Privacy Policy
Last Updated: 2 May 2026Entity: Coach AI Technologies FZE LLC, a Free Zone company incorporated in Sharjah Publishing City in the Emirate of Sharjah, United Arab Emirates ("CoachAI", "Company", "we", "us" or "our")
Registered address: Sharjah Publishing City Building, Al Zahia Area – Entrance No. 2 – Ground Floor – Sheikh Mohammed Bin Zayed Road, Sharjah, UAE
Privacy contact:privacy@coachai.tech
General support:support@coachai.tech
Sub-processor list:https://coachai.tech/subprocessors
This Privacy Policy explains how CoachAI collects, uses, shares, and protects your personal data in connection with our website at https://coachai.tech, our Trainer & Business Portal, and our mobile application (collectively, the "Services"). It also explains the rights you have over your personal data and how to exercise them.
This Privacy Policy forms part of our Terms of Use. To the extent of any conflict between the Terms of Use and this Privacy Policy in respect of the processing of personal data, this Privacy Policy prevails.
If you are a personal trainer or wellness business using the Services to manage clients, separate Trainer & Business Terms and a Data Processing Addendum apply to your processing of your clients' data. See https://coachai.tech/business-terms.
1. Quick summary
Topic | Position
Workout / motion-tracking | We do not record or store video, photos, or biometric identifiers from workout sessions
Meal analysis | You can upload meal photos for nutritional analysis; we delete photos on account closure or earlier on request
AI Assistant | Conversations are processed by OpenAI and Anthropic; we contractually prohibit them from using your inputs or outputs to train their foundation models
Sale of personal data | We do not sell your personal data
Health data and ads | We do not use your health and wellbeing data, motion-tracking data, or meal photos for advertising
Children | Minimum age 13 (or 16 in the EEA, UK, Switzerland, Norway, and Iceland) with verifiable parental consent for users under 18
Your rights | Depending on your location: access, correction, deletion, portability, objection, restriction, and withdrawal of consent (see Section 9)
2. Personal data we collect
We collect personal data in three ways: (a) data you provide directly, (b) data we receive automatically from your use of the Services, and (c) data we receive from third parties.
2.1 Data you provide directly
Account and profile data. Name, email address, password (hashed), age, country, and (optionally) gender. Subscription details and transaction history if you have a paid plan.
Health and wellbeing data you choose to enter. Weight, height, body-mass index (BMI), physical parameters, workout history, fitness goals, dietary preferences, injuries or conditions you choose to disclose. This data is processed only with your consent.
AI Assistant conversations. Messages you send to and receive from the AI Assistant in the App. These are stored against your account so you can return to past conversations and so we can monitor quality and prevent abuse.
Meal photos. Photos you upload through the meal-analysis feature, plus the nutritional-analysis outputs we generate from them (estimated calories, macros, food classifications). Meal-photo handling is described in detail in Section 3.
Communications. Information you provide when you contact us (email, support tickets, feedback, social-media messages).
Social-media information. When you interact with our pages on social-media platforms (Instagram, others), the platform may share with us aggregate analytics and any information you choose to submit.
2.2 Data we collect automatically
Motion-tracking data (workouts). During a workout the App processes your image on your device to mark joint and limb positions ("motion data"). After the workout we store the motion data only — joint trajectories, range-of-motion, rep counts, posture indicators — to give you feedback and improve the feature. We do not record or store video, photographs, or biometric identifiers (within the meaning of Article 4(14) GDPR / UK GDPR) from workout sessions. Motion data is performance/behavioural data, not biometric data.
Subscription and in-app-purchase data. Time of purchase, plan, billing period, renewal status. Payment-instrument details (card numbers, etc.) are processed by Apple, Google, Stripe, or Tabby (depending on the channel) — we do not receive or store your payment-card details.
Log data. IP address, browser type, device type, operating system, app version, dates and times of access, and basic diagnostic information.
Usage details. Features used, in-app actions, time zone, country, dates and times of access, error reports.
