Privacy Policy
Last updated: 8 June 2026
About This Policy
This Privacy Policy explains how PowerUp collects, uses, stores, and protects your personal data when you use the PowerUp platform, website (www.powerupglobal.io), and mobile application (together, the "Service").
Please read this policy carefully. It explains what data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have.
This policy covers two types of users:
— Individual users: employees, members or other individuals given access to the platform by an Organisation.
— Organisation users: companies, employers, gyms, associations, and other groups that access aggregate, anonymised insights through the platform.
Who Is Responsible for Your Data?
EU users
The data controller for personal data processed through the Service is:
PowerUp Global SL
Calle Joan Verdeguer 116, 46024, Valencia, Spain
Privacy contact: privacy@powerupglobal.io
PowerUp Global SL is registered with the Agencia Española de Protección de Datos (AEPD), the Spanish data protection authority, which is the primary supervisory authority for EU users: www.aepd.es.
UK users
For users based in the United Kingdom, the relevant entity is:
PowerUp Global Ltd
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Privacy contact: privacy@powerupglobal.io
PowerUp Global Ltd is registered with the UK Information Commissioner's Office (ICO), which is the supervisory authority for UK users: www.ico.org.uk.
This policy satisfies our obligations under both GDPR and UK GDPR. Where you are based determines which entity is your data controller and which supervisory authority applies to you.
Organisation relationship
Where an organisation — such as an employer, gym, sports club, or association — has purchased the PowerUp platform for use by its members or employees, the organisation acts as a separate data controller in respect of any business data it provides to PowerUp (such as retention, performance, membership, or productivity metrics). PowerUp acts as an independent data controller for individual profiling data collected from users. We enter into a Data Processing Agreement with each organisation client governing how data is handled and protected.
Legal Framework
We process personal data in compliance with:
— Regulation (EU) 2016/679 (GDPR)
— Spain's Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)
— UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, for UK-based users
— Directive 2002/58/EC (ePrivacy Directive) and its Spanish implementation for cookie and electronic communications requirements
What Data We Collect and Why
Account and identity data:
When you create an account, we collect your first and last name and your email address. We use one-time verification codes sent to your registered email address to confirm your identity. We do not store passwords. If you sign in via Google or Apple, we receive a limited set of authentication data from those providers.
Legal basis: Performance of a contract — this data is necessary to create and manage your account.
Psychometric and well-being profiling data:
The core of the PowerUp Service involves completing a psychometric assessment covering three domains:
— Stressors: causes and sources of stress in your life and work
— Capabilities: coping ability, high-performance behaviours, beliefs, and locus of control
— Outcomes: life satisfaction, health perception, health risk indicators, and daily habits
This data includes information relating to your health, mental well-being, and psychological characteristics. Under data protection law, it is classified as special category data because it relates to health and mental health.
We process this data solely to:
— Generate your profiling insights, personalised 12-week development cycle and Personal Development Activity
— Provide weekly progress tracking and your personal performance score
— Contribute, in anonymised and aggregated form only, to insights for your organisation, subject to strict minimum anonymity thresholds
Legal basis: Your explicit consent under GDPR Article 9(2)(a). During onboarding, you will be asked to provide explicit consent for this processing via a dedicated tick box, separate from your acceptance of our Terms of Service and Privacy Policy. All three consents are required to proceed. You may withdraw your profiling consent at any time without closing your account — see Your Rights below.
Usage data:
We automatically collect certain technical data when you use the Service, including your IP address, device type, operating system, browser, pages visited within the PowerUp platform, features used, and session data.
Legal basis: Legitimate interests — to operate, maintain, and improve the Service, and to detect and prevent fraud and security issues.
Organisation-provided data:
Organisations may provide anonymised or aggregated data — such as retention rates, sales performance, membership figures, attendance, or productivity scores — to allow correlational analysis alongside well-being data. This data must not identify individual users. Where an organisation provides data that could identify individuals, it will be anonymised before processing.
Legal basis: Legitimate interests of the organisation and PowerUp in understanding the relationship between well-being and performance outcomes, subject to anonymisation safeguards.
Automated Decision-Making and Personalisation
PowerUp uses algorithms at two stages of your experience on the platform.
First, when you complete the psychometric assessment, an algorithm processes your responses to calculate your scores across the three profiling domains — Stressors, Capabilities, and Outcomes — and determine your locus of control profile. This scoring is fully automated.
Second, those scores are analysed by an algorithm to generate your personalised 12-week development cycle, including your recommended Personal Development Activity and daily habits most likely to improve your well-being and performance. This is also fully automated: no human manually reviews your individual plan unless you request this.
