Privacy Policy
Effective date: 16 July 2026
App: Doctor Yaad (“the App”)
Data controller: Doctor Yaad, a business registered with the Netherlands Chamber of Commerce (KvK) under number 88159396, the Netherlands.
Privacy contact: yaad@doctoryaad.com
This Privacy Policy explains what personal data the App collects, why, the legal basis for processing it, who we share it with, how long we keep it, and the rights you have. We are based in the Netherlands, so the EU General Data Protection Regulation (GDPR) applies, and this policy is written around it.
This policy is published at https://doctoryaad.com/privacy and is linked inside the App under Settings → Legal.
1. Who we are
The App is a calisthenics training tool with an adaptive AI coach. Doctor Yaad (registered with the Netherlands Chamber of Commerce under KvK number 88159396) is the data controller responsible for your personal data. If you have any question about this policy or your data, contact us at yaad@doctoryaad.com.
2. What data we collect
We only collect what we need to run the App and provide coaching. We do not sell your data.
a) Account data — your email address (the only login identifier). We use passwordless sign-in: you log in with a one-time code / magic link sent to your email. We never collect or store a password.
b) Athlete profile — the information you give us to personalise training:
- Name (or display name)
- Sex
- Body weight and height
- Training level / experience
- Training goals
- Training days / weekly availability
- Available equipment
- Strength statistics (e.g. your numbers on key lifts and holds)
c) Training data — generated as you use the App:
- Workout sessions and the sets you complete (reps, load, hold times)
- Daily / pre-session check-ins: sleep, readiness, perceived recovery, stress, and soreness levels
- Pain reports — including the body site and severity of any pain you report
- Training decisions made by the engine (e.g. load changes, regressions, deloads)
- Coach-chat conversation logs — the messages you send to the AI coach and its replies
d) Technical data — crash reports, error logs, and diagnostic information (via Sentry, see Section 5) so we can fix bugs and keep the App stable.
Sensitive / health-adjacent data. Pain reports, soreness, recovery and body-metric data describe your physical state and are sensitive. We treat them with extra care, process them only to provide the training and pain-management features you ask for, and rely on your explicit consent for them (see Section 4). You can withdraw that consent at any time by deleting your account (Section 8).
3. Why we collect it (purposes)
| Purpose | Data used |
|---|---|
| Create and secure your account, log you in | |
| Generate and adapt your training program | Athlete profile, training data, check-ins, pain reports |
| Power the AI coach chat and personalised guidance | Coach-chat messages + a context “packet” of your relevant training data (see Section 5) |
| Track and respond to pain/soreness over time | Pain reports, soreness, check-ins |
| Keep the App stable and fix crashes | Technical / crash data |
| Deliver app updates | Build + update delivery (via Expo/EAS, Section 5) |
We do not use your data for advertising or profiling unrelated to training, and we do not run ad-tracking.
4. Legal basis (GDPR Article 6 and 9)
- Contract (Art. 6(1)(b)) — processing your account and core training data is necessary to provide the App you signed up for.
- Explicit consent (Art. 9(2)(a)) — for health-adjacent data (pain, soreness, recovery, body metrics) we rely on your explicit consent, captured during onboarding. You may withdraw consent at any time (Section 8); withdrawal does not affect processing already carried out.
- Legitimate interests (Art. 6(1)(f)) — for crash reporting, security, and preventing abuse, balanced against your rights.
- Consent (Art. 6(1)(a)) — for any optional features you separately opt into.
