ProgramGrid

Privacy Policy

Last updated: 28 April 2026

This privacy policy explains how ProgramGrid (“we”, “us”) collects, uses, stores, and protects personal data when you visit programgrid.co.uk or use the ProgramGrid service. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and (for visitors in the EU) the EU GDPR.

1. Who we are

ProgramGrid is a coaching software platform operated from the United Kingdom. For all data-protection enquiries you can contact us at legal@programgrid.app. We act as the “data controller” for the personal data you provide directly to us. Where you are a client of a coach who uses ProgramGrid, your coach is also a controller for the data you share with them through the service.

2. What data we collect

When you visit the marketing site (programgrid.co.uk): we do not collect personal data through forms or store cookies on your device. The site is statically rendered and contact requests are sent via your own email client (mailto links). Standard server logs may capture IP addresses for security and abuse-prevention purposes; these are kept for no longer than 30 days.

When you sign up to the ProgramGrid service: we collect the data you give us, including your name, email address, account credentials, training programmes, logged sets and reps, body weight, body measurements, dietary log entries, meal plans, calorie targets, and any notes or messages you send through the service. Some of this data (body weight, diet, health-related notes) is “special category data” under Article 9 of UK GDPR.

When you pay for a subscription: billing is processed by Stripe (Stripe Payments Europe Ltd, Ireland). You enter your card details directly into a Stripe-hosted form; the data flows from your browser to Stripe without touching our servers, and we never see or store full card numbers. We retain only the billing email, country, last-four digits of the card, subscription tier, and Stripe customer ID so we can invoice you, handle refunds, and meet UK accounting record-keeping obligations.

3. Why we collect it (lawful bases)

  • To provide the service: performance of a contract (Article 6(1)(b) UK GDPR).
  • To process special category (health) data: your explicit consent (Article 9(2)(a)). You give this consent when you create an account, and you can withdraw it any time by deleting your account or emailing us.
  • To communicate with you about your account: performance of a contract.
  • To improve the service and prevent abuse: our legitimate interests (Article 6(1)(f)), balanced against your rights and freedoms.
  • To meet legal obligations: Article 6(1)(c).

4. Where your data is stored

Application data is stored in Supabase, a managed Postgres service, in EU data centres. The marketing site is hosted by Vercel. Vercel’s edge network may serve cached static content from regions outside the EU/UK; this is covered by the UK’s International Data Transfer Addendum and the EU’s Standard Contractual Clauses.

5. Who we share data with

We do not sell personal data. We share it only with the processors needed to run the service:

  • Supabase: database, authentication, storage. Acts as processor.
  • Vercel: website and application hosting. Acts as processor.
  • Stripe: subscription billing and payment processing. Stripe is a PCI-DSS Level 1 compliant payment provider that handles card details directly; we never see or store full card numbers. Acts as a separate data controller for payment data and as a processor for the subscription metadata we share with them.
  • Your coach: if you are a client, your training and dietary data is visible to the coach who invited you, by design.
  • Law enforcement or courts: only where we are legally required.

6. How long we keep it

We keep account data for as long as your account is active. After you delete your account, we remove personal data from production within 30 days. Backup snapshots are rotated on a 90-day cycle, after which deleted data is permanently overwritten. Billing records are kept for six years to meet UK accounting law.

7. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased (the “right to be forgotten”).
  • Restrict or object to certain processing.
  • Receive your data in a portable format (CSV export is built into the service).
  • Withdraw consent for processing of health data at any time.
  • Lodge a complaint with the UK Information Commissioner’s Office at ico.org.uk. If you are in the EU, you can complain to your local supervisory authority.

To exercise any of these rights, email legal@programgrid.app. We respond within one calendar month.

8. Cookies and tracking

The marketing site does not currently set cookies or use third-party analytics. If we add analytics in future, we will use a cookieless or consent-gated tool and update this policy. The ProgramGrid application sets a small number of strictly necessary cookies for authentication and session security; these do not require consent under UK PECR.

9. International transfers

Personal data is stored in the UK and EU. Where a processor moves data outside the UK/EEA (for example, Vercel’s global edge network or Stripe’s US infrastructure), we rely on the UK’s International Data Transfer Addendum and EU Standard Contractual Clauses to ensure equivalent protection.

10. Children

ProgramGrid is intended for coaches and adult clients. We do not knowingly collect data from children under 16 without parental or guardian consent. If you believe a child has signed up, contact us and we will delete their account.

11. Security

We use TLS in transit, encryption at rest in our database provider, hashed passwords, role-based access control, and row-level security so users can only see their own data (and, for clients, the data their coach is permitted to see). We restrict employee access to production data to what is strictly necessary.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to active users by email and posted here at least 14 days before they take effect. The “Last updated” date at the top of the page reflects the most recent revision.

13. Contact

For any privacy question or to exercise a right, email legal@programgrid.app.