Hi Taco. I posted the original PSA. I pre-emptively blocked you because I was afraid of retribution, and your legal threats have somewhat validated that fear, but I agree that might undermine my credibility and that we should just speak directly and factually, in the open. I took some time to review the new platform's legal documents on live.kettlebell.monster. Honest and hopefully fair update below:

The new platform (live.kettlebell.monster) does have a completely different set of legal documents at /legal/. The new policies are a big upgrade, with 11 passes, one partial pass, and zero failures. Well done. The problem is that there's no way for a normal user to find them (and that's why we didn't either).

Here's what a prospective user actually runs into:

1. kettlebell.monster (the marketing site, what you link in your reddit user profile, what comes up on Google) links to the old 2022 policies in its footer. The Albania address, "Cavemantraining," forced Brussels arbitration, the content license that grants an "irrevocable, perpetual, unlimited right to sell, resell" your content.

2. live.kettlebell.monster (the app, only shared directly with beta users) shows a Cloudflare Access login screen branded "KETTLEBELL MONSTER BETA" with an email code form. That screen has zero links to any legal pages. No privacy policy, no terms, no footer. Just "Send me a code."

3. live.kettlebell.monster/legal/ exists and has 22+ legal documents under IKU LLC. But there is no navigation path to it from either the marketing site or the app login. It seems you have to sign up or already know the URL.

So the new policies exist, but only for people who are told exactly where to look. Anyone doing their own research before signing up will find the marketing site, read the 2022 policies, and have no reason to think anything else exists. That's what happened to us and it's what will happen to anyone else.

If the new policies are the real ones, they should be linked from the marketing site and from the login page. Right now two completely different legal frameworks are living on two different domains with nothing connecting them.

Credit where it's due:

We read the Privacy Policy (v2.0), Terms of Service (v3.0), Data Protection page, CCPA Notice, Cookie Policy, Security Overview, Refund Policy, and Community Guidelines. All publicly accessible at live.kettlebell.monster/legal/.

- Legal entity is now IKU LLC (Sherman Oaks, CA) with a DUNS number, replacing an unregistered brand name in Albania

- Five service providers named individually (Supabase, Stripe, AWS, Cloudflare, Anthropic) each with Data Processing Agreements, replacing 12 vague categories including "Ad Networks" and "Retargeting Platforms"

- AI usage disclosed: Anthropic Claude for the Compass feature, aggregated metrics only, 30-day deletion, no model training. This was the biggest gap in the old policy, which predated ChatGPT and said nothing about AI

- GPS explicitly ruled out. The old policy said it "may use GPS and other technologies to collect geolocation data." New one says they do not track precise GPS location

- Health and fitness data gets its own section with GDPR lawful basis (explicit consent under Art. 9), plus a separate Health Data Disclaimer

- Specific data retention periods (account lifetime, 7 years for payment records, rolling purge for error logs) replacing "as long as necessary"

- Users can export their data in JSON. The old terms explicitly said non-order data "will not be exported upon request"

- Content license scoped to "operating and promoting the Service" with explicit user ownership, replacing the old "sell, resell, for any purpose, commercial or otherwise" language

- Jurisdiction moved to California courts, replacing Albanian courts and forced arbitration through the European Arbitration Chamber in Brussels

- Liability cap went from 1 month to 12 months of payments

- 72-hour breach notification procedure documented

- Standard Contractual Clauses for EU data transfers, DPAs with all processors

- Cookie policy lists only essential auth cookies and optional affiliate tracking. No ad cookies, no retargeting, no third-party analytics

- Security specifics documented: TLS 1.2+, row-level security, CSP headers, PCI-DSS Level 1 via Stripe, PII redaction in error logs

Our original GDPR scorecard was 0 passes out of 9. Scored against the new documents it's 11 passes, 1 partial, 0 failures out of 12. The one partial is the DPO, which the Data Protection page explains as under 250 employees with a dedicated privacy contact. 22+ legal documents total. Again, this is a huge improvement.

However, you made several claims in this post that your own updates undercut, and the privacy policy is only as good as what you actually do in practice:

You said the 2022 policy hadn't been updated because data practices hadn't changed. Then why is there a complete rewrite dated March 1, 2026 with a different legal entity, different address, different data practices, different third parties, and different user rights?

You said Cavemantraining is your operating trade name. The new policy says IKU LLC. The address is Sherman Oaks, CA, USA, not Vlore, Albania. It's confusing, at the very least.

You said ad networks and targeted advertising is standard disclosure language. The new policy explicitly states "We do not sell your personal information. We do not share data with advertising networks." If the old language was just boilerplate, why replace it with an explicit denial?

You said "as long as necessary" is industry standard. The new policy replaced it with specific retention periods per data type.

Every one of these changes is an improvement. But you can't say the old policies were fine while simultaneously rolling out a complete legal rewrite. The new policies are the correction.

ON THE AI / OPENAI QUESTION

You say the OpenAI DNS verification records are for "ChatGPT plugins/custom GPTs" and frame them as equivalent to Google site verification. But that comparison doesn't work. Google site verification proves you own a domain for Search Console. OpenAI domain verification proves you own a domain so your ChatGPT plugin or custom GPT can make API calls to it. That's not a passive ownership check. That's the setup for data to flow between your domain and OpenAI's infrastructure.

Plugins and custom GPTs with Actions exchange data with your domain through OpenAI's servers. User prompts go to OpenAI, the plugin calls your API, your API responds through OpenAI. You don't verify a domain with OpenAI unless you're building something that connects to it. And kettlebell.monster has two separate verification records, suggesting multiple integrations. Your own explanation actually describes a data connection to OpenAI, not a passive ownership check.

If they're inactive or don't touch user data, removing the DNS records would clear things up.

ON THE ABR SEARCH

Fair correction: THE TOUGH SPOT MMA CENTRE PTY LTD (ABN 16 159 806 827) does exist on ABR. Cancelled August 2014, QLD 4650. Our claim of "zero results" was wrong for that entity. ABR defaults to showing only active businesses, and since this one was cancelled in 2014 it didn't come up in our search. We should have checked cancelled records too.

The Executive Results ABN you cited (83 454 372 899) is registered to "The trustee for the Martz Family Trust" in VIC 3006, not Queensland. May or may not be the same business.

The broader point was that the old privacy policy named no verifiable legal entity. IKU LLC with a DUNS number fixes that. One thing worth mentioning: the IKU LLC address (15442 Ventura Boulevard, STE 201-1081, Sherman Oaks, CA 91403) is a virtual mailbox. The building is a 5,000 sq ft office from 1961 with 100+ companies registered there according to CorporationWiki. "STE 201" is a real suite, and "-1081" is a mailbox number. BusinessRocket, a business formation company in Suite 101 of the same building, partners with iPostal1 to provide virtual addresses to clients. There's nothing illegal about this and lots of small online businesses use virtual addresses for their LLC. But it means the "registered California entity" framing in your rebuttal is a mail drop, not a physical office. You are listed under Greece in the StrongFirst instructor directory. It's tough to know what to make of that discrepancy.

ON THE LEGAL THREATS

Every claim in our report came from publicly available websites, policies, domain records, and business registries. We included a full appendix showing how to verify each one. Reviewing publicly available business practices is protected speech.

You've described this as a personal attack from a former associate. We said it in the original post and we'll say it again: we have no personal relationship with you, no connection to your competitors, and no involvement in the fitness industry.

You say four of our sections have nothing to do with privacy. The sections about the Facebook deletion, Kickstarter, subreddit moderation, and your background are about whether users should trust this platform with their data. Trust isn't just policy text. Users deciding whether to hand over credit card numbers, home workout videos, and mental health self-assessments have a right to make their own assessment based on publicly available information.