PX | Privacy Policy
Effective from 09.07.2026 · Version 2.2
1. Introduction
1.1 This Privacy Policy explains how Pursue Excellence Ltd and its affiliates (“PX”, “we”, “our”, “us”) collect, use, share and protect personal information when you use the PX mobile applications, the PX website at pxmembership.com, and any related services (together, the “Services”). 1.2 PX is an AI-native operating system for human performance. The Services include an AI coach across training, nutrition, mindset, recovery and longevity. By design, the Services collect and process information about your body, your habits, your goals and your daily life. We take that responsibility seriously, and this Policy sets out the rules we hold ourselves to. 1.3 This Policy applies globally. Where local laws give you additional rights — including under the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Australian Privacy Act 1988, and the comprehensive privacy laws of other US states — those additional rights are described in Section 11. 1.4 By using the Services, you confirm that you have read and understood this Policy. If you do not agree with this Policy, you should not use the Services.
2. Who we are
2.1 The data controller responsible for your personal information is: Pursue Excellence Ltd — a private limited company incorporated in England and Wales under the Companies Act 2006. Company Number: 16333455. Date of incorporation: 21 March 2025. Registered office: Office 12115, 182–184 High Street North, East Ham, London E6 2JA, United Kingdom. Contact: support@pxmembership.com 2.2 The Australian operating company responsible for product development and day-to-day services is: Pursue Excellence Pty. Ltd. — an Australian Proprietary Company, Limited By Shares. ACN: 698 671 297. ABN: [TO BE ASSIGNED]. Date of registration: 2 June 2026. Registered office: 7 Mandolin Avenue, Helensvale QLD 4212, Australia. Contact: support@pxmembership.com Note on ABN status: At the time of publication, an ABN had not yet been assigned to Pursue Excellence Pty. Ltd. This policy will be updated once the ABN is issued. The ACN remains the company’s primary registered identifier in the interim. 2.3 For users in the European Economic Area (EEA), our EU Representative under GDPR Article 27 is: [TO BE APPOINTED — engagement in progress with counsel]. 2.4 For users in the United Kingdom, our UK Representative under UK GDPR Article 27 is: [TO BE APPOINTED — engagement in progress with counsel]. 2.5 Privacy enquiries can be sent to support@pxmembership.com with “Privacy” in the subject line. We treat all privacy correspondence as a priority and respond within the timeframes set out in this Policy.
3. Definitions
The following defined terms are used throughout this Policy:
| Term | Meaning |
|---|---|
| “Account” | Your registered PX user account. |
| “AI Coach” | The artificial-intelligence coaching system that delivers personalised guidance across the Move, Mind and Fuel pillars. |
| “Health Data” | Information about your physical health, fitness, sleep, recovery, biometrics, body composition and related parameters, whether you log it directly or it is received from a Wearable Integration. |
| “Personal Information” | Any information that identifies, relates to, describes, or could reasonably be linked with you, directly or indirectly. |
| “Premium” | The paid subscription tier of the Services. |
| “Services” | The PX mobile applications, website, and any related products or services we provide. |
| “Sub-processor” | A third-party provider that processes Personal Information on our behalf under our instructions. |
| “Wearable Integration” | A third-party device or service (such as Apple Health, Google Health Connect, Oura, or Terra) that you choose to connect to your Account so that data can flow into the Services. |
4. Information we collect
We collect Personal Information in three ways: information you provide to us, information we collect automatically when you use the Services, and information we receive from third parties you choose to connect.
4.1 Information you provide to us
When you create an Account and use the Services, you may provide:
- Identity information: name, date of birth, sex, country of residence, profile photo.
- Contact information: email address, and optionally phone number.
- Authentication information: password (stored as a salted, irreversible hash), or third-party sign-in tokens (Sign in with Apple, Google).
- Health and lifestyle information: your training history, injuries, dietary preferences and restrictions, sleep patterns, stress levels, goals, life context, occupation, family circumstances, communication style preferences, and any other context you provide during onboarding or in ongoing conversation with the AI Coach.
- Logged activity: workouts you complete, meals you log, hydration, mood and biometric self-reports, mindfulness sessions, body scans (if you opt in), and any other activity you record in the Services.
- Conversation content: messages you send to the AI Coach, including voice transcripts where you use voice features.
- Community content: posts, comments, reactions, and other content you publish in the Community feature.
