Privacy policy

coach-m8 stores your email, your training data, and what you tell the coach. We don't sell it, don't share it for marketing, and don't use it to train AI models. You can delete it whenever you want.

The data controller for coach-m8 is Szymon Krolikowski (Poland), operating coach-m8 as a personal project. Contact: kroolixs@gmail.com.

• Account: your email address and (if you set one) password. Required to log you in.
• Profile & preferences: name (optional), preferred units, training preferences, goals, target dates, and priorities.
• Training data: activities synced from Strava (sport, duration, distance, heart rate, date), manually logged workouts, readiness check answers, workout feedback, and notes to the coach.
• Generated content: the weekly plans and coach replies generated for you.
• Technical: minimal logs from Vercel and Supabase needed to operate the service (IP, timestamps, error traces). No third-party analytics or ad trackers.

We process your data only to provide the service to you — log you in, sync your training, generate plans, save your feedback, and improve the next plan we generate. We do not use your training data to train AI models. We do not sell, rent, or share your data for marketing.

• Supabase (database & auth) — your account and all your training data.
• Vercel (hosting) — request logs, no application data.
• Strava (optional) — we read your activities via the Strava API using a token you grant. You can revoke this from your Strava settings or from coach-m8 at any time.
• Google Gemini (AI) — when we generate a plan or a coach reply, the relevant context (recent activities, readiness, goals, feedback) is sent to Gemini to produce the response. Google's API terms apply. We don't opt your data into Google's model training; we use a service-tier integration.

We keep your data as long as your account is active. When you delete your account, your personal data is removed from the primary database within 30 days. Backups may persist for up to 90 days before they are overwritten.

Under the GDPR (and equivalent local laws) you have the right to:

• Access your data and request a copy.
• Correct inaccurate data.
• Delete your account and your data.
• Revoke Strava access at any time.
• Object to or restrict processing, or withdraw consent for optional integrations.
• Complain to a supervisory authority (in Poland: UODO, uodo.gov.pl).

To exercise any of these, email kroolixs@gmail.com. We aim to respond within 30 days.

coach-m8 uses a small number of strictly necessary cookies for authentication (Supabase session) and CSRF protection during Strava OAuth. No advertising, analytics, or tracking cookies.

coach-m8 is not for users under 18. Don't use the service if you're under 18, and don't give us data about anyone who is.

We use industry-standard practices — encrypted connections (HTTPS), hashed passwords (handled by Supabase), and row-level security policies that scope every database read and write to the authenticated user. No system is 100% secure; if you spot something, please email us.

We may update this policy. Material changes will be announced via email or an in-product notice before they take effect.