Cookies and similar technologies. As described in Section 12.
2.3 Data we receive from third parties
Apple HealthKit / Google Health Connect (optional). With your consent, we may import information from Apple HealthKit or Google Health Connect: fitness activities, weight, height, BMI, calories burnt, heart rate, steps and distance, and (where applicable) menstrual-cycle data. Your use of these integrations is also subject to Apple's and Google's terms. We do not use information received through HealthKit or Health Connect for advertising or share it with advertising platforms, data brokers, or information resellers.
App store data. Apple and Google share with us anonymous app-install and crash data and (where you've made a subscription purchase through their channel) confirmation that the purchase succeeded.
Security partners. Information from fraud-prevention and security partners to protect against abuse and security threats.
2.4 Data we do NOT collect
Workout video or photos. The motion-tracking pipeline runs on your device and discards the image after extracting motion data. We do not upload or store the video stream.
Biometric identifiers from workouts. Motion data is not used to uniquely identify you and is not biometric data within the meaning of Article 4(14) GDPR / UK GDPR or Article 1 of the UAE PDPL.
Payment-card details. Apple, Google, Stripe, or Tabby handle card-on-file. We see only the fact of payment, the plan, and (where the channel discloses it) the country of the billing instrument.
3. Meal analysis (specific disclosures)
The meal-analysis feature lets you upload photos of your meals so the Services can generate nutritional estimates, food identifications, and related insights. Meal analysis is optional; the Services do not require it to function.
What you should not include. Please do not include images of other people, identification documents, or anything you do not want processed by us and our AI sub-processors.
Lawful basis. Where applicable law (including Article 6 GDPR / UK GDPR and Article 6 of the UAE PDPL) requires consent for the processing of photos you upload, your consent at the point of upload is the lawful basis. You may withdraw consent at any time in the App's settings; withdrawal does not affect processing carried out before withdrawal.
Purposes. We use meal photos and the nutritional-analysis outputs solely to: (a) provide the meal-analysis feature to you; (b) maintain, secure, and debug the Services; and (c) where you have separately opted in, improve our internal models. We do not sell meal photos or nutritional data, do not use them for advertising, and do not share them with third parties for their own purposes.
Sub-processors. Meal photos are processed by our AI vision sub-processor and our cloud-storage sub-processors, listed at https://coachai.tech/subprocessors.
Retention. Meal photos are retained for 30 days and then deleted automatically. They are also deleted on account closure or earlier on your request via privacy@coachai.tech. Nutritional-analysis outputs (the data derived from the photo, e.g. estimated calories and macros) are retained while your account is active so we can show you a continuous nutrition history; they are deleted on account closure subject to the retention rules in Section 8.
Biometric classification. We do not use meal photos to uniquely identify you. Meal photos are personal data but are not biometric data within the meaning of Article 4(14) GDPR / UK GDPR. Where a meal photo incidentally captures part of your body or face, processing is limited to nutritional analysis as described above.
Eligibility. Meal analysis is available to users aged 13 and over, subject to the verifiable parental-consent requirement in Section 10.
4. Purposes of processing and lawful bases
The table below summarises why we process your personal data and the lawful basis we rely on. For users in jurisdictions that do not require a lawful basis (most US states, etc.), the "purpose" column applies and the "lawful basis" column is informational.
