Privacy Policy

1. Introduction

LSDA Technologies Pty Ltd (ABN 680 940 381 / ACN 72 680 940 381) of New South Wales, Australia (“LSDA”, “Mesonate”, “we”, “us”, “our”) operates the Mesonate platform for coaches, athletes and businesses (the “Services”).

We are committed to protecting the privacy of our users (“you”, “your”). This Privacy Policy explains how we collect, use, disclose and protect your personal information when you use the Services.

We manage your personal information in accordance with the Privacy Act 1988 (Cth) (the “Privacy Act”) and the Australian Privacy Principles (APPs). LSDA Technologies Pty Ltd is an “APP entity” for the purposes of the Privacy Act.

Because Mesonate is used by coaches and organisations to record, manage and analyse individuals’ training, wellness, injury and rehabilitation information, much of the information we handle is “health information” and therefore “sensitive information” under the Privacy Act. We provide a digital platform that enables coaches, organisations and athletes to communicate, record and view this health‑related information. Mesonate itself does not provide medical, physiotherapy or other clinical services, does not make training or treatment decisions, and does not operate as a clinic or health service provider.

For privacy purposes, we treat personal information that we handle in connection with the Services as health information and therefore apply a higher standard of care to that information, even though we do not provide health services ourselves. We acknowledge and accept that we store and manage health information on behalf of our users and their organisations. We design our practices with reference to OAIC guidance for health service providers, the OAIC’s Guide to Health Privacy and the OAIC’s Guide to Securing Personal Information.

In addition to the Privacy Act, some state and territory health‑records laws may apply directly to coaches, clinicians and organisations that use Mesonate as part of providing health services (for example, the Health Records and Information Privacy Act 2002 (NSW) and similar legislation in other jurisdictions). Those organisations are responsible for complying with any such obligations, including in relation to access, correction and retention of health information. To the extent any of those laws apply directly to LSDA in our role as a technology provider, we comply with their requirements.

This Privacy Policy currently applies to users located in Australia.

By creating a Mesonate account, using the coach dashboard, creating or joining a Business, or using the athlete mobile app, you agree to the collection, use and disclosure of your personal information as described in this Privacy Policy.

2. How Mesonate works and who is responsible for your information

Mesonate is a software platform and technology service. We are not a health service provider or medical record system. We do not provide health or clinical services, and we do not make training, treatment or rehabilitation decisions for you.

Mesonate is a software platform that allows:

• individual users to create a Mesonate user account, and then:
  • use the coach dashboard;
  • create and manage businesses (coaching organisations);
  • invite athletes and other coaches; and/or
  • use the athlete mobile app to receive coaching and log training; and
• businesses (such as coaches, clubs, gyms, academies or schools) to manage teams, group classes, forms and athlete calendars.

Key concepts:

• A User is any individual with a Mesonate account. The same account can be used in a coach role, athlete role, or both.
• A Business is an entity (e.g. coach, gym, club, team, school) created and managed within Mesonate by one or more Users.
• A Coach is a User who has been given coach/staff access within a Business.
• An Athlete is a User who has accepted an invitation from a Business to receive coaching.

Our role vs. the role of Coaches and Businesses

Mesonate is responsible for operating the platform and for handling personal information within the Services in accordance with this Privacy Policy and the APPs. Because we provide a digital platform that is used to record and manage training and related health information, we act as a custodian and processor of that data on behalf of our users and their organisations. We do not provide health services or professional coaching services ourselves.

Coaches and Businesses are independent professionals or organisations. They decide:

• what information to collect about you;
• what they enter into Mesonate; and
• how they use or disclose that information outside Mesonate.

Coaches and Businesses may themselves be APP entities and health service providers under the Privacy Act and may have their own privacy obligations and privacy policies.

If you are an Athlete, you should also review any privacy information provided by your coach, club, school or other organisation that uses Mesonate to coach you. Mesonate cannot control how coaches or organisations handle information outside our platform (for example, information they export or copy from Mesonate); questions about those practices should be directed to the relevant coach or organisation.

If you are a Coach, clinician or Business and you are subject to professional or legal record‑keeping obligations (for example, minimum retention periods for health records under state or territory laws), you are responsible for complying with those obligations. Mesonate is not intended to be your sole medical or health‑record system and does not guarantee that records will be retained for any particular minimum period. You should ensure you maintain any records you require (for example, by exporting information from Mesonate or keeping separate records).

3. The kinds of information we collect

The information we collect depends on how you use the Services. It may include personal information and sensitive information (including health information) under the Privacy Act.

Because Mesonate supports the recording and management of training, wellness and injury information, we generally treat any personal information we collect in connection with providing the Services as health information and therefore as sensitive information, even if it is basic identity or contact information. OAIC guidance treats all personal information collected in the course of providing a health service as health information. While Mesonate itself is not a health service provider, our platform is often used in health‑ and performance‑related contexts and we choose to apply a similar high standard of protection.

3.1 Account and identity information (all Users)

When you create and use a Mesonate account we may collect:

• name;
• email address;
• password (stored in hashed form);
• date of birth (if provided);
• gender/sex (if provided);
• team or club affiliation (if provided);
• profile image or avatar (if provided);
• any other profile fields you choose to provide.

We do not create profile or form fields until they are specifically set through the coach dashboard or athlete app by you, your coach or your organisation.

3.2 Athlete profile, training and health information (sensitive information)

When you use the athlete features of the Services, or when a coach enters information about you, we collect training and health‑related information, for example:

• basic body and performance metrics such as:
  • weight and other body metrics you log;
  • height, playing position or level (if added);
  • personal bests (e.g. lift maxes, running/swimming times, test scores);
• training and performance data, including:
  • exercises performed, sets, repetitions, weight/load, distance, time;
  • difficulty ratings and other feedback (e.g. RPE or similar);
  • dates and times of workouts and sessions;
• information provided via custom forms created by your coach or Business (for example, onboarding and screening forms, ongoing check‑ins, feedback and surveys). These forms may include free‑text and other fields where you or your coach choose to enter:
  • current and past injuries;
  • pain levels, soreness, fatigue, sleep, stress or mood;
  • rehabilitation programs and progress;
  • relevant medical history (such as surgeries or conditions) and other health information; and
• information relating to your training or health that is included in:
  • workout notes;
  • documentation created by coaches;
  • free‑text notes attached to exercises, calendar events or group classes.

Because these data relate to your physical health, performance and training, they are generally health information and therefore sensitive information under the Privacy Act.

3.3 Wearable and watch data (sensitive information)

If you choose to connect a supported wearable or fitness app to Mesonate, we will receive data from that provider (via an integration service such as Terra, Spike or a similar API integrator). This may include, depending on your device and settings:

• distance, duration and pace/splits;
• heart rate and related metrics during a session;
• elevation and other training metrics.

At this stage we do not intend to store GPS route maps. If we later add GPS route storage we will update this Policy.

Wearable data is health information and is handled as sensitive information. You can connect and disconnect each wearable provider and may delete wearable data separately from other workout data, as described in Section 11.

3.4 Coach and Business information

For Users acting as coaches or creating Businesses, we may collect:

• Business name (required);
• Business logo or images;
• Business email address;
• website or social media links;
• business phone number and other contact details (if provided);
• public profile or bio text;
• documentation, notes and internal records related to athletes, classes or programs.

Business name, logo and public contact details you choose to provide may be visible to others (for example on a business page that athletes can view).

3.5 Communications, content and media

When you use communication and collaboration features we collect:

• direct and group messages between users:
  • 1:1 coach–athlete messages;
  • group chats (for example, team chats);
  • text, images, videos and structured feedback data;
• comments and notes on workouts and calendar events;
• documentation created by coaches (which they can name freely and may use for any purpose, including training plans, notes and reports);
• media files such as:
  • exercise demonstration videos uploaded by coaches;
  • technique, progress and rehabilitation videos or photos uploaded by athletes.

These communications and media may contain health or other sensitive information if you or your coach choose to share it. We treat them as health information where they relate to your health, physical condition, performance or training.

3.6 Invitations, relationships and organisational data

We collect information relating to invitations and relationships in the platform, such as:

• invitation records (email address of invitee, inviting Business, role, status and timestamps);
• connections between Users and Businesses (for example, which Business coaches you, and which Businesses you coach for);
• participation in group classes and group sessions (including attendance and associated workout information).

If you leave a Business, we remove that Business’s access to your calendar and personal data, subject to some limited retention of group‑class records (see Sections 7 and 11).

3.7 Technical and usage data

When you use the Services, we automatically collect:

• IP address and approximate location;
• device identifiers, operating system, browser type and version;
• app version, device language and settings;
• log data about how you use the Services (for example, sign‑in events, invitations accepted, features used, error reports);
• analytics events recorded through Firebase Analytics and Google Analytics 4.

Technical and analytics data may constitute personal information if it can reasonably identify you (for example, in combination with other data). We treat it as personal information and handle it in accordance with this Policy.

3.8 Payment and subscription information (Coaches and Businesses)

For paid subscriptions:

• we collect and send to Stripe:
  • coach or Business owner name;
  • email address;
  • Business name;
• Stripe collects and processes your payment card details and billing address directly. We do not see or store full card numbers.
• we receive from Stripe:
  • subscription status and identifiers;
  • quantity information (number of athletes linked to a Business);
  • invoice and payment status (successful, failed, refunded etc.).

Stripe manages invoice receipts and billing history. We retain only the minimum billing metadata we need to manage your subscription and support our accounting obligations.

3.9 Government identifiers

We do not require or encourage Coaches, Businesses or users to collect or store government identifiers such as Medicare numbers or Individual Healthcare Identifiers within Mesonate. We do not use government identifiers as your account identifier and we do not adopt them as our own identifiers. If such identifiers are nevertheless entered into custom fields or documentation, we treat them as sensitive information and do not use them for any purpose other than securely storing them on behalf of the relevant Business, in accordance with this Privacy Policy and the APPs.

4. How we collect your information

We collect information in the following ways.

4.1 Directly from you

We collect information that you provide directly, for example when you:

• create an account;
• set up your profile in the athlete app or coach dashboard;
• create or join a Business;
• accept or send invitations;
• log workouts or other training data;
• fill in forms, questionnaires or surveys;
• upload media or send messages;
• connect a wearable or fitness service;
• contact us for support.

4.2 From Coaches, Businesses and organisations

Coaches and Businesses may provide information about you, for example when they:

• create or manage your athlete profile;
• log workouts, sessions or group classes for you;
• complete forms or notes about your training or health;
• upload media or documentation relating to you;
• invite you to join Mesonate using your email address.

We rely on Coaches, Businesses and organisations (such as clubs or schools) to:

• ensure they have any necessary consent or authority to provide information about you to us; and
• ensure that minors (under 18s) use the Services only with appropriate consent, including any required parental or guardian consent (see Section 13).

If you are added by a coach or organisation, we will present this Privacy Policy to you via the app at or before you first log in.

4.3 From wearable and integration providers

If you connect a wearable or third‑party fitness service, we receive data from:

• the wearable provider (e.g. Apple, Garmin etc.), via
• a selected integration service such as Terra or Spike (or a similar provider).

You can control these connections in your account and can disconnect them at any time.

4.4 Automatically through technology

We automatically collect technical and usage data via:

• Google Cloud and Firebase;
• Firebase Analytics and Google Analytics 4;
• cookies and similar technologies in the web dashboard (see Section 9).

4.5 If you choose not to provide information

If you choose not to provide certain information:

• you may not be able to create an account or use some features of the Services;
• your coach or Business may not be able to manage your training through Mesonate; and
• we may not be able to respond fully to your requests or inquiries.

5. Consent to collection and use of health and sensitive information

We will not collect sensitive information about you unless:

• it is reasonably necessary for one or more of our functions or activities; and
• you have consented (or an exception under the Privacy Act applies).

Because Mesonate is a training platform, your workout, training and wearable data are central to how the Services work.

When you first use Mesonate’s training features we will present you with a clear notice explaining that:

• we will collect and handle health information about you (including training, performance, wellness and wearable data); and
• the main purposes for which we collect and use that information.

By affirmatively agreeing to this notice, you give express consent to our collection and use of your health and sensitive information as described in this Privacy Policy.

If you are under 16, we expect that your parent or legal guardian (often working through your coach, club, school or similar organisation) has agreed to your use of the Services and to our handling of your health information (see Section 13).

You may withdraw your consent to our ongoing collection and use of your sensitive information at any time by:

• disabling wearable integrations;
• ceasing to use the health/training features; and/or
• deleting your Mesonate account.

If you withdraw consent, some or all of the Services may no longer be available to you. Even after you withdraw consent or delete your account, some limited information may still be retained as described in Section 11 (for example, in backups, group‑class aggregates, logs, or other users’ chat histories), or where we are otherwise required or permitted by law.

6. How we use your information

We use your personal information for the following purposes (and any directly related purposes you would reasonably expect).

6.1 To operate, provide and maintain the Services

Including:

• creating and managing your user account;
• authenticating you when you sign in (including via Apple or Google login);
• operating the coach dashboard, athlete app and Business features;
• connecting Athletes with their chosen Businesses and Coaches;
• enabling Businesses to invite athletes and coaches, and manage staff;
• programming and logging workouts and group classes;
• enabling messaging, group chats, notes and documentation;
• storing and displaying your training history and progress;
• integrating wearable and fitness data into your training calendar;
• providing forms and managing responses.

6.2 To enable coaches and organisations to train and support Athletes

Where you have accepted an invitation from a Business, we use your information to:

• display your profile and calendar to Coaches within that Business;
• allow Coaches to program and edit your calendar (including workouts, classes and events);
• allow Coaches to view and respond to your logged data, messages and forms;
• allow Coaches within a Business to collaborate through shared notes and documentation;
• retain reasonable records of group classes and group sessions (including aggregated outcomes and, in some cases, reduced or aggregated historic participation records) even after an Athlete leaves the Business (see Section 11).

Mesonate supports training, wellness and rehabilitation workflows, but it does not provide medical, physiotherapy or other clinical services, does not provide medical diagnosis or treatment, and does not replace professional medical advice. Coaches, health professionals and organisations remain responsible for their own professional obligations, clinical decisions and record‑keeping. Any health, performance or treatment decisions should be made by you and your qualified health or performance professionals.

6.3 To manage subscriptions and payments

Including:

• calculating the number of Athletes connected to each Business;
• managing Business subscriptions (including changes over time);
• sending necessary billing information to and receiving billing information from Stripe;
• supporting our accounting, audit and tax obligations.

6.4 To communicate with you

Including:

• sending transactional and service‑related emails (for example, account verification, password resets, subscription notices, invite notifications, and important changes to the Services);
• sending system notifications (for example, new messages or relevant updates), where enabled;
• responding to your queries and support requests.

You may control some notification settings through your account or device settings. However, we may still send you essential service messages, such as password resets, important security notices or significant changes to this Privacy Policy.

6.5 Direct marketing (Coaches and prospective Coaches only)

We may use coach and prospective‑coach contact details to send:

• updates about new features or improvements to Mesonate;
• newsletters, tips and educational content;
• offers, promotions or surveys relevant to coaches and Businesses.

We will do this only where you have opted in or where the Privacy Act otherwise permits. We send these communications in accordance with the Spam Act 2003 (Cth), including by providing a functional unsubscribe mechanism.

You can opt out of marketing communications at any time by using the unsubscribe link in the email or by contacting us.

We do not send marketing communications to Athletes about unrelated third‑party products.

We do not use your training or health information to create marketing profiles that suggest health conditions or other sensitive traits.

6.6 Analytics, product improvement and internal profiling

We use de‑identified and aggregated information, and event data from Firebase Analytics and Google Analytics, to:

• understand how the Services are used;
• improve performance, usability and reliability;
• test and develop new features;
• understand which types of coaches and organisations get the most value from Mesonate (for example, by sport type or organisation size).

Where reasonably possible we analyse data in a way that does not identify individual users.

When configuring analytics we:

• use pseudonymous identifiers (for example, Firebase UIDs or internal IDs) rather than your name;
• avoid sending names, email addresses or free‑text notes as analytics parameters; and
• do not link logged‑in analytics properties with Google Ads for behavioural advertising.

6.7 Security, abuse prevention and legal compliance

We use information to:

• protect the security of the Services and user accounts;
• detect, investigate and prevent fraud, abuse, spam or misuse;
• enforce our Terms and Conditions and other policies;
• comply with our legal and regulatory obligations;
• respond to lawful requests from law enforcement or regulators.

If we suspend or terminate an account for breach of our terms or misuse, we may retain certain information for longer to manage risk, investigate issues and protect our legal rights (see Section 11).

7. When we disclose your information

We do not sell your personal information.

We disclose personal information only in the limited circumstances described below, in accordance with APP 6 and APP 8.

7.1 Between Users within the Services

As a core part of how Mesonate works:

• When you accept an invitation from a Business:
  • Coaches within that Business can view and edit your calendar, workouts and related information;
  • your profile (for example, name, team and basic info) becomes visible to those Coaches.
• When you participate in a group class or group chat:
  • your name and relevant information may be visible to other participants; and
  • Coaches may continue to see records of group sessions (including aggregated results and, in some cases, reduced or aggregated participation records) even if you later leave the Business.

If you leave a Business:

• Coaches in that Business will no longer be able to see your calendar or your ongoing training data;
• coaches may continue to see reasonable records relating to past group classes and group sessions which were administered by that Business, but where possible this will no longer show your name (for example, it may keep a record that an anonymous or user‑ID participant attended or completed a session).

Coaches and Businesses may export or copy information from Mesonate or retain separate records outside Mesonate. We cannot control how they use or retain that external data. If you have concerns about those uses you should contact the relevant coach or organisation directly.

7.2 Service providers and partners

We engage carefully selected third‑party service providers to help us operate the Services. These providers may have access to personal information as necessary to perform their services for us, subject to appropriate contractual and security protections.

These include, for example:

• Google Cloud Platform and Firebase (Australia‑southeast1 and other regions as needed for support and reliability):
  • hosting of our infrastructure, databases and media;
  • user authentication, functions, storage and disaster recovery;
  • logging and performance monitoring.
• Google Analytics 4 and Firebase Analytics:
  • collection of usage analytics for our apps and web dashboard.
• Stripe:
  • processing coach and Business subscription payments;
  • managing subscriptions and invoicing.
• SendGrid:
  • sending transactional emails (for example, verification, password reset and service notifications).
• Wearable and health integration services (such as Terra, Spike or similar):
  • connecting to multiple wearable and fitness data providers;
  • receiving training and health metrics you choose to share.

Some of these providers are located outside Australia, including in the United States and the European Union (see Section 8).

We take reasonable steps to ensure that these providers:

• only use personal information to perform services for us; and
• implement privacy and security protections that are at least substantially similar to the APPs, taking into account that much of the information they process for us is health information.

Our Services may contain links to third‑party websites or services. Their privacy practices are not covered by this Privacy Policy, and we encourage you to review their privacy policies.

7.3 Legal and safety disclosures

We may disclose your information where we reasonably believe it is necessary to:

• comply with applicable laws, regulations, court orders or regulatory requests;
• respond to requests or lawful orders from law enforcement agencies;
• protect the rights, property or safety of Mesonate, our users or the public;
• detect, prevent or address fraud, security or technical issues.

Where appropriate and lawful, we will notify you of such disclosures.

7.4 Business transfers

If we are involved in a merger, acquisition, reorganisation, sale of assets or similar transaction, your information may be transferred as part of that transaction. We will ensure that any recipient continues to handle your information in accordance with this Privacy Policy.

8. Overseas disclosure and cross‑border transfers

Our infrastructure is based in Australia but we also use service providers and infrastructure located in other countries, including the United States and the European Union.

This means your personal information (including health information) may be stored, processed or accessed in those countries by:

• Google Cloud, Firebase and Google Analytics;
• Stripe;
• SendGrid;
• wearable integration services such as Terra or Spike (or similar providers);
• other technical service providers we may engage in the future.

Under APP 8 and section 16C of the Privacy Act, before we disclose personal information to an overseas recipient we must usually take such steps as are reasonable in the circumstances to ensure the recipient does not breach the APPs (other than APP 1) in relation to that information. We may be accountable if they do.

To meet these obligations, we:

• use major, reputable cloud and payment providers with robust privacy and security programs;
• enter into contracts or rely on providers’ standard terms that:
  • limit their use of personal information to providing services to us; and
  • require them to implement appropriate security and privacy safeguards;
• assess their security and privacy documentation where reasonably available;
• implement strong technical security controls on our side (see Section 10).

We do not generally rely on your consent to remove our obligations under APP 8. If, in limited circumstances, we ever do rely on an APP 8 exception based on your express consent, we will clearly explain the consequences of that consent, as required by law.

By using the Services, you acknowledge that your personal information (including sensitive health information) may be disclosed to and processed in these overseas locations, subject to the protections described above.

9. Cookies, local storage and analytics

We use cookies and similar technologies in the Mesonate web dashboard and website.

9.1 What we use

Essential cookies and local storage

These are necessary for the Services to function, for example to:

• keep you signed in;
• maintain your session and security tokens;
• remember basic preferences.

Analytics cookies and SDKs

We use Firebase Analytics and Google Analytics 4 to collect information about how users interact with the Services, such as:

• pages and screens viewed;
• features used;
• approximate location, device and browser information;
• app performance and errors.

We configure analytics so that we:

• do not send names, email addresses or free‑text notes as analytics parameters; and
• use pseudonymous identifiers (such as Firebase UID or internal IDs) rather than real names.

We do not use advertising or remarketing cookies or pixels (such as Meta Pixel or Google Ads tags) inside logged‑in training views, and we do not link the analytics properties used for logged‑in Services to Google Ads for behavioural targeting.

We may use advertising or remarketing tools (for example, Google Ads or Meta Pixel) on our public marketing website and coach‑facing landing pages, but these tools are not linked to your logged‑in training behaviour.

9.2 Your choices

You can:

• configure your browser to refuse some or all cookies or to alert you when cookies are being set;
• use browser add‑ons that block Google Analytics in the web dashboard; and
• adjust device‑level ad or analytics settings where supported by your device.

If you disable essential cookies, some parts of the Services may not function properly.

For Australia‑only users, we currently use a simple cookie notice rather than a granular cookie preference manager. If our practices change, we will update this Privacy Policy and our cookie notices.

10. Data security

We take reasonable steps to protect the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure, as required by APP 11. We design our security practices with reference to the OAIC’s Guide to Securing Personal Information and its guidance for health service providers.

Security measures include:

• hosting on Google Cloud Platform and Firebase, which provide encryption of data in transit (TLS) and at rest;
• role‑based access controls and authentication for our production environment;
• restricting direct access to production databases to a small number of authorised staff using individual accounts protected by multi‑factor authentication;
• using multi‑factor authentication for administrative access to key third‑party services (such as Stripe and SendGrid);
• Firestore security rules and architecture designed so that users can access only the data they are authorised to see;
• signed URLs for CDN media access;
• logging and monitoring of application behaviour and errors;
• regular backup and disaster recovery procedures (see Section 11).

No system can be completely secure. While we strive to protect your information, we cannot guarantee absolute security.

10.1 Data breaches and the Notifiable Data Breaches scheme

If we experience a data breach that is likely to result in serious harm to individuals, we will:

• promptly assess the situation;
• contain and remediate the breach where possible; and
• notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.

11. Data retention and deletion

We keep personal information only for as long as it is reasonably necessary for the purposes described in this Privacy Policy, or for as long as required or authorised by laws that apply directly to us.

Mesonate is not designed or warranted to be a long‑term medical or health‑record archive, and we do not promise to retain particular records for any specific minimum period (such as seven years). Coaches, clinicians and Businesses that use Mesonate and are subject to their own legal or professional record‑keeping obligations are responsible for ensuring they retain any records they require (for example, by exporting information from Mesonate or keeping separate records).

11.1 Active accounts

For active accounts, we generally retain personal information for as long as you continue to use the Services. We may also remove or archive data associated with accounts that have been inactive for a lengthy period, in line with our operational needs and any applicable legal requirements.

11.2 Backups and disaster recovery

We maintain backup copies of our databases for disaster recovery:

• point‑in‑time recovery data is retained for 7 days; and
• weekly backups are retained for approximately 98 days.

Backups are stored securely and are only used where necessary to recover from a serious incident. Information in backups cannot usually be accessed or edited on a per‑user basis and may persist for the durations above even after your account is deleted.

11.3 Account deletion by Users

You can delete your Mesonate account from within the Services (whether you are primarily a coach or athlete — they are the same underlying account type).

When you delete your account:

• your user profile and associated settings are deleted or de‑identified from our active systems;
• as an Athlete, your personal calendar data (workouts, events, notes etc.) is deleted from our active systems;
• as a Business owner, Businesses that you alone created and own may also be deleted or transferred in line with our product design;
• workouts that you programmed as a Coach but which belong to another User’s calendar become that Athlete’s data and continue to exist under their account;
• participation records in group classes may be retained in a reduced form (for example, linked only to an internal user ID that is not used to re‑identify you in normal operations) or in an aggregated, de‑identified form (for example, counts of attendance without your name);
• chat messages and media you previously sent are generally retained in the recipient’s or group’s history so that those conversations remain meaningful for other users.

For chat and media:

• your name may continue to appear alongside historical messages and media you sent;
• we do not provide a way for other users to navigate from those historic messages back to a deleted user profile.

We may retain certain information after deletion where reasonably necessary to:

• comply with legal obligations that apply directly to us (for example, tax and accounting records);
• enforce our rights and agreements;
• resolve disputes;
• investigate misuse, fraud or security incidents.

Where information is retained beyond account deletion, it is generally held in a reduced, archived or de‑identified form and is not used for normal product operations.

11.4 Termination by Mesonate

If we suspend or terminate your account for breach of our Terms and Conditions or misuse of the Services, we may retain personal information for a longer period where we reasonably consider it necessary to:

• protect our rights, users or the public;
• cooperate with law enforcement or regulators; or
• prevent you from using the Services in ways that cause harm.

12. Your rights and choices

Under the Privacy Act and APPs, you have certain rights in relation to your personal information.

12.1 Access and correction

You have the right to:

• request access to the personal information we hold about you; and
• request correction of any inaccurate, out‑of‑date or incomplete information.

You can access and update much of your information directly via your account settings. For other information, you can contact us using the details in Section 15.

We may need to verify your identity before providing access or making corrections.

We aim to respond to access and correction requests within 30 days. For very complex requests we may need more time, in which case we will let you know and keep you updated.

12.2 Deletion

You may:

• delete your account yourself via the Services; or
• request that we delete your account and associated personal information by contacting us.

As explained in Section 11, some information (for example, group‑class aggregates, logs, backups, and data needed for legal or security reasons) may be retained for limited periods after deletion, or in a reduced or de‑identified form, or for as long as required or authorised by applicable law.

12.3 Data exports

We do not currently provide a self‑service “export my data” feature. However, as an APP entity that handles health information we will, where reasonable and practicable, provide you with access to a copy of your personal and health information in a commonly used electronic form if you request it.

In practice this may include:

• your basic account and profile information in a simple, human‑readable format (for example, PDF, CSV or JSON);
• your responses to forms, questionnaires and surveys (for example, CSV or JSON exports);
• your training calendar and workout data in a machine‑readable JSON format that reflects how this data is stored in our systems.

Because calendar and workout data are highly structured and technical, JSON exports may be complex. Where we provide data in raw JSON, we will include a brief explanation of the main structures and fields, but we may not be able to convert all data into a custom format you specify.

We may refuse access to some information, or provide partial access, where an APP 12 exception applies — for example, where giving access would unreasonably impact the privacy of other individuals. If we refuse access in whole or in part, we will tell you why (unless it is unreasonable to do so) and how you can complain.

12.4 Direct marketing

You can:

• opt out of marketing emails by using the unsubscribe link in our emails; or
• contact us to request that we stop using your details for direct marketing.

We may still send you essential service or transactional communications, such as account or security notices.

12.5 Anonymity and pseudonymity

Because Mesonate is used to manage training and health information in a coaching and organisational context, we usually need users to identify themselves so that coaches and organisations can safely and appropriately manage training and related activities. In limited contexts (for example, some feedback forms), we may allow you to respond anonymously or under a pseudonym. If you have questions about whether you can use a pseudonym in your situation, please contact us.

13. Children and young people

Mesonate is often used with youth and junior teams.

Our Services are designed primarily for adults. Individuals under 18 should only use the Services where they, and where appropriate their parent or legal guardian, understand and agree to how we handle their health information.

In practice, minors usually join Mesonate through an invitation from a coach, club, school or other trusted organisation. We rely on Coaches, Businesses and organisations to:

• obtain any necessary parental or guardian consent before adding minors to Mesonate or collecting information about them; and
• ensure that minors use the Services in a supervised and appropriate way.

For Mesonate, we apply the following approach:

• users under 16 should only use the Services where a parent or legal guardian has consented to their participation and to our handling of their health information; and
• users aged 16 and over may in many cases be able to provide their own consent, but we expect coaches and organisations to consider any additional requirements that apply in their context (for example, school policies or state laws).

We do not knowingly allow minors to use Mesonate without appropriate consent. If we become aware that a minor is using the Services without such consent, we may:

• suspend or delete the minor’s account; and/or
• take other steps we consider appropriate to protect the minor’s privacy.

Parents or guardians who have questions about a child’s account, or who wish to access or request deletion of their child’s personal information, can contact us using the details in Section 15. We may need to verify your identity and your relationship to the child, and in some cases we may coordinate with the child’s coach or organisation.

We do not currently provide a separate parent or guardian portal.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect:

• changes to our Services or business practices;
• changes in law or regulatory guidance; or
• feedback from users or regulators.

When we make changes, we will:

• post the updated Privacy Policy at the same URL;
• update the “Last updated” date at the top; and
• where changes are material, provide additional notice (for example, by email or in‑app notification).

Your continued use of the Services after the updated Privacy Policy takes effect will constitute your acceptance of the changes.

15. Contact us and complaints

15.1 Contacting us

If you have any questions, concerns or requests about this Privacy Policy or how we handle your personal information, please contact our Privacy Officer:

• Privacy Officer: Dominic Andrews
• Email: dominic.andrews@mesonate.com

(If these details change, we will update them in this Privacy Policy.)

15.2 Complaints

If you believe we have breached the Privacy Act or the APPs, or mishandled your personal information, you can lodge a complaint with us using the contact details above. Please include:

• your name and contact details;
• a clear description of your concerns; and
• any supporting documentation.

We will investigate your complaint and aim to respond in writing within 30 days. If we need more time, we will let you know.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

• Website: https://www.oaic.gov.au
• Phone: 1300 363 992
• Post: Office of the Australian Information Commissioner GPO Box 5218 Sydney NSW 2001