- Payment information: where you subscribe through a payment processor (Apple, Google, or Stripe), they collect your payment details directly. We receive transaction confirmation, subscription status, and a token identifying the transaction, but we do not see or store your full card number.
- Support information: any information you provide when contacting our support team.
4.2 Information we collect automatically
When you use the Services, we automatically collect:
- Device information: device model, operating system and version, app version, device identifiers, language and locale settings, time zone.
- Usage information: features you use, sessions you start and complete, screens you view, in-app actions you take, performance and crash data.
- Network information: IP address, internet service provider, general location derived from IP (city or region level only — we do not collect precise location unless you specifically enable a location-based feature).
- Diagnostic information: error logs, crash reports, performance traces.
- Cookies and similar technologies: on the website, we use cookies as described in Section 17.
4.3 Information from third parties
With your explicit permission, we receive information from Wearable Integrations and other third-party services you connect:
- Apple HealthKit: HR, HRV, resting HR, sleep stages, steps, active calories, respiratory rate, nutrition, mindful minutes, and other health metrics you grant us permission to read.
- Google Health Connect: activity, vitals (including BP, SpO₂), body composition, glucose, nutrition, sleep, and other categories you grant us permission to read.
- Oura: activity, sleep, readiness, resilience, stress, HR / HRV, SpO₂, VO₂ max, cardiovascular age.
- Terra: data from any of 500+ wearables and health apps that you connect through the Terra aggregator (including Garmin, Fitbit, WHOOP, Polar, Samsung Health, Withings, Suunto, Wahoo, Coros, Eight Sleep, Strava, Peloton, Zwift, TrainingPeaks, MyFitnessPal, Cronometer, continuous glucose monitors, blood-test providers, and others).
- Calendar integrations: where you connect Google Calendar, Outlook (via Microsoft Graph), or Apple Calendar, PX reads your calendar events — including their name, start and end time, busy/free status, and location — to display your schedule in the app and to plan PX sessions around your existing commitments. PX processes this on your device and does not read attendees or event notes/description. This information is not transmitted to PX’s servers, is not used to train or prompt the AI Coach, and PX never accesses event attendees, notes, or descriptions. Data minimisation is enforced at the network layer so attendees, notes and descriptions are never even returned to the device. Our use of Microsoft Graph calendar data is likewise limited to reading the same event details to display your schedule and plan sessions, consistent with Microsoft’s API terms, and Apple Calendar data is read on-device via EventKit.
- Authentication providers: where you sign in with Apple or Google, the provider tells us your verified email address and (with your permission) basic profile information.
You can disconnect any Wearable Integration or third-party connection at any time in Account settings. Doing so will stop new data flowing from that source.
4.3.1 Writing PX sessions to your calendar
When PX adds a session (workout, meditation, or recovery block) to your calendar, PX does so directly through your device’s calendar or your calendar provider — PX’s servers are not involved in creating the event. PX can add sessions you choose to save; it cannot edit or delete your existing calendar events.
- For Apple Calendar: PX uses Apple’s native EventKit on your device. The system calendar sheet opens, and you save the event to your local calendar yourself.
- For Google Calendar and Outlook: PX builds a standard “create event” link (Google Calendar / Outlook deep-link) and opens it on your device. The event is created by your Google or Microsoft account directly; PX’s backend has no role in writing the event.
The only thing PX stores locally is an optional on-device session cache that allows PX to rehydrate the workout detail when you return to it. PX does not record on its servers which calendar events you have created.
4.4 Information about other people
If you invite a friend to PX, refer someone using a referral link, or interact with another user in the Community, we receive Personal Information about those individuals (such as their email address or username). We use that information only for the limited purpose for which you provided it.
4.5 Special category data
Some of the information you provide or that we collect is “special category personal data” under the GDPR and UK GDPR, “sensitive personal information” under the CPRA, and “sensitive information” under the Australian Privacy Act. This includes:
- Health data
- Biometric data (where you opt in to body scans)
- Information that reveals racial or ethnic origin, religious beliefs, or sexual orientation (where you choose to disclose this in conversation with the AI Coach or in Community content)
We process special category data only where (a) you have given us your explicit consent, (b) it is necessary for the provision of the Services you have requested, or (c) another lawful basis under applicable law applies. You can withdraw consent at any time by adjusting your settings or by contacting us.
