Privacy Policy
Last updated: February 2026
1. Introduction
SQUADFIT ("we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our platform, including our website, applications, and related services (collectively, the "Service"). This policy applies to all users, including fitness coaches ("Coaches") and their clients ("Clients").
By accessing or using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service. We encourage you to read this policy in conjunction with our Terms of Service.
2. Information We Collect
We collect several types of information to provide and improve the Service:
Account Data
When you create an account, we collect your name, email address, and profile information through our authentication provider, Clerk. Coaches additionally provide qualifications, certifications, specializations, experience level, bio, and profile photos.
Fitness & Health Data
To deliver coaching services, we collect fitness-related data including body measurements (height, weight, body fat percentage), workout logs, exercise performance data, personal records, progress photos, check-in responses, difficulty ratings, nutrition logs, macro targets, and food entries. This data is necessary to provide personalized training programs and track your progress.
Payment Data
Payment processing is handled by Stripe. We do not store full credit card numbers or banking details on our servers. Stripe collects and processes payment information in accordance with their own privacy policy. We receive limited transaction information such as the last four digits of your card, billing address, and transaction history.
Usage & Analytics Data
We collect information about how you interact with the Service, including pages visited, features used, session duration, device information, browser type, IP address, and referring URLs. This data helps us understand usage patterns and improve the platform.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide personalized training programs, workout tracking, nutrition monitoring, progress check-ins, messaging between Coaches and Clients, and all core platform functionality.
- AI Features: To power our AI Nutrition Copilot, which uses your macro targets, current nutrition logs, and active program context to provide personalized guidance. AI interactions are processed through Anthropic's API with appropriate data minimization practices.
- Analytics & Improvement: To analyze usage patterns, identify trends, diagnose technical issues, and improve the Service. We use PostHog for product analytics.
- Communication: To send you transactional emails (check-in reminders, subscription confirmations), in-app notifications, and, with your consent, promotional communications about new features or updates.
- Safety & Security: To detect and prevent fraud, abuse, and security incidents, and to enforce our Terms of Service.
4. Information Sharing
We do not sell your personal information to third parties. We share your information only in the following circumstances:
- Coaches & Clients: When you subscribe to a Coach, that Coach can view your fitness data, workout logs, check-ins, progress photos, nutrition logs, and messages. This data sharing is essential to the coaching relationship and the core functionality of the Service.
- Stripe: Payment information is shared with Stripe for processing subscriptions, payouts, and managing Coach Connect accounts.
- Clerk: Account authentication data is managed by Clerk, our identity and authentication provider.
- Anthropic: When you use the AI Nutrition Copilot, contextual information (macro targets, current nutrition data, active program details) is sent to Anthropic's API to generate responses. We minimize the personal data included in these requests, and no personally identifiable information such as your name or email is sent to Anthropic.
- Infrastructure Providers: We use services such as Cloudflare R2 for secure file storage (progress photos, message attachments), Upstash for rate limiting, and Pusher for real-time messaging. These providers process data only as necessary to deliver their services.
- Legal Requirements: We may disclose your information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5. Data Security
We implement industry-standard security measures to protect your personal information. All data transmitted between your device and our servers is encrypted using TLS/SSL. Data at rest is stored in encrypted databases hosted on Supabase with row-level security policies. Progress photos and file attachments are stored securely on Cloudflare R2 with time-limited presigned URLs for access control.
We employ rate limiting on API endpoints and authentication routes to prevent abuse. User inputs, including messages, are sanitized to prevent injection attacks. While we strive to protect your data, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
6. Your Rights
Rights Under GDPR (European Economic Area Residents)
If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data: the right to access your personal data and obtain a copy; the right to rectification of inaccurate or incomplete data; the right to erasure ("right to be forgotten") of your personal data under certain conditions; the right to data portability, allowing you to receive your data in a structured, machine-readable format; the right to restrict processing of your data; and the right to object to processing based on legitimate interests.
Rights Under CCPA (California Residents)
If you are a California resident, you have the right to know what personal information we collect, use, and disclose; the right to delete your personal information; the right to opt out of the sale of your personal information (note: we do not sell personal information); and the right to non-discrimination for exercising your privacy rights.
To exercise any of these rights, please contact us at privacy@joinsquadfit.com. We will respond to verified requests within 30 days.
7. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Workout logs, nutrition data, and progress records are retained to maintain your training history and enable long-term progress tracking. If you request account deletion, we will delete or anonymize your personal data within 30 days, except where we are required to retain certain information for legal, tax, or regulatory purposes.
AI conversation history is retained for 90 days to provide context for ongoing coaching sessions, after which it is automatically purged. Payment transaction records are retained for 7 years in accordance with financial reporting requirements.
8. Cookies & Tracking
We use cookies and similar tracking technologies to maintain your authentication session, remember your preferences, and analyze how the Service is used. Our analytics are powered by PostHog, which collects anonymized usage data to help us understand feature adoption, user flows, and platform performance.
Essential cookies (such as authentication session cookies provided by Clerk) are required for the Service to function and cannot be disabled. Analytics cookies can be opted out of through your browser settings or by using a browser extension that blocks tracking scripts. We do not use third-party advertising cookies or trackers.
9. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a minor, we will take steps to delete that information as soon as possible. If you believe that a child under 18 has provided us with personal information, please contact us at privacy@joinsquadfit.com.
10. International Data Transfers
SQUADFIT is based in the United States, and your data may be processed and stored in the United States or other countries where our service providers operate. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in a jurisdiction with different data protection laws than your own.
For transfers of personal data from the EEA to countries not deemed adequate by the European Commission, we rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure your data is protected in accordance with GDPR requirements.
11. Changes to Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and notify you via email or an in-app notification. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at privacy@joinsquadfit.com.
For data protection inquiries from EEA residents, you may also contact your local supervisory authority if you believe your data protection rights have been violated.