Privacy Policy
Last updated: 12 April 2026
1. Introduction
PROTR is operated by Out of Home Limited, a company registered in Hong Kong SAR ("we", "our", "us"). Out of Home Limited is the data controller responsible for your personal data under the Hong Kong Personal Data (Privacy) Ordinance (PDPO). We serve users globally and, where applicable, we also comply with the EU General Data Protection Regulation (GDPR) for users in the European Economic Area, the UK GDPR for users in the United Kingdom, and other applicable local data protection laws.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (collectively, the "Service"). Please read this policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.
If you have any questions, contact our data protection team at [email protected].
2. Information We Collect
We may collect the following types of information:
Account Information
- Name and email address (when you create an account)
- Profile information you choose to provide (display name, profile photo, sport preferences)
- Authentication data via Apple Sign-In, Google Sign-In, or email/password
Fitness & Health Data
- Workout logs (exercises, sets, reps, weights, duration, GPS data where applicable)
- Nutrition logs (meals, calories, macronutrients, water intake)
- Body measurements and progress photos (stored only when you choose to log them)
- Apple HealthKit data (only with your explicit permission; see Section 4)
- Google Health Connect data (only with your explicit permission on Android devices; see Section 4)
Marketplace & Creator Data
- If you are a creator: your creator profile information, content metadata, and payout details (processed via Stripe)
- Purchase records: transaction identifiers, listing purchased, price, and date of purchase
- Reviews and ratings you submit
Social & Coaching Data
- Social interactions (follows, reactions, social feed activity)
- Coach-athlete relationships and shared training data (when you connect with a coach)
- Chat messages between coaches and athletes
Shop & Product Data
- Your country (detected from device locale) to determine product availability
- Products browsed or added to wishlist within the PROTR Shop
- If you make a purchase through a third-party vendor link, the vendor's own privacy policy applies to that transaction
Camera
- Camera access is used solely to scan QR codes when linking your account to the PROTR web dashboard. No images or video are stored or transmitted.
Usage & Engagement Data
- App usage analytics (features used, session duration, screen views)
- Engagement metrics (workout frequency, consistency patterns, app interaction data)
- Crash reports and performance data
- Device information (device model, operating system version)
3. Lawful Basis for Processing
We process your personal data on the following lawful bases (as applicable under the PDPO, GDPR, and other local laws):
- Contract performance: Processing your account data, workout logs, nutrition data, and purchase records is necessary to provide you with the Service.
- Consent: We process health and fitness data from Apple HealthKit or Google Health Connect only with your explicit permission. You can withdraw this consent at any time in your device settings. Where we deliver personalised brand experiences or sponsored content (see Section 9), we do so only with your opt-in consent, which you can withdraw at any time in Settings.
- Legitimate interest: We process usage analytics, engagement metrics, and crash reports to improve the Service, maintain its quality, and ensure its security. We have assessed that this processing does not override your rights and freedoms.
- Legal obligation: We may process and retain certain data (such as payment records) to comply with legal and regulatory requirements, including financial record-keeping obligations.
4. HealthKit & Health Connect Data
If you grant PROTR access to Apple HealthKit (iOS) or Google Health Connect (Android), we will only read the data categories you explicitly authorise. This data is used solely to display your health and fitness information within the app and to enhance your training experience. We do not store HealthKit or Health Connect data on our servers, sell it to third parties, or use it for advertising purposes. This is in full compliance with Apple's HealthKit guidelines and Google's Health Connect policies.
5. How We Use Your Information
- To provide, maintain, and improve the Service
- To personalise your experience (e.g., workout suggestions, nutrition targets)
- To sync your data across devices
- To process marketplace purchases and creator payouts
- To facilitate coach-athlete relationships (coaches can view shared workout and nutrition data when you connect with them)
- To categorise users into engagement segments for the purpose of delivering relevant notifications and improving the Service (processed under our legitimate interest; segment data is not shared with third parties in identifiable form)
- To send you important updates about the Service (you can opt out of marketing communications)
- To monitor and analyse usage trends and improve performance
- To detect, prevent, and address technical issues
6. Automated Decision-Making
The Service uses artificial intelligence to provide nutrition insights, training recommendations, and coaching suggestions. These automated features are designed to assist you and are not used to make decisions that have legal or similarly significant effects on you. You are always free to disregard any AI-generated suggestion and make your own decisions about your training and nutrition.
7. Data Storage & Security
Your data is stored securely using Google Firebase (Firestore and Firebase Authentication). Firebase services are hosted on Google Cloud Platform infrastructure with industry-standard encryption in transit (TLS) and at rest. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.
8. Third-Party Services
We use the following third-party services to operate the Service:
- Firebase Authentication: secure account sign-in
- Cloud Firestore: cloud data storage and sync
- Firebase Crashlytics: crash reporting and diagnostics
- Firebase Analytics: anonymous usage analytics (may set cookies on the website)
- Apple Sign-In: authentication on iOS devices
- Google Sign-In: authentication across platforms
- Apple StoreKit: in-app purchases on iOS
- Google Play Billing: in-app purchases on Android
- Stripe: web purchases and creator payouts (Stripe may collect payment information directly; see Stripe's privacy policy)
- Cloudflare: web hosting, content delivery, image and video storage (R2), and serverless API functions (Workers)
- Third-party shop vendors: if you browse or purchase physical products through the PROTR Shop, we may share limited data (such as your country) with third-party vendors or affiliate partners to fulfil orders and display relevant products. We do not share your health or fitness data with shop vendors.
These services have their own privacy policies. We encourage you to review them.
9. Data Sharing and Brand Partnerships
We do not sell or rent your personal information to third parties.
We may share your data only in the following circumstances:
- With your explicit consent (e.g., sharing workout data with a coach you connect with)
- With marketplace creators: when you purchase content, limited purchase data (transaction ID, date) is shared with the relevant creator to facilitate the service and enable payouts
- With Stripe: limited data is shared with Stripe to process payments and creator payouts
- To comply with legal obligations or respond to lawful requests
- To protect the rights, safety, or property of PROTR, our users, or the public
Brand Partnerships and Sponsored Experiences
We may partner with brands to deliver sponsored experiences, promotions, or content within the platform. Where we do this, we act as the data controller and use anonymised or aggregated audience segments based on in-app behaviour (such as sport type or activity patterns) to determine which users see a given experience. We do not transfer personally identifiable information to brand partners. If you have opted in to personalised offers in Settings, we may use your profile data to tailor brand experiences to you. You can withdraw this consent at any time in Settings under Privacy.
10. International Data Transfers
Out of Home Limited is registered in Hong Kong SAR and operates as a global platform. Your data is stored and processed using infrastructure provided by our third-party service providers, whose servers are primarily located in the United States (Google Firebase, Stripe, and Cloudflare). These transfers occur in the ordinary course of providing the Service.
Our service providers maintain appropriate safeguards for international data transfers. For users in the European Economic Area or United Kingdom, transfers from those providers' infrastructure rely on Standard Contractual Clauses approved by the European Commission and, where applicable, the UK International Data Transfer Agreement/Addendum. These are obligations applied at the provider level. Where a destination country benefits from an adequacy decision under applicable law, we rely on that decision as the transfer mechanism.
For users in Hong Kong, cross-border transfers of your data to our service providers are made on the basis that those providers maintain security and contractual standards consistent with the requirements of the PDPO.
11. Your Rights
Depending on your location and applicable law, you may have the right to:
- Access your personal data
- Correct inaccurate or incomplete data
- Delete your account and all associated data
- Export your data in a portable format (data portability)
- Restrict the processing of your data in certain circumstances
- Object to processing based on legitimate interest
- Withdraw consent for data processing at any time (where consent is the lawful basis)
Many of these rights can be exercised directly within the app: you can edit your profile, export your data, and delete your account under Settings. To submit a formal data request, restrict processing, or object to our use of your data, contact us at [email protected]. We will respond within 30 days.
If you are in Hong Kong, you may lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) at pcpd.org.hk. If you are in the EU/EEA, you may lodge a complaint with your local data protection supervisory authority. If you are in the United Kingdom, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.
12. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with the Service. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes (such as financial transaction records, which may be retained for up to 7 years in accordance with applicable law).
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant data protection authority and affected users in accordance with applicable law. Where required (for example under GDPR), we will make this notification within 72 hours of becoming aware of the breach.
14. Cookies and Tracking
The PROTR website may use cookies and similar tracking technologies. Firebase Analytics may set cookies to collect anonymous usage data. We do not use cookies for advertising purposes. You can control cookie preferences through your browser settings.
15. Children's Privacy
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy within the app or on our website. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
17. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us at: