Effective date: 1 March 2025 · Last updated: March 2026
This Data Security Policy describes how Rebirth of Fitness protects the personal information entrusted to us by our users. We are committed to maintaining robust technical and organisational measures to keep your data safe, and to responding promptly and transparently in the event of a security incident.
1. Our Security Commitment
Protecting your personal information is a core responsibility of Rebirth of Fitness. We recognise that our users share sensitive health, fitness, and location data with us – data that deserves the highest level of care. No system is entirely immune to risk, but we implement industry-standard security practices and continuously review our controls.
2. Technical Security Measures
All data transmitted between the Rebirth of Fitness app, website, and our servers is encrypted using TLS (Transport Layer Security). This prevents interception of data during transmission.
Personal data stored on our servers is protected using encryption at rest. Sensitive fields – including health data and Women's Hub information – receive additional protection.
All API endpoints require authenticated sessions. We use token-based authentication to ensure that only authorised users and systems can access account data.
We do not store payment card details at any point. All payment processing is handled exclusively by RevenueCat, Apple App Store, and Google Play – each of which maintains its own PCI-DSS compliant payment security standards.
3. Organisational Security Measures
- Access to user data is restricted on a need-to-know basis – only authorised personnel who require access to perform their role may access personal information
- We do not retain data beyond what is necessary to deliver the service
- Internal procedures are reviewed periodically to ensure continued compliance with POPIA and applicable security standards
- We do not share data with third parties except as described in our Privacy Policy
4. Third-Party Infrastructure Security
We rely on the following third-party providers to operate the platform, each of whom maintains their own security programmes:
- Replit Inc. – cloud hosting and server infrastructure. Replit maintains physical and network security controls for the servers on which our backend operates.
- RevenueCat – subscription management and in-app purchase handling. RevenueCat is a trusted provider used by thousands of apps globally and operates under their own security and compliance framework.
- Apple App Store / Google Play – app distribution and payment processing. Both platforms operate under strict security and compliance requirements.
All third-party providers are contractually obligated to handle data securely and only for the purposes we specify. We do not sell or share personal data with providers beyond what is strictly necessary to operate the service.
5. Sensitive Data Handling
Certain categories of data receive heightened protection:
- Health & Fitness Data (body weight, training logs, fitness goals) – stored securely and never used for advertising or sold to third parties
- Women's Hub Data (cycle tracking, symptoms) – treated as sensitive health data with restricted internal access; never shared externally
- Location Data (GPS routes from run tracking) – stored only as needed to provide your activity history; not shared with advertisers or third parties
- Account Credentials – passwords are hashed and salted; we never store plain-text passwords
6. Data Breach Response
In the event of a security incident or data breach, our response procedure is:
- Detection & Containment – identify and isolate the breach as quickly as possible to prevent further exposure
- Assessment – determine what data was affected, how many users are impacted, and the likely risk to individuals
- User Notification – notify affected users as soon as reasonably practicable, providing clear information about what data was affected and what steps they should take
- Regulatory Notification – report the breach to the Information Regulator of South Africa within the timeframes required by POPIA where the breach poses a risk to users
- Remediation – address the root cause, patch vulnerabilities, and review processes to prevent recurrence
- Post-Incident Review – conduct a thorough review and update security measures as needed
7. Vulnerability Disclosure
If you discover a security vulnerability in the Rebirth of Fitness app or website, we ask that you report it to us responsibly before making it public. We are committed to investigating all credible reports promptly.
Email: rebirthoffitnessapp@gmail.com
Subject line: Security Vulnerability Report
Please describe the issue in detail. We will acknowledge your report within 5 business days and keep you informed of our progress. We will not take legal action against good-faith researchers who follow responsible disclosure practices.
8. Your Role in Security
Security is a shared responsibility. To protect your account:
- Use a strong, unique password for your account
- Do not share your account credentials with anyone
- Keep your device software and the Rebirth of Fitness app updated
- Log out of your account if using a shared device
- Contact us immediately at rebirthoffitnessapp@gmail.com if you suspect unauthorised access to your account
9. Changes to This Policy
We may update this Data Security Policy from time to time as our practices evolve. Changes will be reflected in the "Last updated" date above. For material changes, we will notify you through the app.
10. Contact Us
Email: rebirthoffitnessapp@gmail.com
Website: rebirthapp.co.za
South Africa