Purpose | Categories of Data | Lawful Basis (EEA/UK/CH/NO/IS) | UAE PDPL Basis
Provide the Services (account, workouts, meal analysis, AI Assistant) | Account data, motion data, meal photos, AI Assistant conversations, log data, usage data, device data | Performance of a contract (Art. 6(1)(b) GDPR) | Performance of a contract (Art. 5 PDPL); consent for health/wellbeing data (Art. 6 PDPL)
Process your health and wellbeing data | Health and wellbeing data | Explicit consent (Art. 9(2)(a) GDPR) | Explicit consent (Art. 6 PDPL)
Process meal photos | Meal photos and outputs | Consent (Art. 6(1)(a) GDPR) | Consent (Art. 6 PDPL)
Improve and develop the Services and conduct research | De-identified AI conversations, de-identified meal photos/outputs, motion data, usage data, log data, device data | Legitimate interests (Art. 6(1)(f) GDPR); consent where opted-in | Legitimate interests; consent where required
Verify age and parental consent | Account data | Performance of a contract / legal obligation | Legal obligation
Provide customer support | Account data, communications, usage data | Legitimate interests | Legitimate interests
Send service emails (security alerts, transactions, updates) | Account data, communications | Performance of a contract / legal obligation | Performance of a contract / legal obligation
Send marketing emails and in-app marketing | Account data, communications, usage data | Consent (Art. 6(1)(a) GDPR) | Consent (Art. 6 PDPL)
Find similar audiences (lookalike ads) | Account data, usage data, device data, subscription data | Consent (Art. 6(1)(a) GDPR) | Consent (Art. 6 PDPL)
Prevent fraud, abuse, and security threats | All categories as needed | Legitimate interests / legal obligation | Legitimate interests / legal obligation
Comply with legal obligations and regulator requests | All categories as needed | Legal obligation (Art. 6(1)(c) GDPR) | Legal obligation (Art. 5 PDPL)
Anonymize data for research and analytics | Health data, usage data, motion data | Legitimate interests (Art. 6(1)(f) GDPR) | Legitimate interests
We do not use health and wellbeing data, motion-tracking data, or meal photos for advertising.
5. Sub-processors and recipients
We work with the following categories of sub-processors. The current list — including the categories of personal data each processes — is published at https://coachai.tech/subprocessors and is updated when material changes occur.
No third-party model training. We contractually prohibit our AI sub-processors (currently OpenAI and Anthropic) from using your AI Assistant inputs or outputs, or your meal photos and the derived nutritional analysis, to train their foundation models. Where a sub-processor's standard terms allow such training by default, we have opted out in writing.
Regional routing. Where technically available, we route AI requests from EEA and UK users to provider regions inside the EEA or UK. Otherwise, transfers occur under an appropriate transfer mechanism described in Section 6.
We do not sell your personal data. We do not share your personal data with third parties for their own commercial purposes. We may share aggregated or de-identified information with research institutions and partners; we do not attempt to re-identify it.
6. International data transfers
The entity is in the United Arab Emirates. Many of our sub-processors are in the United States, the European Economic Area, or other regions. Where we transfer your personal data internationally we rely on the following safeguards.
6.1 Transfers from the EEA, UK, Switzerland
For transfers from the European Economic Area to a country without an adequacy decision under Article 45 GDPR, we use the European Commission's Standard Contractual Clauses (Module 1 / Module 2 / Module 3 as applicable) plus, where needed, supplementary technical and organisational measures. The European Commission's list of adequacy decisions is here.
For transfers from the United Kingdom we use the UK Addendum to the EU SCCs or the UK International Data Transfer Agreement, whichever is appropriate, plus reliance on adequacy decisions made or recognised by the UK government.
For transfers from Switzerland we rely on the equivalent Swiss SCCs / FDPIC-recognised mechanism.
6.2 Transfers from the UAE
For transfers of personal data from the UAE to other countries we rely on (a) adequacy decisions made by the UAE Data Office under Article 22(2) of the UAE PDPL where available; or (b) appropriate contractual safeguards (including the SCCs above adapted to UAE law); or (c) where neither is available, your explicit consent under Article 22(3)(c) of the UAE PDPL.
6.3 You can request a copy
You can request a copy of the safeguards in place for transfers of your personal data by contacting privacy@coachai.tech.
7. Subscriptions and payments
If you subscribe to a paid plan, the payment is processed by Apple (App Store), Google (Google Play), or — for direct purchases where available — Stripe or Tabby. We use RevenueCat to manage subscription state across stores. Specifically:
Apple App Store and Google Play subscriptions. Apple and Google receive and store your payment-card or billing-account details. We receive only the fact of purchase, the plan, and the renewal status. Disputes about purchase, billing, refund, or subscription must first be raised through the relevant store's support channels (see ToU Section 13.5).
Direct purchases (Stripe / Tabby). Stripe and Tabby receive and store your payment-card details. We receive only a tokenised reference, the fact of purchase, and the plan.
No card-on-file with us. We do not receive or store your payment-card numbers, CVCs, or full bank-account details.
Auto-renewal disclosures. See ToU Section 13 for the operative auto-renewal, free-trial, and cancellation terms.
8. Retention
We retain personal data only for as long as we need it for the purposes set out in this Privacy Policy or as required by law. Specific periods:
Category | Retention
Account data (name, email, hashed password, profile) | While your account is active; deleted within 30 days after account closure (subject to legal-hold exceptions)
Health and wellbeing data | While your account is active; deleted within 30 days after account closure
AI Assistant conversations | While your account is active; deleted within 90 days after account closure
Meal photos | 30 days from upload, or earlier on account closure or your request
Nutritional-analysis outputs (derived data) | While your account is active; deleted within 30 days after account closure
Motion-tracking data | While your account is active; deleted within 30 days after account closure
Communications and support tickets | 24 months (to troubleshoot recurring issues)
Subscription and transaction records | 7 years (UAE accounting and tax requirements)
Consent logs (marketing, model-training opt-ins, etc.) | 5 years from withdrawal of consent
Log data and security logs | 12 months (longer for active security investigations)
De-identified or aggregated data | Retained indefinitely; not re-identified
Account-closure window. When you close your account you have 30 days to export your data via the in-App data-export tool before deletion begins. This 30-day window matches ToU Section 17.5. After that period, deletion proceeds according to the periods above.
Legal holds. Where we are subject to a regulatory inquiry, ongoing dispute, or specific legal obligation that requires us to retain data longer, we will retain the relevant data until the obligation is satisfied or lifted.
9. Your rights
Your rights depend on where you live. The lists below summarise your rights; the procedures for exercising them are in Section 9.6.
9.1 If you live in the EEA, UK, Switzerland, Norway, or Iceland (GDPR / UK GDPR / equivalent)
You have the right to:
Access your personal data and information about how it is processed.
Rectify inaccurate or incomplete personal data.
Erase your personal data ("right to be forgotten").
Restrict processing in certain circumstances.
Data portability — receive your personal data in a structured, commonly-used, machine-readable format and transmit it to another controller.
Object to processing based on our legitimate interests, including for direct marketing.
Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of processing carried out before withdrawal).
Not be subject to automated decision-making that produces legal effects or similarly significantly affects you (Art. 22 GDPR) — see Section 11.
Lodge a complaint with your supervisory authority. A list of EU member-state authorities is here; the UK Information Commissioner's Office is here.
9.2 If you live in the United States
Depending on your state, you have rights similar to or different from those above. The matrix:
State | Statute | Key Rights
California | California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) | Right to know, delete, correct, port, opt out of “sale” or “share”, limit use of sensitive personal information, non-discrimination
Virginia | Consumer Data Protection Act (VCDPA) | Right to access, delete, correct, port, opt out of sale, targeted advertising, and profiling
Colorado | Colorado Privacy Act (CPA) | Same as VCDPA + right to opt out via a recognised universal opt-out mechanism
Connecticut | Connecticut Data Privacy Act (CTDPA) | Same as VCDPA + universal opt-out
Utah | Utah Consumer Privacy Act (UCPA) | Right to access, delete, port, opt out of sale and targeted advertising
Texas | Texas Data Privacy and Security Act (TDPSA) | Right to access, delete, correct, port, opt out of sale, targeted advertising, profiling
Oregon | Oregon Consumer Privacy Act (OCPA) | Same as VCDPA + right to a list of specific third parties to whom data was disclosed
Florida | Florida Digital Bill of Rights (FDBR) | Right to access, delete, correct, port, opt out of sale and targeted advertising (applies only to large in-state operators)
California-specific (CCPA/CPRA) details:
Categories of personal information collected in the past 12 months: identifiers; CCPA "personal information" categories under Cal. Civ. Code §1798.80(e); commercial information; internet/network activity information; geolocation data; visual information (meal photos only); inferences; and Sensitive Personal Information (defined below).
