← Back to Mavlo
Privacy Policy
Effective 14 July 2026
This privacy policy applies to the Mavlo application and website (mavlo.io), operated by Mavlo Ltd, a company registered in England and Wales and based in Newcastle upon Tyne, United Kingdom ("Mavlo", "we", "us", "our"). For the purposes of UK data protection law, Mavlo Ltd is the data controller.
Mavlo is a fitness accountability service. Members create weekly fitness commitments with an attached amount that is charged only if a week is incomplete, and Mavlo verifies completion through fitness data sources the member chooses to connect.
1. Information we collect
When you use Mavlo, we collect:
- Account information: name, email address, date of birth (collected at sign-up, including via Apple or Google Sign-In), an optional profile photo, and any phone number or postal address you choose to add for account and payment setup
- Commitment information: the commitments you create, your weekly targets, pledge amounts, results, streaks, and dispute history
- Gym attendance data: the dates and times of gym visits retrieved from your gym provider's member portal, used to verify whether you attended. Depending on the provider, verification may use your member-login session on device or a protected credential/session record so Mavlo can retrieve attendance you authorised. Only attendance records and verification status are used for commitments; credentials, cookies, and tokens are not used for gym access and are not logged.
- Public gym research tester data: no Mavlo account is required. When you run a test, we receive the gym provider and site you selected, the requested attendance window, and the attendance result. Planet Fitness and Crunch sign-in remains on the provider's website. For a JD Gyms test, Mavlo receives the email address and password you enter, sends them once to the selected JD Gyms member service to request that attendance window, and discards the credentials and provider session when the request finishes. We do not store or log those credentials. We process visit rows only long enough to validate the provider format and reduce them to a sanitised attempt state, row count, and attendance date range; raw rows are not stored or logged. For abuse prevention we retain a daily one-way digest derived from the request IP address; ordinary access and security logs follow the server-log retention period below. Research-tester evidence is separate from Mavlo accounts and is never used to verify a commitment or trigger a charge.
- Connected fitness and health data: when you choose these sources, we process only the categories needed for the commitment you create. From Strava this can include activity type, distance, duration, date, activity identifier, and — where an activity has one — its route map, which is precise location (GPS) data. From Apple Health this is step-count data, reduced on your device to a weekly total plus the covered commitment window and latest sample time. From Oura this can include sleep duration and timing, heart-rate variability (HRV), resting heart rate, average blood-oxygen saturation (SpO₂), and Oura's VO₂ max estimate. We do not use Apple Health or Oura data for advertising, marketing, profiling, or data sales.
- Payment information: your payment card is collected and stored by Stripe, our payment processor. We store only a Stripe customer reference and payment method reference — never your full card number.
- Subscription information: Apple In-App Purchase product and transaction identifiers, and subscription start and end dates
- Device and technical information: device type, operating system, IP address, push notification tokens, and server logs
2. Why we collect it and our legal basis
- To run your commitments — verifying your gym attendance or activity data against your weekly target, and charging missed-commitment fees you have agreed to. Legal basis: performance of a contract.
- To manage your account and subscription — sign-in, billing, receipts, notifications about your commitments, and customer support. Legal basis: performance of a contract.
- To keep the service safe and improve it — debugging, fraud and abuse prevention, and understanding how features are used. Legal basis: legitimate interests.
- To run the public gym research tester — testing provider compatibility using the result you choose to submit, including making the one-off JD Gyms attendance request you authorise, and retaining only its sanitised summary. Legal basis: consent. The IP-derived abuse-prevention digest and ordinary security logging are based on our legitimate interests.
- Product improvement and anonymised behavioural research — historical gym attendance data is used, with your consent, to improve the product and for anonymised research into behaviour and consistency. Anonymised data cannot be linked back to you. Legal basis: consent, which you can withdraw at any time.
- To meet legal obligations — keeping tax and financial transaction records. Legal basis: legal obligation.
3. Third parties we work with
We share data with the following processors and service providers, solely for the purposes described:
- Stripe — stores your payment card and processes missed-commitment fee charges. Stripe's own privacy policy applies to data it collects as a processor.
- Apple — processes subscription purchases through In-App Purchase, and provides Sign in with Apple and push notifications.
- Google — if you choose Sign in with Google, Google verifies your identity and returns your name and email to create or access your account. Google's own privacy policy applies to data it processes.
- Strava — when you connect Strava, we receive activity data via the Strava API to verify your commitments, including activity metadata and, where an activity has one, its route map (precise location/GPS data). We use Strava data only for verification, we do not share it with third parties, and we do not use it to train artificial intelligence or machine learning models. Disconnecting Strava (in Mavlo or at strava.com/settings/apps) stops all access, and we delete your Strava data on request or account deletion.
- Apple Health — when you explicitly grant access, the Mavlo app reads step counts from HealthKit on your device and uploads the weekly total, covered commitment window, and latest sample time. Apple Health access is read-only, can be changed in the Health app at any time, and is not used for advertising or shared with data brokers.
