Just Hold

Privacy Policy

Just Hold Ltd — Effective 5 March 2026 — Last updated 1 May 2026

1. Who We Are

Just Hold Ltd (“we”, “us”, “our”) operates the Just Hold fitness-tracking application (“the App”). We are a company registered in England and Wales under company number 16976542.

Registered office: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom

Contact: privacy@justhold.app

For the purposes of UK and EU data protection law, Just Hold Ltd is the data controller.

2. What We Collect

We only collect the data necessary to provide the App. We do not use advertising cookies, behavioural advertising, or cross-site tracking. We use a privacy-preserving, cookie-free analytics service (Vercel Web Analytics) to understand aggregate use of the App so we can improve performance and usability — see Section 5 for details and how to opt out.

| Category | Data | Why |
|---|---|---|
| Account | Email address, display name, password (hashed), avatar image | To create and secure your account |
| Date of birth | The date of birth you provided at signup or for each family profile | To verify you meet our age requirement (18+ for personal accounts; 13+ for family profiles). Never shared with other users; never used for marketing. |
| Fitness data | Exercise type (plank, hang, wall squat), duration in seconds, date and time logged | To track and display your progress |
| Family profiles | Profile name, avatar image (linked to owner's account) | To let Family plan users track multiple household members |
| Groups | Group name, group image, membership, activity feed messages | To enable shared fitness tracking with friends and family |
| Friend sponsorship | Sponsor/friend relationship, invitation codes, sponsorship status, grace period dates | To manage free accounts provided by paying subscribers |
| Subscription | Stripe customer ID, subscription ID, subscription status, plan type | To manage billing and access |
| Notifications | In-app messages between users (e.g., group invitations, activity updates) | To keep you informed of group and account activity |
| Settings | Email digest preferences, muted groups | To respect your communication preferences |
| Feature requests | Category, feedback text | To improve the App based on user input |
| Aggregate analytics | Page views, referrer, country (no city), browser, operating system, device class, and Web Vitals timings | To understand aggregate use of the App so we can improve performance and usability. Cookie-free; not tied to your identity |
| Diagnostic logs | Your user ID (UUID) when included in a server error message; stack traces; request paths | To investigate and fix bugs that affect your account. We do not log your email, name, or workout content |
| Launch notifications | Email address | To notify you when Just Hold launches publicly; only collected via the pre-launch sign-up form; deleted within 30 days of launch or when you unsubscribe |
| Product updates | Email address (already held for your account) | To send updates about new App features and improvements; only used for this purpose if you opt in at sign-up |

Data we do NOT collect

  • Your IP address or precise geolocation (Vercel determines country at the network edge for analytics; we never see or store your IP)
  • Persistent device fingerprints (Vercel Analytics records browser, operating system, and device class in aggregate only, with no link to your account)
  • Advertising cookies, behavioural advertising, or cross-site tracking
  • User-level analytics that identify you across sessions or devices
  • Health or biometric data (hold durations are simple timers, not biometric measurements)
  • Data from third-party social media accounts (other than Google account email and name if you use Google sign-in)

3. How We Use Your Data

  • Provide the service: create your account, record and display your workout history, enable group features and family profiles
  • Verify age eligibility: confirm that personal-account holders are 18 or over and that family-profile members are 13 or over
  • Process payments: manage subscriptions and billing via Stripe
  • Send transactional emails: account confirmation, password resets, email digests, sponsorship notifications
  • Manage friend sponsorship: track which paying subscribers have sponsored free accounts for friends, handle grace periods when sponsorships end
  • Improve the App: review feature requests (aggregated, not tied to individual identity)
  • Improve performance and usability: aggregate analytics from Vercel Web Analytics highlight slow pages and broken flows; you can opt out at any time in Settings
  • Operate and debug the service: server-side error logs may include your user ID so we can investigate bugs you encounter. We do not log emails, names, or workout content
  • Send product update emails: notify trialists and subscribers about new features and improvements, where you have opted in at sign-up; you can withdraw consent at any time by emailing privacy@justhold.app or using the unsubscribe link in any email we send

We do not use your data for advertising, profiling, or automated decision-making.

4. Lawful Basis for Processing (UK and EU GDPR)

| Basis | Data | Explanation |
|---|---|---|
| Contract performance (Art. 6(1)(b)) | Account, fitness data, groups, family profiles, sponsorship, subscription, notifications, settings | Necessary to provide the service you signed up for |
| Legal obligation (Art. 6(1)(c)) | Date of birth (account holder and family-profile members) | We are required to take a risk-proportionate approach to verifying that users meet our minimum age requirements (18+ for personal accounts; 13+ for family profiles) under DPA 2018 s.9 and the ICO Age Appropriate Design Code. The date of birth is also held to evidence accountability under UK GDPR Art. 5(2) |
| Legitimate interests (Art. 6(1)(f)) | Feature requests | Our legitimate interest in improving the App; balanced against minimal privacy impact of voluntary feedback |
| Legitimate interests (Art. 6(1)(f)) | Aggregate analytics | Our legitimate interest in improving performance and usability; balanced against minimal privacy impact (cookie-free, no PII, no cross-site tracking) and a free opt-out in Settings |
| Legitimate interests (Art. 6(1)(f)) | Server-side error logs and email send logs | Our legitimate interest in operating, debugging, and securing the service; minimised to pseudonymous identifiers (user IDs) with short retention |
| Consent (Art. 6(1)(a)) | Google account data (email, name) via Google OAuth | You actively choose to sign in with Google; you can revoke access in your Google account settings at any time |
| Consent (Art. 6(1)(a)) | Launch notification emails; product update emails for trialists and subscribers | You actively opt in — via the pre-launch sign-up form or the checkbox at account creation; you can withdraw consent at any time by emailing privacy@justhold.app or using the unsubscribe link in any email we send |

5. Cookies and Local Storage

The App uses no tracking cookies, no advertising cookies, and no cross-site analytics cookies.

Analytics

We use Vercel Web Analytics, a cookie-free analytics service, to understand aggregate use of the App so we can improve performance and usability. Vercel Web Analytics records limited information — page views, referrer, country (no city), browser, operating system, device class, and Web Vitals timings — and identifies visitors only by a daily server-side hash that resets each day. It does not set cookies, does not write to your device's local storage, and does not track you across days, sessions, or other websites. Before each event leaves your browser, the App strips query strings and replaces dynamic identifiers in the URL (such as group IDs, family-profile IDs, invite codes, and unsubscribe tokens) with placeholders so they never reach Vercel.

You can opt out at any time in Settings → Your Data → Allow analytics. When you opt out, the App stops sending analytics events from your browser.

Local storage and session storage

We use browser local storage and session storage only for essential functionality:

| Item | Storage type | Purpose |
|---|---|---|
| Supabase auth session token (sb-*-auth-token) | cookie (HTTP-only) and localStorage | Keeps you logged in between visits and authenticates your requests |
| Supabase PKCE code verifier (sb-*-auth-token-code-verifier) | cookie (HTTP-only) | Used during email-confirmation/OAuth sign-in to complete the secure exchange |
| auth_redirect | cookie (during signup) and localStorage | Remembers where to send you after email confirmation. The cookie is deleted on the auth callback |
| marketing_consent | cookie (during signup only) | Carries your marketing-consent choice from the signup form across email confirmation so we can record it accurately. Deleted on the auth callback |
| trial_plan_type | cookie (during signup) and localStorage | Remembers your plan choice during signup so we can present the right Stripe checkout after email confirmation. The cookie is deleted on the auth callback |
| pending_invite_code | cookie (during signup only) | Carries a server-validated group invite code through email confirmation so you land in the right group. Deleted on the auth callback |
| dob | cookie (during signup only) | The date of birth you entered at signup, carried through email confirmation so we can verify your age. Deleted when you finish signing up |
| justhold_current_profile | localStorage | Remembers your selected family profile |
| justhold:safety-acked | localStorage | Records that you have acknowledged the in-app safety warning so we do not re-prompt you on every workout |
| install_prompt_seen | localStorage | Records that the “install as an app” prompt has been shown so we do not re-show it on every dashboard load |
| org_welcome_dismissed_<org slug> | localStorage | Records that you have dismissed the team welcome card for a specific organisation, so it is not re-shown |
| grace_period_modal_dismissed | sessionStorage | Prevents showing the sponsorship grace period notice repeatedly in one session |
| analytics_opt_out | localStorage (only present when set) | Created only if you opt out of analytics in Settings — when present, it tells the App to drop analytics events client-side. Removed when you re-enable analytics |

Google OAuth: If you sign in with Google, Google may set its own cookies during the authentication flow. These are governed by Google's Privacy Policy, not ours.

Because we use no non-essential cookies, we do not display a cookie consent banner. You can clear local storage at any time through your browser settings, though this will log you out.

6. Third-Party Processors

We share data with three service providers, all acting as data processors under written agreements:

Stripe (payment processing)

  • Data shared: email address, user ID (as metadata), payment card details (entered directly into Stripe's payment form — we never see or store card numbers)
  • Purpose: subscription billing and payment processing
  • Location: United States (certified under the EU-US Data Privacy Framework)
  • Their policy: stripe.com/privacy

Resend (transactional email)

  • Data shared: email address, display name, email content
  • Purpose: sending account confirmations, password resets, email digests, sponsorship notifications
  • Location: United States
  • Their policy: resend.com/legal/privacy-policy

Vercel (hosting, server-side functions, runtime logs, analytics)

  • Data shared: all data the App processes server-side passes through Vercel's infrastructure during request handling. Server-side error logs may include your user ID. Vercel Web Analytics receives aggregate page views, referrer, country, browser, OS, device class, and Web Vitals — no cookies, no PII (see Section 5)
  • Purpose: hosting our application, running server-side functions, capturing diagnostic logs, providing aggregate usage analytics
  • Location: United States (multi-region)
  • Their policy: vercel.com/legal/privacy-policy

Supabase (database, authentication, file storage)

  • Data shared: all App data listed in Section 2
  • Purpose: database hosting, user authentication, avatar and group image storage
  • Location: EU (London/Frankfurt)
  • Their policy: supabase.com/privacy

We do not share data with any other third parties. We do not sell, rent, or trade personal data.

7. Data Visibility Within the App

  • Group members can see your display name, avatar, exercise type, hold duration, and the date/time you logged a workout — for all groups you share
  • Family profiles: all profiles under a single Family plan account share the same login. The account owner can view and manage all profiles and their workout history
  • Friend sponsorship: a sponsor can see that a sponsored friend has joined their group and whether the sponsorship is active. Sponsors cannot see the friend's detailed workout history unless they are in the same group

Your email address is never displayed to other users.

8. Data Retention

| Data | Retention period |
|---|---|
| Notifications | Automatically deleted after 90 days |
| Expired group invitations | Deleted daily by automated cleanup |
| Orphaned activity feed entries | Deleted weekly by automated cleanup |
| Workouts, account data, groups | Retained while your account is active; deleted within 30 days of an account deletion request |
| Subscription and payment records | 6 years after the end of the subscription (UK tax and accounting obligations) |
| Supabase auth tokens | Expire according to session configuration; cleared on logout |

9. Your Rights Under UK and EU GDPR

If you are in the UK or European Economic Area, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (“right to be forgotten”) (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability — receive your data in a structured, machine-readable format (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)
  • Withdraw consent at any time where processing is based on consent (Art. 7(3)) — this does not affect the lawfulness of processing before withdrawal

To exercise any of these rights, email privacy@justhold.app. We will respond within one month (extendable by two further months for complex requests, with notice).

Right to complain: You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO):

10. Your Rights Under California Law (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights:

  • Right to know: You can request the categories and specific pieces of personal information we have collected about you
  • Right to delete: You can request deletion of your personal information
  • Right to correct: You can request correction of inaccurate personal information
  • Right to opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioural advertising. There is nothing to opt out of
  • Right to non-discrimination: We will not treat you differently for exercising your privacy rights

Categories of personal information collected (per CCPA)

| CCPA Category | Examples from our App |
|---|---|
| Identifiers | Email address, display name, Stripe customer ID |
| Commercial information | Subscription plan type, subscription status |
| Internet or electronic network activity | None — we do not collect browsing history, search history, or interaction data |
| Audio, electronic, visual, or similar information | Avatar images and group images you upload |
| Inferences | None — we do not create profiles or draw inferences |

We have not sold personal information in the preceding 12 months. We have not shared personal information for cross-context behavioural advertising.

To exercise your California privacy rights, email privacy@justhold.app. We will verify your identity and respond within 45 days.

