Privacy Policy
Last Updated: April 6, 2026
Data Collection
mAI Coach collects workout data (exercises, sets, reps, weights, RPE), nutrition data (meals, calories, macros), injury/rehabilitation data, exercise preferences, and profile information. When you use AI coaching features, relevant context is sent to Google's Gemini API. Crash reports are collected via Firebase Crashlytics on both iOS and Android. Barcode scans query the Open Food Facts API in real time.
AI Coaching Data
When you use AI features, your profile context, workout history, recorded injuries, and conversation messages are sent to Google's Gemini API through our secure server-side proxy. API keys are managed server-side and never touch your device. Google may retain this data for up to 55 days for safety monitoring. AI usage metrics (request counts, token usage) are tracked for rate limiting. Full prompt content and AI responses are not stored on our servers; however, brief AI-distilled coaching notes (up to 25 per user) may be stored to improve coaching continuity across sessions.
When you photograph food for AI nutrition analysis, the image is sent to Google's Gemini Vision API for processing. Food photos are not permanently stored on our servers.
Camera & Biometric Data
The app uses your device camera for real-time exercise form analysis via on-device pose estimation. Camera frames are processed entirely on-device and are NEVER recorded, stored, or transmitted. Body position data from pose estimation may constitute biometric information under certain laws. All such processing occurs entirely on-device and no biometric data is stored, transmitted, or shared.
Nutrition & Barcode Data
Nutrition data (meals, calories, macros, body weight, meal plans) is stored locally on your device by default. AI-generated meal plans are processed via Google's Gemini API. Barcode scanning uses the Open Food Facts API, a user-contributed open database made available under the Open Database License (ODbL). We do not control or guarantee the accuracy of Open Food Facts data.
Data Storage & Sync
All workout, nutrition, and profile data is stored locally on your device by default. If you create an account, authentication data (email, hashed password) is stored, with the password hashed using bcrypt. Cloud sync, when enabled, transmits data encrypted in transit (TLS 1.2+) and at rest (AES-256). Security policies ensure users can only access their own data.
Injury & Health Data
Self-reported injury data is classified as sensitive health information. It is stored locally and used to personalize AI coaching and rehab exercise recommendations. Recording injuries does NOT create a medical record or patient-provider relationship. The App is not a HIPAA-covered entity.
If you enable both Health Data and Cloud Sync, your health readings may be synced to our servers. This is opt-in, encrypted in transit and at rest, user-controlled, and deletable at any time. Health data is NEVER used for advertising and NEVER sold to third parties.
Third-Party Services
We use the following third-party services: cloud hosting and authentication (Supabase), AI coaching chat (Google Gemini API), AI-curated research digest (Anthropic Claude API), on-device pose estimation (Google MediaPipe), on-device OCR (Google ML Kit), crash reporting (Firebase Crashlytics), push notifications (Apple APNs and Google FCM), and barcode nutrition lookup (Open Food Facts API). We do NOT sell your data. We do NOT use your data for advertising. We do NOT share health data with data brokers or information resellers. We do not collect advertising identifiers.
Your Rights
You can view, export, and delete your data at any time within the App. EU residents have GDPR rights including access, rectification, erasure, and portability. California residents have CCPA/CPRA rights including the right to limit use of sensitive personal information. Oregon residents have OCPA rights including explicit consent for sensitive data processing. Washington residents have rights under the My Health My Data Act including separate consent for health data collection. Virginia, Colorado, Connecticut, and Texas residents have rights under their respective state privacy laws. Canadian residents have rights under PIPEDA. Brazilian residents have rights under the LGPD. Contact us to exercise these rights.
Health Breach Notification
We comply with the FTC's Health Breach Notification Rule (16 CFR Part 318, as amended July 2024). In the event of a breach involving your health-related information, we will notify affected individuals within 60 days of discovery, notify the FTC, and if 500+ residents of a state are affected, notify prominent media outlets in that state. For EU/EEA/UK residents, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach (GDPR Article 33).
Aggregate Analytics
If you connect health data (sleep, heart rate, HRV, steps), your raw health data stays on your device. The app computes derived training metrics locally. Anonymized, aggregate training metrics (not raw health data) are used at the population level to improve coaching accuracy. This aggregate data contains no user IDs, no individual readings, and no personally identifiable information.
Children's Privacy
The App is not directed at children under 13 (under 16 in the EEA). We do not knowingly collect personal information from children under these ages. If we discover a user is under the applicable age, we will delete their data promptly.
Changes & Contact
We may update this policy from time to time. Material changes will be communicated via in-app notification.
Contact: mAI.Coach.app.contact@gmail.com