Clever Coach Club

Privacy Policy

Last updated: 31 May 2026

Controller: Brain Machine Hygeia (Company No. 16811156)

Address: 2 St. Marys Road, Tonbridge, TN9 2LB, England

Service: Clever Coach Club at clevercoachclub.com (the "Services")

Contact: support@brainmachineh.com

ICO: We pay/register the UK data protection fee where required. If you want our current registration details, email us.

1) What this policy covers

This Privacy Policy explains how we collect, use, share, store and protect personal data when you use the Services as a client or Trainer.

The Services provide AI-assisted fitness tools. They are not medical services. Please do not upload or enter clinical diagnoses, treatment details, medications, test results, or medical records.

2) Personal data we collect

A. Account and profile data

  • Name
  • Email address
  • Authentication details (handled via Firebase Authentication)
  • If you use Google sign-in: basic Google account info such as email and name (and, where provided by Google, profile image)
  • Optional profile fields: phone number, date of birth (if you provide it), sex (if you provide it)

B. Fitness and training data

  • Workout plans, workout histories, exercise completion and progress
  • Exercise logs (e.g., sets/reps/weights/notes)
  • Training preferences and survey answers (pre sign-up surveys and end-of-block surveys)
  • Habit tracking and "general wellness" information you choose to enter
  • Generic, non-medical injury labels (e.g., "knee injury", "shoulder pain")
  • Optional body metrics: height, weight, BMI

C. Messages and AI Chat

In-app messages between clients and Trainers, messages to support, and chat transcripts with our AI assistants (e.g. Coach Clever).

Messaging is not end-to-end encrypted (it is protected in transit using TLS).

D. Form analysis media and outputs (optional)

If you upload a photo/video for form analysis:

  • The raw photo/video (stored in Firebase Cloud Storage, typically under exercise-media/{userId}/)
  • Analysis-related fields stored with exercise completion records in Cloud Firestore (e.g., an exerciseCompletions record containing fields such as mediaUrl, mediaType, and analysis outputs recorded in log fields like setLogs)

E. Technical, security and analytics data

  • IP address, device/browser information, timestamps, logs needed for security and troubleshooting
  • Cookies and similar technologies required for login/session and core functionality
  • If you consent to analytics: pseudonymous identifiers, page views, route navigation, button/feature interactions, approximate location (country/region inferred from IP), referrer URLs, and UTM campaign parameters — collected via Google Analytics 4 (see Section 14)
  • For signed-in users who have accepted analytics, your Firebase user ID may be associated with analytics events so we can understand product usage across sessions and devices

F. Payments (where enabled)

Payments are processed by Stripe. We receive limited billing metadata (e.g., last 4 digits, card brand, payment status), not full card numbers.

(At times, payment functions may be disabled in code; if payments are not active, we won't collect payment data.)

G. Wearable device data (optional)

If you choose to connect a supported wearable device (currently WHOOP or Oura), we collect and store:

  • Physiological metrics retrieved from the device provider, such as readiness/recovery score, heart rate variability (HRV), resting heart rate, respiratory rate, sleep and related metrics, and trends and insights we derive from them
  • Connection metadata (which provider you connected, connection status, and last-sync time)
  • The secure access credentials (access/refresh tokens) needed to retrieve your data, which are stored encrypted and are accessible only to our backend systems — not to other users

Because metrics like HRV, resting heart rate and respiratory rate can relate to your health, we treat this as sensitive information and process it only with your explicit consent (see Sections 4 and 6B). It is used to power fitness and wellness features and is not medical monitoring or diagnosis.

