Privacy Policy
Version v1.0.0 — effective 17 May 2026.
PYBOX — PRIVACY POLICY
Jurisdiction: Australia (Western Australia)
1. WHO THIS POLICY IS FROM
1.1 This Privacy Policy describes how Joshua J Iszatt trading as Pybox
(ABN 71 441 409 935) ("Pybox", "we", "us", "our") collects, holds,
uses, and discloses personal information. It is
written to comply with the Privacy Act 1988 (Cth) and the 13
Australian Privacy Principles ("APPs") in Schedule 1 of that Act.
1.2 This policy is published openly at https://pybox.io/legal/privacy in
accordance with APP 1.3 and is referenced in our Terms of Service
(https://pybox.io/legal/terms).
1.3 In this policy, "personal information" has the meaning given in
section 6 of the Privacy Act 1988 (Cth), and "sensitive information"
includes "health information" as defined in that Act.
2. WHAT INFORMATION WE COLLECT
2.1 Information you give us directly:
Account information:
- Username, email address, password (stored as a `bcrypt` hash —
we never see your plaintext password).
- Optional: title, first name, surname, nickname, profile picture.
Subscription and payment information:
- Stripe customer reference, subscription identifier, subscription
status, current period end date, manual access grant expiry where
applicable. Full payment card details are stored by Stripe — not
by us.
Training and fitness content ("health information" — sensitive):
- Workout journal entries and notes.
- Personal training programs (your weekly schedule and the sessions
you've planned).
- Calendar entries — sessions you've scheduled, tracked, missed, or
cancelled.
- Fitness testing records (run times, rep counts, etc.).
- Saved session structures and timer presets.
Gym membership information:
- Gyms you belong to, your role within each (member / coach / owner),
whether your membership is primary, and the gym programs you've
imported into your personal calendar.
Issues and feedback:
- Bug reports, feature requests, and any feedback you submit.
2.2 Information we collect automatically:
- Session activity — login times, last-active timestamps,
authenticated session records (IP address, user agent, device
label, session created-at, last-active timestamp).
- Audit log entries for security-significant events: login, session
tracking, account changes, subscription changes, policy
acceptance, admin actions affecting your account.
- Consent records — username, the version of each policy you've
accepted, the date and time of acceptance, the IP address you
accepted from, and the user agent.
2.3 We do not currently use analytics tracking, advertising trackers,
or third-party cookies. If we add any of these in the future, this
policy will be updated and re-consent will be required.
3. HOW WE COLLECT INFORMATION
3.1 Almost all information is collected directly from you when you
create an account, configure your profile, save a session, log a
training day, or interact with the gym features.
3.2 We collect technical information (IP address, user agent, request
timestamps) automatically when you make requests to the platform.
3.3 We may collect information about you indirectly from a gym you've
joined — for example, the gym owner adding you as a coach or
inviting you to join.
3.4 We do not collect personal information from third-party sources
about people who have not interacted with our Service.
4. ANONYMITY AND PSEUDONYMITY (APP 2)
4.1 You may use a pseudonym as your username. However, certain
functions of the Service — including payment, gym memberships
tied to a real-world organisation, and any future identity-
verification features — require us to associate you with
identifiable information (typically your email address and Stripe
customer record).
4.2 Where it is lawful and practicable, you may interact with us
anonymously about general queries. For account-specific issues we
need to confirm your identity before acting.
5. PURPOSES OF COLLECTION (PRIMARY AND SECONDARY)
5.1 We collect, hold, use and disclose personal information for the
following primary purposes:
(a) to provide, operate, secure and improve the Service;
(b) to authenticate you and manage your active sessions;
(c) to process payments and manage subscriptions;
(d) to deliver the gym and coaching features (where you choose
to participate in those features);
(e) to send you transactional emails directly related to your
account (verification, payment failures, subscription
changes, password resets, dormant-account warnings);
(f) to comply with our legal obligations, including the Notifiable
Data Breaches scheme;
(g) to maintain immutable records of policy consent as required
by clause 14 of our Terms of Service.
5.2 Secondary purposes — we will only use personal information for a
secondary purpose where:
(a) you would reasonably expect us to use it for that purpose and
the secondary purpose is directly related to the primary; or
(b) you have given separate consent; or
(c) another lawful exception under APP 6 applies.
5.3 Sensitive information (including health information) is collected
only with your express consent, given through the consent flow at
signup or when you first use a feature that collects it. Sensitive
information is used only for the primary purpose for which it was
collected, except where you give us further explicit consent.
5.4 We do not use your personal information for direct marketing
beyond transactional emails. If we introduce optional marketing
communications in the future, we will collect a separate opt-in
consent before sending any marketing message (APP 7).
6. WHO WE DISCLOSE INFORMATION TO
6.1 Subprocessors. We share the minimum personal information needed
with the following service providers, each bound by a data
processing agreement:
+------------------+--------------------------------+------------+
| Provider | Purpose | Location |
+------------------+--------------------------------+------------+
| Amazon Web | Hosting, storage, backups | Sydney, |
| Services (AWS) | (data plane is Sydney; console | Australia |
| | / billing surfaces are US- | (data), |
| | based metadata) | US (meta) |
+------------------+--------------------------------+------------+
| Stripe Payments | Payment processing, subscription| United |
| Australia Pty | billing, fraud screening | States, |
| Ltd / Stripe Inc.| | Ireland |
+------------------+--------------------------------+------------+
| Cloudflare | DNS, TLS termination, edge | Global |
| | caching, DDoS protection | |
+------------------+--------------------------------+------------+
| Email provider | Transactional email delivery | [TBD — |
| [TBD] | (signed reset links, payment | Postmark |
| | failure notices, etc.) | likely US] |
+------------------+--------------------------------+------------+
6.2 Gym sharing. If you join a gym, the gym's owner and coaches can
see your username, your role, and any content you create under
that gym's account (gym programs you build, gym-saved sessions).
They cannot see your personal journal entries, personal calendar
sessions sourced from your own programs, personal fitness testing
records, or content from any other gym.
6.3 Legal obligations. We will disclose personal information if
required by law, by a court order, or by a regulator with
jurisdiction. We will not voluntarily disclose your information
to law enforcement except where the disclosure is required by law
or is necessary to protect against an imminent risk of harm.
6.4 Business transfer. If we sell or restructure the business, we
may transfer personal information to the buyer or new entity,
subject to the buyer agreeing to honour this policy. We will
notify you in advance if this occurs.
7. CROSS-BORDER DISCLOSURE (APP 8)
7.1 Our user data plane is hosted in AWS ap-southeast-2 (Sydney), so
your operational data remains onshore in Australia.
7.2 However, some service providers in clause 6.1 process metadata
outside Australia — notably Stripe (US and Ireland), Cloudflare
(global), and our email provider (likely US).
7.3 By using the Service you consent to those disclosures. Where APP 8
applies, we take reasonable steps to ensure the overseas recipient
does not breach the APPs, including by accepting their standard
data processing agreements.
8. SECURITY OF YOUR INFORMATION (APP 11)
8.1 We take the following reasonable technical steps to protect your
personal information:
(a) TLS 1.2+ on all network traffic;
(b) AES-256 encryption at rest for hosted storage;
(c) passwords stored only as one-way `bcrypt` hashes;
(d) multi-factor authentication required on infrastructure
accounts;
(e) principle of least privilege for staff access;
(f) rate limiting and bot protection on authentication endpoints;
(g) CloudTrail audit logging retained for at least 12 months;
(h) daily encrypted backups with a 14-day rolling retention.
8.2 Organisational measures include access reviews, dependency
vulnerability scanning, and an internal data breach response
plan.
8.3 No system is perfectly secure. You must also do your part by
choosing a strong password, not reusing it across services, and
notifying us promptly if you suspect unauthorised access.
9. DATA BREACH NOTIFICATION
9.1 We comply with the Notifiable Data Breaches scheme (Part IIIC of
the Privacy Act 1988 (Cth)).
9.2 If we become aware of an event that may constitute an "eligible
data breach", we will assess the event within 30 days. If we
conclude that the breach is likely to result in serious harm,
we will notify the Office of the Australian Information
Commissioner ("OAIC") and the affected individuals as soon as
practicable after the assessment.
