Privacy Policy

Last updated: 7 March 2026

1. About this policy

pbX (“we”, “us”, “our”) is an Australian strength training platform operated at pbxstrength.com.au. This policy explains how we collect, use, store and protect your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By creating an account or using pbX, you agree to the practices described in this policy.

2. Information we collect

We collect the following personal information:

  • Account information — your name (optional) and email address, collected when you register.
  • Authentication data — your password is stored as a one-way cryptographic hash (bcrypt). We never store your password in plain text.
  • Training data — workout logs, exercises, sets, reps, weights, and program history that you enter while using the app. This may constitute health information under the Privacy Act.
  • Subscription and billing data — your subscription plan and payment status. Payment card details are handled entirely by Stripe and are never stored on our systems.
  • Coach relationship data — if you use the coach feature, we store the connection between a coach and their clients, and any messages exchanged within the platform.
  • Usage data — basic technical data such as access logs, which may be retained by our hosting provider (Vercel).

We collect only the information necessary to provide the service. We do not collect sensitive information such as government identifiers or financial account details.

3. How we use your information

We use your personal information to:

  • Create and manage your account
  • Provide the strength training platform and its features
  • Send transactional emails (email verification, password resets, subscription receipts)
  • Process subscription payments via Stripe
  • Enable coach-client relationships and in-platform messaging
  • Maintain the security and performance of the platform
  • Comply with legal obligations

We do not use your personal information for advertising, and we do not sell or trade your information to third parties.

4. Third parties we share information with

We share limited personal information with the following trusted third-party service providers, solely to operate the platform:

Supabase / AWS

Our database is hosted on Supabase, running on Amazon Web Services in the Asia-Pacific (Singapore) region. Your account and training data are stored here. Supabase maintains SOC 2 Type II certification.

Vercel

Our application is hosted on Vercel's infrastructure (United States). Vercel processes web requests and may retain access logs.

Stripe

Subscription payments are processed by Stripe (United States). Stripe receives your email address and payment details. We store only a Stripe customer reference ID. Stripe is PCI DSS Level 1 certified.

Resend

Transactional emails (verification, password reset) are delivered via Resend (United States). Resend receives your email address and the content of transactional emails only.

5. Overseas data storage

Some of your personal information is stored or processed outside Australia — specifically in Singapore (Supabase/AWS) and the United States (Vercel, Stripe, Resend). By using pbX, you consent to this transfer. We take reasonable steps to ensure these providers handle your information in a manner consistent with the Australian Privacy Principles.

6. Data security

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access. Measures include:

  • All data transmitted over HTTPS/TLS
  • Passwords stored as bcrypt hashes (never in plain text)
  • Database access restricted to application services only
  • Email verification required for new accounts

If we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.

7. Data retention

We retain your personal information for as long as your account is active, or as necessary to provide the service. If you close your account, we will delete or de-identify your personal information within a reasonable period, unless we are required to retain it by law.

8. Your rights

Under the Privacy Act, you have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — ask us to correct information that is inaccurate, out of date, or incomplete
  • Complaint — make a complaint if you believe we have mishandled your personal information

To exercise any of these rights, contact us at the address below. We will respond within 30 days.

If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

9. Cookies and local storage

pbX uses session cookies for authentication (managed by NextAuth.js). We do not use third-party tracking or advertising cookies. A service worker is used to enable offline/PWA functionality — it does not collect personal information.

10. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by a prominent notice within the app. The date at the top of this page indicates when the policy was last updated.

11. Contact us

For privacy-related enquiries, access requests, or complaints, please contact us at:

pbX
Email: support@pbxstrength.com.au