Privacy Policy

Last updated: 2026

Athletion Coach (“Athletion,” “we,” “us”) operates a coaching platform for personal trainers and the clients they coach. This policy explains what personal data we collect, why we collect it, how we use it, and the choices you have. It applies to everyone who uses the Athletion service — both trainers operating a workspace and clients who have been invited into one.

Information we collect

We collect only the data needed to run the service and provide coaching insights:

  • Account information. Your name, email address, and authentication credentials. If you sign in with Google, we receive your name and email address from Google as part of the sign-in flow.
  • Client profile data. When a trainer adds you as a client, basic profile data may be stored about you — name, date of birth, biological sex, height, weight, training goals, timezone, and similar fields the trainer uses to plan your training and nutrition.
  • Wearable and health data. If you connect a Google Health account, Athletion fetches the activity, sleep, heart-rate, heart-rate variability, body-weight, and related health metrics you have authorised. We pull only the metric scopes you grant during the OAuth consent flow.
  • Training and nutrition records. Workout plans, meal plans, daily check-ins, workout logs, and any subjective notes either a trainer or client adds to the system.
  • AI-generated content.Recommendations, weekly reviews, and chat transcripts produced by Athletion's AI features. We retain these to provide history and continuity across coaching cycles.
  • Usage data. Standard server logs (IP address, user-agent, request timing) and product-analytics events necessary to operate and secure the service.

How we use your information

We use the information above to:

  • Authenticate you, maintain your session, and route you to the correct workspace.
  • Surface wearable data, training history, and nutrition history to the trainer responsible for your account.
  • Generate AI-assisted recommendations, workout plans, meal plans, and chat answers. These are suggestions for the trainer to review; the trainer remains the responsible coach.
  • Send transactional emails — account verification, password reset, and notifications you explicitly opt into.
  • Investigate security incidents, prevent abuse, and comply with legal obligations.

We do not sell personal data, do not rent it, and do not use it for advertising. We do not run third-party tracking pixels on authenticated pages.

Who can access your data

Access is limited to:

  • You. You can see your own data through the Athletion app.
  • Your trainer. If you are a client, the trainer who invited you to the workspace can see your profile, wearable metrics, training history, nutrition history, and check-ins. This is the point of the product.
  • Service providers we use to run Athletion. Each processor is contracted to use the data only to deliver the service to us:
    • Supabase — managed Postgres database and file storage. Health, training, and account data is stored here.
    • Vercel — application hosting and serverless compute for the web app and API routes.
    • Inngest — background-job processing (wearable syncs, scheduled AI runs, email delivery orchestration).
    • Anthropic and OpenAI — large-language-model providers powering the AI coaching features. We send the minimum context needed for each generation; both providers contractually do not train their foundation models on API inputs.
    • Google — source of wearable data when you connect a Google Health account, and identity provider when you sign in with Google.
    • Resend — transactional-email delivery.
    • Upstash — rate-limit and ephemeral caching.
    • Sentry — error and performance observability.

Beyond the trainer-client relationship and the processors above, we do not share your data with third parties except where required by law or to investigate suspected abuse of the service.

Health data specifically

Athletion is a coaching tool, not a medical device. Health metrics imported from Google Health are stored in our Supabase Postgres database and used solely to generate insights for you and your trainer. We do not sell health data. We do not use it to train AI models. We do not share it with insurers, employers, or advertising networks. The only third parties that receive any health-derived content are the AI providers we use to summarise it for you (Anthropic and OpenAI), and only in the minimum form needed to generate a coaching recommendation or chat answer.

Cookies and sessions

We use first-party cookies to keep you signed in. These cookies are essential to the service — disabling them will prevent you from using Athletion. We do not use advertising cookies, cross-site tracking cookies, or third-party marketing pixels on authenticated pages.

Data retention

We retain account, training, and health data for as long as your account is active. When you close your account (or your trainer removes you from a workspace), we delete the associated personal data within a reasonable window — typically within 30 days — retaining only what we are required to keep for legal, accounting, or security purposes (e.g. abuse logs).

Your rights

You can:

  • Request an export of the personal data we hold about you in a portable format.
  • Request correction of inaccurate data.
  • Request deletion of your account and the personal data associated with it.
  • Withdraw consent for wearable data syncing at any time, either by disconnecting Google Health inside Athletion or by revoking access at myaccount.google.com/connections.

To exercise any of these rights, email support@athletion.app. We will respond within a reasonable time and verify your identity before acting on requests that involve your data.

Security

Data is encrypted in transit (HTTPS) and at rest by our hosting and database providers. Access to production systems is limited to a small number of Athletion personnel and is audited. No system is perfectly secure; we work to follow current best practice and to respond promptly to any incident.

Children

Athletion is intended for adults. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, please contact us at support@athletion.app and we will delete it.

Changes to this policy

If we make material changes to this policy, we will update the “Last updated” date above and notify active users by email or in-app message before the changes take effect.

Contact

Questions about this policy or your data: support@athletion.app.