Security
Last updated
Athlemove is operated from Ontario, Canada. This page describes how we protect your data, who we share it with, and how to reach us if you find a problem.
1. Hosting & infrastructure
- Application servers & database — Hetzner (United States region). ISO 27001 certified.
- Email, file storage, CDN, and DNS — Amazon Web Services (United States). AWS is certified to SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, ISO 27701, PCI DSS Level 1, and others.
- Bot protection — Cloudflare Turnstile on sign-up, forgot-password, and contact forms. Cloudflare is SOC 2 Type II, ISO 27001, PCI DSS certified.
All production data is stored in the United States. We're planning to consolidate on AWS as we grow.
2. Encryption
- In transit — All traffic to and from Athlemove uses TLS (HTTPS). HTTP requests are redirected to HTTPS.
- At rest — Files stored in AWS S3 are encrypted at rest by default (AES-256, managed by AWS).
- Passwords — Never stored in plaintext. Hashed with a modern, industry-standard algorithm.
- Session tokens — Short-lived, rotated automatically, single-use where appropriate (such as Client Portal invitation links).
3. Authentication & access
- Email + password sign-in, with Google Sign-In also available for both Trainers and Clients.
- Cloudflare Turnstile protects sign-up, forgot-password, and contact forms from automated abuse.
- Rate limiting on sign-in, authentication, and all sensitive endpoints to prevent credential stuffing and brute-force attacks.
- Production database and infrastructure access is limited to authorized personnel.
4. Payments
We use Stripe to process every payment. Stripe is PCI DSS Service Provider Level 1 certified — the highest tier of payment security.
We never see, transmit, or store credit card numbers, CVCs, or bank details. Card data is captured directly by Stripe's hosted elements and exchanged with Stripe's servers; Athlemove only ever holds a Stripe customer ID and subscription metadata.
Clients are never billed by Athlemove and we collect no payment information from Clients.
5. Data isolation
Your data is yours. No other Trainer on Athlemove can see your Clients, programs, workouts, or notes. Clients can only see the content their own Trainer has shared with them.
6. Backups & recovery
- Daily automated snapshots of the application server and primary database, via Hetzner's managed backup service.
- Backups are retained for a rolling window sufficient to recover from accidental deletion or corruption.
7. Sub-processors
We use the following third parties to operate Athlemove. Each is contractually limited to processing data only for the purpose listed. Certifications link to each vendor's public trust page.
| Vendor | Purpose | Location | Certifications |
|---|---|---|---|
| Hetzner | Application compute & primary database | United States | |
| Amazon Web Services | Email (SES), file storage (S3), CDN (CloudFront), DNS (Route53), image processing (Lambda) | United States | |
| Stripe | Payment processing for Trainer subscriptions | Global (US/EU) | |
| Cloudflare | Bot protection (Turnstile) on sign-up, forgot-password, and contact forms | Global | |
| OpenAI | AI workout/program generation | United States | |
| Google | Sign-In (optional), Google Analytics (website only) | United States | |
| Microsoft | Bing Ads conversion tracking (website only) | United States | |
| Sentry | Error monitoring & application reliability | United States | |
When you use AI workout generation, we send OpenAI the Client's name, age, gender (when set), any AI context you've added, and the workout parameters (sets, reps, equipment, goals). OpenAI does not use API data to train their models. OpenAI may retain prompts for up to 30 days for abuse monitoring, after which they are deleted.
8. Compliance posture
Athlemove is operated as a small business and we do not currently hold independent compliance audits. We do commit to the following frameworks:
- GDPR & UK GDPR — We comply with GDPR and UK GDPR. We honor data subject access, deletion, correction, and portability requests within 30 days. International transfers from the EEA and UK rely on the Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.
- PIPEDA — As an Ontario-based business, we comply with Canada's federal privacy law (PIPEDA).
- Australian Privacy Principles — We voluntarily align our practices with the Australian Privacy Principles under the Privacy Act 1988.
- CCPA / CPRA — Athlemove is below CCPA's revenue and processing thresholds, so the law does not directly apply to us. We voluntarily honor access, deletion, and correction requests from California residents on the same terms.
9. HIPAA
Athlemove is intended for general fitness coaching, not clinical care. We do not sign Business Associate Agreements and the service is not designed or intended for use with Protected Health Information (PHI) as defined under HIPAA. If you're a licensed healthcare provider handling PHI, Athlemove is not the right tool for you.
10. Breach notification
If we become aware of a personal data breach affecting your information, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and we will notify affected users without undue delay where there is a high risk to your rights and freedoms.
11. Reporting a vulnerability
If you discover a security issue in Athlemove, please report it through our Contact Us page. We acknowledge reports within 2 business days.
- Please give us a reasonable window to fix issues before public disclosure.
- We don't run a paid bug bounty, but we will publicly credit researchers who want recognition.
- We won't pursue legal action against researchers who act in good faith and follow responsible disclosure.
Our security.txt is published at https://athlemove.com/.well-known/security.txt.
12. Your data, your control
You can request a copy of your data or delete your account at any time. We do not sell your data, and we do not use it to train AI models. See our Privacy Policy for full details.