Privacy Policy

Last updated: May 26, 2025

MuscleCore (“we”, “us”, or “our”) is committed to protecting your personal data and your privacy. This Privacy Policy explains how we collect, use, store, and protect information when you use our website at musclecore.net (the “Service”).

This policy complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK GDPR where applicable.

1. Data Controller

MuscleCore is the data controller for personal data collected through the Service. For data protection enquiries, contact us at: privacy@musclecore.net

2. What Data We Collect

Account Data

  • Name and email address (when you create an account)
  • Password (stored as a secure one-way hash — never in plain text)
  • Account creation date and last login timestamp

Quiz and Plan Data

  • Your quiz responses (goal, fitness level, training preferences, equipment)
  • Generated workout plans associated with your account

Payment Data

  • Billing address and payment method details are collected by Stripe, Inc. on our behalf
  • We store only the last 4 digits of your card, card brand, and expiry month/year for display purposes
  • We never store full card numbers or CVV codes

Technical Data

  • IP address, browser type, and operating system (for security and analytics)
  • Pages visited and actions taken on the Service (aggregated, anonymised)
  • Cookie identifiers (see Section 8)

3. Legal Basis for Processing (GDPR)

We process your personal data under the following lawful bases:

  • Contract performance: To provide the Service you have purchased and manage your account.
  • Legitimate interests: To improve the Service, prevent fraud, and maintain security.
  • Legal obligation: To comply with tax, financial, and other legal requirements.
  • Consent: For optional marketing communications and non-essential cookies. You may withdraw consent at any time.

4. How We Use Your Data

  • To create and manage your account
  • To generate and deliver personalized workout plans
  • To process payments and manage subscriptions
  • To provide customer support
  • To send transactional emails (account confirmation, password reset, plan delivery)
  • To send marketing emails if you have opted in (you can opt out at any time)
  • To detect and prevent fraud and abuse
  • To comply with legal obligations

5. Data Sharing and Third Parties

We do not sell your personal data. We share data only with:

  • Stripe, Inc. — payment processing. Subject to Stripe's Privacy Policy.
  • Cloud infrastructure providers — for hosting and data storage (EU/EEA or adequacy-decision countries only).
  • Legal authorities — when required by applicable law or to protect our legal rights.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service.

  • Account data: retained for the duration of your account, plus 30 days after deletion
  • Payment records: retained for 7 years to comply with tax and financial regulations
  • Technical logs: retained for up to 90 days

7. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the data we hold about you.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion of your data (“right to be forgotten”).
  • Right to restriction: Request that we limit processing of your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@musclecore.net. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

8. Cookies

We use the following categories of cookies:

  • Strictly necessary: Session cookies required for authentication and security. Cannot be disabled.
  • Functional: Remember your preferences (e.g., notification settings). Can be disabled.
  • Analytics: Anonymised usage data to understand how the Service is used. Requires consent.
  • Marketing: We do not currently use marketing or tracking cookies.

You can manage cookie preferences via the cookie banner shown on your first visit, or through your browser settings at any time.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption for data in transit, encrypted storage for sensitive fields, access controls, and regular security reviews. No method of transmission over the internet is 100% secure. In the event of a data breach affecting your rights, we will notify you and relevant authorities as required by GDPR.

10. International Transfers

Where data is transferred outside the European Economic Area (EEA) or the UK, we ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.

11. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If we become aware that a child has provided us with personal data, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on the Service. The “Last updated” date at the top reflects the most recent revision.

13. Contact

For privacy-related questions or to exercise your rights: privacy@musclecore.net