Privacy Policy
Last Updated: June 22, 2026
1. Scope
This Privacy Policy explains how CT Labs LLC collects, uses, stores, shares, and protects information for mAI Coach across the iOS app, Android app, website, backend services, subscriptions, community features, and related services.
We do not sell your data, do not use health data for advertising, do not share health data with data brokers, and do not collect advertising identifiers.
2. Information We Collect
Depending on the features you use, mAI Coach may collect account data, profile data, workout logs, exercise history, sets, reps, weights, RPE/RIR, schedules, templates, body weight, body measurements, nutrition logs, calories, macros, meal plans, dietary preferences, allergies, injury or rehabilitation notes, progress photos you save, AI-generated programs, AI-generated meal plans, coach notes, daily check-ins, health readings you permit through HealthKit or Health Connect, subscription entitlement metadata, diagnostics, crash reports, push notification tokens, and optional community data.
Guest mode stores data locally on your device. Account, sync, subscription, community, AI, notification, support, and moderation features require server-backed processing.
3. AI Coaching and Vision Data
When you use AI features, relevant context such as your goals, equipment, workout history, nutrition context, injury restrictions, and the message you send may be sent to Google's Gemini API through our Supabase Edge Function proxy. API keys are managed server-side and never touch your device.
Google may retain Gemini API input and output data for a limited period for abuse monitoring, safety review, service security, and legal compliance. Under Google's paid API service terms, Google does not use API input or output to train or improve models. We do not store full AI prompt or response content on our servers, but brief AI-distilled coach notes, up to 25 per user, may be stored to improve coaching continuity.
If you use photo-based food analysis or workout import, the selected image may be sent to Gemini Vision through our proxy. Food photos and import images are not permanently stored on our servers by that processing path.
4. Camera, Media, and Biometric Data
Real-time bench press form analysis uses on-device pose estimation. Camera frames are processed on your device and are not recorded, stored, or transmitted by that feature. Body-position processing may constitute biometric information under some laws, but we do not store or transmit biometric templates from pose estimation.
Workout video attachments and progress photos are stored locally unless you explicitly use a sync, backup, share, upload, or analysis feature. Community avatars and workout-post images you upload are stored in Supabase Storage and are governed by profile visibility, post visibility, blocking rules, moderation controls, and your privacy settings.
5. Health, Nutrition, and Barcode Data
HealthKit and Health Connect access is permission-based and controlled through your device settings. We may read permitted sleep, resting heart rate, HRV, steps, and active energy or active calorie data where supported. The App does not write data back to HealthKit or Health Connect. Body weight, height, measurements, body fat, and injury notes you enter directly are stored as App data. Health data is used only for app functionality such as readiness, recovery, training, and nutrition features.
Nutrition data is stored locally by default and synced only when you enable cloud sync or use server-backed features. Barcode scanning sends the barcode number to the Open Food Facts API to retrieve product data. Open Food Facts is community-contributed and may be inaccurate or outdated.
6. Subscriptions
Premium subscriptions are processed by Apple App Store or Google Play. We do not collect or store payment-card or bank-account credentials. RevenueCat manages purchase validation, restore purchases, entitlement status, renewal status, billing issue status, refunds or revocations, grace periods, and subscription synchronization.
We store entitlement metadata such as product identifier, base plan or offer identifier where provided, store, active or expired status, expiration date, RevenueCat app user identifier, original app user identifier, webhook event identifier, transaction-related metadata supplied by the platform or RevenueCat, sandbox/production flag, and synchronization timestamps for access control, support, fraud prevention, accounting, rate-limit enforcement, restore purchases, and troubleshooting. Deleting your mAI Coach account does not cancel an Apple or Google subscription.
7. Community, Sharing, and Reddit
If you use community features, we may collect community profile details, display name, avatar, bio, profile visibility, shared programs, workout posts, post images, captions, comments, reactions, follows, blocks, reports, accountability partner data, challenge participation, import activity, training tips, notification preferences, moderation decisions, and administrative audit records.
Community features are optional. Content you publish may be visible to your selected audience or the broader mAI Coach community. Other users may view, import, react to, comment on, screenshot, or otherwise save content you make available to them. We may use automated and manual moderation tools and may preserve records where needed for safety, abuse prevention, legal compliance, dispute resolution, or enforcement.
