Privacy Policy

1. Who we are

1.1 System7 Ventures Limited is the controller of your personal data for the purposes of UK GDPR and EU GDPR, and the “business” for the purposes of applicable US state privacy laws.

• Company name: System7 Ventures Limited
• Company number: 15881148
• Registered office: 21 Arlington Street, London, England, SW1A 1RN, United Kingdom
• Contact for privacy matters: support@dr-gains.com

1.2 “Dr Gains” is a brand persona owned by a third party and licensed to System7 for use in the App. System7 alone is the data controller in relation to information you provide through the App.

1.3 Apple Inc. and certain third-party affiliate retailers operate their own services and have their own privacy practices (see Section 7).

2. Scope

This Privacy Policy applies to personal data we collect through:

1. your use of the Dr Gains mobile application on iOS;
2. your communications with us (including support requests);
3. your interactions with any Dr Gains website or online service we operate; and
4. any purchases of products or services directly from us.

It does not apply to third-party services you access through the App — please refer to their own privacy policies.

3. Personal data we collect

We collect the following categories of personal data.

3.1 Information you provide directly

• Account data: name, email address, password (hashed), date of birth (to verify 18+), country, and, where you register via Sign in with Apple or Google OAuth, the identifier and limited profile information those providers share with us.
• Profile and fitness data: height, weight, training experience, goals, preferences.
• Health-related data (special category): blood pressure readings (systolic and diastolic), workout logs (exercises, weights, reps, sets), one-rep max and BFR calculator inputs, supplement names / doses / timings, session completion data, and any health information you choose to share through the AI Chat.
• Purchase data: purchases of subscriptions, program unlocks, and physical products, including order history; payment card details are not stored by us (see Section 3.3).
• Communications: messages you send to us, support tickets, AI Chat messages and history, survey responses.
• Marketing preferences: consent and preferences for email and in-app messages.

3.2 Information we collect automatically

• Device and technical data: device type and model, operating system version, IP address, device identifiers, crash data, performance and diagnostic data (via Sentry).
• Usage data: features used, screens viewed, time spent, interaction events, session data.
• Approximate location: derived from IP address (we do not collect precise GPS location).

3.3 Information we do not collect or store

• Payment card details are handled directly by Apple (for App Store purchases) or Stripe (for direct sales). We receive confirmation of transactions and limited metadata only; we never see or store your full card details.
• Precise location, photos, or camera/microphone content.
• Government-issued identifiers such as National Insurance or Social Security numbers.

3.4 Information from integrations

If you choose to connect Apple Health, we receive only the specific categories of data you authorise (for example, workout data, heart rate, or body measurements). You can disconnect at any time in iOS Settings. We do not use Apple Health data for advertising and we do not share Apple Health data with third parties except as needed to provide the service you requested, in line with Apple's HealthKit guidelines.

4. How we use your personal data and legal basis

We use your personal data for the purposes set out below. Under UK/EU law we rely on the following legal bases.

Where we rely on legitimate interests, we have carried out a balancing assessment and believe our interests do not override your rights. You can request details of that assessment from us.

Where we rely on consent — particularly for health-related data and marketing — you can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawing consent to process health-related data will prevent us from providing most of the App's features.

5. AI Chat (“Ask Dr. Gains”) — how it works

5.1 The AI Chat feature is powered by a large language model operated by OpenAI, L.L.C. (“OpenAI”). When you send a message:

1. your message (and relevant prior messages in the conversation, to provide context) is transmitted to OpenAI via its API;
2. OpenAI processes the message and returns a response;
3. we display the response to you and store both the message and response on our servers.

5.2 OpenAI and training. OpenAI states that, by default, it does not use API inputs or outputs to train its models. We have not opted in to any training arrangement. However, OpenAI may retain API data for a limited period for abuse monitoring and compliance. For the most up-to-date information, please refer to OpenAI's API data usage policies.

5.3 System7 and personalisation. We may retain your AI Chat history and use it, in combination with your other in-App data, to personalise what you see in the App — for example, to tailor programme recommendations, on-screen suggestions, and the style or content of future AI responses to you. We do not use your AI Chat content to train any general-purpose AI model and we do not share your AI Chat content with advertisers.

5.4 Please do not share information through the AI Chat that you are not comfortable being processed as described above. In particular, we recommend you do not share highly sensitive personal information unrelated to fitness (for example, detailed mental-health disclosures, government identifiers, or financial account information).

6. Special category (health) data

6.1 Some of the data you provide — blood pressure readings, workout performance, body measurements, supplement intake, and health-related information you volunteer through the AI Chat — constitutes “special category data” under Article 9 of the UK/EU GDPR, and “sensitive personal information” under several US state laws.

6.2 We process this data only with your explicit consent, given at sign-up and re-confirmed as appropriate within the App. You can withdraw your consent at any time by contacting us or through the App's settings; withdrawal will prevent further processing of that data but will not affect processing before withdrawal.

6.3 We apply additional safeguards to special category data: it is encrypted in transit and at rest, access is restricted to personnel who need it to provide the service, and it is retained only for as long as necessary (see Section 9).

7. Who we share your data with

We do not sell your personal data. We share it with the following categories of recipients, under contracts that require them to protect your data:

7.1 Service providers (processors) acting on our behalf

7.2 Affiliate retailers

When you purchase an affiliate product through a link in the App, you are taken to the retailer's own site. Those retailers are independent controllers of the data you provide to them; we may receive confirmation of commissionable purchases but do not receive your payment details.

7.3 Corporate transactions

If System7 is involved in a merger, acquisition, restructuring, asset sale, or insolvency, personal data may be transferred to the relevant counterparty or its advisers, subject to appropriate protections.

7.4 Legal and safety

We may disclose personal data where we reasonably believe it is required to (a) comply with law, legal process, or a lawful request from a public authority; (b) enforce our Terms; (c) protect our rights, property, or safety, or that of users or the public; or (d) detect, prevent, or address fraud, security, or technical issues.

7.5 With your consent or at your direction

We may share personal data with others where you have asked or authorised us to do so.

8. International data transfers

8.1 Some of our service providers are located outside the UK / EEA, particularly in the United States. When we transfer personal data outside the UK / EEA, we rely on one or more of the following safeguards:

1. Adequacy decisions where available (for example, transfers to organisations certified under the UK Extension to the EU–US Data Privacy Framework, or to countries subject to an adequacy decision by the UK Government or European Commission);
2. Standard Contractual Clauses (the UK International Data Transfer Agreement / Addendum or the European Commission's SCCs), supplemented where appropriate by additional technical and organisational measures; or
3. your explicit consent, where appropriate.

8.2 You may request a copy of the safeguards applicable to a specific transfer by contacting us.

9. How long we keep your data

9.1 We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer period is required by law. Our general retention periods are:

• Account data: for as long as your Account is active, and for up to 6 years after closure (for legal, tax, and defence-of-claims purposes).
• Health-related data: for as long as your Account is active; on Account closure we delete or anonymise this data within 90 days, save where we are required to retain it by law or for the defence of legal claims.
• AI Chat history: for as long as your Account is active, or until you delete individual chats from the App; on Account closure, within 90 days.
• Purchase and transaction records: for 7 years, as required by UK tax and commercial law.
• Marketing preferences: until you withdraw consent, and a suppression record thereafter.
• Technical and crash data: typically 90 days, occasionally longer for security investigations.

9.2 Where we anonymise personal data (so that it can no longer be associated with you), we may retain and use the anonymised data indefinitely.

