Privacy Policy
Last updated: 19 May 2026
1. Data Controller
Load & Flow ("we", "our", or "us") is a kettlebell training application operated by Ollie Castle, trading as Load & Flow, a sole trader registered in Ireland.
Data Controller: Ollie Castle, trading as Load & Flow
Contact Email:
privacy@loadandflow.com
Supervisory Authority: Data Protection Commission (Ireland) —
www.dataprotection.ie
2. Lawful Basis for Processing
Under GDPR Article 6, we process your data on the following bases:
| Processing Activity | Lawful Basis | GDPR Article |
|---|---|---|
| Account creation & authentication | Contract performance | Art. 6(1)(b) |
| Health & fitness data (workout tracking, fatigue, HR zones) | Explicit consent | Art. 9(2)(a) |
| AI-powered training recommendations | Explicit consent | Art. 9(2)(a) |
| Strava activity sync | Consent (OAuth authorisation) | Art. 6(1)(a) |
| Security logs & rate limiting | Legitimate interest | Art. 6(1)(f) |
| Transactional emails (magic links, export notifications) | Contract performance | Art. 6(1)(b) |
Health and fitness data is classified as special category data under GDPR Article 9. We process this data only with your explicit consent, which you provide at registration. You may withdraw consent at any time via Settings → Privacy & Data.
3. Information We Collect
3.1 Information You Provide
- Account information: Email address (passwordless authentication via magic links)
- Profile preferences: Display name, timezone, measurement units
- Training preferences: Experience level, session duration, rest periods, movements to avoid
- Equipment: Kettlebell weights and quantities
- Consent records: Timestamp, IP hash, and version of each consent granted
3.2 Health & Fitness Data (Special Category)
When you use the Service to track training, we collect:
- Workout sessions (start/end time, exercises, sets, reps, weight, RPE)
- Running activities (distance, pace, elevation, heart rate)
- Muscle fatigue levels (calculated from your training load)
- Heart rate zones and training stress scores
- Wellness entries (sleep, soreness, fatigue, mood)
- FIT files (GPS and sensor data from connected devices)
3.3 Automatically Collected Data
- IP address: Logged for security and rate limiting (hashed in consent records)
- User-Agent: Device type for responsive rendering
- Error logs: Error messages and page URLs for debugging
We do not use third-party analytics, crash reporting, advertising SDKs, or device fingerprinting.
4. How We Use Your Data
- Deliver the Service: Authenticate, store workouts, generate training plans
- Personalise training: Adapt suggestions based on fatigue, history, and goals
- AI enrichment: Generate activity narratives and training insights (anonymised data sent to AI provider — no PII)
- Communicate: Magic link emails, data export notifications, service notices
- Security: Detect unauthorised access, enforce rate limits
We do not use your data for advertising, marketing, profiling for third parties, or automated decision-making with legal effects.
5. Data Sharing & Sub-Processors
We do not sell, rent, or trade your personal data. Data is shared only with sub-processors necessary to operate the Service. All processors have Data Processing Agreements (DPAs) in place.
See our full Sub-Processors list for details on each provider, what data they access, and their legal basis.
We may also disclose data if required by law, regulation, or valid legal process.
6. Data Storage & Security
6.1 Data Location
All personal data is stored exclusively within the European Union:
- Primary database: UpCloud Managed PostgreSQL, Amsterdam, Netherlands — encrypted at rest
- Application server: OVH VPS, Gravelines, France
- File storage: OVH Object Storage (S3), Gravelines, France — client-side encrypted (AES-256-GCM)
- Backups: OVH Object Storage (S3), Strasbourg, France — age-encrypted
6.2 Security Measures
- HTTPS everywhere (TLS 1.3 via Bunny.net CDN)
- Passwordless authentication — no password database to breach
- JWT tokens with short expiry (60 min access, 30 day refresh)
- Refresh tokens stored as SHA-256 hashes, rotated on each use
- Database disk encrypted with LUKS2 (AES-256-XTS, 512-bit key)
- FIT files encrypted with AES-256-GCM before upload
- Rate limiting on all API endpoints
- Content Security Policy with strict-dynamic nonces
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account & training data | Until account deletion + 14 day grace period |
| Access tokens (JWT) | 60 minutes |
| Refresh tokens | 30 days (purged hourly) |
| Magic link tokens | 15 minutes |
| AI usage logs | 90 days (then anonymised) |
| Security/error logs | 90 days |
| Consent records | 6 years (legal obligation) |
| Data exports | 24 hours after generation |
When you delete your account, all personal data is permanently erased after the 14-day grace period. Consent records are retained in anonymised form for 6 years per legal requirements.
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of all personal data we hold — use the Export My Data button in Settings
- Rectification (Art. 16): Correct inaccurate data via Settings or by contacting us
- Erasure (Art. 17): Delete your account and all data — use Delete Account in Settings (14-day grace period)
- Portability (Art. 20): Export your data in machine-readable format (JSON + original FIT files)
- Restrict processing (Art. 18): Request we limit processing while a dispute is resolved
- Object (Art. 21): Object to processing based on legitimate interest
- Withdraw consent (Art. 7): Withdraw health data consent at any time via Settings
- Lodge a complaint: Contact the Irish Data Protection Commission
Most rights can be exercised self-service via Settings → Privacy & Data. For requests requiring manual processing, email privacy@loadandflow.com — we respond within 30 days.
9. Age Requirement
The Service requires users to be at least 16 years old (the GDPR digital age of consent in Ireland). We verify age confirmation at registration. If we become aware that a user is under 16, we will immediately delete their account and all associated data.
10. Cookies
We use only strictly necessary cookies (authentication and security). No analytics, marketing, or tracking cookies are used. See our full Cookie Policy.
11. International Data Transfers
All personal data is stored within the EU. Where sub-processors have US presence (OpenAI for AI narratives, Strava for activity sync), we ensure:
- EU Standard Contractual Clauses (SCCs) are in place
- No personally identifiable information is sent to OpenAI (only anonymised activity summaries)
- Strava access is user-initiated via OAuth and can be revoked at any time
12. Changes to This Policy
Material changes will be notified via email at least 14 days before taking effect. Non-material clarifications may be made without notice. The "Last updated" date above always reflects the most recent revision.
13. Contact
For privacy-related enquiries:
- Email: privacy@loadandflow.com
- Website: loadandflow.com