4.6 Children
The Services are intended for people aged 18 years and older. We do not knowingly collect Personal Information from anyone under 18. If we learn we have collected information from a person under 18, we will delete it as soon as practicable. If you believe we have collected information about a person under 18, please contact support@pxmembership.com.
5. How we use your information
We use Personal Information to provide, personalise and improve the Services, and for the other purposes set out below.
5.1.1 To deliver the Services
- Create and manage your Account.
- Authenticate you when you sign in.
- Deliver personalised coaching across Move, Mind and Fuel through the AI Coach.
- Generate, adjust and remix workouts, meal plans, mindfulness sessions and recovery protocols.
- Compute scores (PX Score, longevity metrics, healthspan capture, biological age direction) from the information you provide and receive.
- Synchronise data with Wearable Integrations you connect.
- Process subscriptions, payments and refunds (via Apple, Google, RevenueCat and Stripe).
- Send service-related communications (account confirmations, billing receipts, security alerts).
- Provide customer support and respond to your requests.
5.1.2 To personalise and improve
- Adapt coaching to your patterns, preferences and goals over time.
- Maintain a persistent memory of insights about you that improves the quality of the AI Coach over time (you can review and delete these insights at any time).
- Compute analytics to understand which features are working and which are not.
- Detect and prevent abuse, fraud, security incidents and violations of our Terms of Use.
5.1.3 To communicate with you
- Send transactional emails (account, billing, security).
- With your consent, send optional product updates, educational content and offers.
- Conduct optional surveys, research and product testing.
5.1.4 To comply with the law and protect rights
- Comply with legal obligations, including responding to lawful requests from authorities.
- Enforce our Terms of Use and other agreements.
- Establish, exercise or defend legal claims.
- Protect the rights, property and safety of PX, our users, and the public.
5.2 Lawful bases (EU / UK)
If you are in the EEA or the UK, we rely on the following lawful bases under the GDPR and UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Providing the Services you have requested | Performance of a contract (Article 6(1)(b)) |
| Processing health data and other special categories | Your explicit consent (Article 9(2)(a)) |
| Sending transactional and service communications | Performance of a contract (Article 6(1)(b)) |
| Sending marketing communications | Your consent (Article 6(1)(a)) |
| Improving the Services, fraud prevention, analytics | Our legitimate interests (Article 6(1)(f)), balanced against your interests and rights |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
| Establishing, exercising or defending legal claims | Our legitimate interests, or legal obligation (as applicable) |
Where we rely on consent, you may withdraw it at any time. Where we rely on legitimate interests, you may object to the processing — see Section 11.
5.3 We do not sell your Personal Information
We do not sell your Personal Information for money, and we do not “sell” or “share” your Personal Information for cross-context behavioural advertising as those terms are defined under the CPRA and other US state laws. We do not use your Health Data or AI Coach conversations to train any general-purpose AI model. Our third-party AI providers are engaged on their commercial, business or paid API tiers, under terms that — with the limited exception of our voice provider (see Section 6.4) — do not permit them to use your prompts or our outputs to train their general-purpose models, and never permit the use of your data for advertising.
6. The AI Coach, third-party AI providers, and your explicit consent
In plain language: To coach you, PX sends your messages and the fitness and health details needed to answer them to specialist AI companies that run the models behind the AI Coach. Anthropic (Claude) is our primary provider and handles all generative coaching; OpenAI and Google are used only as backups for short, structured tasks (for reliability if Anthropic is unavailable, or, where enabled, for cheaper structured tasks that have been shown to be equally accurate); and ElevenLabs converts text replies into speech for voice features. All of them process your data in the United States, solely to generate your result. We never sell this data and never use it for advertising. You decide whether to turn AI features on, and you can turn them off at any time. This Section 6 also satisfies Apple App Store Review Guidelines 5.1.1(i) and 5.1.2(i), which require explicit disclosure of, and informed user consent to, the sharing of personal data with third-party AI services. By turning on and using the AI Coach, you give your explicit consent (via the AI Consent screen during onboarding) to the data flows described in this section.
