Privacy Policy
1. Who we are and how to reach us
10X-You LLC ("10X-U", "we", "us", "our") operates the 10X-U platform — an iOS mobile app for clients and a web dashboard for coaches — built for adults navigating midlife hormonal change.
- Legal entity: 10X-You LLC
- Registered address: Sharjah Media City, United Arab Emirates
- DSA Trader status: registered (EU Digital Services Act)
- Founders / privacy contacts: Lee Simpson — lee@10x-u.com; Claire Dreyer — claire@10x-u.com
For anything privacy-related — questions, requests, complaints — email either founder directly. We answer personally, not via a ticket queue.
For the purposes of GDPR and UAE PDPL, 10X-You LLC is the data controller for your personal data. Where we use third-party services to store or process that data on our behalf (Supabase, Anthropic, payment processors, etc.), those companies act as data processors under contract to us — listed in Section 6.
2. Who this policy applies to
- Clients using the 10X-U iOS app for personal coaching.
- Coaches using the 10X-U coach dashboard to work with clients.
- Prospective users visiting 10x-u.com or signing up for our mailing list.
Minimum age: 16. 10X-U is built for midlife adults and is not directed at or available to anyone under 16. See Section 9 for how we enforce this and what we do if we find an underage account.
3. What we collect
We try to collect only what we actually need to coach you well. Here's the full list:
A. What you give us when you sign up
- Name (first + last)
- Email address
- Date of birth (for age-band gating and to tailor coaching to your life stage)
- Invite token from your coach
- Profile photo (optional)
- Gender / hormonal stage indicators you choose to share
B. What you log in the app
- Daily check-ins — mood, energy, stress, sleep quality (1–5 scales), plus optional free-text notes
- Body data — weight, body composition, measurements, personal bests
- Hydration logs
- Nutrition logs (manual or synced from MyFitnessPal via Apple Health)
- Workout history — exercises, sets, reps, weights, breathwork sessions, optional form-check videos
- Bloodwork entries — lab values you choose to record (e.g. hormone panels, lipids, HbA1c)
- Blood pressure entries (where the feature is enabled)
- Weekly check-in photos — front, side, back progress photos
- Workout media — optional form-check photos and videos
C. What your coach adds on your behalf
- Training programmes and meal plans assigned to you
- Session bookings, attendance, and coach notes about your progress
D. Messages between you and your coach
The coaching chat supports text, voice notes, photos, and videos. All of these are stored in our database so your coach can review history, refer back, and maintain continuity between sessions. Voice notes are stored as audio files and may be transcribed to text for search and accessibility.
E. Apple Health data (iPhone only, with your explicit permission)
If you grant HealthKit permission, the app reads — directly on your device — the following from Apple Health:
- Heart rate, resting heart rate, heart rate variability (HRV)
- Sleep duration and stages
- Steps, active calories, workouts
- Body mass, body fat %, lean mass (typically synced from smart scales)
- Dietary energy, protein, carbs, fat, water (typically synced from MyFitnessPal)
- Blood oxygen (SpO₂), respiratory rate
How HealthKit data flows: raw HealthKit values are read on your device and used locally to compute readiness scores, daily summaries, and trend charts. Summary metrics (e.g. "last night's sleep: 7h 12m", "steps today: 8,400") may be synced to your coach's view via our database so your coach can see your trends. Raw, individual HealthKit samples are not bulk-uploaded to our servers.
You can revoke HealthKit access at any time in iOS Settings → Privacy & Security → Health → 10X-U.
F. Subscription and payment metadata
When you subscribe to a paid plan, our payment processors collect what they need to process the transaction — card or wallet token, billing country, amount, currency, and a transaction ID. We never see your full card number or BNPL credit details. We do receive and store the transaction ID, plan, status (active / cancelled / past-due), and renewal date so we can keep your account in the right state. See Section 6 for which processor handles which region.
G. Device and technical data
- Device type and OS version (e.g. "iPhone 15 Pro, iOS 26.2") — for crash diagnostics
- Push notification token — used to deliver reminders you opted into
- App diagnostic and crash logs — basic stability data
- IP address — used at request time for security and abuse prevention; we do not build long-term IP profiles
- No Apple Identifier for Advertisers (IDFA). The 10X-U mobile app does not request the IDFA and does not show advertising. We have no third-party advertising SDKs.
H. Coach dashboard activity
When coaches use the dashboard, we log basic session activity (login times, which clients they viewed, which actions they performed) for audit and security purposes.
4. How we use your data
Plain English, in order of how much data each use needs:
- To deliver coaching. Your coach needs to see what you're logging — that's the whole point of the service. They use your check-ins, workouts, bloodwork, and photos to design and adjust your programme.
- To run the app itself. Authentication, sync between devices, push reminders you opted into, calendar invites for sessions, support replies.
