At FirstRep, we take your privacy seriously. This Privacy Policy explains how FirstRep, Inc. ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our fitness coaching platform, website, and mobile applications (collectively, the "Service"). By using the Service, you consent to the practices described in this policy.
1. Information We Collect
We collect information to provide and improve the Service. The types of information we collect include:
Account Information:
- Name, email address, and profile photo
- Account type (trainer or client)
- For trainers: certifications, specializations, bio, and business information
- For clients: fitness goals, experience level, and preferences
Fitness and Health Data:
- Body measurements (weight, body fat, circumference measurements)
- Workout logs (exercises, sets, reps, weights, duration)
- Nutrition logs (food entries, macronutrient data, calorie intake)
- Progress photos uploaded by you
- Health questionnaire responses and injury reports
- Personal records and performance metrics
Usage Data:
- Device information (type, operating system, browser)
- App usage patterns, feature interactions, and session duration
- IP address and approximate location
- Crash reports and performance data
Payment Information:
- Billing name and address
- Transaction history and subscription status
- Note: Credit card numbers and bank account details are processed and stored exclusively by Stripe. FirstRep never has access to your full payment card information.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To create and manage your account, deliver workouts and programs, track your progress, and facilitate the trainer-client relationship
- Communication: To send you notifications about workouts, check-ins, messages from your trainer or clients, and important account updates
- Platform improvement: To analyze usage patterns, fix bugs, improve features, and develop new functionality
- AI-powered features: To generate workout suggestions, detect personal records, compute compliance metrics, and provide automated coaching insights (all processed in aggregate or within your coaching relationship)
- Safety and security: To detect and prevent fraud, abuse, and security threats
- Legal compliance: To comply with applicable laws, regulations, and legal processes
3. Data Sharing
We do not sell your personal information to third parties. We share information only in the following circumstances:
- With your trainer (clients): When you subscribe to a trainer, they can access your workout logs, progress data, body stats, nutrition logs, check-in responses, and messages. This is essential for delivering coaching services. Trainers cannot see data from other trainers you may work with.
- With your clients (trainers): Clients can see your public profile, certifications, reviews, and any programs or content you assign to them.
- Stripe: We share necessary information with Stripe to process payments, manage subscriptions, and handle payouts. Stripe's privacy practices are governed by its own Privacy Policy.
- Service providers: We may share data with trusted third-party service providers who assist us in operating the platform (hosting, analytics, email delivery), subject to strict confidentiality agreements.
- Legal requirements: We may disclose information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect rights, safety, or property.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
4. Data Security
We implement robust security measures to protect your information:
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest
- Infrastructure: We use Supabase, built on top of enterprise-grade PostgreSQL, with industry-standard security practices
- Row Level Security (RLS): Database-level access controls ensure that users can only access data they are authorized to see. Every table in our database has RLS policies enforced.
- Authentication: Secure authentication with encrypted password storage and optional multi-factor authentication
- Access control: Internal access to user data is strictly limited to authorized personnel who require it for their job functions
- Regular audits: We conduct regular security reviews and vulnerability assessments
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.
5. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: You can request a copy of the personal data we hold about you
- Correction: You can update or correct inaccurate information through your account settings or by contacting us
- Deletion: You can request deletion of your account and associated data. Some data may be retained as required by law or for legitimate business purposes (e.g., transaction records)
- Data portability: You can request an export of your data in a structured, commonly used format
- Restriction: You can request that we restrict processing of your data in certain circumstances
- Objection: You can object to certain types of data processing, including direct marketing
- Withdraw consent: Where processing is based on consent, you can withdraw it at any time
To exercise any of these rights, please contact us at baraa@firstrep.fit. We will respond to your request within 30 days.
6. Progress Photos and Health Data
We recognize the sensitive nature of fitness-related data, particularly progress photos and health information. We apply additional protections to this data:
- Private storage: Progress photos are stored in a private, access-controlled storage bucket. They are never publicly accessible.
- Limited sharing: Your progress photos and detailed health data are only visible to you and the trainer(s) you are actively subscribed to. Other users, including other trainers, cannot see this information.
- No AI training: We do not use your progress photos or health data to train machine learning models
- Deletion: When you delete a progress photo or your account, the files are permanently removed from our storage systems
- Health questionnaires: Responses to intake forms and health questionnaires are encrypted and accessible only to you and your assigned trainer
7. Cookies and Tracking
Our website and platform may use cookies and similar tracking technologies:
- Essential cookies: Required for the platform to function (authentication, session management). These cannot be disabled.
- Analytics cookies: Help us understand how users interact with the platform to improve the experience. You can opt out of these.
- Performance cookies: Monitor platform performance and help us identify and fix issues
You can manage cookie preferences through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the platform.
8. Children's Privacy
The FirstRep platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18 without verified parental consent, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at baraa@firstrep.fit.
9. International Data Transfers
FirstRep is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers maintain facilities. By using the Service, you consent to the transfer of your information to countries whose data protection laws may differ from those of your country of residence.
For users in the European Economic Area (EEA), we rely on standard contractual clauses and other appropriate safeguards for international data transfers.
10. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. After account deletion, we may retain certain data for a limited period as required by law (e.g., tax and financial records) or for legitimate business purposes (e.g., resolving disputes). Anonymized or aggregated data that cannot identify you may be retained indefinitely for analytics and platform improvement.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email or an in-app notification
- Where required by law, obtain your consent before applying changes
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
FirstRep, Inc.
Privacy Team
Email: baraa@firstrep.fit
San Francisco, CA, United States
For data protection inquiries from the EEA, you may also contact your local data protection authority.