitate Client payments through Stripe Connect | Performance of contract |
| Send transactional emails (payment links, PAR-Q forms, session reminders, account notices) | Performance of contract |
| Notify Trainers of new lead enquiries | Performance of contract |
| Provide customer support | Performance of contract; legitimate interests |
| Detect, investigate, and prevent fraud, abuse, or violations of our Terms | Legitimate interests; legal obligation |
| Maintain the security of our systems and your account | Legitimate interests; legal obligation |
| Comply with legal, regulatory, and tax obligations | Legal obligation |
| Send service-related announcements (changes to Terms, security advisories) | Performance of contract; legitimate interests |
| Send marketing communications about new features (with opt-out) | Legitimate interests; consent where required |
| Generate aggregated, de-identified analytics to improve the Platform | Legitimate interests |
| Defend and bring legal claims | Legitimate interests; establishment, exercise or defence of legal claims |
We do not use your personal information or User Content to train third-party generative AI models. We do not sell, license, or otherwise make personal information available to AI vendors for model training.
We may use aggregated, anonymised, or de-identified information — which cannot reasonably be used to identify any individual — for legitimate business purposes including service improvement, internal analytics, benchmarking, and reporting.
We share personal information with trusted service providers who help us operate the Platform. They process information only on our instructions and under written agreements that require them to maintain appropriate security and confidentiality:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage | United States (AWS us-east-1) |
| Vercel Inc. | Application hosting and content delivery | Global edge network |
| Stripe Payments Australia Pty Ltd / Stripe, Inc. | Payment processing, Stripe Connect onboarding | Australia / United States |
| Resend, Inc. | Transactional email delivery | United States |
Information about a Client is accessible to the Trainer who manages that Client. Trainers will see information about Clients who interact with their lead-capture forms, payment links, or PAR-Q forms.
We may disclose personal information if we believe in good faith that disclosure is necessary to: (a) comply with a law, regulation, subpoena, court order, or other legal process; (b) cooperate with law enforcement or a regulatory authority; (c) enforce our Terms; (d) protect the rights, property, or safety of TrainerStack, our users, or the public; or (e) detect, prevent, or address fraud, security, or technical issues.
If we are involved in a merger, acquisition, restructuring, sale of assets, financing, bankruptcy, or similar transaction, personal information may be transferred to the successor or acquirer as part of that transaction. We will notify you (by email or in-app notice) and update this Policy if your information becomes subject to a different privacy policy as a result.
We may share information for any other purpose with your consent or at your direction.
We do not sell, rent, or trade personal information for monetary or other valuable consideration. We have not done so in the preceding 12 months and have no plans to do so.
The Platform operates internationally. Personal information may be transferred to, stored in, and processed in countries other than the country in which it was collected, including the United States, Australia, and other countries where our service providers operate. These countries may have data protection laws different from those in your country.
Where we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism. You can request a copy of the relevant safeguard by contacting us.
By using the Platform, where permitted by law, you consent to the transfer of your information to countries outside your country of residence.
We retain personal information only for as long as necessary for the purposes set out in this Policy, including to comply with legal, accounting, tax, or reporting obligations.
| Category | Typical retention |
|---|---|
| Active Trainer account data | For the duration of the account |
| After account deletion — personal account data | Deleted or de-identified within 30 days of cancellation |
| Client records held on behalf of a Trainer | Controlled by the Trainer; deleted after account closure or as instructed |
| Billing, invoicing, and tax records | Up to 7 years (Australian tax-record retention requirements) |
| Server and security logs | Up to 12 months |
| Support communications | Up to 3 years from last interaction |
| Aggregated, de-identified data | Indefinitely |
| Backups | Rolling backups overwritten on a schedule (typically up to 35 days) |
Where we are subject to a litigation hold, regulatory investigation, or legal preservation requirement, we may retain information for longer.
We take the security of personal information seriously and implement and maintain reasonable physical, technical, and administrative safeguards designed to protect it from unauthorised access, use, alteration, disclosure, or loss. These include:
No method of electronic storage or transmission is completely secure. While we strive to protect personal information, we cannot guarantee absolute security. You are responsible for keeping your password confidential and for the security of your own devices.
Depending on where you live and the laws that apply to you, you may have some or all of the following rights:
Trainers can update most of their information directly in the Platform. To exercise any other right, contact us at privacy@trainerstack.pro with sufficient detail to identify yourself and your request. We may need to verify your identity before responding.
We will respond within 30 days (or 45 days for California residents, with possible extensions). We do not charge a fee unless your request is manifestly unfounded, excessive, or repetitive.
If you are a Client and wish to exercise rights with respect to information held by a Trainer about you, please contact that Trainer directly. We will assist the Trainer in responding to your request as required.
California residents may use an authorised agent to submit requests on their behalf. We may require written authorisation and verification of identity.
We may send you marketing communications about TrainerStack features, updates, or offers. You can opt out at any time by:
Opting out of marketing communications does not stop service-related notices (such as billing receipts, security alerts, or material changes to these documents), which are necessary for providing the Platform.
We do not engage in automated decision-making that produces legal or similarly significant effects on you within the meaning of the GDPR.
The Platform is intended for users aged 18 and over. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected information from a child without appropriate consent, we will delete it as soon as reasonably practicable.
The Platform may contain links to third-party websites, services, or content. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. Please review the privacy policies of any third party before providing personal information.
If a data breach occurs that is likely to result in serious harm to any individual whose personal information is involved, we will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) without undue delay and within the timeframes required by the Notifiable Data Breaches scheme. Where applicable, we will also notify the relevant supervisory authorities under the GDPR (within 72 hours of becoming aware of the breach) and other jurisdictions.
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent version. If we make a material change, we will notify you by email or in-app notice at least 14 days before the change takes effect. Your continued use of the Platform after the effective date constitutes acceptance.
If you have a complaint about how we handle personal information:
If you are not satisfied, you may escalate to the relevant authority for your jurisdiction:
We have collected the categories of personal information identified in Section 3 in the preceding 12 months for the purposes described in Section 5, and disclosed those categories to the service-provider categories listed in Section 7. We have not sold or shared personal information for cross-context behavioural advertising. We do not knowingly collect personal information from anyone under 16. California residents have the rights described in Section 11 and may submit requests via the contact methods in Section 11.1.
The legal bases on which we rely are set out in Section 5. You have the rights set out in Section 11 and the right to lodge a complaint with your local supervisory authority. International data transfers are handled as described in Section 8.
This Policy is intended to comply with the Australian Privacy Principles. You may complain about a breach of the APPs to our Privacy Officer and, if unsatisfied with our response, to the OAIC.
For privacy-related questions or to exercise your rights: