Health Data Processing

Effective date: April 2026

1. What is health data?

Prokol collects and processes health information as defined under the Privacy Act 1988 (Cth), including:

  • Body weight, body composition measurements, and physical measurements
  • Food and nutrition logs, including calorie and macronutrient data
  • Exercise and training data, including workout logs and performance metrics
  • Menstrual cycle data, including period dates, symptoms, basal body temperature (BBT), cervical mucus, and cycle predictions
  • Sleep quality, heart rate variability (HRV), resting heart rate, and energy levels
  • Check-in responses relating to physical and emotional wellbeing
  • Supplement usage and protocol information assigned by coaches
  • Progress photographs

2. Legal basis for processing

We process health data on the following grounds:

  • Consent: You explicitly consent to health data collection when you create an account and use the Service. You may withdraw consent at any time by deleting your account.
  • Contract: Processing is necessary to deliver the coaching and health tracking services you have subscribed to.
  • Legitimate interests: Aggregated, de-identified data may be used to improve platform features and performance.

3. How health data is used

Your health data is used to:

  • Display your progress, trends, and insights within the platform
  • Allow your coach to review your data and provide personalised coaching
  • Generate cycle predictions, phase estimations, and personalised insights
  • Send contextual push notifications (e.g. cycle tracking reminders)
  • Calculate nutritional targets, TDEE estimates, and training recommendations

Your health data is never sold to third parties, used for advertising, or shared with any party other than your assigned coach and the infrastructure providers listed below.

4. Who can access your health data

4.1 Your assigned coach

If you are a coached client, your assigned coach has access to all health data you log within the platform, including cycle data, food logs, weight, check-in responses, progress photos, and workout data. This access is the core purpose of the coaching relationship. You consent to this access when accepting an invitation from your coach.

4.2 Cycle tracking data

Menstrual cycle data is treated as sensitive health information. Coaches with nutritionist-level access can view cycle logs within the client file to inform nutrition and training programming. Cycle predictions are statistical estimates based on your logged data and are not clinically validated — see our Terms of Service for the full cycle tracking disclaimer.

4.3 Infrastructure providers

We use the following sub-processors who may process health data as part of delivering the Service:

  • Supabase — database and authentication (data stored in AWS Sydney region)
  • Vercel — application hosting and edge functions
  • Stripe — payment processing (does not receive health data)
  • Resend — transactional email delivery

Each provider is bound by data processing agreements and operates under its own privacy policy.

5. Data storage and security

  • All health data is stored in encrypted databases within the AWS Sydney region
  • Row-level security (RLS) ensures you can only access your own data
  • Progress photos are stored in private, access-controlled cloud storage with signed URLs that expire after 1 hour
  • All data in transit is encrypted via TLS 1.2 or higher
  • Access to production data is restricted to authorised personnel only

6. Data retention and deletion

Your health data is retained for as long as your account is active. When you delete your account, all personal health data — including food logs, cycle data, check-ins, progress photos, workout records, and coach notes — is permanently deleted within 30 days, except where retention is required by law.

Account deletion can be initiated from Settings → Delete Account within the app.

7. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access the health data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Withdraw consent and deactivate your account
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

To exercise any of these rights, contact us at info@prokol.io. We will respond within 30 days.

8. Changes to this document

We may update this Health Data Processing statement from time to time. Material changes will be communicated via email or in-app notification. Continued use of the Service after notification constitutes acceptance of the updated terms.

9. Contact

For questions about how we handle your health data, contact our Privacy Officer:

Prokol Health

ABN 33 972 014 877

Email: info@prokol.io