privacy policy.
last updated · 21 april 2026
1. who we are (the responsible party).
unlocked fitness studio is the responsible party under popia. stellenbosch, western cape, south africa. our information officer is kirsten beukes — reach her at privacy@unlockedonline.co.za.
2. what we collect and why.
here's the full list, no surprises:
| what | why we need it |
|---|---|
| full name | so your coach can greet you properly and personalise coaching |
| email address | account login, password resets, receipts, important service notices |
| whatsapp number | so your coach can reach you + access to our community whatsapp group |
| password | to protect your account — stored as a bcrypt hash, we cannot see it |
| payment info | card details are collected and stored by payfast (our processor), never by us. we only receive a payment token and subscription status. |
| chat messages, form-check videos, workout logs | to deliver coaching and let you track progress |
| usage data (workouts viewed, time spent, device, ip address) | to fix bugs, improve the service, prevent abuse |
we do not collect health data like heart rate, weight, biometrics — unless you choose to log it yourself in your account.
3. who we share it with.
we use a small number of trusted service providers to run unlocked online. each one only sees the data they need:
| service | what they see | where |
|---|---|---|
| payfast (payments) | your name, email, card | south africa |
| supabase (database + auth) | account info, workout logs, chats | eu data centres |
| vercel (website hosting) | ip address, browser info | global cdn |
| cloudflare stream (video) | video viewing activity | global cdn |
| whatsapp / meta (community group) | your name + whatsapp number if you join the group | meta platforms |
we never sell your information to advertisers, data brokers, or anyone else.
we may disclose your data if legally required — for example, a court order or a regulator request. if this happens, we'll tell you unless we're legally prevented from doing so.
4. cross-border data transfers.
some of our providers (supabase, vercel, cloudflare, meta) store data outside south africa. popia allows this as long as the receiving country has adequate protection or binding contractual safeguards. all our providers offer gdpr-level protection, which is at least equal to popia.
5. how long we keep it.
- while you're a member: we keep your data for as long as you have an account
- after you cancel: we keep your account for 12 months in case you come back. after that we delete or anonymise it.
- payment records: we're legally required to keep invoice and transaction records for 5 years (tax law)
- deletion request: if you ask us to delete your data now, we do it within 30 days — except the payment records we're legally required to keep
6. your rights under popia.
you have the right to:
- know what we have on you — request a copy of your data
- correct anything that's wrong or outdated
- delete your account and personal data (with the exceptions noted above)
- object to us processing your data — this will usually end the service
- unsubscribe from marketing emails any time
- complain to the information regulator if you think we've messed up — inforegulator.org.za
to use any of these rights, email privacy@unlockedonline.co.za. we'll respond within 30 days.
7. how we protect your data.
- all traffic to the site uses https (encrypted)
- passwords are hashed with bcrypt — we cannot see them in plain text
- card details never touch our servers — they're handled by payfast
- we use supabase's row-level security to limit who in our team can see what
- only coaches and admins can read chat messages sent to them
if we ever have a data breach, we'll tell you and the information regulator within 72 hours, as popia requires.
8. cookies.
we use a small number of cookies to make the service work:
- session cookies — to keep you logged in
- preference cookies — to remember your settings (e.g. dark mode)
we don't use advertising cookies or third-party tracking pixels. if we add basic analytics (e.g. plausible, umami) later, we'll update this page.
9. children.
unlocked online is for adults aged 18+. we don't knowingly collect data from anyone under 18. if you think a child has created an account, email us and we'll delete it.
10. changes to this policy.
if we change how we handle your data, we'll email you and update the "last updated" date at the top of this page. we'll only do this for material changes — small wording clarifications we'll just quietly update.
11. contact us.
information officer: kirsten beukes
email: privacy@unlockedonline.co.za
general contact: hello@unlockedonline.co.za
address: stellenbosch, western cape, south africa