Last updated: 27 April 2026
Privacy Policy
1. Who We Are
CUE PT LTD ("we", "us", "our") is the data controller for personal data collected through the CUE PT platform at cue-pt.com. We are registered in England and Wales under company number 17114959, with registered office at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ.
We are registered with the Information Commissioner's Office (ICO) under registration reference ZC126141.
Contact us about privacy matters at [email protected]
2. What Data We Collect
2.1 Account Data
- Name and email address (required to create an account)
- Profile photo (optional, uploaded by you)
- Phone number (optional)
- Google account details if you sign in with Google (name, email, profile photo)
2.2 PT Profile Data
- Professional bio, headline, and specialties
- Qualifications and certifications (uploaded documents)
- Insurance certificate (uploaded document)
- Years of experience
- Service areas and location data (postcodes, coordinates)
- Availability schedule and pricing
- Stripe Connect account ID (for payment processing)
2.3 Client Profile Data
- Postcode (for finding nearby PTs)
- Fitness goals and preferences (optional)
- Stripe customer ID (for payment processing)
- Saved payment method token (stored by Stripe, not us)
2.4 Booking and Session Data
- Session dates, times, and duration
- Location information (gym name, address)
- Session type
- Notes you add to a booking (visible to your trainer)
- Private notes and goals your trainer may write about your sessions (visible only to them — you can request a copy via our data export)
- Payment amounts and status
- Session start/end timestamps
- Cancellation reason (if applicable)
Please do not share medical conditions, diagnoses, or other health information through the platform. CUE PT is not a healthcare service and free-text fields are not intended for clinical or medical use.
2.5 Location Data
- PTs: GPS coordinates when you activate "Available Now" (used to show your location to nearby clients seeking instant sessions)
- Clients: browser location (if permitted) used to sort available PTs by distance. We do not store your precise location.
2.6 Content Reports
- When you report content or a user, we record the report reason, any detail you provide, and your account ID
- Both clients and PTs may submit reports — clients can report PT profiles, classes, and reviews; PTs can report client conduct
- Reports are accessible only to CUE PT Trust & Safety staff
- We retain open reports until resolved, and closed reports for up to 1 year for audit purposes
2.7 Technical Data
- IP address and browser/device information (for security and fraud prevention)
- Authentication session tokens
- Audit logs of key actions (booking, payment, cancellation)
- Failed and denied sign-in attempts, including the email address used and IP address — logged for security monitoring and deleted automatically after 90 days
3. Why We Collect It (Legal Basis)
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Creating and managing your account | Contract performance |
| Processing bookings and payments | Contract performance |
| Sending booking confirmations and receipts | Contract performance |
| Showing PT location to nearby clients | Contract performance (PT opt-in feature) |
| Fraud prevention and security | Legitimate interests |
| Improving the platform | Legitimate interests |
| Complying with legal obligations | Legal obligation |
| Marketing communications | Consent (you can unsubscribe at any time) |
4. Who We Share Data With
We do not sell your personal data. We share data only with the service providers necessary to operate the platform:
Stripe
Payment processing and PT payouts. Stripe handles all card data - CUE PT never stores raw card numbers. Stripe is certified to PCI DSS Level 1. Stripe Privacy Policy
Resend
Transactional email delivery (booking confirmations, receipts, notifications). Your email address is shared with Resend only to deliver emails from us to you.
If you sign in with Google, your name, email, and profile photo are shared with us by Google under their OAuth service. Google Privacy Policy
Vercel
Platform hosting and file storage (profile photos, documents). Vercel stores data in data centres in the EU/US. We use Vercel Blob for photo and document storage.
Firebase (Google)
Push notifications for the CUE PT mobile app. Firebase Cloud Messaging (FCM) processes device tokens to deliver booking alerts and session reminders to your device. Data is processed by Google in the US. Firebase Privacy
Neon
Database hosting. Your personal data is stored in our Neon-managed PostgreSQL database, hosted in the EU (Frankfurt region). Neon does not access your data except for infrastructure operations.
Cloudflare
DNS, DDoS protection, and web application firewall. Traffic to cue-pt.com is routed through Cloudflare's network for security and performance. Cloudflare may process IP addresses and request metadata as part of this service. Cloudflare Privacy Policy
We may also disclose personal data if required to do so by law, court order, or to protect the rights, property, or safety of CUE PT, its users, or others.
5. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion, or 2 years of inactivity |
| Booking and payment records | 7 years (UK tax/accounting requirements) |
| Session data | 2 years after session date |
| PT qualification documents | Duration of PT account + 1 year |
| Audit logs | 1 year |
| Failed / denied sign-in logs | 90 days (auto-purged) |
| PT location (Available Now) | Deleted when PT deactivates availability |
6. Your Rights (UK GDPR)
Under UK GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Ask us to correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data (subject to legal retention obligations such as financial records)
- Restriction: Ask us to limit how we use your data in certain circumstances
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
7. Cookies
CUE PT uses the following cookies:
| Cookie | Purpose | Type |
|---|---|---|
| next-auth.session-token | Keeps you signed in | Strictly necessary |
| next-auth.csrf-token | Security (prevents cross-site request forgery) | Strictly necessary |
We use only strictly necessary cookies. No analytics, advertising, or tracking cookies are set. No cookie consent banner is required under UK PECR.
We also use browser localStorage (not cookies) to remember UI preferences such as whether you have dismissed the beta banner or seen the onboarding modal. This data never leaves your device.
We use Vercel Analytics to measure aggregate page traffic. Vercel Analytics does not set any cookies, does not fingerprint visitors, and does not share data with third parties. No personal data is collected by this tool.
8. Data Security
We take reasonable technical and organisational measures to protect your personal data, including encrypted connections (HTTPS), hashed authentication tokens, and access controls limiting who can access personal data. However, no system is completely secure. Please notify us immediately at [email protected] if you believe your account has been compromised.
9. International Transfers
Some of our service providers process data outside the UK. This includes Stripe, Vercel, Resend, Google (Firebase), and Cloudflare, all of which are based in or operate infrastructure in the United States. Where personal data is transferred internationally, we put appropriate safeguards in place. For most of our processors, this means Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum (IDTA). Where a formal data processing agreement is not yet available from a provider, we rely on their contractual terms of service, which include data processing commitments, and we keep this under review. Neon processes data in the EU (Frankfurt), which benefits from UK adequacy decisions for EEA transfers.
10. Children
CUE PT is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice on the platform. The "last updated" date at the top of this page reflects the most recent revision.
12. Contact Us
For any privacy-related questions or to exercise your rights, contact us at:
See also: Terms of Service