and

Privacy Policy

Back In Shape Program Limited Effective from: 1 June 2026 Version: 2.0 (full rewrite — replaces all prior versions)

About this policy

Back In Shape Program Limited (“Back In Shape”, “we”, “us”, “our”) respects your privacy and takes the protection of your personal information seriously. This Privacy Policy explains what data we collect about you, why we collect it, how we use it, and what rights you have over it.

We’ve written this policy to be clear and direct rather than legalistic. If anything is unclear, please contact us at [email protected].

This policy applies to:

Our marketing website (backinshapeprogram.com)
Our members area (app.backinshapeprogram.com)
Our Spine Resilience Index (SRI) assessment
Email communications between you and us
Any other interaction you have with Back In Shape Program Limited

We are required to provide this information to you under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you are in the European Union or Switzerland, your data is protected by equivalent provisions of the EU GDPR or revFADP.

Who we are

Back In Shape Program Limited is a company registered in England and Wales. We are the “data controller” for the personal information we hold about you. This means we decide how and why your data is processed.

We are registered with the UK Information Commissioner’s Office (the ICO).

Contact us:

Email: [email protected]
Postal address: Units B2, Staverton Connection, Cheltenham GL51 0TF, United Kingdom

The person responsible for data protection within Back In Shape is Mike Fatica, the founder.

The data we collect

We collect different kinds of data depending on how you interact with us.

When you take our Spine Resilience Index (SRI) assessment

To generate your personalised SRI report, we collect:

Your name and email address
Your responses to the 10 assessment questions, which include information about:
- The location and nature of your back pain
- Any formal diagnoses you’ve received (such as herniated disc, sciatica, spinal stenosis)
- Previous surgeries or clinical injections
- Movement patterns and pain triggers
- Neurological symptoms (numbness, tingling, weakness)
- How much your pain affects your daily life
- Treatments you’ve tried previously
- Your goals and preferred support level
Technical information (timestamp, the page you came from, your browser type)

Some of this information is health-related, which the law treats with extra care. We handle this carefully and only with your explicit consent. See “Special category (health) data” below for the detail.

When you become a member

To create and run your account, we collect:

Your name and email address
Your payment details (handled and stored by Stripe, our payment processor — we never see or store your full card details)
Your subscription tier (Core or Premium)
The date you joined
A hashed version of your password (we cannot see your actual password)
Your unit preference (kilograms or pounds)

While you are a member

To deliver the programme and help you track progress, we collect:

Your workout sessions: dates, the phase you’re on, the equipment you use
Your individual sets: exercises, weights, reps, equipment variations
Whether you flagged any pain or aggravation during a workout
Notes you choose to add to your sessions
Your personal bests on the strength milestones
Your progress through the educational lessons
Your posts and contributions in the community (Premium members)
Your login dates (for the consistency tracker)

If you complete our deeper onboarding profile (the Spine Resilience Profile), we also collect:

Functional baseline measurements you provide
Your detailed pain history
Your goals for the programme
Demographic information (age, sex, height, weight)
Scores from validated clinical questionnaires, where we use them

If you complete periodic check-ins, we collect:

Your pain and function scores at defined intervals (typically week 1, week 6, week 12, month 6, month 12)
Any notes you add to the check-in

When you visit our website

Like most websites, we collect some information automatically when you visit:

Your IP address
Your device type, operating system, and browser
The pages you visit and how you got to them
Your interaction with our content

We use cookies and similar technologies for some of this. See “Cookies and tracking” below for details and how to control them.

When you contact us

If you contact us by email, social media, or any other channel, we keep a record of our communications so we can follow up properly.

Special category (health) data

Information about your physical health — your pain, your diagnoses, your symptoms, your rehabilitation progress — is considered “special category data” under data protection law. We treat it with particular care.

How we handle it:

We only collect health information that we genuinely need to help you with your back pain recovery
We process this information based on your explicit consent, which we ask for clearly at each stage
We restrict access to identifiable health information within our team to those who genuinely need it for service delivery
Before using any data for analytical purposes (understanding patterns across our members), we remove information that identifies individual members
We never include identifiable health information in any AI-assisted analytical tools we use

You can withdraw your consent at any time by contacting us. Withdrawal of your consent to process health information for service delivery effectively means you’re cancelling your membership, since we cannot deliver a personalised rehabilitation programme without it. We’ll explain the implications clearly if you contact us.

Why we use your data — the lawful bases

Under UK GDPR, we need a clear legal reason (“lawful basis”) for processing your data. Here’s how we map our different processing activities:

Performing our contract with you

When you become a member, we form a contract with you to deliver the programme. We process most of your data on the basis of performing this contract. This covers:

Setting up and running your account
Processing your payments (via Stripe)
Delivering the workout programme, educational content, and community access
Recording your workouts and progress so you can track them
Sending you service-related communications (workout reminders, password resets, account updates)
Retaining records of your subscription history

Your consent

We rely on your consent for:

The SRI assessment (pre-membership) — both your responses and the follow-up emails explaining your results
Processing your health-related information (separate, explicit consent given at relevant points)
Sending you marketing communications (newsletters, promotional content)
Using your anonymised progress data in research outputs and outcomes reporting (if you’ve opted in)
Setting non-essential cookies on your device

You can withdraw any consent at any time. We explain how below.

Our legitimate interests

We rely on legitimate interests for some processing where we have a genuine business need that doesn’t override your rights:

Analysing patterns across our member base to improve the programme (using anonymised data — we never process identifiable health information on this basis)
Securing our systems and preventing fraud
Understanding which marketing approaches work (using engagement data)

You have the right to object to processing based on legitimate interests. See “Your rights” below.

Legal obligations

We retain some data because we’re legally required to:

Financial records (we keep for six years after the end of each accounting period, as required by UK financial law)
Records of unsubscribe requests (we keep indefinitely so we don’t accidentally email you again)

Who we share your data with

We don’t sell your data. We don’t share your data with advertisers or marketing networks.

We do share specific data with the following service providers (“data processors”) who help us run Back In Shape. Each is contractually obliged to handle your data only for the purposes we instruct, with appropriate security and confidentiality.

Provider	What they do	What data they handle
Stripe (Ireland, with US sub-processing)	Payment processing	Name, email, payment details, billing address
ScoreApp (UK/EU)	Hosts the SRI assessment	SRI responses, name, email
Klaviyo (USA)	Email marketing and profile management	Name, email, marketing preferences, engagement data, SRI responses (limited fields)
SendGrid (USA)	Transactional emails (password resets, etc.)	Name, email, transaction context
BuddyBoss (USA)	Community platform	Name, email, profile information, community posts
Cloudflare (USA)	Content delivery, video, security	Technical access data
Cloudways/DigitalOcean	Website hosting	Technical access data
Rapyd (managed by BuddyBoss)	Members area hosting	All members area data
Zapier, Uncanny Automator	Workflow automation	Data transiting between systems
Google Workspace	Internal records	Limited operational records
ManyChat (USA)	Social media DM automation	Names and conversation content where members start a chat

We also use AI-assisted analytical tools (from providers including Anthropic, OpenAI, and Google) for strategic analytical work and operational efficiency. We never share information that could identify you with these tools. Only aggregate or fully anonymised data is processed in this way.

We may share your data more broadly if we are legally required to (for example, in response to a court order), or to protect the rights, property, or safety of Back In Shape, our members, or others.

If Back In Shape were ever sold, merged, or reorganised, your data would be one of the assets transferred, and the new owners would be bound by the same protections. We would notify you in advance if this happened.

International data transfers

Some of our service providers are based outside the UK, primarily in the United States. When we transfer your data to these providers, we use approved legal mechanisms to ensure your data has equivalent protection to that required by UK law. These mechanisms include:

The UK Extension to the EU-US Data Privacy Framework (for providers certified under this scheme, including Klaviyo, Stripe, and our AI providers)
The UK International Data Transfer Addendum to Standard Contractual Clauses
Standard Contractual Clauses approved by the European Commission and recognised by the UK

If you’d like more detail about the protections in place for any specific transfer, please contact us.

How long we keep your data

We keep your data only as long as we need it for the purposes set out in this policy, or as long as we’re legally required to.

Type of data	How long we keep it
Active member data	While you’re a member, plus 24 months after cancellation (then anonymised or deleted)
Financial / billing records	6 years from end of the relevant accounting period (UK legal requirement)
Health information (workout logs, pain reports, SRP)	While you’re a member, plus 24 months after cancellation, then deleted (special category data we don’t retain longer than needed)
SRI lead data (if you don’t become a member)	24 months from quiz completion if there’s no further engagement, then deleted
Email engagement data	24 months from last engagement
Unsubscribe records	Indefinitely (legal requirement so we don’t email you again)
Consent records	6 years after cancellation (audit trail)
Server logs (IP, browser, etc.)	90 days
Cookies	As specified in our Cookie Policy, typically 12 months

When data reaches the end of its retention period, we either delete it or, where it has continued analytical value (for example, helping us understand patterns in member outcomes), we anonymise it — meaning we strip out everything that could identify you, leaving only patterns. Once truly anonymised, the data is no longer considered personal data.

Your rights

You have a number of rights over the personal data we hold about you. These are:

Right to be informed

You have the right to be told how we use your data. This policy is how we discharge that duty.

Right of access

You can ask us for a copy of the personal data we hold about you. We’ll respond within one calendar month (or up to three months for complex requests, with notification).

Right to rectification

If any of the data we hold about you is wrong or out of date, you can ask us to correct it.

Right to erasure (“right to be forgotten”)

You can ask us to delete the personal data we hold about you. We’ll do this except where we have a legal obligation to keep certain records (for example, financial records or unsubscribe lists).

Important clarification on erasure and anonymised data: When you ask us to delete your data, we will remove all information that identifies you personally. However, we may retain data that has been fully anonymised — where everything that could trace back to you has been removed — as part of our overall service-improvement and outcomes records. Anonymised data is no longer considered personal data under UK GDPR. We do this because it lets us continue to learn from broad patterns in how the programme works, without holding anything that connects to you as an individual.

Right to restrict processing

You can ask us to stop processing your data while a dispute or query is being resolved.

Right to data portability

You can ask us for your data in a structured, machine-readable format so you can take it to another service if you wish.

Right to object

You can object to processing we do on the basis of legitimate interests. You can also opt out of marketing communications at any time (every marketing email contains an unsubscribe link).

Rights related to automated decision-making

We don’t make automated decisions about you that have a significant effect on you. Our SRI assessment recommends a tier of membership based on your responses, but you make the actual decision about whether to join.

How to exercise your rights

Email us at [email protected]. We’ll acknowledge your request within a few working days and respond fully within one calendar month.

Right to complain

If you’re unhappy with how we handle your data, please tell us first so we can try to put it right. You also have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner’s Office (ICO)

Website: ico.org.uk
Helpline: 0303 123 1113

If you’re in the EU, you can complain to your national data protection authority.

AI tools and your data

We’re transparent about our use of AI-assisted analytical tools. Many businesses don’t disclose this; we think you should know.

We use AI tools (currently including services from Anthropic, OpenAI, and Google) for strategic work — analysing patterns, drafting communications, generating ideas, summarising information. We do this on commercial plans that explicitly do not train their models on our inputs.

Our policy:

We never input identifiable member data (names, emails, individual health information) into AI tools
We never input raw health data of any kind, identified or otherwise
We only use aggregate statistics or anonymised cohort data in this way
Our AI providers are bound by data processing agreements with us

This means an AI tool we use will never see “Jane Smith reported pain in her lower back.” It might see “42% of members in cohort X reported improvements after 8 weeks.” That second example, properly anonymised, is no longer personal data.

Cookies and tracking

Our website uses cookies and similar technologies. Some are strictly necessary for the site to work (for example, keeping you logged in). Others are optional and used for analytics or improving your experience.

When you first visit our site, you’ll see a cookie banner asking your permission for the optional cookies. You can change your preferences at any time.

For full details of the cookies we use, please see our Cookie Policy.

Children’s privacy

Back In Shape is intended for adults. Our services are not directed at anyone under 18, and we do not knowingly collect data from anyone under 18.

If you’re a parent or guardian and you believe your child has provided us with personal data, please contact us immediately at [email protected] and we will remove it.

Security

We take security seriously and use industry-standard measures to protect your data:

Encryption in transit (TLS/HTTPS) and at rest where appropriate
Two-factor authentication on administrative accounts
Restricted access to member data within our team
Regular review of our security practices

That said, no system is perfectly secure. We work to minimise risk, and we’ll notify you and the ICO promptly in the unlikely event of a serious data breach affecting your data.

Changes to this policy

We may update this policy from time to time. If we make significant changes, we’ll notify you by email and prominently on the website. The “Effective date” at the top of the policy will always reflect the latest version.

We encourage you to review this policy periodically.

Contact us

For any questions about this policy or about how we handle your data:

Email: [email protected]

Post: Back In Shape Program Limited Units B2, Staverton Connection Cheltenham GL51 0TF United Kingdom