If you link Reddit flair, we may process your Reddit username, Reddit account ID, subreddit, OAuth state, flair text, flair level, link timestamp, and sync status to connect your mAI Score with r/mAIcoach flair. Reddit linking is optional and can be unlinked.
8. Notifications, Diagnostics, and Analytics
If you enable notifications, we store APNs or FCM device tokens and delivery metadata to send community activity, accountability, reminder, and system notifications, honor notification preferences, cap notification volume, retry delivery, and remove stale tokens.
Firebase Crashlytics collects crash reports, stack traces, app version, OS version, device model, memory/disk state, and related diagnostics for stability. Crashlytics data is retained for 90 days. If you submit an in-app diagnostic report, we may collect the report text, structured test results, platform, app version, device description, optional device log text, and pass/warn/fail counts. Diagnostic reports are retained for up to 90 days.
Firebase Analytics is disabled on iOS. Android may collect limited usage data such as app opens, session duration, OS version, and device model. We do not use analytics for advertising, profiling, or cross-app tracking.
9. Storage and Security
Workout, nutrition, media, and profile data is stored locally on your device by default. If you create an account, authentication data is stored with Supabase Auth and passwords are hashed. Cloud sync, when enabled, transmits data encrypted in transit and stores it using provider-managed encryption at rest. Supabase Row Level Security restricts private data to the owning user, while community data is governed by visibility settings, access rules, and moderation controls.
Server-side data may be stored in Supabase PostgreSQL, Supabase Storage, RevenueCat, Firebase/Google Cloud, Apple or Google platform systems, Reddit, and third-party APIs described in this policy. We use access controls, server-side API key management, RLS, and least-necessary data handling, but no electronic system is completely secure.
10. Third-Party Services
We use Supabase, Google Gemini, Anthropic Claude for research digest workflows, RevenueCat, Firebase Crashlytics, Firebase Analytics on Android, Google MediaPipe, Google ML Kit, Apple HealthKit, Google Health Connect, Apple APNs, Google FCM, Reddit, Apple App Store, Google Play, and Open Food Facts. These providers process data under their own terms and privacy policies.
11. Retention and Deletion
Local data remains on your device until you delete it, clear local data, or uninstall the App. Cloud-synced account, workout, nutrition, profile, health, and related data is generally retained until you delete it, disable sync where applicable, or delete your account. Community content, moderation records, subscription records, push logs, diagnostics, and security records may be retained where needed for safety, abuse prevention, legal compliance, accounting, fraud prevention, platform records, dispute resolution, or technical operation.
Account deletion removes associated server-side personal data within 30 days except where limited retention is required or permitted for the reasons above. Account deletion does not cancel App Store or Google Play subscriptions; you must cancel through the applicable store.
12. Your Rights
You can view, export, correct, and delete much of your data in the App, and you can request account deletion in the App or by contacting us. You can revoke camera, notification, HealthKit, and Health Connect permissions through your device settings.
Depending on your location, you may have rights to access, delete, correct, port, restrict, or object to processing; to opt out of sale, sharing, targeted advertising, or certain profiling; and to limit use of sensitive personal information. These rights may apply under GDPR/UK GDPR, CCPA/CPRA, Oregon OCPA, Washington My Health My Data Act, Texas TDPSA, Colorado CPA, Connecticut CTDPA, Virginia VCDPA, PIPEDA, LGPD, and other laws. Contact us to exercise rights.
13. Health Breach Notification
We comply with the FTC Health Breach Notification Rule to the extent it applies. In the event of a breach involving unsecured health-related information, we will notify affected individuals, the FTC, and media outlets where required. For EU/EEA/UK residents, we will notify supervisory authorities and individuals as required by GDPR/UK GDPR.
14. Children's Privacy
The App is not directed at anyone under 18. We do not knowingly collect personal information from children under 13 or from users under 18. If we discover such collection, we will delete the data promptly, subject to limited safety, legal, accounting, or security retention where permitted by law.
15. Changes and Contact
We may update this policy from time to time. Material changes will be communicated through the App, website, email, or other appropriate notice.
Contact: mAI.Coach.app.contact@gmail.com