Privacy Policy

Last updated: 28 May 2026

This Privacy Policy explains what personal data Corporate Athlete (Powered by HybridOS) collects, why we collect it, how we use it, and what rights you have. We follow the principles of the GDPR (EU Regulation 2016/679) and equivalent local rules.

1. Who is responsible

Corporate Athlete is operated as an independent project by the HybridOS team. For privacy questions or data-subject requests you can reach us at privacy@corporateathlete.app.

2. What data we collect

We collect only what we need to run the App:

  • Account data: email address, password hash, language and theme preference, account creation date.
  • Profile and goal data: training goal, race date if any, availability, equipment, training history you choose to enter.
  • Training data: generated sessions, completion status, skip / move / shorten actions, readiness check-ins.
  • Nutrition data: macro targets and any nutrition inputs you provide.
  • Feedback and support: messages, screenshots, or content you send us.
  • Technical data: device type, browser, locale, basic logs needed for security and reliability.
  • Product analytics: aggregated, event-level usage data (for example "session_started", "plan_generated") used to improve the App.

3. Why we process this data

We process your data on these legal grounds (GDPR Art. 6):

  • Performance of a contract: to provide the App you signed up for.
  • Legitimate interest: to keep the App secure, to debug issues, to improve features, to protect against abuse.
  • Consent: for optional features that ask for it, such as marketing emails or non-essential analytics. You can withdraw consent at any time.
  • Legal obligation: when we must keep records or respond to lawful requests.

4. Third-party processors

We work with carefully selected sub-processors. Each one acts under a data-processing agreement and only on our instructions:

  • Supabase: authentication and database hosting.
  • Vercel: application hosting and content delivery.
  • OpenAI: AI processing for plan and coaching suggestions. We send only the inputs needed to generate the response. We do not send your raw email address or password.
  • Email delivery providers: transactional email such as account confirmation.
  • Product-analytics provider (if enabled): aggregated event data, with no sensitive content payloads.

5. International transfers

Some of our sub-processors may store or process data outside the European Economic Area. Where that is the case we rely on appropriate safeguards (for example EU Standard Contractual Clauses) so that your data continues to receive an essentially equivalent level of protection.

6. Cookies and local storage

We use a minimum of cookies and browser storage. Essential storage is used to keep you signed in, to remember your language and theme, and to keep your in-progress plan. We do not run third-party advertising cookies. Where non-essential analytics is used, it runs only with your consent or in an anonymized form.

7. Retention

We keep your data for as long as your account is active. After account deletion, personal data is removed from the production database within 30 days. Backups containing your data are rotated and aged out within 90 days. We may keep aggregated, non-identifying statistics longer.

8. Your rights

Under the GDPR you can:

  • Access the personal data we hold about you.
  • Correct data that is wrong or incomplete.
  • Delete your account and personal data.
  • Restrict or object to certain processing.
  • Receive a copy of your data in a portable format.
  • Withdraw consent at any time, where we relied on it.
  • Lodge a complaint with your local supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens.

9. How to exercise your rights

Most actions are available directly in the App under Account. You can also email privacy@corporateathlete.app and we will respond within 30 days. We may ask for proof of identity before acting on a request.

10. Security

We apply reasonable technical and organizational measures: TLS in transit, encryption at rest provided by Supabase, hashed passwords, access controls, and audit logging on sensitive operations. No system is 100% secure. If we ever become aware of a personal-data breach affecting you, we will notify you and the supervisory authority as required by law.

11. Children

The App is for adults. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it.

12. Changes to this policy

We will update this Privacy Policy when our processing changes. Material changes will be communicated in-app or by email before they take effect.

13. Contact

privacy@corporateathlete.app for privacy matters. legal@corporateathlete.app for everything else.

© 2026 Corporate Athlete. Powered by HybridOS. All rights reserved.
