Privacy Policy

1. Who runs this

Hybrid Coach is operated by Christoph Kopka, a private individual based in Vienna, Austria, as a non-commercial hobby project. Contact: hello@hybridcoach.ai. Full operator details on our Imprint.

The operator is the data controller in the sense of Art. 4(7) GDPR.

2. What we collect

We collect only what we need to coach you. Specifically:

• Account data. Email, hashed password, display name. Stored when you sign up.
• Training profile. Goals, target events, current fitness markers (VO2max, paces, 1RMs), injury history, training constraints. You enter this during onboarding.
• Training data. Sessions you log manually, CSV imports, and — if you connect Garmin — activity summaries pulled from Garmin Connect (last 60 days at link time, then incremental).
• Garmin tokens. If you link Garmin, we store the OAuth refresh token encrypted at rest using Fernet symmetric encryption. We never see your Garmin password.
• Coach conversations. Messages you send to the coach and the coach's replies. Used to provide chat continuity and the next coaching turn. We do not use your conversations to train or fine-tune any model.
• Operational telemetry. Request logs, error reports, latency metrics. Used to keep the service running and debug failures. Logs are pseudonymous (user ID, not email).

We do not collect: location, contact lists, payment data (no payments yet), social-media profiles, or any tracking identifier from third-party ad networks.

3. Why we collect it (legal basis under GDPR)

• Contract performance (Art. 6(1)(b) GDPR). We process account, training, and conversation data because you asked us to coach you — it's the service you signed up for.
• Legitimate interest (Art. 6(1)(f) GDPR). We process operational telemetry to keep the service running and secure. We balance this against your privacy by pseudonymising logs and minimising retention.
• Consent (Art. 6(1)(a) GDPR). Garmin linking and any future marketing emails are opt-in. You can withdraw at any time from Settings.

4. Where your data lives

• Application database: Neon Postgres, EU region (Frankfurt, eu-central-1). Encrypted at rest and in transit.
• Application servers: Microsoft Azure Container Apps, Germany West Central. TLS 1.2+ in transit.
• AI processing: Azure OpenAI Service, EU region. Per the Azure OpenAI Service Terms, Microsoft does not use prompts or completions to train their foundation models.
• Marketing site: Cloudflare Pages. Public pages only — no app or account data passes through the CDN.
• Inbound email: Cloudflare Email Routing forwards mail you send to our @hybridcoach.ai addresses to a private mailbox the operator reads.
• Outbound email (sign-up confirmation, account approval): Resend, EU sending region.
• Error monitoring: Sentry, EU region. Stack traces only — no chat or profile content.

Several of our sub-processors (Cloudflare, Resend, Sentry, Neon) are US-incorporated companies that process your data in EU regions. Where any data does cross the EU/EEA border, it is covered by the European Commission's Standard Contractual Clauses.

5. How long we keep it

• Account & training data: as long as your account is active.
• Coach conversations: as long as your account is active.
• Operational logs and error reports: kept only as long as needed for operations and security analysis, then automatically discarded by our infrastructure providers' default retention.
• Deleted accounts: scrubbed from the live database promptly after a deletion request. Encrypted database backups roll over within the database provider's standard retention window.

6. Your rights under GDPR

You have the right to: access your data (Art. 15), correct it (Art. 16), delete it (Art. 17), restrict its processing (Art. 18), receive it in a portable format (Art. 20), and object to processing (Art. 21). You can also lodge a complaint with the Austrian Data Protection Authority (dsb.gv.at).

To exercise any of these rights, email privacy@hybridcoach.ai from the address on your account. We respond within 30 days.

7. Cookies

The marketing site (hybridcoach.ai) sets no tracking cookies. The app (app.hybridcoach.ai) uses localStorage only for keeping you logged in (your access token) and your theme preference. Authentication uses Bearer tokens, not cookies — there is no cross-site session cookie.

8. Third parties

We use the following sub-processors. EU regions are used wherever offered. US-incorporated providers operate under EU Standard Contractual Clauses.

• Microsoft Azure — application hosting and AI inference. Processed in Germany West Central. Contracting entity for EU customers is Microsoft Ireland Operations Ltd.
• Neon — Postgres database. Processed in Frankfurt (eu-central-1). US-incorporated; SCCs in place.
• Cloudflare — marketing site CDN and inbound email routing. US-incorporated; SCCs in place. No app or account data flows through Cloudflare.
• Resend — transactional email, EU sending region. US-incorporated; SCCs in place.
• Sentry — error monitoring, EU region. US-incorporated; SCCs in place.
• Garmin — only if you opt in to Garmin sync. Garmin processes activity data globally under their own privacy policy.

9. Security

Passwords are hashed with bcrypt. Garmin tokens are encrypted at rest with Fernet. All traffic uses TLS 1.2+. The application enforces rate limits, JWT authentication with short-lived access tokens, and CORS restricted to our own domains. We follow OWASP guidance for the basics.

No system is perfectly secure. If you discover a vulnerability, please email security@hybridcoach.ai — we'll respond within 72 hours.

10. Changes to this policy

When we change anything material, we will email registered users and update the date at the top of this page. The current version is always the one published at hybridcoach.ai/privacy.

11. Contact

Privacy questions: privacy@hybridcoach.ai
General contact: hello@hybridcoach.ai