Privacy Policy
Effective date: 30 May 2026
PlanningFit ("we", "us", "the Service") is a strength-training planning and tracking application operated by Parks Computing (Paul Parks), based in Singapore. This policy describes what personal data we collect, why, how we process it, and your rights. It is written to align with the Singapore Personal Data Protection Act 2012 (PDPA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
1. Who we are
Parks Computing, based in Singapore, is the data controller for personal data processed through PlanningFit. You can reach us at [email protected].
2. What data we collect
2.1 Account data
PlanningFit supports two ways to sign in, and collects accordingly:
- Social sign-in (Google, Microsoft). We receive the
provider's stable subject identifier (Google's
subclaim, Microsoft'soidclaim) — an opaque join key used to recognise you across sign-ins — plus your provider-supplied email address, display name, and avatar URL. We never receive your Google or Microsoft password. - Email and password. If you sign in with email and password, we store your email address and a one-way argon2id hash of your password. We never store your password in plaintext and cannot recover it.
2.2 Training data
PlanningFit exists to record your training, so we store the workout data you create: routines and templates; planned and recorded sessions; individual sets (weights, repetitions, technique, side, order, and your free-text notes); exercises you add; and the natural-language instructions you write to steer AI planning. If you later use measurement features, the bodyweight and measurement values you enter are included. This data describes your training and is personal to you.
2.3 AI-assisted planning
PlanningFit can use a large language model to analyse your history and draft your next workout for your approval. When you invoke an AI feature, the relevant training data and your steering instructions are sent to our LLM provider (Anthropic) to generate the draft, and the draft is returned to you. AI features are optional; if you do not use them, no training data is sent to the LLM provider.
2.4 Invitations
Access is currently invitation-only. An invitation is a single-use link token generated by an administrator. We store the token and its status (issued, used, revoked) so the link can be validated and consumed once.
2.5 Cookies
We set a session cookie after you sign in to maintain your
authenticated state, and a short-lived OAuth state cookie
during a social-login flow to protect the callback against CSRF. Both are
first-party, HttpOnly, Secure, and
SameSite=Lax. We use no analytics, advertising, or tracking
cookies. See section 9.
2.6 Data stored on your device
The in-gym workout screen is designed to work offline. To do that, your browser stores your current planned session and the sets you log locally on your device (in the browser's storage) and synchronises them to our server when connectivity returns. This on-device copy lives in your browser and is cleared when you sign out or clear site data.
2.7 Server logs
Our server records standard HTTP access logs — IP address, request path, HTTP status, and user-agent — used only for operational monitoring and security investigation, retained for 30 days.
2.8 What we do not collect
- No third-party analytics, tracking pixels, advertising networks, or behavioural advertising.
- No device fingerprinting or browsing-history collection.
- No third-party scripts on authenticated pages.
3. Legal basis for processing (GDPR Article 6)
| Data | Legal basis | Purpose |
|---|---|---|
| Account data (provider identifier / email / password hash) | Contract (Art. 6(1)(b)) | Account creation and authentication |
| Training data | Contract (Art. 6(1)(b)) | Providing the planning and tracking service |
| AI request data | Consent (Art. 6(1)(a)) | Generating an AI draft when you invoke it |
| Invitation tokens | Legitimate interest (Art. 6(1)(f)) | Access control |
| Session / OAuth-state cookies | Contract / legitimate interest | Maintaining sessions; CSRF protection |
| Server logs (IP) | Legitimate interest (Art. 6(1)(f)) | Security monitoring, abuse prevention |
4. How we use your data
- Authenticate you and maintain your session.
- Store and display your training history, plans, and progress analysis.
- Generate AI-drafted workouts when you ask for them.
- Manage invitation-based access.
- Detect and prevent abuse or unauthorised access.
We do not send marketing email. We do not currently send any email at all.
5. Data sharing
We do not sell, rent, or trade your personal data. It is shared only with processors that operate on our behalf:
- Anthropic — when you use an AI feature, your training data and instructions for that request are processed by Anthropic to generate the draft, under Anthropic's terms.
- Cloudflare — production traffic reaches our server through a Cloudflare tunnel; Cloudflare sees TLS metadata and request paths in transit but not your authenticated session contents.
- Legal obligations — we may disclose data if required by law or valid legal process.
6. International data transfers
PlanningFit is operated from Singapore. If you are in the European Economic Area or the United Kingdom, transfers are protected by Standard Contractual Clauses. If you are in Singapore, overseas transfers comply with the PDPA's section 26 requirements. AI requests are processed by Anthropic, which operates in the United States.
7. Data retention
| Data type | Retention |
|---|---|
| Account data | Until you delete your account |
| Training data | Until you delete it, or delete your account |
| Session cookies | 30 days from last activity |
| OAuth-state cookies | A few minutes (single-use) |
| Invitation tokens | Until used or revoked |
| Server logs | 30 days |
8. Your rights
Depending on your location you have rights to access, correct, delete, and export your data, to restrict or object to certain processing, and to withdraw consent (for example, by not using AI features). To exercise any right, contact [email protected]; we respond within 30 days.
8.1 Singapore (PDPA)
You may access and correct your personal data and withdraw consent. Complaints may be made to the Personal Data Protection Commission at www.pdpc.gov.sg.
8.2 EU/EEA (GDPR)
You may lodge a complaint with your local data protection authority.
8.3 California (CCPA)
You have the right to know, delete, and not be discriminated against for exercising these rights. We do not sell personal information.
9. Cookies
PlanningFit uses only strictly-necessary, first-party cookies (the session cookie and the OAuth-state cookie described in section 2.5). It uses no analytics, advertising, or tracking cookies of any kind.
10. Security
- Social sign-in is delegated to Google and Microsoft over OAuth 2.0 / OpenID Connect.
- Passwords, where used, are stored only as argon2id hashes, never in plaintext.
- All connections are encrypted with TLS, terminated at the Cloudflare edge.
- Session tokens are generated with a cryptographically secure random source; secret comparisons are constant-time.
- Database access is restricted to the application server.
11. Children
PlanningFit is not directed at individuals under 16, and we do not knowingly collect their data. If you believe a child has provided us data, contact [email protected] and we will delete it.
12. Changes to this policy
We may update this policy. Material changes update the effective date above and, where appropriate, are notified in the Service. Continued use after a change constitutes acceptance, subject also to our Terms of Service.
13. Contact
Questions or data-rights requests: [email protected].