6.1 Our AI providers
PX uses a small number of third-party AI providers to deliver coaching. We use them on their commercial, business or paid API tiers — never their free consumer products. When you use AI features, the following data is sent solely to generate your result:
- Anthropic, PBC (Claude) — our primary provider, used for all generative coaching: chat with PX, session and plan generation, your daily briefing, and food-photo and body-scan analysis. We send your messages, any images or files you attach, and the context PX assembles to personalise the response (your goals, profile, and the training, nutrition, sleep and health data you have shared). PX uses Anthropic’s commercial API. Under Anthropic’s Commercial Terms your inputs and outputs are not used to train Anthropic’s models; Anthropic deletes API inputs and outputs within 30 days, except where a longer period is required to investigate a policy violation or by law.
- OpenAI, L.L.C. — a fallback provider, used only for short, structured tasks (for example, classifying or formatting a piece of text) when Anthropic is unavailable, or, where we enable it, for such structured tasks that are cheaper and have been shown to be equally accurate. OpenAI receives only the specific structured request and the minimal context needed to complete it — not your full conversation. PX uses OpenAI’s API. Under OpenAI’s API terms, data submitted through the API is not used to train OpenAI’s models by default; OpenAI retains API data for up to 30 days for abuse monitoring and then deletes it, except where a longer period is required by law.
- Google LLC (Gemini API / Google Cloud) — a second fallback provider for the same short, structured tasks as OpenAI. Google receives only the specific structured request and the minimal context needed to complete it. PX uses the paid tier of Google’s Gemini API (and/or Vertex AI) — never the free tier. On the paid tier, Google does not use your prompts or responses to train or improve its models; Google retains data only transiently for abuse monitoring (up to 55 days on the Gemini API, or up to 90 days on Vertex AI and only where content is flagged for review) and then deletes it.
- ElevenLabs, Inc. — text-to-speech for the voice coach, breathwork and meditation. We send only the text to be spoken (the AI Coach’s reply); ElevenLabs returns audio. Important: unlike our text providers above, ElevenLabs’ standard terms allow it to retain submitted content and to use it to improve its services. See Section 6.4 for how PX limits this.
Speech-to-text (converting your spoken words to text) uses your device’s built-in Apple or Google speech recognition, governed by your device permissions; your voice recordings are not sent to our AI providers. You can withdraw AI consent at any time in Settings → Privacy, which disables AI coaching features.
6.1.1 What we send to our AI providers
When you interact with the AI Coach, we transmit the following categories of personal information to our AI providers to generate a response. Anthropic, as the primary provider, may receive all of these; the OpenAI and Google fallbacks receive only the subset needed for the specific structured task they perform:
- the message you send (text or voice transcript);
- relevant parts of your PX profile (your goals, preferences, training context, dietary context, and the health constraints you have shared with us);
- recent conversation history with the AI Coach;
- structured insights we have extracted from your prior conversations (the “memory” the AI Coach references — see Section 6.6);
- your current biosignals where available (e.g., HRV, sleep score, recovery readiness, training load);
- system context required for the response (which agent is being addressed, current scoring state, active coaching flags).
What we do not share with our AI providers
- your name, email address, phone number, payment information, postal address, or any other directly identifying personal information that is not required for the response;
- your account credentials;
- your raw calendar event content (see Section 4.3);
- any content from third-party services that is not required for the response.
6.2 Explicit consent obtained before any AI processing
PX obtains your explicit consent to the data sharing described in this Section 6 through a dedicated AI Consent screen presented during onboarding, before any personal data is sent to any AI provider. You must grant this consent before any AI processing takes place, and you cannot interact with the AI Coach until you have done so. You may withdraw your consent at any time in the app — in Settings → Privacy, by ceasing to use the AI Coach, or by deleting your Account. Withdrawing consent disables the AI features and stops further AI processing of your data; it does not affect the lawfulness of processing carried out before the withdrawal.
6.3 How our AI providers handle and protect your data
We engage our AI providers as Sub-processors under data-protection terms. On the commercial and paid tiers we use, our providers:
- process the data we send only to generate your result and for limited abuse-monitoring, security and legal-compliance purposes;
- do not use your prompts or our outputs to train or improve their general-purpose models — this applies to Anthropic, OpenAI and the paid Google tier we use; the position for our voice provider is described in Section 6.4;
- retain your inputs and outputs only for a limited period and then delete them — by default up to 30 days for Anthropic and OpenAI, and, for Google, only transiently for abuse monitoring (up to 55 days on the Gemini API, or up to 90 days on Vertex AI where content is flagged) — except where a longer period is required by law or to investigate a policy violation;
- do not sell your data and do not use it for advertising;
- are engaged under a Data Processing Addendum (DPA) or equivalent written data-protection terms, with appropriate international-transfer safeguards (see Sections 7 and 9).
Where a provider offers zero-data-retention or an equivalent arrangement, we will adopt it; until such an arrangement is confirmed for a given provider, the default retention periods above apply. [TO BE CONFIRMED BY PX: which zero-retention arrangements are in place with each AI provider.]
6.4 Voice features (ElevenLabs)
Voice features are delivered by ElevenLabs, Inc., a US-based voice-synthesis provider. When you use voice mode, only the AI Coach’s response text (the words to be spoken) is sent to ElevenLabs to generate audio; your own messages and profile data are not sent to ElevenLabs. Unlike our text AI providers, ElevenLabs’ standard terms permit it to retain submitted content and to use it to improve and train its models. To protect your data, PX [TO BE CONFIRMED BY PX: has enabled ElevenLabs Zero-Retention Mode and registered the account-level opt-out from model training], so that the text we send is not used to train ElevenLabs’ models and is not retained beyond delivering your audio. Until that configuration is confirmed, you should assume ElevenLabs may retain and use the text sent for voice features in accordance with its own privacy policy (elevenlabs.io/privacy-policy).
6.5 Health and fitness data in AI coaching context
Your health and fitness data — including data you log (workouts, meals, hydration, mood, biometrics) and data from Apple Health / Apple HealthKit, Google Health Connect, and connected wearables via Terra (such as heart rate, HRV, sleep, recovery, steps and other metrics) — may be included in the context PX sends to its AI providers when it is relevant to answering your request. This data is used only to generate your coaching response and to keep the service reliable. It is never sold, never used for advertising, and never used to build advertising or marketing profiles. Health data obtained through Apple HealthKit is handled in accordance with Apple’s HealthKit requirements: it is not used for advertising or marketing, is not sold or disclosed to data brokers, and is used only to provide health and fitness services to you. You control which health sources are connected and can disconnect any of them at any time in Account settings (see Section 4.3).
6.6 The AI Coach memory
The “memory” the AI Coach references in your conversations is stored only on our own infrastructure (see Section 8). It is generated by extracting structured insights from your check-ins and conversations using the same AI providers described above, under the same terms — on the tiers we use, your data is not used to train their models (subject to the voice-provider position in Section 6.4). You can review the insights the AI Coach has stored about you at any time in Account settings, edit them, or delete any or all of them. Deleting an insight removes it from future coaching context.
6.7 What the AI Coach does not receive
For clarity and completeness:
- PX reads event names, times, busy/free status, and locations to show your schedule on your device. This calendar data is never transmitted to Anthropic, OpenAI, Google, ElevenLabs, or any other AI provider. See Section 4.3.
- Payment information, account credentials and contact details are never transmitted to AI providers.
- Body scan images, where you opt in to cloud sync, are never sent to AI providers as image files; only structured measurement summaries derived from them may inform AI Coach context, and only with your additional consent for cloud sync.
6.8 AI providers at a glance
The table below summarises how each AI provider is used and whether it uses your data to train its models. The final column links each provider’s current data-usage terms (shown as plain text); we review these periodically. For the authoritative list of all Sub-processors, see Section 7.
| Provider | Role | Processing region | Default retention | Used to train their models? | Provider data terms |
|---|---|---|---|---|---|
| Anthropic, PBC (Claude) | Primary — all generative coaching | United States | Inputs/outputs deleted within 30 days (longer only if flagged for policy review or required by law) | No — commercial API | https://www.anthropic.com/legal/commercial-terms |
| OpenAI, L.L.C. | Fallback — short structured tasks | United States | Abuse-monitoring logs up to 30 days, then deleted | No — API data not used for training by default | https://openai.com/enterprise-privacy/ |
| Google LLC (Gemini API / Google Cloud) | Second fallback — short structured tasks (paid tier only) | United States | Abuse-monitoring logs up to 55 days (Gemini API) / up to 90 days if flagged (Vertex AI) | No — paid tier is not used to train or improve models (the free tier is; we do not use it) | https://ai.google.dev/gemini-api/terms |
| ElevenLabs, Inc. | Text-to-speech (voice features) | United States | Retained per ElevenLabs’ policy unless Zero-Retention Mode is enabled (see 6.4) | By default yes — unless the opt-out / Zero-Retention Mode is enabled (see 6.4) [TO BE CONFIRMED BY PX] | https://elevenlabs.io/privacy-policy |
6.9 Limited Use of Google API data
PX’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. PX uses Google Calendar data solely to display your schedule in the app and plan around your commitments; it does not transfer or sell this data, does not use it for advertising, and does not allow humans to read it. Google Calendar data is processed on-device only and is never transmitted to PX’s servers or any third party.
7. Sub-processors
We use a limited number of carefully selected Sub-processors to deliver the Services. Each Sub-processor is engaged under a Data Processing Addendum (DPA) or equivalent written data-protection terms that require it to protect your Personal Information at least to the standard required by applicable law. Our current Sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI coaching language model (primary) | United States |
| OpenAI, L.L.C. | AI language model — fallback for short structured tasks | United States |
| Google LLC (Gemini API / Google Cloud) | AI language model — second fallback for short structured tasks (paid tier) | United States |
| ElevenLabs, Inc. | AI voice synthesis (text-to-speech) | United States |
| Supabase Inc. | Database, authentication, file storage, backend | United States, EU (multi-region) |
| RevenueCat, Inc. | Subscription management | United States |
| Stripe, Inc. | Web subscription payment processing | United States, EU, AU |
| Apple Inc. | iOS payment processing, Sign in with Apple | United States, EU, AU |
| Google LLC | Android payment processing, Sign-In with Google | United States, EU, AU |
| Sentry (Functional Software, Inc.) | Crash and error reporting | United States |
| Expo (650 Industries, Inc.) | Push notification delivery | United States |
| Loops, Inc. | Lifecycle and transactional email | United States |
| Terra API | Wearable and health data aggregation | United States, EU |
| Oura Health Oy | Oura device data | EU (Finland) |
| Vercel Inc. | Web hosting | United States, EU |
| Cloudflare, Inc. | Content delivery network, DDoS protection, and Turnstile bot/abuse prevention | Global edge |
We maintain an up-to-date list of Sub-processors at pxmembership.com/sub-processors. We will provide reasonable advance notice of any new Sub-processor we add that processes Personal Information. Some of our Sub-processors are located outside your country of residence. Where we transfer your Personal Information internationally, we rely on appropriate safeguards as described in Section 9. We use Cloudflare Turnstile, a privacy-preserving alternative to CAPTCHA, to confirm that visitors are human and to protect the Services from automated abuse and fraud. Turnstile may run invisibly, without requiring you to complete a visible challenge. Cloudflare's collection and processing of information in connection with Turnstile is described in the Cloudflare Turnstile Privacy Addendum, linked below.
Cloudflare Turnstile Privacy Addendum8. Where we store and process your data
- Your Personal Information is stored primarily in databases operated by Supabase in regions selected to minimise latency for the majority of our users and to comply with data residency requirements where they apply.
- Some Personal Information is processed in real time by Sub-processors located in the United States (notably Anthropic for AI coaching; OpenAI and Google as fallback AI providers for short structured tasks; ElevenLabs for voice; and Stripe for payments).
- We maintain regular backups, which are encrypted at rest and stored in secure, access-controlled environments.
9. International data transfers
Because PX is a global service, your Personal Information may be transferred to, stored in, and processed in countries other than the country in which you are resident, including the United States and other countries where our Sub-processors operate. Where we transfer Personal Information from the EEA, the UK, or Switzerland to a country that has not been determined to provide an adequate level of data protection, we rely on:
- the European Commission’s Standard Contractual Clauses (SCCs), as updated;
- the UK Information Commissioner’s Office International Data Transfer Agreement or UK Addendum to the SCCs;
- the Swiss Federal Data Protection and Information Commissioner’s recognition of the SCCs with adaptations;
- and, where applicable, the EU-US Data Privacy Framework, the UK Extension thereto, and the Swiss-US Data Privacy Framework, where the recipient is certified.
Where we transfer Personal Information from Australia, we comply with Australian Privacy Principle 8 by ensuring the overseas recipient handles the information in a way that is consistent with the Australian Privacy Principles, or by obtaining your informed consent. You can obtain a copy of the safeguards we use by contacting support@pxmembership.com.
