Last updated: 5 May 2026
Effective date: 5 May 2026
This policy explains what data Coachly collects, how it's used, who it's shared with, and the rights you have over it. It covers the iPhone app ("the App") and the backend service at coachly-backend-mu.vercel.app ("the Service").
Coachly is operated by Coachly App Ltd, a company registered in Scotland (company number SC887439). In this policy "we" / "us" means Coachly App Ltd. You can reach us at privacy@getcoachly.fit.
If you prefer the short version: your data is stored on your device and in your EU-hosted Coachly account, your Apple Health data stays on your device with one disclosed exception (your daily step count goes to the AI coach when both Apple Health and the coach are enabled and you send a message), we don't sell anything, and we don't use your data to train AI models.
Every field below is only collected when the corresponding feature is turned on. Coachly ships with everything defaulting to off except the local workout / nutrition log (which is what the app is for).
localStorage as coachly_device_id. Used to meter your per-user coach budget.
This data is stored in your device's local storage and synced to your Coachly account, hosted by Supabase in the EU (Ireland). Row-level security gates every read and write to your authenticated user. Uninstalling the app erases the local copy; the account copy persists until you delete your account from Profile → Account → Delete account.
Read: step count, active calories, heart rate (including live heart rate during workouts), distance, body-mass samples, workouts logged by other apps (Apple Fitness, Apple Watch, Strava, Runna, Peloton, etc.). Write: food entries and weight entries you log in Coachly.
HealthKit data is processed on your device and is never stored on our servers.
One disclosed exception — the AI coach. When Apple Health is enabled AND you send a message to the AI coach, your step-related context is included in the message we transmit to Anthropic so the coach can reference your activity. Specifically: today's step count, your 7-day average, how many of the last 7 days you hit your step target, and your current step streak. No other Apple Health data type (heart rate, weight, distance, individual workouts, sleep) ever leaves your device. See section 1.3 for the full coach data flow.
If you don't want any HealthKit data sent to the AI coach, you can either turn off the Apple Health toggle (Profile → Apple Health) or stop using the AI coach — both prevent the transmission.
You can revoke any HealthKit permission at any time in iOS Settings → Privacy & Security → Health → Coachly.
When you send a message to the coach, we transmit to Anthropic's API (the "Claude" model):
We do not transmit:
Anthropic processes the request, returns a reply, and under our agreement does not retain it for training. We do not keep the message content server-side beyond the per-request lifetime.
Coachly requires an account so your data follows you between devices and so subscription entitlements can be checked. We collect via Supabase (our auth + database provider, hosted in the EU):
The data in section 1.1 is also synced to your Supabase-hosted account automatically so you can use Coachly across devices. You can delete your account and all synced data at any time from Profile → Account → Delete account; deletion is hard-deleted within 30 days.
If you opt in to "Help improve Coachly" in Profile, we collect via PostHog (product analytics) and Sentry (crash reports):
workout_completed, coach_message_sent, onboarding_completed, etc.
We do not opt anyone in by default. You can turn this off again at any time.
We track the cost of your AI coach usage, keyed by your device ID or (when signed in) your Supabase user ID. This is solely to enforce the $0.50/month cap — we don't use these counters for anything else.
We do not use App Tracking Transparency because we don't track you across other apps.
Under UK GDPR / EU GDPR, our legal bases are:
| Processing | Legal basis |
|---|---|
| Running the app on your device | Performance of a contract — you asked us to provide a fitness app |
| Your account + sync | Performance of a contract — you asked us to sync |
| HealthKit read/write | Explicit consent — your in-app toggle |
| Sending coach messages to Anthropic (incl. step-related context if Apple Health is enabled) | Performance of a contract + explicit consent (the coach consent gate, which discloses the Apple Health step pass-through) |
| Analytics + crash reports | Consent — opt-in only |
| Enforcing the coach budget | Legitimate interests — keeping the service sustainable |
You can withdraw consent at any time by flipping the relevant toggle in Profile. Withdrawal doesn't affect processing that happened before.
We use these service providers ("data processors") and share only what section 1 lists:
| Provider | What | Where |
|---|---|---|
| Anthropic, PBC (US) | Coach messages → Claude API | US |
| Supabase, Inc. (US) | Account + data sync | EU (Ireland) |
| Upstash, Inc. (US) | Rate-limit + quota counters (Redis) | EU region available |
| Vercel, Inc. (US) | Backend function hosting | EU region available |
| RevenueCat, Inc. (US) | Subscription management (if you subscribe) | US |
| PostHog, Inc. (US) | Analytics (opt-in) | EU instance available |
| Sentry, Inc. (US) | Crash reports (opt-in) | EU instance available |
We also call these third-party data sources to look up nutrition info when you search for a food in the Eat tab. Your search query (the typed text or scanned barcode, e.g. "weetabix") is sent to them; nothing else about you is sent — no account ID, no IP-linked identifier:
| Source | Data | Licence |
|---|---|---|
| Open Food Facts (community project, FR) | Branded + generic food nutrition facts | Open Database License (ODbL) v1.0 — open data, no commercial restriction |
| Edamam, LLC (US) | Branded + generic food nutrition facts (used as a fallback when Open Food Facts has thin coverage) | Edamam API Terms — commercial licence held by Coachly |
Transfers to the US rely on Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum.
We do not sell your data. We do not share it with advertisers. We do not share it with data brokers.
| Data | Retention |
|---|---|
| On-device data | Until you uninstall the app or reset it from Profile |
| Supabase account data | Until you delete your account (at which point it's hard-deleted within 30 days) |
| Coach message content | Not retained beyond the per-request processing window (Anthropic applies a 30-day safety-moderation retention window per their terms; we don't receive it back) |
| Coach budget counters | 40 days (daily) / 30 months (monthly backstop), then auto-expired |
| Analytics events | 12 months, then aggregated and stripped of session IDs |
| Crash reports | 90 days |
| Rate-limit counters | 24 hours maximum |
Under UK / EU GDPR and similar laws, you can:
To exercise any of these rights, email privacy@getcoachly.fit. We respond within 30 days.
You can also complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
No system is 100% secure. If a breach affects your data, we'll notify you within 72 hours per GDPR Article 34.
Coachly is intended for users aged 18 and over. Our onboarding asks for your age and refuses to proceed if you're under 18. If you believe a child under 18 has created an account, email us and we'll delete it.
The Service is operated from the UK. If you use Coachly outside the UK, your data is transferred to the UK and to the US-based processors listed in section 4, with appropriate safeguards.
If we change this policy materially, we'll:
Non-material changes (spelling fixes, clarifications) we'll make silently.
Coachly App Ltd — privacy@getcoachly.fit
Registered in Scotland, company number SC887439.
Postal address (for GDPR-required correspondence only): available on request via the email above.