- Oura — when you connect your Oura account, Oura provides the sleep or recovery measurements needed for the commitment you choose, which may include sleep duration and timing, HRV, resting heart rate, average SpO₂, and an Oura VO₂ max estimate. Disconnecting Oura stops future access. Oura data is used only for account setup, verification, progress, review, and support for your commitments.
- Gym providers — supported gym integrations (such as PureGym, The Gym Group, OneGym, and Anytime Fitness UK) are accessed only after you authorise Mavlo to use your own member login or session to retrieve attendance history. This is attendance-only: Mavlo does not generate access credentials, does not act as a gym pass, and protects provider credentials, cookies, and tokens used for verification.
- Hetzner — our hosting provider. Mavlo's servers and database are located in Hetzner data centres in the European Union (Germany).
- Sentry — processes minimised application error diagnostics in its European Union region so we can identify crashes and service failures. It receives only bounded technical details such as the error class, stack location, runtime version, and request method/path; request bodies, query values, cookies, authorisation headers, and provider credentials are excluded.
The public gym research tester uses the selected gym provider's member service under that provider's terms. Planet Fitness and Crunch sign-in takes place on the provider's own website. For JD Gyms, Mavlo forwards the credentials once to the selected JD Gyms member service solely to retrieve the requested attendance history, then destroys the request-local credentials and session. A provider appearing in the tester does not mean that Mavlo is partnered with or endorsed by that provider.
We do not sell your personal data to anyone. Connected fitness and health data is never sold, never used for advertising, and never shared for third-party marketing. It is used only to connect the source you chose, establish a baseline where requested, verify and display your commitment progress, resolve a review or support request, and operate the service securely.
4. Where your data is stored
Your data is stored on servers in the European Union (Germany). Transfers between the UK and the EU are covered by the UK's adequacy regulations for the EEA. Stripe and Apple may process data in other countries under their own safeguards.
5. How long we keep your data
- Account data: kept while your account is active. After account deletion, personal data is deleted within 30 days.
- Financial records: records of subscription transactions and missed-commitment fee charges may be retained for up to 7 years to meet UK tax and accounting obligations.
- Attendance, activity, Apple Health aggregate, and Oura records: retained for up to 24 months, including a window for resolving disputes about charges. Disconnecting a source stops future collection; account deletion removes personal data within the account-deletion period, subject to the financial-record exception above.
- Server access and security logs: retained for up to 14 days. Application logs are rotated more frequently and are never retained beyond that period.
- Public gym research tester data: attempt metadata and its daily IP-derived abuse-prevention digest are deleted within 30 days. JD Gyms credentials and the resulting provider session are processed only in memory for the one request and are never retained or logged; raw visit rows are also processed transiently and are not retained or logged. Ordinary access and security logs follow the server-log period above.
- Anonymised research data: once anonymised, data is no longer personal data and may be retained indefinitely.
6. Your rights (UK GDPR)
Under UK data protection law you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (subject to the legal retention periods above)
- Receive a copy of your data in a portable format
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent (such as research use of attendance data)
To exercise any of these rights, email hello@mavlo.io. If you used the public gym research tester without an account, include the attempt reference shown by the tester so we can locate the relevant metadata. We will respond within one month. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk).
7. Deleting your account
You can delete your account at any time in the Mavlo app (Settings → Delete Account), or by emailing hello@mavlo.io from your registered email address. Deletion ends your access immediately, disconnects all integrations, and removes your personal data within 30 days, except records we must keep for legal reasons (see Section 5).
8. Age requirement
Mavlo is only for people aged 18 or over, because the service involves financial transactions. We do not knowingly collect data from anyone under 18. If we learn that an account belongs to someone under 18, we will close it and delete its data.
9. Cookies
The Mavlo website uses only essential cookies. These include session cookies needed to keep members signed in and, for the public gym research tester, a short-lived HttpOnly cookie containing a random capability used to start and read the browser's current attempt and enforce per-browser limits. Mavlo stores only a one-way digest of that capability, which is deleted with the attempt metadata. We do not use advertising, analytics, tracking, or third-party cookies.
10. Security
All connections use HTTPS. Integration tokens and any provider credential or session secrets retained for supported verification are protected at rest and never logged. The public JD Gyms tester does not retain its password or provider session at rest. Payment card data is handled entirely by Stripe and never touches our servers. Access to personal data is restricted. No system is 100% secure, but if a breach affects your data we will notify you and the ICO as required by law.
11. Changes to this policy
We may update this policy from time to time. Changes will be posted on this page with an updated effective date, and we will notify you of material changes in the app or by email.
12. Contact
Data controller: Mavlo Ltd, a company registered in England and Wales, Newcastle upon Tyne, United Kingdom.
Questions or data requests: hello@mavlo.io