11. Account Deletion and Data Export

You can request account deletion or a copy of your data by emailing privacy@justhold.app.

  • Deletion: We will delete your account and all associated personal data within 30 days of a verified request. Data we are legally required to retain (e.g., financial records for tax purposes) will be kept for the required period and then deleted
  • Data export: We will provide your data in a common machine-readable format (JSON or CSV)
  • Family profiles: Deleting an account also deletes all family profiles associated with it
  • Sponsorships: If a sponsor's account is deleted, sponsored friends will enter a 7-day grace period and then need their own subscription to continue using the App
  • Group data: Your workout entries will be removed from all groups. Group activity feed messages you authored may be retained in anonymised form

12. Children's Privacy

The App is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13.

Family plan account owners may create profiles for household members, including children aged 13 and over. The account owner is responsible for any data entered under family profiles and must have appropriate authority (such as parental responsibility) to manage profiles on behalf of minors.

If we learn that we have collected personal data from a child under 13 without verified parental consent, we will delete that data promptly. If you believe a child under 13 has provided us with personal data, please contact privacy@justhold.app.

If you are between 13 and 17 and using a family profile, you can contact us directly at privacy@justhold.app about anything to do with your information — even if you didn't set up the account. You can ask to see what we hold about you, ask us to correct it, or ask us to delete it. The person who runs the account does not need to be involved.

13. International Data Transfers

Our database is hosted by Supabase in the EU (London/Frankfurt). Most of your data stays within the EU.

Data may be transferred to the United States by:

  • Stripe: for payment processing. Stripe is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCCs) as an additional safeguard
  • Resend: for transactional email delivery. Transfers are protected by Standard Contractual Clauses (SCCs)
  • Vercel: for hosting, server-side function execution, diagnostic logs, and aggregate analytics. Transfers are protected by Standard Contractual Clauses (SCCs)

We only transfer data to third parties that provide appropriate safeguards as required by UK GDPR (Chapter V) and EU GDPR (Chapter V).

14. Security

  • All data in transit is encrypted via HTTPS/TLS
  • Data at rest is encrypted by our database provider (Supabase)
  • Passwords are hashed — we cannot see or recover your password
  • Row-level security (RLS) policies ensure users can only access their own data and data shared with their groups
  • Stripe handles all payment card data and is PCI-DSS Level 1 certified — card details never touch our servers
  • Access to production systems is restricted to authorised personnel

No system is 100% secure. If you discover a security vulnerability, please report it to privacy@justhold.app.

15. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and notify you via the App or by email for significant changes.

Your continued use of the App after changes take effect constitutes acceptance of the updated policy.

16. Organisation (Team) Accounts

Just Hold offers team subscriptions for organisations. When a company signs up for Just Hold Teams, the following applies to employees or members who join via an organisation invite.

Who sees what

  • Organisation administrators can see participation and engagement signals for members of groups they manage: whether a member has logged a workout, how often, and weekly activity trends.
  • Administrators cannot see individual workout durations, personal bests, or the specific exercises you perform. That data stays with the individual account holder.
  • Other members of your organisation's groups see the same data that members of any group see: your display name, avatar, workout activity, and positions on group leaderboards.

Data controller and processor roles

Where an organisation subscribes to Just Hold Teams and invites its employees or members to join the app, the organisation is the data controller for the decision to enrol those people in the programme and for the engagement data it receives about them. Just Hold Ltd acts as a data processor for that engagement data and as an independent controller for the personal account data each individual creates (display name, password, workout durations, group memberships).

When someone leaves an organisation

If your organisation cancels its subscription, or you are removed from your organisation's groups, you lose access to those team groups but your personal account and workout history are preserved. You can continue using Just Hold on your own account (subject to having an active personal subscription, free trial, or sponsorship) or export your data at any time (see section 11).

Billing data

Organisation billing is processed via Stripe in the same way as individual billing (see section 6). The organisation's billing contact details (email address, company name, address for invoicing) are held by Just Hold Ltd for the purpose of providing the Teams service and by Stripe for the purpose of processing payments.

17. Contact Us

If you have questions about this Privacy Policy or how we handle your data:

Email: privacy@justhold.app

Post: Just Hold Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom

For UK data protection complaints, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk or by phone at 0303 123 1113.