Privacy Policy
Effective April 17, 2026
Superhuman Code ("we", "our", "us") provides a fitness coaching platform for personal training, wellness, nutrition, and body transformation workflows. This Privacy Policy explains how we collect, use, share, and protect your personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.
If you have questions about how your data is processed, or wish to exercise any of your rights, please contact us at the address above.
- Account data: name, email address, encrypted authentication credentials, profile information.
- Health and fitness data: workout logs, training schedules, exercise history, body metrics (weight, body fat percentage, measurements), nutrition logs, and wellness assessments.
- Progress photos: images you upload to track physical transformation over time.
- Coach-client messages: text communications between coaches and clients within the platform.
- Billing data: Stripe customer/subscription identifiers and plan status. We do not store full card details.
- Uploaded content: files and media you upload for use within the platform.
- Usage data: interaction patterns, feature usage, and device/browser information collected to improve the service.
Certain data we collect — including workout logs, body metrics, nutrition information, and progress photos — qualifies as special category data under GDPR Article 9 (data concerning health). We process this data only with your explicit consent, which you provide when you enter health-related information into the platform. You may withdraw this consent at any time by contacting us or deleting the relevant data from your account.
We process your personal data under the following legal bases (GDPR Article 6):
- Consent (Art. 6(1)(a)): For processing health and fitness data, progress photos, and sending optional communications. You may withdraw consent at any time.
- Contract performance (Art. 6(1)(b)): To provide the coaching platform services you have subscribed to, manage your account, process payments, and deliver training programs.
- Legitimate interest (Art. 6(1)(f)): To improve our services, ensure platform security, prevent fraud, and analyze aggregated usage patterns.
- Operate core coaching features, training schedules, and workspace sync.
- Facilitate coach-client communication and program delivery.
- Track fitness progress, body metrics, and transformation results.
- Manage subscription status and access levels.
- Provide AI-powered features (workout suggestions, analysis).
- Improve reliability, performance, and product experience.
- Send service-related communications (with your consent for marketing).
Payments are processed by Stripe. Their handling of payment information is governed by Stripe's Privacy Policy.
We use the following third-party services to operate the platform. Each processes data only as necessary for its stated purpose:
- Stripe — payment processing and subscription management.
- OpenAI — AI-powered features such as workout analysis and recommendations.
- Anthropic — AI-powered features for coaching insights and content generation.
- Sentry — error tracking and application monitoring (collects anonymized technical data only).
- Apple — Sign in with Apple authentication (Apple shares only your name and email, or a relay email if you choose to hide it).
We do not sell your personal data to any third party.
We do not sell personal data. We only share data with:
- Service providers necessary to run the app (as listed in Section 7).
- Your assigned coach, who can view your training data, metrics, messages, and progress photos as part of the coaching relationship.
- Law enforcement or regulatory authorities, if required by law.
Your data is stored on servers located in the Americas. If you access the service from outside this region, your data will be transferred to and processed in the Americas. We implement appropriate safeguards for cross-border transfers, including encryption in transit and at rest.
We use reasonable security measures to protect data, including encryption, access controls, and secure authentication. No system is 100% secure, so users should also use strong passwords and protect account access.
- Active accounts: Your data is retained for as long as your account remains active.
- After account deletion: A 30-day grace period allows you to recover your account. After 30 days, your personal data is permanently erased from our production systems.
- Backups: Residual copies in encrypted backups are purged within 90 days of account deletion.
- Legal obligations: Certain records (e.g., billing history) may be retained longer where required by law.
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data.
- Right to data portability: Receive your data in a structured, machine-readable format. You can export your data at any time via the /api/auth/me/export endpoint.
- Right to restriction of processing: Request that we limit how we use your data.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at support@superhumancode.app. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority.
If you are a California resident, you have the following rights:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties we share it with.
- Right to delete: Request deletion of your personal information, subject to legal exceptions.
- Right to opt-out of sale: We do not sell your personal information.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To submit a request, contact us at support@superhumancode.app. We will verify your identity and respond within 45 days.
We do not use cookies for tracking or advertising. Instead, we use:
- localStorage: To persist your session, preferences, and cached data on your device. This data never leaves your browser unless synced to the server as part of normal app operation.
- Service Worker: For offline caching, enabling the app to function without an internet connection.
No third-party tracking cookies or advertising pixels are used.
This service is not intended for children under the age of 13 (16 in the EU unless a member state has legislated a lower age). We do not knowingly collect personal data from children below these age thresholds. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. Material changes will be communicated via the app or email. Continued use of the service after changes constitutes acceptance of the updated policy.
For any privacy-related questions, data requests, or concerns: