This policy explains what Shape collects, why we collect it, who we share it with, and the choices you have. It applies to theshapecommunity.com and any connected apps or services operated by Shape ("Shape," "we," "our"). By using Shape you accept this policy; if you do not agree, please don't use the service.
Information we collect
Account & profile. Name, email, password hash, role (client, trainer, nutritionist), bio, profile photo, and—if you're a coach—credentials, specialties, and business details submitted during application.
Fitness & health information you choose to share. Goals, workout logs, session notes, meal plans, macro targets, weight, measurements, performance metrics, and progress photos. We treat this as sensitive data and apply stricter protections below.
Payment information. Shape uses Stripe for all payments. Card details are entered directly into Stripe; Shape receives only the last four digits, card brand, and transaction status. We never see, store, or transmit full card numbers.
Communications. Messages you send through our in-app chat with coaches, consultation notes, and support requests.
Usage & device. IP address, browser type, device identifiers, pages visited, referring pages, session timestamps, and basic analytics. Collected automatically for security and product improvement.
Third-party fitness, health, and audio connections (optional). Shape only pulls the specific data types you authorize during each provider's OAuth or HealthKit consent flow — nothing more. The services you can currently connect are:
- Apple Health / Apple Watch / Apple Fitness (HealthKit). Workouts, heart rate, activity, sleep, and other metrics you enable in the iOS Health permissions sheet. Available only through the Shape iOS app; HealthKit is not exposed on the web.
- Strava. Activities, routes, and basic profile, via Strava OAuth. See Strava's privacy policy.
- Garmin Connect. Workouts, heart rate, calories, sleep, and similar metrics from your Garmin device, via Garmin's Health API consent flow. See Garmin's privacy policy.
- Whoop. Recovery, strain, sleep, and workout data, via Whoop OAuth. See Whoop's privacy policy.
- Spotify. Basic profile and the playlists you choose to share with Shape (used for in-workout audio). See Spotify's privacy policy.
You can disconnect any of these services from your account settings at any time. Disconnecting stops new data from syncing; previously synced data remains in your Shape account until you delete it (see Section 05).
How we use your information
- Provide core service: account creation, authentication, billing, and matching clients with coaches.
- Personalize your experience: showing relevant trainers/nutritionists, calculating Shape Score, and recommending programs.
- Facilitate coaching: sharing relevant client data with the specific coach(es) a client has subscribed to or booked — never more broadly.
- Handle payments: processing the $5/month membership, coach subscriptions, and one-off purchases through Stripe.
- Operate the platform: fraud detection, debugging, security monitoring, and platform improvements.
- Communicate: transactional email (receipts, booking confirmations, password resets), product updates, and—only if you opt in—marketing.
- Comply with legal obligations, including tax reporting for coaches earning revenue on the platform.
We do not use your fitness or health data to train machine-learning models or sell targeted advertising.
Information sharing & processors
We do not sell your personal information. We share it only in these specific situations:
With the coach(es) you subscribe to or book. A trainer you've subscribed to sees the workout data, goals, and messages relevant to coaching you. A nutritionist you hire sees your meal log and targets. You control the relationship: cancel any time and that coach's ongoing access ends.
With subprocessors who help us run Shape. Each is bound by contract to protect your data and use it only to deliver their service to us.
- Supabase — database, authentication, file storage (hosted in United States / EU regions).
- Stripe — payments, subscriptions, Connect payouts to coaches. See Stripe's privacy policy.
- Vercel — web hosting and edge delivery. See Vercel's privacy policy.
- Cloudflare — DNS and network security.
- Resend — transactional email delivery.
With law enforcement or legal counterparties when required by subpoena, court order, or applicable law, or to protect the rights, safety, and property of Shape or others.
In connection with a business transfer (merger, acquisition, financing) — recipients are bound by this policy.
Data security
Shape uses industry-standard safeguards:
- TLS 1.2+ for all traffic in transit.
- Encryption at rest for database tables and storage.
- Role-based access controls; engineering staff access logged and minimized.
- Short-lived session tokens with automatic rotation.
- Payment data handled only by Stripe (PCI-DSS Level 1).
- Regular dependency audits and vulnerability patching.
No system is perfectly secure. If a breach affects your personal data, we will notify you and any regulator required by law (typically within 72 hours of discovery).
Your rights
Depending on where you live, you may have the right to:
- Access: request a copy of the personal information we hold about you.
- Correct: update inaccurate or incomplete data.
- Delete: request we erase your account and associated data (subject to legal retention needs such as tax records).
- Port: receive your data in a machine-readable format.
- Object or restrict: limit how we process your data.
- Opt out of marketing: unsubscribe links in every marketing email; transactional email cannot be disabled.
California residents (CCPA/CPRA): you additionally have the right to know the categories of personal information collected and shared, and to opt out of any sharing that qualifies as a "sale" or cross-context behavioral advertising — we do not engage in either.
EEA/UK residents (GDPR): our legal bases for processing are (a) contract performance, (b) legitimate interest (security, product improvement), (c) consent for optional analytics and marketing, and (d) legal obligation. You may lodge a complaint with your national data protection authority.
To exercise any right, email christopher.perry@theshapecommunity.com. We verify identity before acting and respond within 30 days.
Cookies & tracking
We use cookies and similar technologies for three purposes:
- Strictly necessary: session cookies that keep you logged in and protect against CSRF. Cannot be disabled without breaking the site.
- Functional: remember your preferences (e.g., dashboard view, active role) across sessions.
- Analytics: Vercel Analytics collects aggregate, anonymized usage data (page views, referrers) to help us improve the product. No cross-site tracking or advertising pixels.
You can block or delete cookies in your browser settings. Doing so may sign you out or disable certain features.
Data retention
We keep personal data only as long as we need it:
- Active accounts: kept for as long as the account is active.
- Deleted accounts: removed within 30 days of your deletion request, except for records we must keep by law (e.g., tax records are retained for 7 years).
- Financial records: retained for 7 years to comply with U.S. tax law.
- Backups: may contain deleted data for up to 90 days before they expire.
- Support correspondence: retained for 2 years.
Children's privacy
Shape is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, email christopher.perry@theshapecommunity.com and we will delete it promptly.
International data transfers
Shape is operated from the United States. If you access Shape from outside the U.S., your personal data will be transferred to, stored in, and processed in the U.S. Where required by law (e.g., for EEA/UK users), we rely on Standard Contractual Clauses approved by the European Commission to legitimize the transfer.
Changes to this policy
We may update this privacy policy. Material changes will be announced via email or in-app notice at least 14 days before taking effect. The "Last updated" date at the top of this page always reflects the current version. Continued use after the effective date means you accept the updated terms.
Contact us
Questions about this policy, or how to exercise a right? Reach us at christopher.perry@theshapecommunity.com or through the contact page. For security reports, please use the same address.