Privacy Policy

Effective date: 16 July 2026

App: Doctor Yaad (“the App”)

Data controller: Doctor Yaad, a business registered with the Netherlands Chamber of Commerce (KvK) under number 88159396, the Netherlands.

Privacy contact: yaad@doctoryaad.com

This Privacy Policy explains what personal data the App collects, why, the legal basis for processing it, who we share it with, how long we keep it, and the rights you have. We are based in the Netherlands, so the EU General Data Protection Regulation (GDPR) applies, and this policy is written around it.

This policy is published at https://doctoryaad.com/privacy and is linked inside the App under Settings → Legal.

1. Who we are

The App is a calisthenics training tool with an adaptive AI coach. Doctor Yaad (registered with the Netherlands Chamber of Commerce under KvK number 88159396) is the data controller responsible for your personal data. If you have any question about this policy or your data, contact us at yaad@doctoryaad.com.

2. What data we collect

We only collect what we need to run the App and provide coaching. We do not sell your data.

a) Account data — your email address (the only login identifier). We use passwordless sign-in: you log in with a one-time code / magic link sent to your email. We never collect or store a password.

b) Athlete profile — the information you give us to personalise training:

c) Training data — generated as you use the App:

d) Technical data — crash reports, error logs, and diagnostic information (via Sentry, see Section 5) so we can fix bugs and keep the App stable.

Sensitive / health-adjacent data. Pain reports, soreness, recovery and body-metric data describe your physical state and are sensitive. We treat them with extra care, process them only to provide the training and pain-management features you ask for, and rely on your explicit consent for them (see Section 4). You can withdraw that consent at any time by deleting your account (Section 8).

3. Why we collect it (purposes)

PurposeData used
Create and secure your account, log you inEmail
Generate and adapt your training programAthlete profile, training data, check-ins, pain reports
Power the AI coach chat and personalised guidanceCoach-chat messages + a context “packet” of your relevant training data (see Section 5)
Track and respond to pain/soreness over timePain reports, soreness, check-ins
Keep the App stable and fix crashesTechnical / crash data
Deliver app updatesBuild + update delivery (via Expo/EAS, Section 5)

We do not use your data for advertising or profiling unrelated to training, and we do not run ad-tracking.

4. Legal basis (GDPR Article 6 and 9)

5. Who we share data with (sub-processors)

We use a small number of trusted service providers (“sub-processors”) to run the App. Each only receives the data needed for its function, and each is bound by a data processing agreement.

Sub-processorWhat it doesWhat it receives
SupabaseAuthentication and Postgres database hostingYour email and all account, profile, and training data stored in the database
OpenAIPowers the AI coach chatYour chat messages plus a context “packet” of your relevant training data, sent to OpenAI’s API to generate a coaching reply
SentryCrash and error reportingTechnical/diagnostic data and error logs, tagged with a pseudonymous device identifier (see below)
RailwayBackend / engine hostingTraining and account data passing through the backend during processing
Expo / EASApp builds and over-the-air updatesData needed to deliver app builds and over-the-air updates to your device

About crash reporting (Sentry). Before any crash report leaves your device, we scrub the free text you typed — chat messages and pain notes are redacted on-device, so diagnostic data does not contain what you wrote. Crash reports are tagged with a pseudonymous device identifier: a random ID stored only on your device, never derived from or linked to your account, which automatically regenerates every 30 days so old reports stop correlating to your device on their own.

About the OpenAI coach specifically. When you chat with the coach, the App sends your message anda packet of your training context to OpenAI so the model can answer with awareness of your training. Under OpenAI’s API data-usage policy, data sent through the OpenAI API is not used to train OpenAI’s models, and is retained by OpenAI only for a limited period (up to 30 days) for abuse and misuse monitoring before being deleted. As a general precaution, do not share information in the coach chat that you would not want sent to OpenAI for processing.

We may also disclose data where required by law, or to protect our rights, users, or the public.

6. Where your data is stored and international transfers

Your account and training database (Supabase) is hosted in the European Union (Ireland). Where each sub-processor stores or processes your data:

Sub-processorLocation
Supabase (database + authentication)European Union (Ireland)
Railway (backend engine)European Union (Amsterdam)
OpenAI (AI coach)United States
Sentry (crash reporting)United States
Expo / EAS (app updates)United States

Where data is processed outside the European Economic Area (EEA) — currently by OpenAI and Sentry, both based in the United States — we rely on appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.

7. How long we keep data (retention)

8. Your rights and how to use them

Under the GDPR you have the right to:

In-app account deletion. You can delete your account from within the App, in its settings, or by emailing us at yaad@doctoryaad.com. Deletion erases your personal data and your authentication account.

Other requests. To exercise access, portability, rectification, objection, restriction, or to withdraw consent, email yaad@doctoryaad.com. We will respond within one month as required by the GDPR (extendable by two further months for complex requests, with notice). We may ask you to verify your identity first.

9. Children

The App is intended for users aged 16 and over and is not directed at children under that age. (The Netherlands sets the GDPR digital-consent age at 16.) We do not knowingly collect data from anyone under the minimum age. If you believe a child has provided us data, contact yaad@doctoryaad.com and we will delete it.

10. Security

We use reasonable technical and organisational measures to protect your data, including encrypted transport, access controls at our sub-processors, on-device redaction of free text before crash reports are sent, and pseudonymous crash identifiers that expire on their own. No system is perfectly secure; we cannot guarantee absolute security.

11. Changes to this policy

We may update this policy. If we make material changes, we will notify you in the App or by email and update the effective date above. Continued use after changes take effect means you accept the updated policy.

12. Contact

Questions or requests: yaad@doctoryaad.com
Data controller: Doctor Yaad, registered with the Netherlands Chamber of Commerce (KvK) under number 88159396, the Netherlands.