10. How long we keep your data
We retain Personal Information for as long as your Account is active and for a reasonable period thereafter, in accordance with the retention principles below.
| Category | Retention period |
|---|---|
| Account information (name, email, profile) | Active Account + 30 days after deletion request |
| Health and activity logs | Active Account + 30 days after deletion request |
| AI Coach conversation history | Active Account + 30 days after deletion request (you may delete sooner) |
| AI Coach insights (memory) | Active Account + 30 days after deletion request (you may delete individual insights at any time) |
| Body scan images | Default: on-device only. Cloud copy (opt-in): until you delete |
| Payment and subscription records | 7 years after the end of the financial year of the transaction (tax / accounting requirements) |
| Support correspondence | 3 years after the matter is closed |
| Security and audit logs | Up to 18 months for security and legal purposes |
| Anonymised analytics data | Retained indefinitely in anonymised form, where re-identification is not possible |
If you delete your Account, we will delete or anonymise your Personal Information within 30 days of your deletion request, except where we are required to retain certain information for the periods specified above. Backups containing your Personal Information are rotated out of our backup system within 90 days of deletion.
11. Your rights
Depending on where you live, you may have some or all of the following rights in relation to your Personal Information. We honour these rights for all users where practicable, regardless of where you are located.
| Right | What it means |
|---|---|
| Access | Receive confirmation of whether we hold Personal Information about you, and a copy of that information. |
| Rectification / correction | Have inaccurate Personal Information corrected, and incomplete Personal Information completed. |
| Erasure / deletion | Have your Personal Information deleted, subject to limited exceptions. |
| Restriction | Restrict our processing of your Personal Information in certain circumstances. |
| Portability | Receive your Personal Information in a structured, commonly used and machine-readable format, and have it transmitted to another controller. |
| Objection | Object to our processing of your Personal Information where we are relying on legitimate interests. |
| Withdraw consent | Withdraw any consent you have given us, at any time, without affecting the lawfulness of processing before the withdrawal. |
| Opt out of sale / sharing | Opt out of any “sale” or “sharing” of your Personal Information, as those terms are defined under US state law. We do not sell or share, but the right is preserved. |
| Limit use of sensitive PI (California) | Direct us to limit our use of sensitive personal information to that which is necessary to provide the Services. |
| Complain to a regulator | Lodge a complaint with the data protection authority in your country. |
| Non-discrimination | Not be discriminated against for exercising your rights. |
To exercise any of these rights, contact support@pxmembership.com or use the in-app tools available in Account → Privacy. We will respond within the timeframes required by applicable law (typically one month for GDPR; 45 days for CCPA / CPRA, extendable by 45 days where necessary). We will verify your identity before responding. If you are in the EEA or the UK you may complain to your national data protection authority (in the UK, the ICO at ico.org.uk; in Ireland, the Data Protection Commission at dataprotection.ie). If you are in Australia, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au. If you are in California, Virginia, Colorado, Connecticut, Utah, Texas or another US state with a comprehensive privacy law, you have substantially equivalent rights and may appeal a denial by emailing support@pxmembership.com with “Appeal” in the subject line.
See data deletion process12. Security
We take the security of your Personal Information seriously and implement administrative, technical and physical safeguards designed to protect it against unauthorised access, disclosure, alteration and destruction. These safeguards include:
- Encryption of Personal Information in transit (TLS) and at rest (database-level encryption).
- Encrypted secure storage of authentication tokens on your device.
- Multi-factor authentication options for your Account.
- Strict access controls limiting employee and contractor access to Personal Information on a need-to-know basis.
- Role-based access controls and audit logging on all production systems.
- Regular security reviews, vulnerability scanning and dependency monitoring.
- Sub-processor contracts that require Sub-processors to implement appropriate technical and organisational measures.
- An incident response process designed to detect, contain and remediate security incidents.
No system is perfectly secure. While we work hard to protect your Personal Information, we cannot guarantee its absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law (GDPR Article 33; UK GDPR Article 33), and we will notify you without undue delay where required by law.
13. Marketing communications
We may send you marketing communications about the Services and related offerings where you have given us permission to do so, or where applicable law permits. You can opt out of marketing communications at any time by:
- using the “unsubscribe” link in any marketing email;
- adjusting your notification preferences in Account settings;
- emailing support@pxmembership.com.
Opting out of marketing does not affect transactional communications (account confirmations, billing receipts, security alerts) which we may continue to send for as long as you have an active Account.
