How I handle customer and client data

Posted on December 21, 2016


(Last Updated On: December 21, 2016)

If you at all pay attention to the online sphere you’ve heard something negative about privacy recently. Or if you have a Yahoo account you just received your bi-monthly data breach report.

David Heinemeier Hansson is a notable programmer, runs an online business, and someone I find I more often than not agree with. Or if I follow his advice, it was worthwhile. He and Jason Fried’s book Rework is by far the most influential business book I’ve read.

He recently did a podcast and answered how he approaches digital security. Nothing too detailed, but it was informative. I’ve been leery of putting out there what I do for my customers / clients, but realized what he put out there is ok, and the fact he did it -and is a privacy (anti)nazi- then this is not only ok, but something I should do.

That said, the main reason for this is incredulously America is back in our never ending debate whether we should all have health insurance. We decided forever ago everybody gets healthcare -doctors more or less treat people when they come into the ER- yet even though we acknowledge if somebody drives a car they need car insurance, we’re back in the throes of the asinine argument if you have a body, should you have health insurance.

55 million people are again at risk of not having insurance.

Meaning people now have to again worry if something like a god forsaken injury from bum-fuck years ago can prevent their ability to get insurance. (Like my ACL injury did.) As someone who asks every client about their e.g. injury history, I have information insurance companies may want very soon.

-> Discussed below- how your employer may want this information too.

One, I feel obligated to attempt to give readers some reassurance. I’m only one site, but it’s something, and frankly I haven’t seen any other personal trainer do something like this.

Two, I’d implore you to consider this when hiring a trainer -apps qualify (discussed below)- or really any healthcare worker. (Or if you’re a trainer or worker!) I’m by no means a technical person with computers, but I have a dad who has worked in IT for 30 years, a mom with a master’s in computer science, and a brother with a bachelor’s in computer science who has a significant interest in machine learning. I’m around this more than most. I highly doubt any of the healthcare workers you’re hiring, especially personal trainers who often state how tech illiterate they are, are up to date on their security.

Which means your info isn’t either.

The irony is trainers more often than not know a client and have more info on them than anybody else. Doctors see you 15 minutes a year. Trainers can see you for hours a week.

As a practitioner, all of this could be set up in a day, if not a couple hours.

I know I have a lot of software engineers / programmers / IT workers who read this site. The perk of publishing this is if you think I’m not doing something I should be, or doing something I shouldn’t, please let me know. Comments, or if you think email is best,, and I’ll be sure to update this page.

What info do I gather?

Customers- considered people who buy a product. The only thing I get is email addresses. My online checkout cart does store these for me, but they do not go on ANY email list. Not even mine. I hate shitheads who do that.

If you want to sign up for my email list, you have to do it separately. You’ll see a form at the bottom of this page as one way.

The reason emails are stored is so I can confirm purchases. I have people who months after buying something will email me saying they somehow lost access to the product. Deleted the email, changed computers, whatever. I can go into the repository and confirm their purchase rather than making them buy again.

I collect no home addresses and no credit card information. Even for people who donate. PayPal just emailed me saying they will no longer automatically show the addresses for donations. Great. I don’t want that info anyways.

Clients- people who partake in this process or meet regularly in person. This where I get the most info due to the questionnaire. Every one filled out goes on my laptop, which is an Apple. Apple has by far proven to take privacy the most seriously. This is getting harder with the increase in machine learning, as its hard to overstate how reliant AI is on data accumulation, but as Tim Cook, Apple CEO has said “We make money by selling products. Not by selling your data.”

-> It’s worth considering how the majority of fitness apps make money (if they make any). Every time I hear someone bitch about paying for an app I wonder if they realize what they’re giving up for downloading the free one.

Another way of looking at this- where do you think your data is safer? In the hands of your personal trainer, or in the hands of your fitness app…which are nowhere near replicating what a trainer can do, and if we truly do automate everything, may very well be one of the last professions to get there.

This is not only relevant to insurance companies. Every month I hear about an employer trying a new measure to get their employees healthier. Employers want to decrease health costs -> Does anybody think no employer would partake in “Oh, doesn’t look like you’ve used RunKeeper much the last few months, and when you do you’re clearly out of shape. Let’s go with the other candidate.” Experian, a background check employers use, has been buying health data.

