Migrator Privacy Policy

How the AllStrong Migrator Chrome extension handles your data

Last Updated: April 16, 2026 — Version 1.0

1. Introduction

This Privacy Policy governs the AllStrong Migrator Chrome extension (the "Extension"), published by AllStrong ("we," "us," "our") for one-time data migration from third-party gym, studio, and team management platforms into AllStrong.

This policy is separate from and supplemental to the main AllStrong Privacy Policy. The main policy governs the AllStrong app itself. This policy governs only what the Extension does while it is installed in your browser.

The Extension is only intended for use by gym, studio, or team owners or staff who are actively switching their operations to AllStrong. If you are not a gym operator migrating data, you should not install the Extension.

Privacy contact: privacy@allstrong.app
Support: support@allstrong.app

2. What the Extension Does

The Extension is a one-time tool that reads your gym's own data from a source platform's website — the same data you can see when you log in and browse that platform's UI — and sends it to your AllStrong account via an authenticated API call.

The Extension is dormant unless you:

  1. Create a migration session in your AllStrong dashboard
  2. Paste the session link into the Extension's popup
  3. Navigate to a supported source platform tab
  4. Click "Start migration"

When no active migration session exists, the Extension does not read, transmit, or modify any data.

3. Data Handled by the Extension

3.1 Data the Extension reads from source platforms

When you start a migration session, the Extension reads the following data from the source platform's pages (only the data you select to migrate):

  • Member roster: Names, email addresses, phone numbers, dates of birth, guardian contact information (for minor members), external member IDs
  • Memberships: Plan names, start and end dates, prices, status
  • Classes and schedules: Class names, schedules, instructor assignments, capacity
  • Attendance: Check-in records and class attendance history
  • Rank and belt history (martial arts): Current rank, belt promotions, stripes, dates, instructor-of-record
  • Workout and performance scores: WOD results, benchmarks, personal records
  • Signed waivers: Waiver names and signature dates (we do not transmit the PDF waiver body, only the acknowledgment metadata)
  • Staff and coaches: Names, email addresses, roles
  • Payment history: Historical transaction records (amounts, dates, descriptions) — NOT live payment credentials or card numbers

3.2 Data the Extension does NOT read

  • Your password for the source platform (we never see credentials — the Extension runs inside your already-authenticated browser session)
  • Payment card numbers, bank account numbers, or live payment credentials
  • Messages or communications unrelated to migration
  • Data from websites outside the 27 declared source-platform domains
  • Data from any source platform you have not explicitly started a migration on

3.3 How the Extension handles the data

  • Data is read from the source platform's rendered pages or its own API responses (observed passively — we do not forge requests)
  • Data is transmitted directly from your browser to the AllStrong backend API at https://health-app-api-nk9i.onrender.com over HTTPS (TLS 1.2+)
  • Data is not stored locally in your browser beyond the duration of the active migration session
  • Data is not sent to any third party
  • Data is not used for advertising, analytics, tracking, or profiling

3.4 Authentication token storage

To maintain the active migration session, the Extension stores a short-lived one-time session token in chrome.storage.local (device-local only, never chrome.storage.sync). This token:

  • Is issued by the AllStrong backend when you start a migration from the dashboard
  • Expires automatically after 2 hours
  • Is cleared immediately when you click "Stop migration" or uninstall the Extension
  • Is redacted from all diagnostic logs

The Extension does not store any other credentials, tokens, cookies, or session data.

4. How Long Data Is Retained

4.1 In the Extension

Data flows through the Extension in real time during the migration session; it is not persisted in the Extension. When the session ends or the Extension is uninstalled, no migration data remains in your browser.

4.2 On AllStrong servers

Data sent to your AllStrong account during migration is retained according to the main AllStrong Privacy Policy. Staged migration records are kept for up to 90 days after a migration completes to allow for rollback and audit, after which they are deleted. Permanent records (members, memberships, attendance history, rank progressions) become regular AllStrong data.

You may request deletion at any time by emailing privacy@allstrong.app.

5. Who We Share Data With

We do not sell, rent, or share data collected through the Extension with any third party for any purpose, including marketing or advertising.

The only services that receive data collected through the Extension are:

  • AllStrong's own backend API (health-app-api-nk9i.onrender.com) — operated by us, hosted on Render, Inc.
  • Neon Postgres — our database provider (Neon, Inc.) which stores the migrated data as part of the AllStrong platform
  • Anthropic (Claude) — our migration orchestration uses Anthropic's Claude AI to plan navigation steps on source platforms. Source platform metadata (page titles, DOM structure snippets) may be sent to Anthropic for this purpose. Member personal data extracted during migration is not sent to Anthropic.
  • Sentry — error monitoring. The Extension itself does not send events to Sentry. Backend errors during migration may be sent to Sentry with PII redacted.

All services are bound by their own privacy policies and data processing agreements with us. None receive data for marketing, advertising, or independent purposes.

6. Permissions Explained

The Extension requests the following Chrome permissions:

  • activeTab — so the Extension reads only the tab you explicitly activate. Dormant on all other tabs.
  • storage — to cache the migration session token locally during the session. Cleared when the session ends.
  • scripting — to inject a small observation helper on React-based source platforms (so we can read their own JSON API responses rather than scraping rendered HTML).
  • webRequest — to observe (not modify) the response bodies of the source platform's own API requests, limited to the declared source-platform hosts and only while a migration session is active.
  • host_permissions — 27 specific gym-management platform domains. The Extension can read data from these domains only when you have started a migration on them. It cannot read data from any other domain.

7. Your Rights

You have the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete your data (right to erasure under GDPR, right to deletion under CCPA)
  • Withdraw consent at any time by uninstalling the Extension and/or deleting your AllStrong account

To exercise any of these rights, email privacy@allstrong.app.

8. Children

The Extension is not intended for use by children. It is a professional tool for gym and studio operators. If you are using the Extension to migrate data about members who are children, the member data is treated as regular AllStrong data under the main app's Privacy Policy, which addresses minor users with parent/guardian consent.

9. International Users

The Extension sends data to servers in the United States. If you are outside the United States, by using the Extension you consent to the transfer of data to the United States.

For users in the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses for international transfers where required.

10. Security

The Extension:

  • Transmits all data over HTTPS (TLS 1.2 or higher)
  • Does not store passwords, payment credentials, or long-lived tokens
  • Caps observed data payloads at 5 MB (DOM) or 2 MB (XHR responses) to prevent memory exhaustion
  • Restricts navigation actions to the same origin as the source platform page
  • Is open source — the full extension source is available at github.com/DanielSwick/health/tree/main/migrator

We review all extension updates for security before publishing. If you discover a security issue, please email support@allstrong.app.

11. Changes to This Policy

If we materially change how the Extension handles data, we will publish a new version of this Policy and bump the Extension's version number. Your continued use of the Extension after a policy update indicates your acceptance of the changes.

12. Contact

Postal address available on request via email.