Effective date: 1 May 2026 · Last updated: May 2026
This Data Security Policy describes how Rebirth of Fitness protects the personal information entrusted to us, including sensitive health, location, and wearable data. We maintain a layered set of technical and organisational controls and respond promptly and transparently to any security incident.
1. Our Security Commitment
Protecting your personal information is a core responsibility of Rebirth of Fitness. We recognise that our users share sensitive data (workout history, GPS routes, heart-rate variability, sleep scores, cycle phase) that deserves the highest level of care. No system is entirely immune to risk, but we apply industry-standard practices, audit our controls, and react quickly to new threats.
2. Encryption
All traffic between the App, the website, our servers, and connected third parties (Strava, Garmin, WHOOP, OpenAI, RevenueCat) is encrypted using TLS 1.2 or higher. We do not accept unencrypted requests on production endpoints.
The PostgreSQL database that backs our service is encrypted at rest by our cloud infrastructure provider. Sensitive fields, including OAuth tokens for Strava, Garmin Connect and WHOOP, are additionally encrypted with AES-256-GCM using a key derived from a server-side secret that is never bundled with the App.
Passwords are hashed and salted using bcrypt; we never store, log, or transmit plain-text passwords. API access uses signed, expiring session tokens. Wearable OAuth refresh-token rotation is handled transparently by the server and never exposed to the App bundle.
We never see, store, or transmit payment-card details. All purchases are handled by Apple App Store, Google Play, and RevenueCat, each of which maintains its own PCI-DSS compliant payment infrastructure.
3. Application & Network Security
- Rate limiting on every authenticated and unauthenticated endpoint to prevent brute-force, scraping, and abuse
- CSRF protection on all state-changing requests originating from the website
- Input validation on every API payload and query parameter; user-supplied content is HTML-escaped before rendering in the admin dashboard
- Integrity / anti-cheat checks automatically flag impossible run paces, GPS jumps, duplicate sessions, abnormal session frequency, and points spikes for admin review
- Production code obfuscation: the production JavaScript bundle is minified and identifier-mangled so internal program logic and AI-coach orchestration are not readable from the App binary
- Sensitive scoring server-side: recommendation, scoring, and ranking algorithms run on the server, not in the App bundle
- Secrets in vault: third-party API keys and signing secrets are stored only in our secure environment-variable store, never in source control
4. Administrative & Organisational Controls
- Role-based access: admin staff are assigned the lowest role required for their work (Super Admin, League Admin, Content Admin, Support Admin)
- IP allowlisting for the admin dashboard in production
- Time-bounded sessions: admin sessions expire after 24 hours and require re-authentication
- Full audit logging: every administrative write action is recorded with the actor, timestamp, old value, new value, and reason
- Need-to-know access to user data: engineers and support staff access user records only when required to investigate a support ticket or integrity flag
- Quarterly review of access lists, secrets rotation, and dependency security advisories
5. Sensitive Data Handling
Certain categories of data receive heightened protection:
- Health & fitness data (training logs, body measurements, weekly check-ins): stored securely, never used for advertising, never sold
- Women's Hub cycle data (cycle phase, symptoms, pregnancy / postpartum flags): restricted access internally; never shared with any third party
- Wearable biometrics (HRV, sleep, body battery, training load): used only to compute readiness and to display in the App; never resold
- GPS run routes: used only for run history, replays, share cards (subject to your privacy toggles), and optional Strava push; never shared with advertisers
- AI coach conversations: sent only to OpenAI for reply generation under contractual no-training terms
- Account credentials: passwords hashed and salted; OAuth tokens AES-256-GCM encrypted
6. Third-Party Infrastructure Security
We rely on the following third-party providers to operate the platform; each maintains its own security programme and is contractually required to handle our users' data securely:
- Replit Inc.: cloud hosting, PostgreSQL database, runtime, and TLS termination
- RevenueCat: subscription and in-app purchase management; SOC-2 compliant
- Apple App Store / Google Play: app distribution and payment processing
- OpenAI: AI-coach reply generation; data sent via API is governed by OpenAI's enterprise data policy and is not used to train OpenAI models
- Strava, Garmin Connect, WHOOP, Apple HealthKit: wearable / activity sync only when you explicitly connect them
- Apple Push Notification Service / Firebase Cloud Messaging: delivery of opt-in push notifications
We do not share data with any other vendor and we do not sell personal data.
7. Data Breach Response
In the event of a security incident or data breach, our response procedure is:
- Detection & containment: identify and isolate the breach as quickly as possible to prevent further exposure
- Assessment: determine what data was affected, how many users are impacted, and the likely risk to individuals
- User notification: notify affected users in the App and by email as soon as reasonably practicable, with clear information about what data was affected and what steps to take
- Regulatory notification: report the breach to the Information Regulator of South Africa within the timeframes required by POPIA, and to relevant EU/UK supervisory authorities within 72 hours where required by GDPR
- Remediation: fix the root cause, patch vulnerabilities, rotate any compromised credentials, and review the controls that allowed the breach
- Post-incident review: conduct a thorough review and update security measures as needed
8. Vulnerability Disclosure
If you discover a security vulnerability in the Rebirth of Fitness App or website, we ask you to report it to us responsibly before disclosing it publicly. We are committed to investigating all credible reports promptly.
Email: support@rebirthapp.co.za
Subject line: Security Vulnerability Report
Please describe the issue in detail, with reproduction steps where possible. We will acknowledge your report within 5 business days and keep you informed of our progress. We will not take legal action against good-faith researchers who follow responsible disclosure practices.
9. Data Retention & Deletion
We retain personal data only for as long as your account is active. When you delete your account (Profile → Danger Zone → Delete account), we permanently erase your personal data within 30 days, except where we are required by law to retain certain records (for example, financial records relating to subscription payments). Backups are rotated on a 30-day cycle. Wearable connections are revoked at the third-party provider as part of account deletion.
10. Your Role in Security
Security is a shared responsibility. To protect your account, you should:
- Use a strong, unique password for your Rebirth of Fitness account
- Never share your account credentials with anyone
- Keep your device software, the App, and any connected wearable apps up to date
- Log out of your account if using a shared device
- Disconnect wearables you no longer use from the Profile screen
- Contact us immediately at support@rebirthapp.co.za if you suspect unauthorised access to your account
11. Changes to This Policy
We may update this Data Security Policy from time to time as our practices evolve. Changes will be reflected in the "Last updated" date above. For material changes, we will notify you in the App.
12. Contact Us
Email: support@rebirthapp.co.za
Website: rebirthapp.co.za
South Africa
36 Wroxham Rd, Paulshof, Sandton, 2191