10. Your rights

10.1 UK and EEA users

Under UK GDPR and EU GDPR, you have the following rights, subject to certain conditions and exceptions:

1. Right of access — to obtain a copy of the personal data we hold about you.
2. Right to rectification — to have inaccurate or incomplete data corrected.
3. Right to erasure (“right to be forgotten”) — to request that we delete your data.
4. Right to restrict processing — in certain circumstances.
5. Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
6. Right to object — to processing based on legitimate interests, and to direct marketing at any time.
7. Right to withdraw consent — at any time, where processing is based on consent.
8. Right not to be subject to solely automated decisions that produce legal or similarly significant effects on you. We do not currently make such decisions.

To exercise any of these rights, contact us at support@dr-gains.com. We will respond within one month (extendable by a further two months for complex requests).

You also have the right to lodge a complaint with a supervisory authority:

• UK: Information Commissioner's Office (ICO), www.ico.org.uk, 0303 123 1113.
• EEA: the data protection authority in your country of residence.

10.2 US state privacy rights (California, Colorado, Connecticut, Virginia, Utah, and other applicable states)

Depending on your state of residence, you may have rights including:

1. the right to know what personal information we have collected about you, and to obtain a copy;
2. the right to delete personal information, subject to exceptions;
3. the right to correct inaccurate personal information;
4. the right to opt out of “sales” and “sharing” of personal information and of targeted advertising — we do not sell personal information or share it for cross-context behavioural advertising;
5. the right to limit the use and disclosure of sensitive personal information;
6. the right to non-discrimination for exercising your rights.

California residents may make requests via support@dr-gains.com. You may use an authorised agent; we will require verification of the agent's authority. We will verify your request against information we hold in your Account.

10.3 How to make a request

Email support@dr-gains.com from the address associated with your Account, describing your request. We may need to verify your identity (for example, by confirming details on your Account) before responding.

11. Security

11.1 We implement technical and organisational measures designed to protect personal data, including:

• encryption of personal data in transit (TLS) and at rest;
• access controls and least-privilege access for personnel;
• secure software development and regular dependency review;
• logging and monitoring (including Sentry for error reporting);
• vendor due diligence for sub-processors;
• breach detection and incident response procedures.

11.2 No system is 100% secure. You are responsible for keeping your Account credentials confidential. If you suspect unauthorised access to your Account, notify us immediately.

11.3 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority as required by law.

12. Children

The App is not directed at, and we do not knowingly collect personal data from, individuals under 18. If you believe a minor has provided us personal data, contact us and we will delete it.

13. Cookies and similar technologies

13.1 The mobile App does not rely on traditional web cookies but uses similar technologies such as local storage, SDKs, and device identifiers for authentication, session management, analytics, and crash reporting.

13.2 Any website we operate may use cookies; in that case a separate cookie notice and consent mechanism will be presented on the website.

13.3 You can reset your device's advertising identifier or limit ad tracking in your device's settings. We do not use your data for cross-context behavioural advertising.

14. Marketing communications

14.1 We may send marketing messages by email or in-app notification where you have consented. You can opt out at any time by using the unsubscribe link in any marketing email, adjusting your notification settings, or contacting us.

14.2 You will continue to receive transactional messages (for example, receipts, security alerts, and important Account notices) regardless of marketing preferences.

15. Automated decision-making

We use algorithms to personalise recommendations and in-app content (for example, to suggest programme steps or adapt AI Chat responses). These adjustments are not legal or similarly significant decisions about you within the meaning of GDPR Article 22, and a human reviews any consequential decisions (such as Account termination).

16. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to you through the App and/or by email. The “Last updated” date at the top of this Policy indicates when it was last revised. Continued use of the App after changes take effect constitutes acknowledgement of the updated Policy; where the changes require your consent, we will ask for it.

17. Contact us

For any questions, requests, or complaints about this Privacy Policy or our handling of your personal data:

If you are not satisfied with our response, you may contact the UK Information Commissioner's Office at www.ico.org.uk, your local EU data protection authority, or the relevant US state Attorney General's office.