Privacy Policy

Last updated: April 2026

1. About This Policy & Data Controller

This Privacy Policy explains how My90Plan Co. Ltd, a private company limited by shares incorporated in the Republic of Mauritius (Company Number C233649, Business Registration Number C26233649), with its registered office at 342, Morcellement Ruisseau Delices, Ville Noire, Mahebourg, Mauritius ("My90Plan", "we", "us", or "our"), collects, uses, shares, and protects personal information when you use the My90Plan platform, mobile application, and related services (the "Platform").

My90Plan Co. Ltd is the data controller responsible for your personal information. We process personal data in accordance with the Mauritius Data Protection Act 2017 and, where applicable, the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.

2. Information We Collect

We collect the following categories of information:

  • Account information — name, email address, role (coach/client/admin), password (stored as a salted hash), set during account creation.
  • Client profile data — date of birth, gender, weight, height, fitness goals, medical conditions, injuries, lifestyle notes, and training preferences (provided by the coach or client). Some of this qualifies as special category data (health data) and is handled with the additional safeguards described in section 4.
  • Workout data — exercise logs (sets, reps, weight), session feedback (difficulty, energy, pain levels), body metrics, plan ratings, and attendance.
  • Communication data — 1:1 messages between coaches and clients, group chat messages, broadcast messages, and any images or videos uploaded through chat.
  • Billing information — subscription tier, billing status, payment history, and payment provider identifiers (e.g. Paddle customer ID). We do not store full card numbers or CVVs; payment details are handled directly by our payment providers.
  • Device & usage data — login timestamps, last-active timestamps, feature usage patterns, and limited technical data (browser type, operating system, PWA install status) needed to operate the Platform.
  • Marketing & funnel data — for visitors who opt into the waitlist, quiz, or referral flows, we collect the information you provide (name, email, responses) and basic funnel events (viewed, started, submitted).

3. How We Use Your Information & Lawful Basis

We use your information to:

  • Provide, maintain, and improve the Platform's functionality (contract, legitimate interests)
  • Generate AI-powered workout plans (client profile data is sent to the Anthropic API for processing) (contract; explicit consent for health data)
  • Display progress charts and analytics to coaches and clients (contract)
  • Facilitate communication between coaches and clients (contract)
  • Send transactional emails (account invitations, password resets, payment receipts, plan updates) (contract, legitimate interests)
  • Send push notifications, where you have enabled them (consent)
  • Process subscription payments and prevent fraud (contract, legal obligation)
  • Comply with applicable legal, tax, and accounting obligations (legal obligation)
  • Detect and investigate abuse, security incidents, or violations of our Terms (legitimate interests)

We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you. Your coach remains the human decision-maker for any plan decisions.

4. AI Data Processing

When a coach generates or refines a workout plan using AI, the following client data is sent to Anthropic, PBC (our AI sub-processor): name or first name, age, gender, weight, height, fitness goals, medical conditions or injuries disclosed to the coach, and training preferences. This data is used solely to generate or update the workout plan. In accordance with Anthropic's API data usage policy, inputs and outputs sent through the API are not used to train Anthropic's models and are retained only as long as needed to provide the service and comply with legal obligations. By using the AI plan generation feature, clients give explicit consent to this processing of health-related data.

5. Data Sharing & Sub-processors

We do not sell, rent, or trade your personal information. Data is shared only with:

  • Your coach (if you are a client) — coaches see their clients' profile, plan, workout logs, progress, feedback, and messages. Clients see only their own data, plus messages from their coach and their coach's broadcasts.
  • Sub-processors and infrastructure providers, each bound by data processing terms:
    • Supabase Inc. (United States) — database, authentication, and file storage
    • Vercel Inc. (United States) — hosting, serverless compute, and content delivery
    • Anthropic, PBC (United States) — AI plan generation and refinement
    • Resend Inc. (United States) — transactional email delivery
    • Paddle.com Market Limited (United Kingdom; acting as Merchant of Record where applicable) — subscription payments, invoicing, and tax
    • Web Push providers — browser-native push services operated by Apple, Google, Microsoft, and Mozilla, used only to deliver push notifications you have opted into
    • GIPHY, LLC (United States) — GIF search in chat (no personal data is sent; only the search term you type)
  • Professional advisers — accountants, auditors, lawyers, and insurers, bound by confidentiality, where necessary to operate the business
  • Legal and regulatory authorities — where required by law, court order, or to protect the rights, safety, or property of My90Plan, our users, or the public
  • Successors in interest — in connection with a merger, acquisition, reorganization, or sale of assets, subject to this Policy