- To personalise AI features. We use AI to power two features: AXIOM (in-app coaching prompts and insights for clients) and AXCO (a coaching assistant inside the dashboard that helps your coach with summaries, suggestions, and message drafts). When we use AI we send a minimal, purpose-specific summary — typically your recent metrics, mood, and the conversation context — to Anthropic (Claude). We do not send your name, email, address, or payment details to the AI. See Section 6.
- To process payments and keep your subscription state correct.
- To improve the service. Aggregated, non-identifying usage patterns help us decide what to build. We do not need to identify you to do this.
- To meet legal obligations. Tax records, age-assurance compliance under laws like Texas SB 2420, Utah HB 142, Louisiana HB 570, and the EU age-of-consent rules.
- To keep accounts safe. Detecting abuse, fraud, or unauthorised access.
We do not:
- Sell your personal data. Not ever.
- Share your data with third parties for their own advertising or marketing.
- Use your photos, voice notes, messages, or bloodwork to train AI models. Anthropic's API terms confirm API data is not used to train Claude.
- Share HealthKit data with anyone outside the limited operational uses described in Section 6.
5. Legal bases for processing (GDPR users)
If you're in the UK or EU, we rely on the following legal bases under UK GDPR / EU GDPR:
| What we do | Legal basis |
|---|---|
| Create your account, run the app, deliver coaching, process your subscription | Contract performance — we can't provide the service without it |
| Process health data, bloodwork, blood pressure, weekly photos, Apple Health data | Explicit consent (Article 9 — special category health data). You can withdraw at any time. |
| Send transactional emails (booking confirmations, password resets) | Contract performance |
| Send marketing emails (newsletters, product updates) | Consent (you must opt in; you can opt out any time via the unsubscribe link) |
| Process AI requests through Anthropic | Consent + contract performance |
| Detect fraud, secure accounts, prevent abuse | Legitimate interest in keeping the platform safe |
| Comply with tax, accounting, and age-assurance laws | Legal obligation |
For UAE PDPL users, equivalent grounds apply (consent, contract necessity, legitimate interest, legal obligation).
6. Who we share data with
We use a small set of trusted service providers ("processors"). Each one only processes your data on our instructions, under a written contract, and only as much as needed to deliver 10X-U.
| Processor | What they do | Where | Data they see |
|---|---|---|---|
| Supabase | Database, authentication, file storage, edge functions | EU (primary) / US | Everything stored in our backend |
| Anthropic (Claude) | AI for AXIOM (client-facing) and AXCO (coach dashboard) | US | Minimal context summaries — metrics, recent messages, mood. No name, email, or payment data |
| Apple HealthKit | On-device health data store | On your iPhone | Raw HealthKit data stays on-device |
| Apple Push Notification Service | Delivers iOS notifications | US / global Apple infra | Notification payload + your device push token |
| Expo / EAS | App builds, OTA updates, push notification routing | US | Push tokens, device type, app version |
| Tabby | BNPL / payment processing — MENA region | UAE / KSA | Name, email, billing info, transaction amount |
| Tamara | BNPL / payment processing — MENA region | KSA / UAE | Name, email, billing info, transaction amount |
| Stripe | Payment processing — UK, EU, US, rest of world (planned, post-launch) | EU / US / UK | Name, email, billing info, transaction amount, card token |
| Google Calendar | Coach side only — syncs session bookings to coach calendars | US | Session times, client first name, session title |
| Resend / SMTP provider | Transactional and marketing email delivery | EU / US | Your name, email, message content |
| Sentry / crash reporting (if enabled) | Crash and error diagnostics | EU / US | Anonymous device + crash data, user ID for correlation only |
We update this list when we change providers. The current version always lives at the canonical URL referenced in the App Store listing.
We may also disclose data if compelled by valid legal process (court order, regulator request) or to protect rights, safety, or property — yours, ours, or the public's. When the law allows it, we tell you first.
7. How long we keep your data
| Data type | Retention |
|---|---|
| Account profile (name, email, DOB) | While your account is active, plus 30 days after deletion request |
| Check-ins, workouts, logs | While your account is active |
| Chat messages (text, voice, media) | While your account is active; deleted within 30 days of account deletion |
| Weekly check-in photos and workout media | While your account is active; deleted within 30 days of account deletion |
| Bloodwork and blood pressure entries | While your account is active; deleted on request |
| HealthKit raw data | Stays on your iPhone — we never hold it on our servers |
| Subscription and payment records | 5 years from the end of the relevant tax year (UAE + UK + EU tax law) |
| Crash and diagnostic logs | 90 days |
| Database backups | Rolling 30-day backups, purged thereafter |
| Marketing email list | Until you unsubscribe |
When you delete your account, we complete erasure of personal data within 30 days, except payment records we are legally required to keep for tax purposes (and which are then minimised to only what the law requires — typically transaction ID, amount, date).