Both stages constitute automated processing as defined in GDPR Article 22. The outputs — your profiling scores and your action plan — are significant in that they provide personalised guidance based on your psychological profile. They do not produce legal effects or binding decisions: your scores are for your own development purposes and participation in any recommended activity is entirely voluntary.
The algorithm takes into account your responses across all assessment questions, your scores across the three profiling domains, your locus of control profile, and population-level benchmarking data to identify the development lever most likely to produce positive effects across multiple life areas.
You have the right to:
— Receive a meaningful explanation of how your scores and action plan were generated
— Request that a member of our team manually reviews your responses, scores, and recommended actions
— Object to automated processing. Please note that the personalised scoring and action plan are core to the PowerUp Service — if you object to this processing, we will not be able to provide your personalised results or recommendations. Your account will remain open and all other data rights are unaffected.
To exercise any of these rights, contact privacy@powerupglobal.io.
Organisation Intelligence Platform
What organisations see
Organisations that subscribe to the PowerUp Intelligence platform receive aggregated, anonymised insights based on the collective profiling data of their workforce, members, or participants. This includes trend data across the three profiling domains, benchmarked scores at group or organisational level, correlations with organisation-provided data where provided, and engagement and performance culture indicators.
Organisations do not have access to individual user data, individual profiling responses, or any information that could identify a specific person.
Anonymity thresholds
No group-level data is displayed unless it meets our minimum anonymity threshold, typically a minimum of 12 participants in any reported group. This threshold may be adjusted in agreement with an organisation but will never be reduced to a level where individual identification becomes possible. Where a group is smaller than the threshold, their data is suppressed or rolled into a broader group.
Organisation obligations
Organisations that use the platform are contractually required to inform their members or employees that PowerUp is being used, the purpose for which it is being used, and the data protection rights available to them. PowerUp can provide template communications for this purpose.
Participation and consent
We recognise that in organisational contexts — whether employment, membership, or other group settings — the relationship between an organisation and its members or employees means that consent may not always be freely given. We address this in the following ways:
— Participation in the profiling assessment is voluntary. You are informed of this at the point of sign-up.
— No negative consequences for non-participation may be imposed by the organisation. This is a contractual requirement in all organisation agreements.
— Your individual data is never shared with your organisation in any form.
— You can withdraw from the platform at any time by contacting privacy@powerupglobal.io.
Who We Share Your Data With
Service providers
We share data with the following third-party processors who act on our instructions:
Microsoft Azure — cloud infrastructure and data storage — all Azure resources are hosted within EU/UK regions and are GDPR compliant by default under Microsoft's Data Protection Addendum. Transfers from EU to UK are covered by the EU-UK adequacy decision.
Azure Databricks — data analytics and processing — hosted within EU/UK Azure infrastructure; GDPR compliant by default under Microsoft's Data Protection Addendum.
Microsoft Azure Application Insights — application performance monitoring and diagnostic telemetry — hosted on EU/UK Azure infrastructure; GDPR compliant by default under Microsoft's Data Protection Addendum.
Sentry — error monitoring and crash reporting — US-based; transfers are covered by the EU-US Data Privacy Framework. Sentry may process limited technical data including error reports, session identifiers, and user identifiers where these are associated with a reported error. This data is used solely for diagnosing and resolving technical issues and is not used for any other purpose.
Customer.io — transactional and lifecycle email delivery — EU data centre; no cross-border transfer outside the EEA.
Google (Sign in with Google) — optional single sign-on authentication — subject to Google's Privacy Policy and Standard Contractual Clauses.
Apple (Sign in with Apple) — optional single sign-on authentication — subject to Apple's Privacy Policy and Standard Contractual Clauses.
We do not sell or rent your personal data to any third party. We never share identifiable individual data with organisations.
Business transfers
In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the relevant third party. We will notify you in advance and your rights under this policy will be preserved.
Legal obligations
We may disclose personal data to law enforcement, regulatory authorities, or courts where required by law, or where necessary to protect the rights, property, or safety of PowerUp, our users, or others.
International Data Transfers
Some of our service providers process data on infrastructure outside the European Economic Area. Where data is transferred outside the EEA, we ensure that appropriate safeguards are in place as required by GDPR Article 46.
Where an organisation client requests that data is processed or hosted in a specific region outside the EEA — for example to meet local data residency requirements — we will notify affected users in advance and ensure that appropriate safeguards are in place before any transfer occurs, in accordance with GDPR Article 46. We will not action such a request without a lawful transfer mechanism being in place.
Transfers to the United Kingdom are covered by the EU-UK adequacy decision. Transfers involving Google and Apple authentication services are made under Standard Contractual Clauses approved by the European Commission. Transfers to the United States (Google, Apple, Sentry) are made under Standard Contractual Clauses or the EU-US Data Privacy Framework as indicated above. Details of the safeguards in place for each provider are available on request at privacy@powerupglobal.io.
