Privacy Policy

Last updated: February 16, 2026

Fight Coach AI is a trading name of [Company Name] Ltd, a company registered in England and Wales (Companies House registration number: [Registration Number]) ("we", "us", "our"). We operate the fight-coach.app website and mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

[Company Name] Ltd (trading as Fight Coach AI) is the data controller responsible for your personal data. If you have questions about this policy or your data, contact our Data Protection Lead at:

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name
  • Age
  • Weight
  • Sport/discipline
  • Maximum heart rate

2.2 Training Session Data

When you use strike testing features, we collect:

  • Video clips of training sessions
  • Pose keypoint data extracted from video via on-device ML processing
  • Strike classification results (jab, cross, hook, uppercut, roundhouse, teep)
  • Session timestamps and duration

2.3 Connected Service Data

When you connect third-party services, we collect:

  • Strava: OAuth tokens (encrypted), activity data, training history
  • Garmin: OAuth tokens (encrypted), activities, heart rate data, sleep metrics, HRV, body battery

2.4 AI Coaching Data

When you use the AI coaching features, we collect:

  • AI-generated coaching analysis and briefings
  • Your interactions with the AI coach
  • Training plans and periodization data

2.5 Technical Data

We automatically collect:

  • Device type and operating system
  • IP address
  • Browser type (for web access)
  • Usage analytics

3. How We Use Your Data

We use your personal data for the following purposes:

  • Provide the Service: Deliver strike detection, training analytics, and AI coaching based on your data
  • Personalize coaching: Generate training plans, daily briefings, and periodization recommendations tailored to your metrics
  • Improve the Service: Analyze usage patterns to improve strike detection accuracy and coaching quality
  • Communicate: Send service updates, security alerts, and support messages
  • Comply with legal obligations: Meet regulatory requirements

4. Lawful Basis for Processing

We process your personal data under the following legal bases (UK GDPR Article 6):

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for, including account management, training analysis, and AI coaching
  • Consent (Art. 6(1)(a)): For connecting third-party services (Strava, Garmin) and processing health-related data. You may withdraw consent at any time
  • Legitimate interest (Art. 6(1)(f)): For service improvement, security, and fraud prevention
  • Legal obligation (Art. 6(1)(c)): Where required by law

4.1 Special Category Data

Some data we process qualifies as special category data under UK GDPR Article 9 (health data), including heart rate, HRV, sleep metrics, and physical training data. We process this data based on your explicit consent (Art. 9(2)(a)).

Explicit consent mechanism: When you connect a health data service (such as Garmin), you are presented with a separate, specific consent flow before any health data is accessed. This consent flow clearly identifies the categories of special category health data that will be processed (e.g. heart rate, HRV, sleep metrics, body battery), the purposes for which it will be used (training analysis and AI coaching), and your right to withdraw consent at any time. This consent is distinct from the general account registration and must be actively granted before any health data is collected. You may withdraw this consent at any time by disconnecting the health service from your account settings, which will stop further health data collection and trigger deletion of stored health data.

4.2 Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) has been conducted in accordance with Article 35 of UK GDPR, given the processing of special category health data. This assessment evaluates the risks to individuals' rights and freedoms and the measures in place to mitigate those risks. The DPIA is reviewed periodically and updated when there are significant changes to processing activities.

5. Data Storage and Security

  • All OAuth tokens (Strava, Garmin) are encrypted at rest using Fernet symmetric encryption
  • Data is stored on secure servers with access controls
  • We use HTTPS/TLS for all data in transit
  • On-device ML processing means pose estimation data is processed locally on your device before any server transmission
  • We implement regular security reviews and access audits

6. Third-Party Services

We share data with the following third-party services to operate the Service:

Service Purpose Data Shared
Strava Activity sync OAuth tokens, activity queries
Garmin Activity, health metric sync OAuth tokens, activity/health queries
Anthropic (Claude API) AI coaching analysis Anonymized training summaries for generating coaching insights
Cloudflare Website hosting and CDN Standard web traffic data

We do not sell your personal data to any third party.

7. Data Retention

  • Account data: Retained for the duration of your account plus 30 days after deletion
  • Training session data: Retained for the duration of your account. Video clips may be deleted after pose keypoint extraction unless you choose to retain them
  • OAuth tokens: Retained until you disconnect the service or delete your account, then immediately purged
  • AI coaching history: Retained for the duration of your account
  • Technical logs: Retained for 90 days

8. Your Rights (UK GDPR)

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate personal data
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing (Art. 18): Request restriction of how we process your data
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON)
  • Right to object (Art. 21): Object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].

11. Cookies

We use cookies and similar technologies. For details, see our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not complied with applicable data protection laws. The ICO can be contacted at ico.org.uk. If you are located in the EEA, you may also contact your local data protection supervisory authority.

14. Contact Us

For questions about this Privacy Policy or to exercise your data rights: