Legal
Last updated: 8 April 2026
PTBase is software for independent personal trainers and the clients they train. This policy explains what personal data we collect, why we collect it, how we use it, who gets to see it, and how to make us delete it.
PTBase is operated by Webclouds, registered in the Netherlands. For anything in this policy you can contact us at privacy@ptbase.app.
Account data. Your name, email, and whatever profile information you add (bio, photo, public slug). Authentication is handled by Clerk; we don't store passwords.
Client data (trainers only). If you're a trainer, the clients you invite have their own accounts with us but you can see their goals, injuries, notes, sessions, programs, progress, phone number, and messages.
Session & program data. Bookings, schedules, workouts, progress entries, nutrition plans.
Payment data. Handled by Mollie. We only see the transaction ID and the amount, never card numbers or bank details.
Technical data. Server logs (IP, browser, time of request) for debugging and security. Kept for 30 days.
We use your data to:
We do not sell, rent, or share your data with advertisers. We don't run ads. We don't profile you for marketing purposes.
Your trainer. If you're a client, your trainer sees everything on your profile, by design. PTBase isn't a diary; it's a training tool your trainer uses to coach you.
Other trainers. Never. Trainers can only see their own clients. There's no shared pool, no discovery, no leaderboard across accounts.
Other clients. Never. Clients can only see their own account, their own trainer, and the content their trainer sent them.
PTBase staff. Only when strictly necessary (abuse investigation, legal compliance, critical bug fixing) and only on request.
Encryption in transit. Every request to PTBase goes over TLS (HTTPS). No plaintext, anywhere.
Encryption at rest. The database is encrypted by Supabase. Backups are encrypted.
Field-level encryption. Client phone numbers are encrypted at the application layer with AES-256-GCM. Even a raw database dump would not reveal them.
Access control. Every database query goes through a server-side check that matches the row's trainer or client to the authenticated session. Cross-tenant access is impossible through the API.
Audit logging. All mutations are logged with the authenticated user, timestamp, and entity id.
PTBase relies on a short list of trusted infrastructure providers. All of them are GDPR-compliant and under a Data Processing Agreement with us.
Under GDPR you have the right to access, correct, export, and delete your personal data. You can exercise most of these directly in the app:
If we can't resolve a request to your satisfaction, you have the right to complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
We keep your data for as long as your account is active. When you delete your account, your personal data is removed within 30 days. Backups are purged on a 90-day rotation.
Some data we keep longer for legal reasons; for example, invoice records must be kept for 7 years under Dutch tax law. These are stored in a separate, access-controlled archive.
PTBase data is stored in the European Union. Some of our sub-processors (Clerk, Vercel, Resend) may process data outside the EU; in those cases we use Standard Contractual Clauses approved by the European Commission.
Questions about this policy? Email us at privacy@ptbase.app. We read everything.