Setoria — Privacy Policy
1. Who we are
Setoria is operated by Ryan Kealey, trading as Setoria, a sole trader based in Northern Ireland, United Kingdom. References to "Setoria," "we," "us," or "our" mean Ryan Kealey trading as Setoria. References to "you" mean the individual using the Setoria service.
Setoria is a web-based software product (Software-as-a-Service) that analyses workout history imported by users from third-party fitness tracking applications (such as Strong and Hevy) and from manual text or photo entries. Setoria is offered globally, including to users in the United Kingdom, the European Economic Area, the United States (including California), and other jurisdictions.
For any privacy question, request, or complaint, contact us at hello@setoria.io.
2. Scope of this Policy
This Policy covers personal data we process through:
- The Setoria marketing website at https://setoria.io
- The Setoria web application at https://app.setoria.io
- Email and payment interactions associated with your subscription
It does not cover third-party services you choose to use alongside Setoria (for example, the fitness tracker you exported your workout data from). Those services are governed by their own privacy policies.
3. Information we collect
3.1 Information you give us directly
- Account information — your email address, used to create your account and sign you in via magic link.
- Workout data you import — sets, reps, weights, exercise names, session dates, notes, and any other content contained in CSV exports from Strong, Hevy, or similar trackers; in text pastes; or in photos of paper or screen-based workout logs. Imported data may include personal identifiers if you choose to include them in notes (we do not require this).
- Manual entries — workouts you log directly within Setoria.
- Communications — the content of emails and messages you send us.
3.2 Information generated automatically
- Derived analysis — outputs generated from your imported data, including identity scores, training-pattern classifications, progression analysis, and coaching frames.
- Authentication and session data — secure tokens issued by our authentication provider so you stay signed in.
- Technical and log data — IP address, browser type and version, device and operating system, referring page, and timestamps. This is logged by our hosting and security infrastructure for service delivery and abuse prevention.
3.3 Payment information
When you subscribe, payment is processed by Stripe. Stripe collects your payment card details, billing address, and tax-relevant information directly. We do not see, store, or have access to your full card number. We receive limited subscription metadata from Stripe (status, plan tier, renewal date, last four digits, country) so we can grant the correct level of access.
4. How we use your information
We use your personal data to:
- Provide and operate the Setoria service, including running analysis on the workout data you import.
- Authenticate you and keep your session secure.
- Process subscription payments and manage your billing through Stripe.
- Send service-related emails (magic link sign-in, account changes, billing receipts, important service updates).
- Respond to support, privacy, and other requests you send us.
- Monitor service health, debug errors, and protect against fraud, abuse, and security threats.
- Comply with legal obligations.
We do not use your personal data for advertising, profiling for marketing, or sale to third parties.
5. Legal bases for processing (UK/EU users)
If you are in the United Kingdom or the European Economic Area, we rely on the following lawful bases under the UK GDPR and EU GDPR:
- Contract — to deliver the service you have subscribed to (account creation, analysis, billing, transactional email).
- Legitimate interests — to keep the service secure, prevent abuse, debug issues, and improve product quality. We balance these interests against your rights and freedoms.
- Legal obligation — where we must process data to comply with applicable law (for example, tax record-keeping).
- Consent — where required for any optional processing. You can withdraw consent at any time.
6. How we share your information
We do not sell your personal data. We share it only with the following categories of recipients, each acting as a processor on our behalf under a written agreement:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | EU (eu-west-2 / London) |
| Stripe | Payment processing and subscription billing | US / EU |
| Resend | Transactional and authentication email delivery | US / EU |
| Netlify | Web application hosting and content delivery | Global edge network including US and EU |
Replicate is used for image generation in our marketing pipeline only. No user personal data is sent to Replicate.
We may also disclose personal data:
- To comply with a lawful request (court order, regulator, law enforcement).
- To enforce our Terms of Service or protect our rights, your safety, or the safety of others.
- In connection with a merger, acquisition, or sale of business assets, in which case we will notify affected users in advance.
7. International data transfers
Setoria is operated from the United Kingdom. Some of our sub-processors store or process data in the United States and other regions outside the UK and EEA. Where we transfer personal data outside the UK or EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses (2021), or, where applicable, the UK and EU adequacy decisions for the United States (e.g., the EU-US Data Privacy Framework). Our sub-processors maintain appropriate transfer mechanisms; specific details are available on request via hello@setoria.io.
8. How long we keep your information
- Account and workout data — for as long as your account is active. If you cancel, we retain your data for 30 days to allow account reactivation, then delete it on a rolling basis. You can request immediate deletion at any time (see Section 10).
- Billing records — retained for a minimum of six years to comply with UK tax and accounting requirements, even after account closure.
- Authentication and security logs — retained for up to 12 months for fraud prevention and incident response.
- Support emails — retained for up to 24 months unless you ask us to delete them sooner.
9. Your rights — UK and EEA users (UK GDPR / GDPR)
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention requirements.
- Restriction — ask us to pause processing in specific circumstances.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on our legitimate interests.
- Withdraw consent — at any time, where consent is the basis of processing.
To exercise any of these rights, email hello@setoria.io. We respond within one month, extendable by up to two further months for complex or numerous requests, in which case we will inform you of the extension and the reasons for it within the first month. There is no fee for a reasonable request.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk, or with your local supervisory authority in the EEA.
10. Your rights — California users (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the following rights:
- Right to know — what categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties we share with.
- Right to delete — request deletion of personal information we have collected from you, subject to lawful exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — Setoria does not sell your personal information and does not share it for cross-context behavioural advertising. There is no opt-out to exercise because no such activity occurs.
- Right to limit use of sensitive personal information — Setoria does not use sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
To exercise any California right, email hello@setoria.io with "California Privacy Request" in the subject line. We will verify your identity using the email address associated with your account and respond within 45 days, with a possible 45-day extension where reasonably necessary.
In the preceding 12 months, the categories of personal information we have collected are: identifiers (email, IP address), commercial information (subscription history), internet activity (technical/log data), and user-provided content (workout data and notes). We have not sold or shared personal information for cross-context behavioural advertising in the preceding 12 months and have no plans to do so.
11. Children
Setoria is not directed at, marketed to, or intended for use by children under the age of 16. We do not knowingly collect personal data from anyone under 16. New users are required to confirm they are at least 16 years old before creating an account. If you believe a child under 16 has created an account or provided personal data to us, contact hello@setoria.io and we will delete the account and associated data promptly.
12. Cookies and similar technologies
Setoria uses only strictly necessary cookies required to operate the service — primarily an authentication session cookie issued when you sign in. We do not use analytics, advertising, or cross-site tracking cookies at this time. If this changes, we will update this Policy and our Cookie Policy and obtain consent where required.
For full details, see our Cookie Policy at https://setoria.io/cookies.
13. Security
We protect your personal data using industry-standard measures, including encryption in transit (TLS), encryption at rest provided by our database and storage providers, role-based access controls, and database-level row security so that one user cannot access another user's data. No system is perfectly secure; if we become aware of a personal data breach affecting your rights, we will notify you and the relevant supervisory authority within the timeframes required by law.
14. Automated decision-making
The analysis Setoria currently produces (training identity, progression scoring, coaching frames) is generated automatically from the data you import. These outputs are informational and do not, in our assessment, produce legal or similarly significant effects on you within the meaning of UK GDPR Article 22. If we introduce features that may change this assessment in future, we will update this Policy and provide you with the right to request human review of automated decisions where applicable.
15. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date above. Continued use of Setoria after a change means you accept the updated Policy.
16. How to contact us
For privacy questions, data requests, or complaints:
Email: hello@setoria.io
Mail: Ryan Kealey, trading as Setoria, Northern Ireland, United Kingdom (specific address available on request for verified data subject requests)