Skip to main content

Last updated: 2026-07-06

Please read this Privacy Policy carefully. It explains how BONDI MOVES PTY LTD collects, uses, and protects your personal data when you use the Moves Method app.


1. Who We Are

The Moves Method app ("the App") is operated by BONDI MOVES PTY LTD (ABN: 32 665 146 896) ("Moves Method", "we", "us", or "our"). We are the data controller responsible for your personal data.

Contact: support@movesmethod.com


2. Data We Collect

Account Data

When you register, we collect your email address, password (stored in encrypted form), name, and date of birth.

Health and Fitness Data

To deliver the programme, we collect your fitness goals, self-reported fitness level, mobility assessment results, mobility scores, and workout history. You provide this data by choosing to use the assessment and programme features.

Camera-based assessments use your device's camera to analyse your movement quality. This analysis is performed entirely on your device — no camera images or video are transmitted to our servers. Only the derived assessment results (your mobility scores and joint breakdown) are stored in your account. We do not sell this data, use it for advertising, or share it with third parties. You may request deletion of your assessment data at any time.

Usage Data

We collect information about how you use the App, including screens viewed, features used, workout starts and completions, and onboarding progress. This data is collected via Mixpanel only with your consent.

Session Recordings

With your consent, we record screen activity during App sessions via Mixpanel Session Replay. All text input fields are masked. Camera previews and assessment photos are masked. Recordings are used solely to improve the App experience. Withdrawing consent stops future recordings; it does not retroactively delete recordings already made.

Push Notifications

If you grant permission, we collect your device token to send you push notifications such as workout reminders and re-engagement messages. Your device token is stored on our servers and used only to deliver notifications to your device. You can withdraw permission at any time through your device's notification settings (iOS Settings > Notifications > Moves Method) or through the App's notification settings. Withdrawing permission stops future notifications immediately.

Advertising Identifier (ATT)

On iOS, we request access to your device's advertising identifier (IDFA) through Apple's App Tracking Transparency framework. If you grant permission, this identifier may be used by Mixpanel and RevenueCat to measure the effectiveness of our campaigns. If you deny permission, both services continue to function using non-advertising identifiers and no cross-app tracking occurs. You can change this permission at any time through iOS Settings > Privacy & Security > Tracking.

Crash and Error Data

We collect technical data when the App crashes or encounters an error, including device type, operating system version, stack traces, and a pseudonymous user identifier. This data helps us maintain a stable and secure service and is processed by Sentry.

Device and Technical Data

We collect your IP address, device identifiers, operating system, and App version to operate the service and for security purposes.

Local Data

Before you register, data you enter (assessment results, onboarding answers) is stored only on your device and is not synced to our servers. Once you register, this data is transferred to your account.


3. How We Use Your Data

Purpose Data used Legal basis
Providing the App and its features Account data, health and fitness data Contract performance (Article 6(1)(b))
Personalising your programme Health and fitness data, workout history Contract performance (Article 6(1)(b))
Processing your subscription Account data, subscription data Contract performance
Sending push notifications Device token Consent
Measuring campaign effectiveness (IDFA) Advertising identifier Consent
Improving the App Usage data, session recordings Consent
Maintaining App stability and security Crash data, device data Legitimate interests: ensuring a reliable and secure service for all users
Complying with legal obligations As required Legal obligation

Where we rely on consent as the legal basis (analytics, session recordings), you can withdraw it at any time through Privacy Settings in the App. Withdrawal does not affect the lawfulness of processing before withdrawal.


4. International Data Transfers

We operate globally and use third-party services based primarily in the United States. When your data is transferred outside the European Economic Area or the United Kingdom, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission where required.

Our data controller, BONDI MOVES PTY LTD, is based in Australia. Australia does not have an EU adequacy decision. If you are in the EEA or UK, the transfer of your personal data to us in Australia is necessary for the performance of the contract you have entered into with us (Article 49(1)(b) GDPR).

By using the App, you acknowledge that your data may be processed in countries outside your own.


5. Third-Party Services

We share data with the following third-party processors to operate the App. Each is bound by a Data Processing Agreement and is permitted to use your data only as instructed by us.

Essential Services

Service Provider Purpose Data processed
Supabase Supabase Inc. (USA) Backend database and authentication Account data, health and fitness data, assessment results
Render Render Inc. (USA) API hosting and infrastructure All data transmitted through the App
RevenueCat RevenueCat Inc. (USA) Subscription management Account data, subscription status
Sentry Functional Software Inc. (USA) Crash reporting and error monitoring Device data, pseudonymous user identifier, stack traces
Superwall Superwall Inc. (USA) Paywall and subscription flow Account data, subscription status
Usercentrics Usercentrics GmbH (Germany) Consent management Consent records and timestamps

Analytics Services (with your consent)

Service Provider Purpose Data processed
Mixpanel Mixpanel Inc. (USA) Product analytics Usage events, pseudonymous user identifier
Mixpanel Session Replay Mixpanel Inc. (USA) Screen recording for UX improvement Screen activity (sensitive content masked)

Independent controllers: Google Sign-In (Google LLC, USA) is available as an optional authentication method. When you choose to sign in with Google, Google acts as an independent data controller for your Google account data under its own privacy policy. We receive only the email address and name necessary to create your account.

We do not sell your personal data to any third party. We may in future use third-party advertising platforms to promote our services; if we do, we will update this policy accordingly.


6. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law.

Crash and error data is retained for 90 days. Analytics event data is retained for up to 5 years in accordance with Mixpanel's default retention settings. Session recordings are retained for 30 days.


7. Your Rights

If you are in the European Economic Area or United Kingdom (GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion of your data ("right to be forgotten")
  • Restrict how we process your data
  • Receive your data in a portable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal
  • Lodge a complaint with the data protection authority in your country of residence

If you are in California (CPRA)

You have the right to:

  • Know what personal data we collect and how it is used
  • Correct inaccurate personal data
  • Request deletion of your personal data
  • Limit our use of sensitive personal information — including health and fitness data and movement assessment results derived from your camera — to what is necessary to provide the service
  • Opt out of the sale of your personal data (we do not sell personal data)
  • Non-discrimination for exercising your privacy rights

If you are in Australia

Under the Australian Privacy Act 1988, you have the right to access personal information we hold about you and to request correction of that information. If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us first. If unresolved, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

How to exercise your rights

To exercise any of these rights, contact us at support@movesmethod.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

You can manage your consent preferences at any time through Privacy Settings in the App.


8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. All data is transmitted using encryption. Access to personal data is restricted to personnel who need it to operate the service.

No method of transmission over the internet or electronic storage is completely secure. If a data breach occurs that is likely to affect your rights and freedoms, we will notify you and the relevant supervisory authority as required by law, including under the Australian Notifiable Data Breaches scheme.


9. Children

The App is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, contact us at support@movesmethod.com and we will delete it promptly.


10. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — those that affect what data we collect, how we use it, or who we share it with — we will notify you in advance through the App and require your explicit acceptance before you can continue using the service. For non-material corrections or clarifications, we will notify you through the App or by email, and continued use after the changes take effect constitutes acceptance. The date at the top of this document reflects when it was last updated.


11. Governing Law

This Privacy Policy is governed by the laws of Australia and the Australian Privacy Act 1988. If you are resident in the European Economic Area or United Kingdom, the GDPR and mandatory data protection laws of your country of residence apply in addition and prevail to the extent of any inconsistency.


12. Contact

For any questions about this Privacy Policy or to exercise your rights:

BONDI MOVES PTY LTD support@movesmethod.com