8. Your rights
You can, at any time:
- Access the personal data we hold about you — request a copy via email
- Correct anything that's wrong — most of it you can edit yourself in the app; for the rest, email us
- Delete your account and associated data (with the tax exception above)
- Export your data in a portable format (JSON / CSV)
- Withdraw consent for any processing based on consent (e.g. HealthKit, marketing emails, AI features)
- Object to legitimate-interest processing
- Restrict how we use your data in specific cases
- Lodge a complaint with a data protection authority — for UK users, the ICO; for EU users, your national DPA; for UAE users, the relevant supervisory authority
To exercise any of these, email lee@10x-u.com or claire@10x-u.com. We respond within 30 days (one calendar month). If a request is complex we may extend by a further two months and tell you why.
US state-specific rights — California, Colorado, Connecticut, Virginia, Utah, and other US states with comprehensive privacy laws — are honoured equivalently. We do not sell or "share" personal data for cross-context behavioural advertising under any of these state laws.
9. Children and age assurance
10X-U is for adults aged 16 and over. We don't knowingly collect data from anyone under 16. If we find out an underage account exists, we delete it.
On iOS, where Apple's Declared Age Range API is available (iOS 26.2+, currently active in Texas, Utah, Louisiana, with California from January 2027), we use that signal to:
- Confirm the user is in the 16+ band before account creation
- Trigger the parental-consent flow if a minor in a covered jurisdiction reaches signup
- Honour the "significant change" re-acknowledgement requirement under Texas SB 2420
Under EU GDPR Article 8, the digital age of consent varies by member state (13–16). 10X-U applies a uniform 16+ minimum across all EU markets — at or above the highest member-state threshold.
If you're a parent or guardian and you believe a child has used 10X-U, email us. We will delete the account immediately.
10. International transfers
10X-U is operated from the United Arab Emirates. Our processors operate from the EU, UK, US, KSA, and other jurisdictions listed in Section 6. Your data will be transferred internationally as a normal part of using the service.
For transfers out of the EU/EEA and UK:
- We rely on Standard Contractual Clauses (SCCs) where the destination country has no adequacy decision
- Where adequacy decisions exist (e.g. EU → UK, EU → certain other jurisdictions), we rely on those
- For UK transfers, we use the UK International Data Transfer Addendum to the EU SCCs
For transfers from the UAE under PDPL, we rely on the recipient country's adequacy status or, where required, on contractual safeguards equivalent to SCCs.
Each of our major processors (Supabase, Anthropic, Stripe, Expo, Google) publishes its own data processing addendum incorporating SCCs, which we have accepted.
11. Security
We take security seriously — partly because we're storing health data, partly because we're a small team and a breach would be a company-level event for us, not a quarterly inconvenience.
What we do:
- Encryption in transit — all client-server and server-processor traffic uses TLS 1.2+
- Encryption at rest — database storage encrypted by Supabase using AES-256
- Row-Level Security (RLS) — every table that holds user data uses Postgres RLS so clients only see their own data and coaches only see clients assigned to them. Multi-coach isolation is verified by automated tests
- API key isolation — third-party API keys (Anthropic, OpenAI) live in server-side edge functions, never shipped in the mobile bundle or admin browser bundle
- Auth via Supabase Auth — email + password with secure password storage; magic-link option available
- Least-privilege access — only the founders have admin access to production data, and that access is logged
- Regular dependency updates and security review of changes
No system is perfectly secure. If we discover a personal data breach likely to affect you, we will notify you and the relevant regulator within the timeframes required by GDPR (72 hours to regulator) and equivalent laws.
12. Cookies, analytics, and tracking
Mobile app: the 10X-U iOS app does not use third-party advertising trackers or analytics SDKs. We do not request the Apple Identifier for Advertisers (IDFA). We use Apple's standard push notification token (required to send reminders) and basic crash diagnostics.
Coach dashboard (web): uses session cookies necessary to keep coaches logged in. No advertising, profiling, or cross-site tracking cookies. If we add product analytics in future (e.g. to understand which dashboard features coaches use), we will update this policy and ask for consent where required.
Marketing website (10x-u.com): uses only essential cookies. No third-party advertising cookies. If we add analytics, we will disclose them here and provide a cookie banner where the law requires one.
13. How to contact us
Anything privacy-related — a question, a request, a complaint, a tip-off about a breach — comes straight to us:
- Lee Simpson — lee@10x-u.com
- Claire Dreyer — claire@10x-u.com
- Postal: 10X-You LLC, Sharjah Media City, United Arab Emirates
For EU/EEA users, you also have the right to complain to your national data protection authority. For UK users, the ICO (ico.org.uk).
14. Changes to this policy
We will update this policy when we change how we handle data, add new processors, or when the law changes. When we do:
- We update the "Last updated" date at the top
- For material changes (new categories of data, new purposes, new processors with broad access), we notify you in the app and by email at least 14 days before the change takes effect
- For minor changes (clarifications, typo fixes, processor swaps with equivalent role), we update the page and note it in our changelog
Your continued use of 10X-U after a material change takes effect constitutes acceptance of the updated policy. If you don't agree, you can delete your account.