5. Who we share data with (sub-processors)
We use a small number of trusted service providers (“sub-processors”) to run the App. Each only receives the data needed for its function, and each is bound by a data processing agreement.
| Sub-processor | What it does | What it receives |
|---|---|---|
| Supabase | Authentication and Postgres database hosting | Your email and all account, profile, and training data stored in the database |
| OpenAI | Powers the AI coach chat | Your chat messages plus a context “packet” of your relevant training data, sent to OpenAI’s API to generate a coaching reply |
| Sentry | Crash and error reporting | Technical/diagnostic data and error logs, tagged with a pseudonymous device identifier (see below) |
| Railway | Backend / engine hosting | Training and account data passing through the backend during processing |
| Expo / EAS | App builds and over-the-air updates | Data needed to deliver app builds and over-the-air updates to your device |
About crash reporting (Sentry). Before any crash report leaves your device, we scrub the free text you typed — chat messages and pain notes are redacted on-device, so diagnostic data does not contain what you wrote. Crash reports are tagged with a pseudonymous device identifier: a random ID stored only on your device, never derived from or linked to your account, which automatically regenerates every 30 days so old reports stop correlating to your device on their own.
About the OpenAI coach specifically. When you chat with the coach, the App sends your message anda packet of your training context to OpenAI so the model can answer with awareness of your training. Under OpenAI’s API data-usage policy, data sent through the OpenAI API is not used to train OpenAI’s models, and is retained by OpenAI only for a limited period (up to 30 days) for abuse and misuse monitoring before being deleted. As a general precaution, do not share information in the coach chat that you would not want sent to OpenAI for processing.
We may also disclose data where required by law, or to protect our rights, users, or the public.
6. Where your data is stored and international transfers
Your account and training database (Supabase) is hosted in the European Union (Ireland). Where each sub-processor stores or processes your data:
| Sub-processor | Location |
|---|---|
| Supabase (database + authentication) | European Union (Ireland) |
| Railway (backend engine) | European Union (Amsterdam) |
| OpenAI (AI coach) | United States |
| Sentry (crash reporting) | United States |
| Expo / EAS (app updates) | United States |
Where data is processed outside the European Economic Area (EEA) — currently by OpenAI and Sentry, both based in the United States — we rely on appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.
7. How long we keep data (retention)
- Account, profile, and training data: kept while your account is active. Deleted when you delete your account (Section 8).
- Coach-chat logs: kept while your account is active, and deleted when you delete your account.
- Pain / health-adjacent data: kept while your account is active, and deleted when you delete your account.
- Crash / diagnostic data: kept for 90 days, then automatically deleted. Crash reports are scrubbed on-device before they are sent — free text you typed (chat messages, pain notes) is redacted, so diagnostic data does not contain what you wrote.
- After account deletion: your data and authentication account are erased (Section 8). Backups that may contain residual copies are overwritten on our hosting provider's standard backup rotation.
8. Your rights and how to use them
Under the GDPR you have the right to:
- Access a copy of your data
- Rectify inaccurate data (you can edit most profile data in the App)
- Erase your data (“right to be forgotten”)
- Port your data (receive it in a portable format)
- Object to / restrict certain processing
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with a supervisory authority — in the Netherlands, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
In-app account deletion. You can delete your account from within the App, in its settings, or by emailing us at yaad@doctoryaad.com. Deletion erases your personal data and your authentication account.
Other requests. To exercise access, portability, rectification, objection, restriction, or to withdraw consent, email yaad@doctoryaad.com. We will respond within one month as required by the GDPR (extendable by two further months for complex requests, with notice). We may ask you to verify your identity first.
9. Children
The App is intended for users aged 16 and over and is not directed at children under that age. (The Netherlands sets the GDPR digital-consent age at 16.) We do not knowingly collect data from anyone under the minimum age. If you believe a child has provided us data, contact yaad@doctoryaad.com and we will delete it.
10. Security
We use reasonable technical and organisational measures to protect your data, including encrypted transport, access controls at our sub-processors, on-device redaction of free text before crash reports are sent, and pseudonymous crash identifiers that expire on their own. No system is perfectly secure; we cannot guarantee absolute security.
11. Changes to this policy
We may update this policy. If we make material changes, we will notify you in the App or by email and update the effective date above. Continued use after changes take effect means you accept the updated policy.
12. Contact
Questions or requests: yaad@doctoryaad.com
Data controller: Doctor Yaad, registered with the Netherlands Chamber of Commerce (KvK) under number 88159396, the Netherlands.