Privacy Policy
This Privacy Policy explains how My Personal Trainer Malta ("MyPT", "we", "us") collects, uses, stores, and protects your personal data when you use our website at https://myptmalta.com and our mobile/web applications (collectively, "the Service"). MyPT is committed to the principles of the EU General Data Protection Regulation (GDPR). If you have questions about this policy, contact us at info@mypersonaltrainermalta.com.
1. Data controller
The data controller is My Personal Trainer Malta, based in Malta. Marvic Debono is the responsible person and can be reached at info@mypersonaltrainermalta.com.
2. Data we collect
2.1 Account data
- Email address and name (required to create an account)
- Date of birth (required for age-appropriate training defaults)
- Gender (optional, used for body-composition norms and benchmark brackets)
- Profile photo (optional, only stored if you upload one)
- Password (stored as a salted bcrypt hash — never in plain text)
2.2 Training and health data
- Workout history, sets, reps, weights, RPE notes
- Nutrition logs (foods, photos, macros)
- Body composition measurements you choose to log
- Progress photos (stored encrypted at rest)
- Wearable data (heart rate, sleep, HRV, steps) from providers you authorise via OAuth
- Walking routes and trail data
2.3 Communication data
- Messages with your trainer and community posts
- Voice notes you send or receive
- Support emails to info@mypersonaltrainermalta.com
2.4 Billing data
All payment processing is handled by Stripe. MyPT receives a tokenised reference to your payment method but never sees your card number, CVV, or full bank details. Billing history is stored under your account so you can download invoices.
2.5 Technical data
- IP address (kept for 30 days for security and abuse-prevention)
- Device type, OS version, app version (for diagnostics)
- Crash logs (anonymised via Sentry)
3. How we use your data
We process your data only for the following purposes:
- To provide the Service (workouts, nutrition tracking, messaging, community)
- To generate AI-assisted insights (meal scans, meal plans) when you explicitly request them
- To send transactional emails (account confirmations, invoices, password resets)
- To improve the Service via aggregated, anonymised analytics
- To comply with legal obligations (tax records, court orders)
We do not use your data for behavioural advertising, sell it to third parties, or train AI models on your private data.
4. Third-party processors
We use the following sub-processors, each bound by GDPR-compliant data-processing agreements:
| Service | Purpose | Region |
|---|---|---|
| Stripe | Payment processing | EU/global |
| Google Workspace | Transactional email | EU |
| Google Gemini | AI photo meal scans, AI meal plans | EU (may be transferred within Google's global infrastructure; see section 10) |
| OpenAI | AI fallback when Gemini is unavailable | EU (may be transferred within OpenAI's global infrastructure; see section 10) |
| Google Routes | AI-generated walking routes | EU/global |
| HostGator (cPanel) | Web hosting | EU |
| Sentry | Anonymised crash logging | EU |
| Wearable providers | Apple, Fitbit, Garmin, Whoop, Oura, Samsung — only when you OAuth-connect | Per provider |
5. AI data handling
When you use AI features, the input is sent to the third-party model for processing. Photo meal scans send the image and basic metadata; meal plans send your goals and preferences. We hold AI providers to strict contractual terms: your data is not used to train their models, and they process your data only to return the requested result. Photos sent for meal scans are deleted from MyPT servers within 24 hours of being scanned.
6. Retention
Active account data is retained for as long as your account is active. If you delete your account, we keep a minimal record (account ID, deletion timestamp) for 90 days in case of accidental deletion. All other data is permanently deleted within 90 days of account closure, except where we are legally required to retain it (e.g. tax records for 7 years per Maltese law).
7. Your rights under GDPR
You have the following rights at all times:
- Access. Request a copy of all data we hold about you.
- Rectification. Correct any inaccurate data.
- Erasure. Delete your account and associated data (the "right to be forgotten").
- Portability. Export your data in a structured, machine-readable format (CSV).
- Restriction. Limit how we process your data while a dispute is resolved.
- Objection. Object to processing where we rely on legitimate interest.
- Withdraw consent. Where processing is based on consent, withdraw it at any time.
- Complain. Lodge a complaint with the Maltese Information and Data Protection Commissioner (idpc.org.mt).
Most of these rights can be exercised in-app from Settings → Privacy. For anything else, email info@mypersonaltrainermalta.com. We respond to GDPR requests within 30 days.
8. Children
MyPT is intended for users 16 and older. We do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete the account immediately.
9. Security
- All data is transmitted over HTTPS (TLS 1.2+)
- Passwords are stored as salted bcrypt hashes
- Database backups are encrypted at rest in EU data centres
- Two-factor authentication is available on the account settings page
- We never email you asking for your password
10. International transfers
Your data is processed primarily in the EU. Some third-party processors (Google, OpenAI) may transfer data internally to their global infrastructure under EU-approved Standard Contractual Clauses or other valid GDPR transfer mechanisms.
11. Changes to this policy
If we make material changes to this policy, we will notify you via email and an in-app banner at least 14 days before the change takes effect. Older versions of this policy are available on request.
12. Contact
For privacy questions, data requests, or complaints, email info@mypersonaltrainermalta.com. We acknowledge every message within five business days; formal data-subject requests are completed within the 30-day period described in section 7.