Sources are described in Section 2.
Business purposes are described in Section 4.
Categories of recipients are described in Section 5.
Sensitive Personal Information ("SPI") under CPRA: account credentials; precise geolocation if you choose to share it; health and wellbeing data you choose to enter; meal photos to the extent they incidentally include images of you. You have the right to limit our use of SPI to providing the Services and a small set of permitted purposes. Exercise this right by emailing privacy@coachai.tech with subject "Limit Use of SPI".
"Sale" and "share" of personal information. We do not sell your personal data. We may "share" data (within the meaning of CPRA's cross-context-behavioural-advertising definition) with AppsFlyer, Meta Events Manager, and similar marketing-analytics providers — only if you have consented. You may opt out at any time. The opt-out link is available at https://coachai.tech/do-not-sell-or-share or by emailing privacy@coachai.tech.
Retention by category is in Section 8.
California "Shine the Light". We do not disclose personal information to third parties for those third parties' direct-marketing purposes.
Authorised agents. You may designate an authorised agent. The agent must provide signed written permission, and we may ask you to verify your identity directly.
Notice of right to opt out at point of collection. We display a "Do Not Sell or Share My Personal Information" link in the App and on our website.
Non-discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights.
9.3 If you live in the United Arab Emirates (UAE PDPL)
Your rights under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") include:
Information about how we process your personal data.
Access to your personal data.
Correction of inaccurate or incomplete personal data.
Deletion of your personal data, subject to lawful retention exceptions.
Restriction of processing.
Portability of your personal data.
Objection to processing based on legitimate interests, automated decisions, or direct marketing.
Withdraw consent at any time where processing is based on consent.
File a complaint with the UAE Data Office or any other competent UAE consumer-protection or data-protection authority.
9.4 If you live in Australia (Privacy Act 1988 + APPs)
In line with the Australian Privacy Principles you have the right to access and correct your personal information, the right to make a complaint, and the right to anonymity / pseudonymity where practicable. Complaints can be made to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au/.
9.5 If you live elsewhere
If you live in a jurisdiction not listed above, mandatory consumer-protection or data-protection law in your jurisdiction prevails over anything in this Privacy Policy that provides less protection. Email privacy@coachai.tech and we will work with you in good faith on any rights you have under local law.
9.6 How to exercise your rights
Submit your request to privacy@coachai.tech. We will:
Acknowledge receipt within 5 business days.
Verify your identity (we may ask for additional information; this is to make sure no one else is requesting access to your data).
Respond within 30 days. We may extend by up to 60 days for complex requests; if so, we will tell you within the original 30-day window.
We may decline manifestly unfounded or excessive requests, or charge a reasonable fee for repetitive requests, as permitted by applicable law. If we decline, we will tell you why and how to appeal or complain.
Authorised agents. You may designate an authorised agent (in writing). We may verify your identity directly.
No retaliation. We will not retaliate against you, change pricing, or degrade the Services because you exercised a privacy right.
10. Children and young people
The minimum age to register for an account on the Services depends on where you live:
16 years of age if you reside in the European Economic Area, the United Kingdom, Switzerland, Norway, or Iceland (or any other jurisdiction where the digital-services consent age is 16), unless your member state's law sets a lower age, in which case that lower age applies — but never below 13.
13 years of age if you reside in the United States, the United Arab Emirates, or any other jurisdiction not covered above.
Verifiable parental consent. Users aged 13 to 17 (or 13 to 15 in jurisdictions where the digital-services consent age is 16) may only use the Services with the verifiable consent and continued involvement of a parent or legal guardian. We may require documentary or third-party verification before granting access.