9.3 Our notification will include — to the extent we are able to
identify them at the time — what happened, what information was
involved, what we are doing about it, and what you can do to
reduce the risk to yourself.
10. RETENTION
10.1 We retain personal information only for as long as we need it for
the purposes set out in clause 5, or as long as we are required to
by law.
10.2 Indicative retention periods:
+--------------------------------+-----------------------------------+
| Category | Retention period |
+--------------------------------+-----------------------------------+
| Active account data | While the account is active |
+--------------------------------+-----------------------------------+
| Account on 60-day inactivity | Held indefinitely until you log |
| soft-suspension | back in to reactivate |
+--------------------------------+-----------------------------------+
| Account in 12-month dormancy | Notification sent; if no response |
| | within 30 days, account deleted |
+--------------------------------+-----------------------------------+
| User-initiated account deletion| Processed within 30 days |
+--------------------------------+-----------------------------------+
| Backups containing your data | 14-day rolling retention; deleted |
| | versions persist until backups |
| | naturally age out |
+--------------------------------+-----------------------------------+
| Consent records | Retained as legally required |
| | evidence. After 12 months, the IP |
| | address and user agent in each |
| | record are de-identified; only the|
| | username and policy version |
| | accepted are kept thereafter |
+--------------------------------+-----------------------------------+
| Activity log entries | 12 months |
+--------------------------------+-----------------------------------+
| Soft-deleted user rows | Retained for the username unique |
| | constraint and audit trail; not |
| | usable for any purpose |
+--------------------------------+-----------------------------------+
10.3 When we no longer need personal information for any of the
purposes in clause 5, we destroy or de-identify it in accordance
with APP 11.2.
11. ACCESS AND CORRECTION (APP 12 AND 13)
11.1 You can view and correct most of your personal information at any
time through your Account page on the Service. This includes
name, email, password, training content, journal entries, and
gym memberships.
11.2 If you cannot access or correct information through the platform
itself, contact us at the address in clause 14. We will respond
to a request within 30 days. We do not charge for access or
correction requests, in accordance with APP 12 and 13.
11.3 If we refuse access or correction, we will tell you why in writing
and how you can complain (see clause 12).
11.4 You can request export of all your personal information through
the Account page (or by contacting us). We provide exports in a
structured, common-use format within 30 days.
11.5 You can request hard deletion of your account and personal
information at any time through the Account page. Hard deletion
is processed within 30 days, subject to the retention exceptions
in clauses 6.3, 10.2 (backups) and 10.2 (consent records).
12. COMPLAINTS
12.1 If you believe we have breached the APPs or this policy, please
contact us first at the address in clause 14. We will acknowledge
your complaint within 7 days and respond substantively within 30
days.
12.2 If you are not satisfied with our response, you can complain to
the Office of the Australian Information Commissioner:
Website: https://www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5288, Sydney NSW 2001
13. CHILDREN
13.1 The Service is intended for users aged 16 and over (with a
parent's or guardian's consent for those aged 16 or 17).
13.2 We do not knowingly collect personal information from children
under 16. If we become aware that we have done so, we will delete
that information.
13.3 We will reassess this section before 10 December 2026 in light of
the Children's Online Privacy Code coming into force on that date.
14. CONTACT US
14.1 The contact point for privacy queries is:
Joshua J Iszatt trading as Pybox
ABN 71 441 409 935
60 Wittenoom Street, East Perth WA 6004, Australia
Privacy contact: [email protected]
General contact: [email protected]
15. POLICY VERSIONING
15.1 Each version of this policy is identified by a version number and
an effective date. Historical versions remain available at
/legal/privacy/<version>.
15.2 If we materially change the policy, we will require you to re-
accept the new version on your next login. Until you accept, your
access to the Service is limited to the acceptance flow itself.
15.3 We maintain an immutable audit record of each acceptance — your
username, the policy version, the date and time of acceptance, and
your IP address at the time. These records are retained according
to clause 10.2.
--------------------------------------------------------------------------------
DOCUMENT HISTORY
| Version | Date | Author | Change |
|---------|-------------|-----------|-----------------|
| v1.0.0 | 17 May 2026 | Pybox | Initial version |
This is the current published version. Earlier versions remain available at
/legal/privacy/<version> for the audit trail.