Privacy Policy
Last updated: 6 April 2026
TwoRep ("we", "us", "our") operates the TwoRep mobile application ("App"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under applicable law including the UK and EU General Data Protection Regulation (UK GDPR / GDPR).
By using TwoRep you agree to this policy. If you do not agree, please do not use the App.
1. Who We Are
TwoRep is the data controller for personal data collected through the App.
Contact: support@tworep.com
2. Data We Collect
2.1 Account & Identity Data
- Email address — used to create and manage your account via AWS Cognito.
- Display name — the name shown to other users on your profile.
- Date of birth (optional) — used to calculate age and apply appropriate age verification.
- Gender (optional) — used for same-gender matching preferences.
2.2 Fitness & Health Data
- Workout logs — exercises, sets, reps, weight, and RPE recorded during sessions.
- Personal records (PRs) — squat, bench press, and deadlift maxima entered during onboarding.
- Training preferences — goals, experience level, preferred training days, and training style.
- Height and weight (optional) — entered during onboarding for fitness context.
2.3 Location Data
- Approximate location — used to show nearby training partners and gyms on the in-app map. We use coarse location (city/district level) for matching purposes. We do not continuously track your location.
- Linked gym IDs (optional) — if you associate yourself with a specific gym.
2.4 Device & Technical Data
- Push notification token (Expo push token) — used to deliver in-app notifications to your device.
- Device type and operating system — collected automatically when you use the App.
2.5 Communications Data
- Chat messages — messages sent between you and your training partners are stored in our database. These are not read by TwoRep staff except where required for safety investigations or legal compliance.
2.6 Usage Data
- App interactions — how you use the App (e.g. screens visited, features used) may be collected for analytics purposes to improve the App.
3. Legal Basis for Processing
| Data Category | Legal Basis |
|---|---|
| Account & identity data | Contract — necessary to provide the service |
| Fitness & health data | Consent — you choose to enter this data; it is used solely to improve your experience |
| Location data | Legitimate interests — to enable location-based partner matching, subject to your in-app privacy settings |
| Push notification token | Consent — you grant permission via your device OS settings |
| Chat messages | Contract — necessary to deliver the messaging service |
| Usage data | Legitimate interests — to improve the App and user experience |
4. How We Use Your Data
We use your data to:
- Create and manage your account
- Enable you to find and connect with compatible training partners
- Deliver workout logging and programme management features
- Send push notifications for messages, connection requests, and training reminders (where permitted)
- Provide location-based features such as the partner discovery map
- Improve the App through analytics
- Respond to support requests
- Comply with legal obligations
We do not sell your personal data to third parties. We do not use your health or fitness data for advertising purposes.
5. How We Store Your Data
Your data is stored on AWS (Amazon Web Services) infrastructure located in the eu-west-1 (Ireland) region. We use:
- AWS DynamoDB — primary database for user profiles, workout logs, and chat messages
- AWS Cognito — identity and authentication management
- AWS API Gateway and Lambda — to process requests
AWS maintains ISO 27001 certification and SOC 2 compliance. Data is encrypted at rest and in transit.
6. Data Sharing
We share data with the following categories of recipients:
| Recipient | Purpose |
|---|---|
| AWS | Cloud infrastructure and hosting |
| Expo (by Expo Inc.) | Push notification delivery |
We will also disclose data where required to do so by law, court order, or regulatory authority.
7. Data Retention
- Active account data is retained while your account is active.
- If you delete your account, your personal data (display name, email, and profile data) is anonymised immediately and permanently deleted from all systems within 30 days of your deletion request.
- Chat messages are deleted within 30 days of account deletion.
- Anonymised aggregate data (e.g. usage statistics with no personally identifying information) may be retained indefinitely for product improvement.
8. Your Rights
Under UK GDPR and EU GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access (Article 15) | Request a copy of the personal data we hold about you |
| Rectification (Article 16) | Request correction of inaccurate personal data |
| Erasure (Article 17) | Request deletion of your personal data ("right to be forgotten"). You can also delete your account directly from the App at any time. |
| Restriction (Article 18) | Request we restrict processing of your data in certain circumstances |
| Portability (Article 20) | Request your data in a portable format |
| Object (Article 21) | Object to processing based on legitimate interests |
| Withdraw consent | Where processing is based on consent, you can withdraw it at any time |
To exercise any of these rights, contact us at support@tworep.com. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk. In the EU, contact your local Data Protection Authority.
9. Children's Privacy
TwoRep is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at support@tworep.com and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via a push notification or in-app notice. Continued use of the App after changes take effect constitutes acceptance of the updated policy.
11. Contact
Email: support@tworep.com
For data protection enquiries, please use the subject line "Privacy Request" so we can route your message correctly.