Your Rights
You have the following rights in relation to your personal data under GDPR and UK GDPR. To exercise any of them, visit your Account Settings, contact us at privacy@powerupglobal.io or use the form at www.powerupglobal.io/support. We will respond within one month. In complex cases we may extend this by a further two months and will notify you if this applies. There is no charge for exercising your rights.
Access — You can request a copy of the personal data we hold about you.
Correction — You can ask us to correct any inaccurate or incomplete data.
Erasure — You can ask us to delete your data. We will comply unless we have a legal obligation to retain it.
Restriction — You can ask us to restrict how we use your data in certain circumstances.
Portability — You can request that we provide your data in a structured, machine-readable format for transfer to another provider.
Object — You can object to processing based on legitimate interests.
Withdraw consent — Where processing is based on your consent, including for psychometric profiling, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. If you withdraw consent to profiling, your personalised results and action plan will no longer be available, but your account remains active.
Human review — You have the right to request that a human reviews any action plan generated by our algorithm.
Complaint — You have the right to lodge a complaint with your supervisory authority. EU users: Agencia Española de Protección de Datos (www.aepd.es). UK users: Information Commissioner's Office (www.ico.org.uk). We would appreciate the opportunity to resolve any concern directly first.
You can also manage or delete your data via your account settings at app.powerupglobal.io/settings.
How Long We Keep Your Data
Account and identity data: 24 months from last active use, or until you delete your account, whichever is earlier.
Psychometric profiling data: 24 months from collection, unless you withdraw consent earlier.
Usage data: 13 months from collection.
Organisation-provided data: for the duration of the organisation contract plus 6 months.
Anonymised and aggregated data: retained indefinitely, provided re-identification is not possible. This data is used for product improvement and research.
Backup and audit logs: up to 12 months from creation.
You can request deletion of your personal data at any time via app.powerupglobal.io/settings or by contacting privacy@powerupglobal.io. We will process deletion requests within 30 days.
How We Protect Your Data
We apply appropriate technical and organisational security measures in line with GDPR Article 32, including encryption of data in transit and at rest, role-based access controls, regular security assessments, staff training on data protection, and incident response procedures.
No method of internet transmission or electronic storage is completely secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34.
Cookies and Similar Technologies
Cookies are small text files placed on your device when you visit or use a website or application. They allow the service to recognise your device and store certain information about your preferences or actions.
Essential cookies — required for the Service to operate, including login session management, security, and load balancing. The Service cannot function without these and they do not require your consent.
Analytics cookies — help us understand how users interact with PowerUp so we can improve the Service. These are non-essential and require your prior consent.
Preference cookies — remember your settings such as language or display options. These are non-essential and require your prior consent.
When you first visit the PowerUp website or application, you will be shown a cookie consent banner where you can accept or decline non-essential cookies. You can change your preferences at any time using the cookie settings link in the footer of our website. Declining non-essential cookies will not affect your ability to use the core Service.
Essential cookies — required for the Service to operate. These do not require your consent.
— Host-authjs.csrf-token — CSRF protection for authentication — session duration
— __Secure-authjs.callback-url — stores authentication callback URL — session duration
— __Secure-authjs.session-token — manages your secure login session — session duration
— powerup_cookie_consent — stores your cookie consent preference — 12 months
Analytics cookies — help us understand how users interact with PowerUp so we can improve the Service. These are non-essential and require your prior consent.
— ai_session (Microsoft Application Insights) — tracks a single browsing session — 30 minutes
— ai_user (Microsoft Application Insights) — identifies returning users across sessions — 12 months
Age Restrictions
The PowerUp Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from anyone under 18. If you become aware that a person under 18 has provided us with personal data, please contact privacy@powerupglobal.io and we will delete that data promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and by displaying a prominent notice within the Service at least 14 days before the changes take effect. The date at the top of this page indicates when the policy was last updated. Previous versions are available on request.
Contact and Complaints
For any questions about this policy, to exercise your rights, or to raise a concern about how we handle your data:
Email: privacy@powerupglobal.io
Form: www.powerupglobal.io/support
or contact us by mail at:
PowerUp Global SL, Calle Joan Verdeguer 116, 46024, Valencia, Spain
We will acknowledge your request within 5 business days of receipt and respond substantively within one calendar month.
If you are not satisfied with our response, you have the right to lodge a complaint with your relevant supervisory authority:
EU users: Agencia Española de Protección de Datos (AEPD) — www.aepd.es — 901 100 099
UK users: Information Commissioner's Office (ICO) — www.ico.org.uk — 0303 123 1113