Photo content restrictions for minors. Users under 18 must not upload photos that include their body or any other person's body. Meal-analysis uploads must depict only food and packaging. Where we become aware that a minor has uploaded a photo that violates this restriction, the photo will be deleted and the account may be suspended pending parental review.
COPPA (United States). Our Services are not directed at children under 13. If you are a parent or guardian and believe your child under 13 has provided personal information to us without your consent, contact us at privacy@coachai.techand we will take prompt steps to delete the information and the account. Your rights under the Children's Online Privacy Protection Act (15 U.S.C. §6501 et seq.) and its implementing regulations are not limited by this Privacy Policy.
Children in the UK and EEA. We follow the UK Children's Code (Age-Appropriate Design Code) and applicable EEA member-state child-protection rules. Where a user is identified as a likely child, we apply privacy-by-default settings and avoid profiling for advertising.
11. Automated decision-making and AI
The Services use AI to generate workout plans, AI Assistant conversational responses, motion-tracking feedback, and nutritional analysis of meal photos.
General AI logic. Our AI features take inputs you provide (your goals, profile, conversation, motion data, meal photos) and produce outputs (a workout plan, a chat reply, a form-feedback signal, a nutritional estimate). Where we use third-party language models or vision models (currently OpenAI and Anthropic), they receive only the inputs needed for the specific task and contractually do not use those inputs or outputs to train their foundation models.
Significance and consequences. AI outputs are generated automatically and may contain errors. They are provided for general wellness purposes only and do not constitute medical advice, diagnosis, or treatment. You are responsible for independently verifying the suitability of any recommendation before acting on it. See the Health and Medical Disclaimer in our Terms of Use.
Human review. We do not guarantee human review of every AI output. If you believe an AI-generated recommendation is inappropriate or harmful, contact us at support@coachai.tech and we will investigate. This is your route for human review under Article 22(3) GDPR and equivalent provisions.
Right to object. Where applicable law (including Article 22 GDPR) gives you the right not to be subject to automated decisions producing legal effects or similarly significant effects, you may object by emailing privacy@coachai.tech.
12. Cookies and similar tracking technologies
We and our service providers use cookies and similar technologies (HTML5 local storage, beacons, pixels, software development kits) on our website and in the App.
Categories. We classify cookies by purpose:
Strictly necessary. Required to operate the website and provide features you've requested (security, login, cookie-consent record). Cannot be declined.
Performance. Help us understand how visitors use the website (which pages, errors, traffic patterns). Used only with your consent in the EEA, UK, Switzerland, Norway, and Iceland.
Marketing. Help us measure and improve marketing campaigns. Used only with your consent.
Consent (EEA / UK / similar). When you first visit our website from an EEA, UK, Swiss, Norwegian, or Icelandic IP, we display a consent banner that lets you accept all, reject all, or choose granular preferences. You can change your choices at any time via the "Cookie preferences" link in our website footer. We will not load non-essential cookies before you make a choice.
Software development kits (SDKs). Our App includes SDKs from analytics, crash-reporting, and marketing partners (Firebase, Amplitude, AppsFlyer, Meta Events Manager). Marketing SDKs operate only with your in-App consent. You can change your in-App consent in Settings → Privacy at any time.
Advertising IDs. On Apple devices you can enable "Limit Ad Tracking" / use App Tracking Transparency. On Android devices you can enable "Opt out of Ads Personalization". Doing so does not stop us from showing in-product content but stops third-party measurement of in-App ad attribution.
Interest-based advertising opt-outs. You can opt out of interest-based advertising via the Digital Advertising Alliance (https://www.aboutads.info/), the DAA's mobile app program (https://www.aboutads.info/appchoices), or the Network Advertising Initiative (https://optout.networkadvertising.org/). Opting out does not stop you receiving ads from us — it stops them being tailored.
Disabling cookies. Most browsers let you refuse or delete cookies. Some Services features may not work properly with cookies disabled.
13. Communications
We may send you:
Service emails (security alerts, transaction confirmations, ToU/Privacy Policy updates) — required to operate the Services. These cannot be unsubscribed from while your account is active.
