Privacy Policy
Last updated: 2026-05-08
Coach374 (“we”, “us”) is a personal fitness tracker. This policy explains what data we collect about you, how we use it, who we share it with, and how to exercise your rights under GDPR (EU/UK) and CCPA (California). For questions, email privacy@coach374.app.
1. Data we collect
- Account. Email address (for authentication), account-creation timestamp.
- Profile. Display name (optional), height, starting weight, current weight, target weight, age, training start date.
- Daily logs. Whether you completed each daily commitment (walk, indoor workout, water, reading, photo, diet).
- Meals. Names of meals you logged, ingredient lists (when generated by our AI), per-meal protein/carbs/fat/calories.
- Workouts. Per-set reps, weight, and exercise names you record.
- Body measurements. Weigh-ins, body fat percent, muscle mass per limb (when you enter Hume body-scan data).
- Photos. Daily progress photos you upload, stored in our private object storage. Visible only to you and admin staff handling support requests.
- Reading library. Books you mark as currently reading, pages logged.
- Recipes & supplements library. Items you save, including AI-extracted nutrition data.
- Chef Matty conversations. The text of your chats with our cooking AI, including any context about your kitchen (spices, pantry).
- Subscription state. If you become a paying customer, a Stripe customer ID and subscription status. We do NOT store payment-card details — those live with Stripe.
- Audit log. Admin actions affecting your account (with IP address and user-agent of the admin) for compliance.
- Server logs. Standard request logs (IP, user-agent, URL, timestamp), retained by our hosting provider for ≤ 30 days.
We do not collect: precise location, contacts, microphone audio, advertising identifiers, biometrics beyond what you manually enter, or tracking pixels from third-party advertisers.
2. How we use it
- To run the app you signed up for (the only legal basis we rely on).
- To send transactional + lifecycle emails (sign-in codes, daily push reminders if you opted in, weekly summaries). Opt out from the Settings page or the unsubscribe link in any email.
- To generate AI features you trigger (meal parsing, ingredient breakdown, recipe extraction, supplement label OCR, Chef Matty chats). Inputs are sent to Anthropic; see Subprocessors below.
- To provide support when you contact us, with audit logging.
- To meet legal obligations (tax records for paying customers).
We do not sell your personal information. We do not share it with advertisers. We do not run advertising in the app.
3. Subprocessors
The third parties that may process your data on our behalf:
| Processor | Purpose | Data location |
|---|---|---|
| Supabase | Auth, database, file storage | United States |
| Vercel | Web hosting, server logs | United States |
| Anthropic | AI text and image processing | United States |
| Resend | Transactional + lifecycle email | United States / EU |
| Stripe | Subscription billing (paying users only) | United States |
| Google Books API | Book metadata lookup (no PII sent) | United States |
4. Retention
- Your account data is kept while your account is active.
- If you request deletion (see Section 6), we erase everything within 30 days except for billing records we're legally required to retain (typically 7 years for tax purposes, anonymized to remove your identity).
- Server logs at Vercel are rolled over within 30 days.
- AI request logs at Anthropic follow Anthropic's privacy policy (typically ≤ 30 days for API, with no model training on customer data).
- Audit log entries are kept indefinitely for compliance, but they reference user IDs, not contents — once a user is deleted, the audit row remains as a record of the action, with the user_id pointing to a tombstone.
5. Security
All data is encrypted in transit (HTTPS) and at rest (AES-256 via Supabase). Authentication uses email OTP — we never store your password because we don't have one. Access to admin tooling is restricted to founders, every action is recorded in an audit log, and we publish that fact here so you know.
6. Your rights
Wherever you live, you have the right to:
- Access a copy of all data we hold about you. Submit an export request from your account data page.
- Correct any inaccurate data. Most fields you can edit yourself in Settings; for anything you can't reach, submit a rectification request.
- Delete your account and all associated data. Submit a deletion request — we complete deletion within 30 days and email confirmation.
- Object to processing for marketing email — opt out from the unsubscribe link in any newsletter.
- Lodge a complaint with a supervisory authority (your local data protection authority for GDPR; the California AG's office for CCPA).
We respond to all requests within 30 days, free of charge for the first request per year. We may verify your identity by sending a link to the email on file before fulfilling sensitive requests.
7. International transfers
Your data is stored on US infrastructure (Supabase, Vercel, Anthropic, Stripe). If you're in the EU/UK, transfers are covered by Standard Contractual Clauses with each subprocessor.
8. Children
Coach374 is not directed at children under 16. We do not knowingly collect data from minors. If we learn we have, we delete the account and notify the registered email.
9. Changes to this policy
We'll email registered users about material changes at least 14 days before they take effect. Trivial changes (typo fixes, layout) may go in without notice.