Privacy Policy

Version: 2026-04-25 · Compliant with Israel PPL Amendment 13 + EU GDPR

1. Overview

Movo operates a digital platform connecting personal trainers and their clients via web and mobile. This Policy explains what personal data we collect, why, how it's stored, your rights, and how to contact us.

This Policy is drafted to align with the Israeli Privacy Protection Law (PPL) as amended by Amendment 13 (effective Aug 15, 2025), the Privacy Protection Authority (PPA) guidance, and the EU GDPR (Regulation 2016/679) where end-users are EU residents.

2. Controller

The data controller is Movo. [LEGAL-REVIEW: legal entity name, registration number, registered address.]

Privacy contact: privacy@movofitness.com.

3. Data we collect

  • Account: name, email, phone, hashed password, address.
  • Trainer business profile: business name, specialties, certifications, bio, photos, locations.
  • Health & fitness (clients): weight, body measurements, workout logs, nutrition, progress photos, goals. Treated as sensitive under PPL Amendment 13.
  • Payment: processed by PayMe. We receive only masked tokens (last 4 digits, brand) — full PANs never touch our servers.
  • Usage: IP, browser/device, action logs, error traces.
  • HealthKit / Google Fit (opt-in): steps, calories, heart-rate — only with explicit permission.
  • Communications: messages between trainer and client, support tickets.

4. Purposes and lawful basis

  • Contract performance: service delivery (programs, tracking, marketplace).
  • Legitimate interest: product improvement, security, fraud prevention.
  • Consent: marketing, non-essential cookies, HealthKit / Google Fit sync.
  • Legal obligation: tax-invoice retention (7 years per ITA).

5. Subprocessors

Full list at /privacy/subprocessors. Summary:

  • Supabase — data hosting (eu-central-1, Frankfurt).
  • Vercel — web hosting.
  • Sentry — error monitoring.
  • Resend — transactional email.
  • hCaptcha — bot mitigation on public forms.
  • PayMe — payment processing and tax invoices.

We never sell or rent personal data to third parties for marketing.

6. International transfers

Some processors operate outside Israel (mostly EU and US). Transfers rely on EU Standard Contractual Clauses or other approved safeguards. Our Supabase region is Frankfurt (EU).

7. Retention

  • Active account: as long as the account is active.
  • After deletion: 30-day removal, except records under legal retention duty.
  • Tax invoices and financials: 7 years per Israel Tax Authority.
  • Security logs: 12 months.
  • Support tickets: 36 months.

8. Your rights

Under Amendment 13 and the GDPR, you may exercise the following rights via Account Settings or by emailing privacy@movofitness.com:

  • Access — copy of your data.
  • Rectification — correct inaccuracies.
  • Erasure — close account and delete.
  • Portability — export in machine-readable format (JSON).
  • Objection — to specific processing including direct marketing.
  • Withdraw consent — anytime, without affecting prior processing.

We respond within 30 days. EU residents may also lodge complaints with their national supervisory authority. Israeli residents may complain to the Privacy Protection Authority at the Ministry of Justice.

9. Cookies

Essential cookies (auth, service operation) are always set. Optional cookies (functional, analytics, marketing) are set only with consent. Manage anytime in Privacy Settings.

10. Marketing

Marketing email requires explicit opt-in per Israeli Communications Law (Spam Law) Amendment 40. Unsubscribe in any message.

11. Security

We apply reasonable safeguards per Israeli Privacy Protection (Data Security) Regulations 2017: encryption at rest and in transit (TLS 1.2+), role-based access control, database-level RLS, periodic security reviews, and audit logging. Employees and subprocessors are bound by confidentiality.

12. Breach notification

In case of a serious security incident exposing personal data, we notify affected users and the Privacy Protection Authority per the Data Security Regulations. Under GDPR, notification is made within 72 hours of awareness.

13. Children

The service is not directed at children under 16. We do not knowingly collect data from minors below this age. Any such data we detect will be removed.

14. Changes

We update this policy periodically. Material changes are displayed on this page and may re-prompt consent. The current version date appears at the top.

15. Contact

Any question: privacy@movofitness.com.

[LEGAL-REVIEW: registered address, registration number, Privacy Officer if required.]

This document is a draft pending legal review. Do not rely on it without consultation from an attorney specializing in Israeli privacy law and GDPR before public launch.