Marketing emails and in-app marketing communications — only with your consent in jurisdictions that require it (and only opt-out where they don't). You can unsubscribe at any time via the "Unsubscribe" link in any marketing email.
Push notifications — manageable in your device's notification settings (Settings → Notifications → CoachAI on iOS; equivalent on Android).
You can manage your communication preferences in App settings or by emailing privacy@coachai.tech.
14. Security
We use technical and organisational measures to protect your personal data, including:
Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
Access controls and least-privilege role-based access for staff.
Periodic vulnerability scanning and penetration testing.
Secure development practices, code review, and dependency monitoring.
Background checks and confidentiality obligations for staff with access to personal data.
Logging and monitoring of administrative access.
Separation of production, staging, and analytics environments.
A documented incident-response plan.
No security system is perfect and we cannot guarantee absolute security. If you suspect unauthorised access to your account, contact us at security@coachai.tech.
14.1 Personal data breach notification
In the event of a personal data breach we will:
Investigate the breach promptly and take all reasonable steps to contain and remediate it.
Notify the relevant supervisory authority within 72 hours of becoming aware of the breach where required by GDPR Art. 33, UK GDPR, UAE PDPL Art. 9, or any other applicable law, unless the breach is unlikely to result in a risk to your rights and freedoms.
Notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34) or where US state breach-notification laws require direct notice. We will use the email on file plus, where appropriate, an in-App notice.
Cooperate with regulators and investigations as required.
To report a security incident or suspected breach, email security@coachai.tech.
15. Apple HealthKit and Google Health Connect
Where you choose to connect Apple HealthKit or Google Health Connect to the App:
We import only the categories of data you explicitly authorise.
HealthKit / Health Connect data is processed for the in-product purpose you authorised (e.g. workout history, calorie tracking) and not for any other purpose.
We do not share, sell, or use HealthKit / Health Connect data for advertising, lookalikes, or marketing.
We do not disclose HealthKit / Health Connect data to advertising platforms, data brokers, or information resellers.
Your use of these integrations is also subject to Apple's and Google's terms.
You can disconnect at any time in your device settings (and in the App).
16. Trainers and wellness businesses
If you use the Services to manage clients (as a personal trainer or wellness business), separate Trainer & Business Terms and a Data Processing Addendum (DPA) apply. Available at https://coachai.tech/business-terms.
For data your clients submit through your trainer account, you act as the controller and CoachAI acts as your processor under the DPA. This Privacy Policy continues to govern your individual personal data as a user of the Services.
17. Changes to this Privacy Policy
We may modify this Privacy Policy from time to time. The "Last updated" and "Effective date" at the top reflect the most recent version. We will:
Post the updated Privacy Policy at https://coachai.tech/privacy-policy.
For material changes that adversely affect your rights, email you at the address on file at least 30 days before the change takes effect, and display an in-App notice.
For users in the EEA, UK, Switzerland, Norway, and Iceland, where a change would adversely affect your rights under applicable consumer-protection or data-protection law, we will seek your affirmative consent before the change takes effect.
If you do not agree with a change, you may close your account before the effective date. Continued use of the Services after the effective date constitutes acceptance.
We maintain a change log of past versions; email privacy@coachai.tech to request a copy.
18. Contact
For privacy questions, requests to exercise your rights, or to report concerns:
Privacy contact:privacy@coachai.tech
Security incidents:security@coachai.tech
General support:support@coachai.tech
Postal address: Coach AI Technologies FZE LLC Sharjah Publishing City Building, Al Zahia Area – Entrance No. 2 – Ground Floor – Sheikh Mohammed Bin Zayed Road, Sharjah, UAE
EU/UK Article 27 representative. Where required by GDPR Art. 27 / UK GDPR Art. 27, we will publish our designated representative on our sub-processor page at https://coachai.tech/subprocessors.
If you are an EU or UK data subject and prefer to contact our representative, email privacy@coachai.tech and we will route your enquiry.