Privacy Policy

Last updated: 13 April 2026. Effective under UK GDPR and the Data (Use and Access) Act 2025.

1. Who we are

Tactical Fitness Unit (“TFU”, “we”, “us”) operates the training platform at tacticalfitnessunit.com. We are the data controller for personal data collected through this platform. Contact: privacy@tacticalfitnessunit.com

2. Data we collect

Account data: Email address, handle (pseudonym), birth year. We do not collect your full name or date of birth.

Assessment data: Physical performance test results (push-ups, pull-ups, run time, etc.), self-reported body composition estimates, training background.

Session data: Workout logs including exercise names, sets, reps, load, duration, and notes.

Subscription data: Payment processing is handled by Stripe. We store your Stripe Customer ID, subscription status, and plan type. We do not store card details.

Technical data: IP address (for security and fraud prevention only), server logs. No tracking pixels, no behavioural analytics.

3. Why we collect it

Contract performance: Providing the assessment, programme, and logging features you signed up for.

Legitimate interest: Security, fraud prevention, service improvement.

Legal obligation: Compliance with financial regulations (via Stripe), age verification under DUAA 2025.

We do not use your data for advertising, profiling, or sale to third parties.

4. Age restriction

TFU is restricted to users aged 18 and over. We verify age at registration using birth year. If we become aware that a user is under 18, we will delete their account and all associated data immediately. If you believe a minor has registered, contact privacy@tacticalfitnessunit.com.

5. Data sharing

Supabase (Supabase Inc., US): Database and authentication hosting. Data processed under Standard Contractual Clauses.

Stripe (Stripe Inc., US): Payment processing. Subject to Stripe’s own privacy policy.

Resend (Resend Inc., US): Transactional email. Minimal data (email address, handle).

Vercel (Vercel Inc., US): Application hosting. No personal data stored at the CDN layer.

No data is sold or shared with marketing partners.

6. The leaderboard

The public leaderboard displays handles (pseudonyms), tier, and aggregate scores only. No real names or contact information are ever displayed publicly. You control your handle at registration.

7. Retention

Your data is retained for as long as your account is active. On account deletion, all personal data is removed within 30 days. Stripe payment records are retained as required by financial regulations (7 years). Anonymised aggregate statistics may be retained indefinitely.

8. Your rights

Under UK GDPR and DUAA 2025, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — delete your account and all data (available in-app)
  • Portability — receive your data in a portable format
  • Object — object to processing based on legitimate interest

To exercise any right, contact: privacy@tacticalfitnessunit.com

You may also lodge a complaint with the ICO: ico.org.uk

9. Security

All data is encrypted in transit (TLS) and at rest. We use Row Level Security (RLS) on all database tables — users can only access their own data. Service role keys are never exposed to client-side code. We conduct periodic security reviews.

10. Cookies

We use a single session cookie for authentication, set by Supabase Auth. No tracking cookies, no advertising cookies, no third-party analytics scripts are present on this platform.

11. Changes

We will notify you by email if we make material changes to this policy. The “Last updated” date at the top of this page reflects the most recent revision.

Tactical Fitness Unit — privacy@tacticalfitnessunit.com — tacticalfitnessunit.com/privacy