“Hmm, these two candidates are very even. Let’s avoid the pre diabetic. They’re less likely to miss work.”

My laptop locks its screen after five minutes of disuse. All its contents are encrypted and a password is required to open the laptop.

Zero client questionnaires are stored on the cloud.

I do see addresses for clients (not customers) when they send payment, and that info is stored in my credit card processor. They automatically do this for shipping purposes, though I’m not shipping anything. To get into that account requires…

Two factor authentication

Most of us enter a password to get into our services. Two factor authentication means when you type your password you then also have to approve the log in request, which is sent to you somehow. Such as to your email or phone. Idea being somebody gets your password and types it in, but without your e.g. phone they still can’t get in.

Every account of mine which offers this, I use it. The others are two step authentication. (There is a difference between two factor and two step. Two factor is preferred.)

To get into my phone requires either my fingerprint or passcode, and my phone locks the screen immediately once I stop using it. And my text messages can’t be seen without unlocking the phone. I virtually always use my fingerprint to access my phone in case someone is trying to watch me enter the passcode.

If my phone is stolen I can remotely delete all the data on it. It is an iPhone, per the Apple reasons above.

You know how Russians hacked the DNC? One way they got in was a simple phishing scheme for a password. Yeah, lack of two factor authentication could have swung a presidential election.


I do use the cloud to store client spreadsheets / programs. (Not questionnaires.) This again requires two factor / step authentication.

These spreadsheets have nowhere near the info in them that the questionnaires do. If someone’s questionnaire is all about their right knee, the program may say “Work on knee” as one of the goals. Someone may write me 1,000 words about the knee in a questionnaire, but I’ll write maybe five in the spreadsheet.

All sheets only list a person’s first name and maybe last initial. Though full pictures of the client -which they’ve sent to me (people are welcome to, and have, blur out their face)- may appear in the spreadsheet.

My main use of the cloud is receiving videos. I leave it up to the client how they want to send them. Google Drive / Youtube, DropBox, OneDrive, whatever, but I always gently lean people towards WeTransfer. WeTransfer automatically deletes each file after seven days, rather than leaving it up perpetually. There are other services out there like Safe Secure, which people are again welcome to use. (There is only so much I can do on my end. A good deal is up to the client. I don’t force people to use a service.)

If I download the media then it goes into my laptop per security measures above. If it’s left on the cloud, then to access it requires getting into my email, provided I didn’t delete the message, which I often do.


I use Outlook (Microsoft). I’ve used them for a long time. Never had an issue, they offer encryption depending on what you’re using, and with how many businesses use them, they seem to be reliable in this area.

That said, if somebody wants to send me something, like their questionnaire, through a service such as InfoEncrypt or SBWave, that’s fine. (I realize there are more serious encryption services out there. If a client is on that level, I’m typically willing to meet them there.)

Zuck Sucks

The only communicating with client’s I do on Facebook is if they contact me. Once they do, I immediately tell them to email me instead.

I’m on no other social media.


I do have ads on my site. I’m ok if people access my site with an ad blocker. I don’t control what the ads are, WordPress, a highly regarded service, does that. I have no ties to any particular advertisers.

To give a sense of things, I make about 1% of monthly revenue from advertising. 99% of income is derived from people directly paying for something. Not for giving access to my readers.

Permission before showing up on my site

I don’t post any pictures or videos of clients on my site without asking them first. Even then, this is very clear on the testimonials page, I don’t divulge last names.

Spread across multiple platforms

While someone like Apple does appear to take security the strongest, I don’t only use them. For example, I don’t use them for my laptop, phone, cloud, spreadsheets, FaceTime, Apple Pay, etc. I only use them for some things.

Idea being it’s harder for multiple companies to be hacked simultaneously than it is for one. So while I may have X stored on my Apple computer, Y is on a different company’s cloud.

Anonymous comments

Comments where someone attaches their real name and email are highly preferred, but I understand the desire for anonymity, emotionally and data wise. So it’s still allowed.

Become a client

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Tagged: ,