6. International Data Transfers

My90Plan Co. Ltd is based in Mauritius. Several of our sub-processors are located outside Mauritius, including in the United States and the United Kingdom. Where we transfer personal data outside your country, we rely on appropriate safeguards, including Standard Contractual Clauses (where applicable) and the data processing terms of each provider. If you would like a copy of the safeguards that apply to a specific transfer, please contact us at support@my90plan.com.

7. Data Storage & Security

  • Data is stored in a Supabase-managed PostgreSQL database with encryption at rest and encryption in transit (TLS) between your device and our servers.
  • Row Level Security (RLS) at the database layer enforces that coaches can only access their own clients' data, and clients can only access their own data. Administrative access is limited to a small number of authorized personnel.
  • Authentication is handled by Supabase Auth with secure session management and salted password hashing.
  • Administrative service credentials are server-only and never exposed to client-side code.
  • All communication between your browser and our servers is encrypted via HTTPS.
  • We maintain access logs and review them periodically. No system is perfectly secure — we cannot guarantee absolute security, but we take reasonable and appropriate measures to protect your data.

8. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy, or as required by law. Indicative retention periods:

  • Active accounts — for the duration of the account, plus up to 90 days after deletion to handle reversals, disputes, or restore requests.
  • Workout logs and progress data — retained alongside the account; soft-deleted plans remain recoverable by the coach for audit purposes, subject to the same 90-day post-deletion window.
  • Payment and invoicing records — retained for up to 7 years to comply with Mauritian tax, accounting, and anti-money-laundering legislation.
  • Marketing & funnel data — retained for up to 24 months after the last interaction, unless you request earlier deletion.
  • Security logs — retained for up to 12 months.

If a coach's account is deleted, their clients' data is deleted or transferred to another coach as instructed, subject to the retention periods above.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict processing of your data
  • Request a portable copy of your data in a structured, machine-readable format
  • Withdraw consent where we rely on consent as the lawful basis for processing (without affecting the lawfulness of prior processing)
  • Lodge a complaint with a supervisory authority — in Mauritius, the Data Protection Office (dataprotection.govmu.org); in the EU or UK, your local data protection authority

To exercise these rights, contact us at support@my90plan.com. We will respond within 30 days, and may ask you to verify your identity before acting on a request. We may refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive.

10. Cookies & Local Storage

The Platform uses:

  • Strictly necessary cookies — for authentication session management (Supabase Auth). These are required for the Platform to function and cannot be disabled.
  • Functional local storage — for UI preferences such as theme selection, notification dismissals, session feedback tracking, and install-prompt state. This data stays on your device.
  • Service worker caches — to support offline use of the Progressive Web App.

We do not use third-party tracking or advertising cookies, and we do not track individual users across other websites.

11. Children's Privacy

My90Plan is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that we have collected such information, we will delete it promptly. Users aged 13–17 may only use the Platform with the consent of a parent or legal guardian and under the supervision of a qualified coach.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected users without undue delay, and in any event within 72 hours of becoming aware of the breach where required by law. Notifications will describe the nature of the breach, the likely consequences, and the measures we have taken or propose to take to address it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email or in-app notification at least 14 days before the changes take effect, where reasonably possible. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.

14. Contact

For privacy-related questions, data subject requests, or to exercise any of your rights, contact us at support@my90plan.com or write to us at:

My90Plan Co. Ltd
342, Morcellement Ruisseau Delices
Ville Noire, Mahebourg
Republic of Mauritius
BRN: C26233649