Privacy Policy
Last updated: 3 March 2026
1. Who We Are
Hybrid Training Plan ("the Service", "we", "us", "our") is operated by STELLAR ENGINEERS LTD, registered in England and Wales (Company Number: 16220494), with its registered office at 3rd Floor, 86-90 Paul Street, London, England, EC2A 4NE.
STELLAR ENGINEERS LTD is the data controller for personal data collected through this Service. For data-related queries, contact us at privacy@hybridtrainingplan.app.
2. Data We Collect
2.1 Account Data
- Email address and password (stored as a hashed value — we never see your raw password)
- Date of birth (used to determine age eligibility and plan personalisation)
- Gender (used for plan personalisation)
- Timezone (used for scheduling and notifications)
- Distance unit preference (km or miles)
- Referral code (if applicable)
2.2 Fitness Profile Data
Collected during onboarding and used to generate your training plan:
- Primary training goal (e.g. hybrid, running race, HYROX, strength, weight loss)
- Target event details (race type, date, target time)
- Available training days and session duration preferences
- Running data (weekly mileage, pace, recent race times, experience level)
- Strength data (experience level, lift style, exercise maxes / 1RMs)
- Equipment access and available gym kit
- Lifestyle factors (sleep quality, job activity level, recovery capacity)
- Exercise preferences and dislikes
2.3 Health Data (Special Category)
We collect data that may constitute health data under UK GDPR Article 9, including:
- Current injuries (body part, severity, description)
- Movement restrictions (e.g. no overhead pressing, no impact activity)
- Medical clearance status
This data is processed only with your explicit consent, which you provide when completing onboarding. You may withdraw consent at any time, though this may affect our ability to generate safe, personalised plans for you.
2.4 Performance and Training Data
- Workout session logs (exercises performed, sets, reps, weights)
- Run session logs (distance, duration)
- Exercise 1RM records
- Completed training days
- Session notes you choose to add
2.5 Payment and Credit Data
- Credit balance and transaction history (plan purchases, mutations, bonuses, refunds)
- Stripe customer ID (used to link your account to Stripe — we do not store card numbers)
Card details are collected and stored exclusively by Stripe. We only receive confirmation of payment success and a Stripe customer reference.
2.6 Technical and Usage Data
- IP address
- Browser type and version, operating system, device type
- Pages visited and features used
- Date and time of access
- Referring URLs
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Create and manage your account | Performance of a contract |
| Generate personalised training plans | Performance of a contract |
| Process credit purchases and manage your balance | Performance of a contract |
| Process health and injury data to ensure safe plan generation | Explicit consent (Art. 9 UK GDPR) |
| Send transactional emails (receipt, plan ready, account alerts) | Performance of a contract |
| Send product updates and feature announcements | Legitimate interests (you may opt out at any time) |
| Improve the Service and train plan generation quality | Legitimate interests |
| Fraud prevention and security | Legitimate interests / Legal obligation |
| Comply with legal obligations | Legal obligation |
4. Third Parties We Share Data With
We do not sell your personal data. We share data with the following service providers as necessary to operate the Service:
Stripe
Payment processing. Stripe may process your data in the United States. Transfers are protected by Standard Contractual Clauses. See Stripe's Privacy Policy.
Vercel
Cloud hosting and infrastructure. Your data may be processed on Vercel's servers, which may be located in the US or EU. See Vercel's Privacy Policy.
Other Disclosures
We may also share data:
- With law enforcement or regulators when required by law
- To protect the rights, property, or safety of STELLAR ENGINEERS LTD, our users, or others
- In connection with a merger, acquisition, or sale of the business (you will be notified in advance)
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Until account deletion, plus 30 days |
| Training plans and session logs | Until account deletion, plus 30 days |
| Payment and credit transaction records | 7 years (UK tax and accounting law) |
| Technical and usage logs | Up to 12 months |
| Backup data | Up to 90 days after deletion request |
6. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restrict processing — ask us to limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — withdraw consent for health data processing at any time
To exercise any of these rights, contact us at privacy@hybridtrainingplan.app. We will respond within 30 days. We may ask you to verify your identity before processing your request.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including encrypted connections (TLS), hashed passwords, and access controls. However, no internet transmission is completely secure. You use the Service at your own risk and are responsible for keeping your login credentials confidential.
In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO as required by law.
8. International Data Transfers
Some of our service providers process data outside the UK/EEA (primarily in the United States). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK ICO or the European Commission, or transfers to countries with an adequacy decision.
9. Children's Privacy
The Service is available to users aged 13 and over. We do not knowingly collect personal data from children under 13. If you are between 13 and 17, a parent or legal guardian must have agreed to these terms and this Privacy Policy on your behalf.
If you believe we have inadvertently collected data from a child under 13, please contact us immediately at privacy@hybridtrainingplan.app and we will delete it promptly.
10. Cookies
We use essential cookies to keep you logged in and to maintain your session. We may also use analytics cookies to understand how the Service is used. You can control cookies through your browser settings, though disabling essential cookies will prevent you from using the Service.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or a notice within the Service before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact Us
For any privacy-related queries or to exercise your rights:
- Email: privacy@hybridtrainingplan.app
- Company: STELLAR ENGINEERS LTD
- Address: 3rd Floor, 86-90 Paul Street, London, England, EC2A 4NE