14. Profiling and automated decision-making
The AI Coach uses information about you to make recommendations and to generate personalised coaching content. This is a form of profiling for the purposes of the GDPR and UK GDPR. The AI Coach does not make decisions that produce legal or similarly significant effects on you without human involvement. The AI Coach is non-clinical guidance, designed to support your personal performance and wellbeing; it is not used for medical diagnosis, insurance underwriting, credit decisions, employment decisions, or any other decision that has a legal or similarly significant effect on you. You can object to any specific profiling by adjusting your preferences in Account settings or by contacting support@pxmembership.com. You may also delete the insights the AI Coach has accumulated about you at any time.
15. California: Notice of Collection and Sensitive PI
In the previous twelve months, we have collected the following categories of Personal Information about California residents:
- Identifiers (name, email address, account identifiers).
- Personal Information categories listed in Cal. Civ. Code § 1798.80(e) (signature, date of birth).
- Commercial information (subscription history).
- Internet or other electronic network activity (interaction with the Services).
- Geolocation information (general, city/region from IP).
- Audio, electronic, visual or similar information (voice messages, profile photos, body scans where you opt in).
- Professional or employment-related information (where you provide this).
- Inferences drawn from the above (preferences, characteristics, patterns).
- Sensitive Personal Information: account credentials, precise geolocation (where you specifically enable a location feature), Health Data, and the content of communications with the AI Coach.
We use Sensitive Personal Information only for the purposes set out in Cal. Civ. Code § 1798.121(a) and for the purposes you have requested or consented to. You may request that we limit our use of Sensitive Personal Information by contacting support@pxmembership.com. We do not sell or share Personal Information as those terms are defined under the CPRA. California’s “Shine the Light” law (Civ. Code § 1798.83) permits California residents to request information about disclosure of certain Personal Information to third parties for direct marketing purposes; we do not share Personal Information with third parties for their direct marketing purposes.
16. Australia: notifiable data breaches and the APPs
We comply with the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth). In the event of an eligible data breach under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act), we will notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable, in accordance with our obligations. If you have a complaint about how we have handled your Personal Information, please contact support@pxmembership.com. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.
17. Cookies and similar technologies
The PX website uses cookies and similar technologies to operate the site, remember your preferences, and understand how visitors use the site. We use:
- Strictly necessary cookies: required for the website to function (authentication, session management).
- Functional cookies: remember your preferences (language, region).
- Analytics cookies: help us understand how visitors use the website.
We do not use advertising cookies or cross-site tracking cookies, and our website analytics are cookieless. The website sets a small number of strictly functional cookies and similar technologies, such as remembering your approximate region for currency display. Because we do not place non-essential cookies, the website does not currently show a cookie consent banner; if that ever changes, we will request your consent before placing any non-essential cookie. You can control cookies at any time through your browser settings. The PX mobile applications do not use cookies in the traditional sense, but use local storage, secure tokens and device identifiers as described in this Policy.
18. Third-party links and services
The Services may contain links to third-party websites and services that are not operated by us. This Policy does not apply to those third parties. We encourage you to review the privacy notices of any third party before providing them with Personal Information. Where the Services integrate with third-party services (such as Apple HealthKit, Google Health Connect, Oura, Terra, or your calendar), those third parties handle your information under their own privacy notices. We are not responsible for the privacy practices of those third parties beyond the limited scope described in this Policy.
19. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, our Services, or applicable law. The “Effective” and “Last updated” dates at the top of this Policy tell you when it was last revised. Where we make material changes, we will notify you in advance by email, by an in-app notice, or by a banner on the website, and obtain your consent again where required by applicable law. We encourage you to review this Policy from time to time.
20. Contact us
If you have any question, request or complaint about this Policy or about how we handle your Personal Information, please contact us. For users in the EEA, our EU Representative under GDPR Article 27 is [TO BE APPOINTED]. For users in the UK, our UK Representative under UK GDPR Article 27 is [TO BE APPOINTED]. Privacy correspondence is treated as a priority. We aim to acknowledge all privacy enquiries within 5 working days and substantively respond within the timeframes required by applicable law (typically one month for GDPR; 45 days for CCPA / CPRA, extendable by 45 days where necessary).
- Email: support@pxmembership.com (with “Privacy” in the subject line)
- Postal: 7 Mandolin Avenue, Helensvale QLD 4212, Australia
- Attention: Privacy Team, Pursue Excellence Pty. Ltd.