How Built Twice handles personal information.

Who we are

Built Twice provides software for coaching workflows, athlete planning, check-ins, training review, community features, and supported data integrations.

For data protection purposes, Built Twice is responsible for deciding how personal information is used in the service. Coaches, clubs, or organizations using Built Twice may also have their own responsibilities for the information they add about athletes and workspace users.

Information we collect and create

Built Twice may collect account details such as name, email address, profile image, role, workspace membership, invite status, and sign-in information.

The service may also process coach and athlete profile information, accessibility or adaptation notes, training plans, session notes, readiness and wellness check-ins, comments, attachments, community posts, messages, preferences, support requests, and technical information needed to operate the service.

Some information may relate to health, wellbeing, disability, adaptation needs, or performance. This can be sensitive personal data under UK GDPR and EU GDPR, so it should only be added where it is relevant to coaching, athlete support, safety, or the athlete's use of the service.

When athletes connect supported integrations such as Strava or Polar, Built Twice may receive activity, workout, wearable, recovery, heart-rate, distance, duration, sport, training-load, provider account, and connection-status data made available by the athlete's provider permissions.

Authentication and account providers

Built Twice uses Supabase Auth to provide account creation, email and password sign-in, password reset, session management, and authentication security. Authentication records may include email address, provider identifiers, session tokens, confirmation status, timestamps, and related security metadata.

Built Twice also offers Google sign-in. If a user chooses Google sign-in, Google may share basic account information needed to authenticate the user, such as name, email address, profile image, and a Google account identifier. Built Twice uses this information to create or access the user's Built Twice account and does not sell Google user data.

Google and Supabase process information under their own terms and privacy notices. Users should review those notices where they use those providers.

How we use information

• To provide coach, athlete, admin, community, and public-facing account features.
• To create, display, and manage athlete profiles, plans, check-ins, attachments, training history, reports, and invitations.
• To authenticate users, maintain sessions, prevent unauthorized access, and protect the service.
• To sync, normalize, and display connected training-provider data where an athlete has enabled an integration.
• To support communication between authorized coaches, athletes, community members, and workspace users.
• To provide AI-assisted coaching summaries or suggestions where the feature is enabled.
• To investigate errors, monitor reliability, improve product quality, and respond to support requests.
• To send service, security, account, or legally required communications.

Legal bases for processing

Where UK GDPR or EU GDPR applies, Built Twice relies on different legal bases depending on the context. These may include performing a contract with the user or workspace, taking steps requested before entering a contract, legitimate interests in operating and improving a secure coaching platform, complying with legal obligations, and consent where required.

For sensitive information such as health, wellbeing, disability, or adaptation-related data, processing may rely on explicit consent, information made available for coaching support by the user or their organization, or another lawful condition available under applicable data protection law. Users should not add sensitive information unless they have an appropriate reason and permission to do so.

Sharing and access

Built Twice is designed around coach, athlete, admin, community, and workspace roles. Information may be visible to the coach, athlete, authorized workspace users, community moderators, or support users involved in the relevant training relationship or workspace.

Built Twice may share information with service providers that help operate the platform, including authentication, database, hosting, storage, email, analytics, support, security, and AI infrastructure providers. These providers should only process information for Built Twice's instructions and service operation.

We may disclose information if required by law, to protect users or the service, to enforce terms, or in connection with a business transfer such as a merger, acquisition, or restructuring.

We do not sell personal information.

Connected providers

If an athlete connects Strava, Polar, or another supported service, that connection is controlled by the athlete and the relevant provider permissions.

Built Twice stores connection status and may store encrypted provider tokens so the app can sync permitted activity data. Disconnecting a provider stops future syncs where the integration supports it, but previously synced records may remain in Built Twice until removed according to account settings, support processes, or legal retention requirements.

Third-party providers may continue to hold their own copies of data under their privacy policies. Disconnecting inside Built Twice may not delete information held directly by those providers.

AI-assisted features

Built Twice may include AI-assisted features to help coaches review check-ins, training context, athlete notes, and related coaching information. These features are intended to support human review, not replace professional judgment, medical advice, or safeguarding responsibilities.

When an AI-assisted feature is used, Built Twice is designed to minimize the information sent for processing and to replace direct athlete identifiers, such as names and internal IDs, with neutral labels where practical. This helps keep coaching context useful while reducing the amount of directly identifiable data processed by AI providers.

Relevant prompts, user-provided content, and generated outputs may still be processed by Built Twice and its AI service providers to deliver the feature, secure the service, and troubleshoot errors. Protecting athlete privacy is important to Built Twice, and users should avoid entering unnecessary sensitive information into AI prompts.

Security and storage

Built Twice uses technical and organizational measures intended to protect personal information, including authenticated access controls, role-based permissions, encrypted provider tokens, and secured infrastructure.

No online service can guarantee absolute security. Users should keep their login details safe, use appropriate device security, and tell Built Twice promptly if they believe their account or workspace access has been compromised.

International transfers

Built Twice and its providers may process information in the United Kingdom, European Economic Area, United States, and other locations where our infrastructure or service providers operate.

Where personal information is transferred internationally, Built Twice aims to use appropriate safeguards required by applicable data protection law, such as contractual protections, data processing agreements, or provider transfer mechanisms.

Retention

Built Twice keeps personal information for as long as needed to provide the service, maintain account and workspace records, support coaching history, comply with legal obligations, resolve disputes, enforce agreements, and maintain security.

Retention periods may vary by record type. For example, training plans, check-ins, messages, community content, synced workouts, attachments, and audit or security logs may be kept for different periods depending on product requirements, workspace configuration, legal obligations, and deletion requests.

Your rights and choices

Depending on where a user is located, they may have rights to access, correct, delete, restrict, object to, or receive a copy of their personal information. They may also have the right to withdraw consent where processing is based on consent.

Coaches and athletes can request access, correction, export, or deletion of relevant account information by contacting Built Twice through the app or their usual support contact. Some requests may need to be handled with the coach, club, organization, or workspace owner responsible for the data.

Users can disconnect supported integrations through the app where available, or through the third-party provider's own account settings. Users can also manage Google account permissions through their Google account.

Children and safeguarding

Built Twice is not intended for unsupervised use by children. Where a coach, club, parent, guardian, school, or organization uses Built Twice with minors or vulnerable athletes, they are responsible for having the appropriate permissions, safeguarding procedures, and lawful basis for the information they add.

Contact and complaints

Questions or requests about privacy can be raised through the app or through your usual Built Twice support contact.

If UK GDPR applies and a concern is not resolved, users may have the right to complain to the UK Information Commissioner's Office. Users in the EEA may have the right to contact their local data protection authority.

Policy updates

We may update this policy as the product, integrations, providers, or legal requirements change. Material updates will be reflected on this page, and we may provide additional notice where appropriate.