Privacy Policy

Last updated: March 31, 2026

Meso ("we", "our", "us") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.

Data We Collect

We collect the following categories of personal data:

• Account information: name, email address, authentication credentials (hashed password or social login identifiers).
• Profile data: height, weight, date of birth, gender, activity level, training experience, and unit preferences.
• Training data: mesocycles, workout sessions, prescribed exercises, logged sets (weight, reps, RPE), volume landmarks, and weekly reviews.
• Nutrition data: food logs, nutrition plans, calorie and macro targets, food favorites.
• Body metrics: weight entries and body weight trends.
• Device information: device name, platform (iOS/Android), push notification tokens.
• Payment data: subscription status and platform identifiers (actual payment details are processed by Stripe, Apple, or Google and never stored on our servers).

How We Use Your Data

• Provide and personalize your training and nutrition programs based on mesocycle periodization.
• Track your progress and generate weekly reviews and recommendations.
• Send push notifications for workout reminders and check-ins (with your permission).
• Process subscription payments through third-party payment processors.
• Monitor application performance and fix bugs.
• Analyze anonymized usage patterns to improve the app experience.

Third-Party Services

We use the following third-party services that may process your data:

• Sentry — error tracking and performance monitoring. We scrub all personally identifiable information (PII) from events before they are sent, including email addresses, passwords, and authentication tokens.
• PostHog — product analytics. We use anonymized user IDs only. No PII (names, emails, or personal health data) is sent to PostHog events.
• Stripe — payment processing for web-based subscriptions. Stripe processes your payment details directly; we only store your subscription status and Stripe customer/subscription IDs. See Stripe's Privacy Policy.
• Apple App Store / Google Play — in-app purchase processing for mobile subscriptions. These platforms handle payment directly.

Data Retention

• Your data is retained for as long as your account is active.
• When you delete your account, your account is immediately soft-deleted (deactivated). After a 30-day grace period, all of your data is permanently and irreversibly deleted from our servers.
• During the 30-day grace period, you may contact us to restore your account.
• Anonymized, aggregated analytics data (which cannot identify you) may be retained indefinitely.

Your Rights

You have the following rights regarding your personal data:

• Access & Export: You can export all of your data at any time via the app (Settings > Export Data), which provides a complete JSON download of your profile, training, nutrition, and body metrics.
• Deletion: You can delete your account at any time via the app. All data is permanently removed after a 30-day grace period.
• Correction: You can update your profile and personal information at any time through the app.
• Portability: The data export feature provides your data in a standard, machine-readable JSON format.

California Consumer Privacy Act (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you. Use the in-app data export feature for a complete copy.
• Right to Delete: You may request deletion of your personal information. Use the in-app account deletion feature.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
• No Sale of Personal Information: We do not sell your personal information to third parties.

To exercise your CCPA rights, you can use the app's built-in export and deletion features, or contact us at privacy@originalsolutions.com.au.

Data Security

• All data is transmitted over HTTPS/TLS.
• Passwords are hashed using bcrypt and never stored in plain text.
• API authentication uses short-lived tokens (30-day expiry) via Laravel Sanctum.
• PII is scrubbed from error-tracking events before transmission.

Children's Privacy

Meso is not intended for children under the age of 16. We do not knowingly collect personal information from children.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes via the app or email.

Contact Us

If you have questions about this privacy policy, contact us at privacy@originalsolutions.com.au.