Team Breakthrough App
Privacy Policy
Last updated: 16 May 2026
1. Who we are
The Team Breakthrough app is operated by Oxygen Therapy South West Limited, a company incorporated in England and Wales (company number 15557769), whose registered office is at Woodstream, The Ley, Box, Corsham, England, SN13 8EW ("we", "us", "our"). The "Team Breakthrough" trade name and branding are used under licence from Team Breakthrough Limited.
We are the data controller of your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this policy or how we handle your personal data, contact us at info@breakthroughgym.co.uk or by post at the address above.
2. What data we collect
When you use the Team Breakthrough app, we collect:
Information you give us
- Name (first and last)
- Email address
- Date of birth (optional, used for our annual birthday bonus only)
- Phone number (optional)
- Payment card details — these are collected and stored by our payment processor, Stripe; we do not see or store your full card details ourselves
- Referral code (if you signed up via a referral link)
Information generated through your use of the app
- Your wellness points balance and transaction history
- Treatment and class bookings, including dates, times and treatment types
- Records of any pack purchases, biohack purchases, and other in-app activity
- Email confirmations sent to you (held by our email provider, Resend)
- Account creation and last sign-in timestamps
Information collected automatically
- Your IP address (used by Supabase, our authentication provider, for security purposes)
- Basic device and browser information needed to display the app properly
We do not track you across other websites or apps. We do not use third-party advertising cookies.
3. How and why we use your data
We use your personal data only for the following purposes:
| Purpose | Lawful basis under UK GDPR |
|---|---|
| To create and manage your account | Performance of a contract (our terms of service) |
| To take payments for wellness packs, treatments and biohack experiences | Performance of a contract |
| To send booking confirmations, cancellation notifications and other essential service emails | Performance of a contract |
| To maintain your wellness points wallet and transaction history | Performance of a contract |
| To award birthday bonuses (only if you have provided your date of birth) | Performance of a contract / consent |
| To detect and prevent fraud, including verifying referrals are genuine | Legitimate interests |
| To respond to your enquiries and provide customer service | Legitimate interests |
| To comply with our legal obligations (e.g. tax and accounting records) | Legal obligation |
We will not send you marketing emails without your explicit opt-in consent. You can withdraw that consent at any time.
4. Who we share your data with
We share limited personal data with the following service providers, all of whom act as data processors under contract with us:
- Supabase — for authentication, database hosting and email sign-in. Hosted in the EU.
- Stripe — for processing card payments. Stripe is responsible for the security of your card details and is PCI-DSS compliant.
- Resend — to send booking confirmations and other transactional emails on our behalf.
- Railway — to host the backend services that power the app.
- Netlify — to host the app's web front-end.
We share with our staff only the minimum information needed to deliver your treatments and answer your questions (typically: name, email, booking history and points balance).
We do not sell your personal data to anyone, and we do not share it with third parties for their own marketing purposes.
5. International data transfers
Most of our service providers store your data within the UK or the European Economic Area. Where any provider stores or processes data outside the UK/EEA (for example, Stripe may transfer payment data to the United States), they do so under appropriate safeguards including Standard Contractual Clauses and the UK Addendum.
6. How long we keep your data
- Active account data (profile, wallet balance, bookings) — for as long as your account exists.
- Transaction records of payments — for 6 years after the end of the financial year in which they were made, in line with HMRC requirements.
- Booking history — retained for 6 years for accounting and dispute resolution.
- Email communications — retained by our email provider for up to 24 months for delivery audit purposes.
When you delete your account (see Section 8), your account-related personal data is deleted within 30 days, except where we are legally required to retain certain records.
7. How we protect your data
- All data is transmitted over encrypted HTTPS connections.
- Passwords are never stored in plain text — they are hashed and salted by our authentication provider, Supabase.
- Access to administrative tools is restricted to authorised staff and protected by individual login credentials.
- We use row-level security in our database to ensure that members can only access their own data.
- We regularly review our security practices and update them as needed.
8. Your rights
Under UK GDPR you have the following rights, and you can exercise any of them by emailing info@breakthroughgym.co.uk:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate information.
- Right to erasure — you can delete your account at any time directly from the Profile page in the app.
- Right to restrict processing — ask us to pause processing your data in certain circumstances.
- Right to data portability — request a copy of your data in a machine-readable format.
- Right to object — object to our processing of your data where we rely on legitimate interests.
- Right to withdraw consent — where we rely on your consent, withdraw it at any time.
We will respond to any request within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time.
9. Children
The Team Breakthrough app is intended for use by adults aged 18 or over. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided personal data to us, please contact us immediately and we will delete it.
10. Cookies and similar technologies
The Team Breakthrough app uses only essential technical storage — for example, to keep you signed in between sessions. We do not use analytics cookies, marketing cookies, or third-party tracking technologies.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes we will notify you by email and update the "Last updated" date above. Continued use of the app after a material change indicates your acceptance of the updated policy.
12. Contact
If you have any questions, requests or complaints about your personal data:
- Email: info@breakthroughgym.co.uk
- Phone: 01225 743 801
- Post: Oxygen Therapy South West Limited, Woodstream, The Ley, Box, Corsham, England, SN13 8EW