Privacy Policy
Effective: 26 March 2026 · Last updated: 26 March 2026
P247 ("we", "us", "our") operates the P247 mobile application and the website at p247.io (together, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding that data.
P247 is operated by Commit-IT (ABN 60 137 471 615), based in New South Wales, Australia. We serve users internationally and comply with applicable data protection laws including the Australian Privacy Act 1988, the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).
1. Data We Collect
1.1 Account Data
When you create an account, we collect:
- Email address
- Name (optional)
- Password (stored as a salted hash, never in plain text)
- Timezone and locale preferences
1.2 Health and Fitness Data
With your explicit consent, we collect health and fitness data from:
- Apple HealthKit: heart rate variability, resting heart rate, sleep stages, steps, active energy, workouts, body measurements, respiratory rate, blood oxygen saturation, body composition (weight, body fat percentage, lean body mass)
- Connected wearables (Garmin, Whoop, Strava, Oura): activity data, recovery scores, training load, sleep data, and device-specific metrics
- Manual entries: body composition scans (InBody, DEXA), daily check-ins (subjective feel, soreness, sleep quality, nutrition), and notes
Important: Health data is sensitive personal data. We only collect it after you grant explicit permission through the HealthKit consent screen or by connecting a third-party account via OAuth. You can revoke access at any time through your device settings or the P247 app.
1.3 Usage Data
We automatically collect:
- Device type, operating system, and app version
- Interaction data (screens viewed, features used, timestamps)
- Crash reports and performance diagnostics
- IP address (used for security and approximate geolocation at the country level only)
1.4 Website Analytics
Our website uses Google Analytics 4 (GA4) to understand traffic and usage patterns. GA4 collects anonymised usage data including page views, session duration, and referral sources. See our Cookie Policy for details.
2. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide the Service (daily briefs, trend analysis, coaching) | Health data, account data, manual entries | Explicit consent (Art. 9(2)(a)) |
| Generate personalised recommendations via AI | Health data, training history, check-ins | Explicit consent |
| Send notifications (daily brief, alerts) | Device token, account data | Consent / legitimate interest |
| Improve the Service | Aggregated and anonymised usage data | Legitimate interest |
| Respond to support requests | Account data, communications | Legitimate interest / contract |
| Prevent fraud and ensure security | IP address, device data, access logs | Legitimate interest |
3. AI Processing
P247 uses artificial intelligence to analyse your health data and generate daily performance briefs, coaching messages, and trend insights. Your data is processed by:
- Our analysis engine: statistical and machine learning models that detect patterns in your data. These run on our infrastructure.
- Third-party AI providers: we use Anthropic (Claude) for natural language interpretation of health patterns and coaching. When your data is sent to these providers, it is transmitted securely (TLS), used only to generate your response, and not used to train their models.
We do not sell your data to AI companies. We do not use your health data to train general-purpose AI models.
4. Data Sharing
We do not sell your personal data. We share data only in these circumstances:
- Service providers: hosting (cloud infrastructure), AI processing (Anthropic), analytics (Google), email delivery. All are bound by data processing agreements.
- Connected platforms: when you connect Strava, Garmin, Whoop, or Oura, we exchange data with those platforms using their APIs under their own privacy policies. We only read data from these platforms; we do not write your P247 data back to them.
- Legal requirements: if required by law, court order, or to protect the safety of our users.
- Business transfer: in the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before this happens.
5. Data Storage and Security
- Data is stored on secured servers with encryption at rest and in transit (TLS 1.2+)
- Database access is restricted to authenticated application services only
- API authentication uses per-user keys; passwords are salted and hashed
- We conduct regular security reviews of our infrastructure
- Data is primarily stored in Australia. Where data is processed outside your jurisdiction (e.g., AI processing in the United States), we ensure appropriate safeguards are in place (Standard Contractual Clauses for EU data transfers)
6. Data Retention
- Active accounts: your data is retained for as long as your account is active
- Deleted accounts: upon account deletion, all personal data is permanently removed within 30 days. Anonymised, aggregated data may be retained for service improvement.
- Backups: data may persist in encrypted backups for up to 90 days after deletion
7. Your Rights
All Users
- Access: request a copy of all data we hold about you
- Correction: update or correct inaccurate data
- Deletion: delete your account and all associated data
- Withdraw consent: revoke HealthKit or wearable access at any time
- Data portability: export your data in a machine-readable format
EU/UK Residents (GDPR)
In addition to the above, you have the right to:
- Restrict processing of your data
- Object to processing based on legitimate interest
- Lodge a complaint with your local Data Protection Authority
- Not be subject to decisions based solely on automated processing (you can request human review of any AI-generated recommendation)
California Residents (CCPA)
You have the right to:
- Know what personal information we collect and why
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Not be discriminated against for exercising your privacy rights
Australian Residents
Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to access and correct your personal information. You may also complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.
8. Apple HealthKit Compliance
P247 complies with Apple's HealthKit guidelines:
- We do not use HealthKit data for advertising or marketing
- We do not sell HealthKit data to third parties
- We do not share HealthKit data with third parties for their own purposes
- HealthKit data is used solely to provide the core features of the Service (performance analysis, daily briefs, coaching, trend tracking)
- Users must explicitly grant permission for each HealthKit data type we access
9. Children's Privacy
P247 is not intended for users under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. International Data Transfers
P247 is based in Australia and serves users globally. Your data may be transferred to and processed in countries other than your own. When we transfer data internationally, we use:
- EU Standard Contractual Clauses (SCCs) for transfers from the EU/EEA
- UK International Data Transfer Agreement/Addendum for transfers from the UK
- Contractual protections with all third-party service providers
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or an in-app notification. The "Last updated" date at the top reflects the most recent revision.
12. Contact Us
For privacy inquiries, data access requests, or complaints:
- Email: privacy@p247.io
- Address: PO Box 6853, Norwest NSW 2153, Australia
We aim to respond to all privacy requests within 30 days (or sooner where required by law).