Privacy Policy

1. Introduction

Pretty Good Software Company, LLC ("we," "us," or "our") operates SufferClub, a real-time collaborative workout application available on iOS, Android, and at sufferclub.fit (collectively, the "Service").

We built SufferClub to help people suffer together -- not to collect and sell your data. This Privacy Policy explains what information we collect, how we use it, and what choices you have. We want to be upfront:

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Name and email address
• Profile photo (optional)
• Authentication credentials
• Account preferences and settings

2.2 Health and Biometric Data

If you choose to connect a heart rate monitor (such as an Apple Watch, Bluetooth chest strap, or other wearable), we collect heart rate data during workout sessions. Under the EU General Data Protection Regulation (GDPR), heart rate data is classified as "special category" personal data. Under the California Consumer Privacy Act (CCPA), it qualifies as sensitive personal information.

We collect this data only when you actively connect a heart rate device and enable broadcasting. It requires your explicit, separate consent before collection begins, and you can disable it at any time.

2.3 Workout and Session Data

• Workouts you create (type, structure, exercises, intervals, rest periods, rounds)
• Session participation (who joined, timestamps, duration)
• Performance metrics (leaderboard rankings, post-workout statistics)
• Saved workout library and history (Pro tier)

2.4 Device and Technical Information

• Device type, operating system, and app version
• IP address and general location (country/region -- not precise GPS)
• Crash logs and performance data
• Unique device identifiers

2.5 Payment Information

Subscriptions are processed entirely through the Apple App Store or Google Play Store. We do not directly collect or store your credit card number, bank account details, or other financial information. Please refer to Apple's or Google's privacy policies for how they handle payment data.

3. How We Use Your Information

We use the information we collect to:

• Operate the Service -- run workouts, manage sessions, display leaderboards, and deliver the features you expect
• Broadcast your heart rate to other session participants in real time (only during active sessions, only with your consent)
• Calculate and display workout statistics, analytics, and leaderboard rankings
• Improve the app -- fix bugs, monitor performance, and develop new features
• Communicate with you -- respond to support requests and send service-related updates
• Comply with legal obligations

We do NOT use your health, biometric, or workout data for advertising, ad targeting, profiling for marketing purposes, or sale to third parties.

4. Real-Time Heart Rate Broadcasting

Heart rate broadcasting is a core feature of SufferClub, so we want to be especially clear about how it works:

• When you enable heart rate broadcasting, your heart rate data is transmitted in real time to all participants in your current workout session.
• This data is visible to other session participants only during the active session.
• You can disable heart rate broadcasting at any time from the session screen.
• After a session ends, only summary statistics (such as peak heart rate and average heart rate) are retained. Raw, real-time heart rate streams are not permanently stored.
• Explicit consent is required before enabling this feature for the first time.

5. Data Sharing and Disclosure

5.1 What We Share

• With session participants: Your display name, performance statistics, and heart rate (if broadcasting is enabled) are visible to other participants in sessions you join.
• With service providers: We work with a limited number of third-party services for infrastructure, hosting, analytics, and crash reporting. These providers are bound by data processing agreements and have access only to what is necessary to provide their services.
• For legal compliance: We may disclose information if required by law, court order, or to protect the safety of our users or the public.

5.2 What We Do NOT Share

• We do not sell your personal information to anyone.
• We do not share health or biometric data with advertisers, data brokers, or for marketing purposes.
• We do not share data with Apple HealthKit or Google Health Connect for any purpose other than reading data you have explicitly authorized, in accordance with Apple's and Google's policies.
• We do not use health data to build advertising profiles.

5.3 If Our Practices Change

If we ever decide to share workout or health data with third parties beyond what is described in this policy, we will:

1. Provide at least 30 days' advance notice via in-app notification or email.
2. Require your explicit opt-in consent before any health or biometric data is shared with new parties.
3. Update this Privacy Policy with specific details about who the data is shared with, what data is involved, and why.

You will always have the option to decline new sharing arrangements or delete your account and data.

6. Data Retention and Deletion

• Account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
• Workout and session data: Retained while your account is active. Can be deleted upon request.
• Heart rate data: Real-time broadcast data is not permanently stored in raw form. Only aggregated session statistics (peak HR, average HR) are retained.
• Backups: After account deletion, data may persist in encrypted backups for up to 90 days before full removal.

To request deletion of your data, email hello@sufferclub.fit or use the in-app account settings.

7. Your Rights and Choices

7.1 All Users

• Access the data we hold about you
• Request deletion of your account and data
• Disable heart rate broadcasting at any time
• Manage notification preferences

7.2 European Economic Area and UK Residents (GDPR)

If you are in the EEA or UK, you have additional rights under GDPR:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restrict processing (Article 18)
• Right to data portability (Article 20)
• Right to withdraw consent at any time (Article 7) -- particularly relevant for heart rate and biometric data
• Right to lodge a complaint with your local supervisory authority

Our legal bases for processing are: consent (biometric data), performance of a contract (account and service data), and legitimate interests (analytics, security, and service improvement).

7.3 California Residents (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used
• Request deletion of your personal information
• Opt out of the sale or sharing of your personal information (note: we do not sell personal information)
• Not be discriminated against for exercising your privacy rights

8. International Data Transfers

Your information may be processed in the United States. If you are located in the EEA or UK, we ensure that any cross-border data transfers are protected by appropriate safeguards, such as standard contractual clauses approved by the European Commission.

9. Children's Privacy

SufferClub is not directed at children under the age of 13 (or 16 in the EEA and UK). We do not knowingly collect personal information from children under these ages. If we learn that we have collected data from a child below the applicable age, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at hello@sufferclub.fit.

10. Security

We take the security of your data seriously. We use encryption in transit (TLS) and at rest, enforce access controls and authentication on our internal systems, and conduct regular security reviews. Health and biometric data receives additional protections consistent with its sensitive nature.

That said, no system is 100% secure. We encourage you to use a strong, unique password for your SufferClub account and to protect your login credentials.

11. Third-Party Links and Services

The Service may integrate with or link to third-party services such as Apple Health, Google Fit, or wearable device platforms. This Privacy Policy does not cover those services. We encourage you to review their privacy policies separately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via in-app notification or email. For changes that affect how we handle health or biometric data, we may require your explicit re-consent.

Continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes, except where re-consent is required.

13. Contact Us

If you have questions about this Privacy Policy or your data, please reach out:

• Pretty Good Software Company, LLC
• Email: hello@sufferclub.fit
• Web: sufferclub.fit

For GDPR-related inquiries, Pretty Good Software Company, LLC is the data controller.