3) How we collect data

  • From you (sign-up, profile, surveys, logs, messages, uploads)
  • From Trainers (invites/referral codes, coaching activity within the platform)
  • Automatically from your device (technical/security logs)
  • From service providers (e.g., sign-in and payment status)

4) Why we use your data (purposes and legal bases)

Provide the Services (Contract)

  • Create and manage accounts, authenticate users
  • Generate, store and display workouts and progress
  • Connect clients and Trainers
  • Provide in-app messaging
  • Provide form analysis when you use it

Wearable device data (Consent / Explicit consent)

  • Where you connect a WHOOP or Oura device, we collect, store, display and process your physiological metrics (such as readiness/recovery, HRV, resting heart rate, respiratory rate and sleep) on the basis of your consent, and your explicit consent insofar as this is treated as health data under UK/EU GDPR.
  • Where you have a connected Trainer, connecting a device also relies on your explicit consent to share that data with your Trainer for coaching purposes (see Section 6B).
  • Where you enable it, we use recent wearable data (typically up to the last two months) to personalise AI-generated workout programming (Coach Clever).
  • You can withdraw consent at any time by disconnecting the device and/or turning off the relevant preference; this does not affect processing carried out before withdrawal.

Security and misuse prevention (Legitimate interests)

  • Protect accounts and the platform
  • Prevent fraud/abuse and enforce our Terms
  • Investigate user reports and platform misuse (note: we do not run automated moderation today)

Improve and maintain the Services (Legitimate interests; Consent for analytics cookies)

  • Debugging and reliability improvements based on error/technical logs
  • Measuring how the Services are used (which features are used, where users drop off in signup/checkout, conversion rates), using Google Analytics 4. We only set analytics cookies after you consent via our cookie banner; if you decline, GA4 may still receive minimal cookieless pings for aggregated conversion modelling, but no identifiers are stored on your device.
  • (We do not use Crashlytics or Remote Config. The mobile app declares push-notification capability so we can deliver transactional alerts in future; no push notifications are being sent today.)

Communications (Contract / Legitimate interests)

Transactional messages such as invitations, password resets, automated dashboard progress reports, account notices, and support responses.

Marketing (if introduced) (Consent where required)

We do not run ads trackers (no Google Ads pixel/Facebook Pixel) and we do not send SMS marketing. If we introduce marketing emails beyond essential service messages, we'll provide appropriate choices and obtain consent where required.

Model training

We do not use your identifiable content to train our models beyond providing the Services unless we explicitly introduce an opt-in and you choose it.

5) Trainers, invitations, and what Trainers can see

Invitations and referral codes

Trainers can add clients by:

  • entering a client email address, or
  • sharing a referral code.

We may send transactional invitation/reminder emails to support sign-up.

Legacy Data Imports

Trainers may use our bulk import features (e.g., CSV upload) to transfer historic training records (such as past workouts and completion logs) from legacy platforms into the Services. Trainers are responsible for ensuring they have a lawful basis to transfer this data.

Trainer visibility (while connected)

When you connect to a Trainer, the Trainer can view, for coaching purposes (as applicable):

  • Name and contact details (email; phone number if provided)
  • Profile fields you provide (date of birth/age if provided; sex if provided)
  • Height/weight/BMI if provided
  • Workout plans, workout history, completion rates, and progress
  • Training preferences and surveys (pre sign-up and end-of-block)
  • Habit tracking and general wellness information you enter
  • Wearable device data, if you connect a WHOOP or Oura device while connected to that Trainer — your readiness/recovery score, HRV, resting heart rate, respiratory rate, sleep and related metrics, and the trends derived from them (see Section 6B)
  • Non-medical injury labels (e.g., "knee injury")
  • In-app messages between you and that Trainer
  • Form analysis media you share and analysis outputs linked to that media

Disconnecting a Trainer

You can disconnect a Trainer in-app (using active/archived flags). This stops their ongoing access through the platform. However, while connected, a Trainer may be able to manually copy information they can view (for example, by taking notes or downloading what is displayed). We cannot guarantee that content viewed while connected cannot be retained by the Trainer outside the Services.

Roles with Trainers

We are the controller for operating the Services. Trainers may be independent controllers for personal data they process outside the platform for their own purposes (e.g., their own business records, offline sessions, or copies they retain).

6) Google Drive export and "Anyone with the link"

We offer an optional feature where a Trainer may export/store client videos in the Trainer's Google Drive. If a Trainer chooses to use this feature, they may be required to set sharing to "Anyone with the link" for those exported files.

Once a file is in a Trainer's Google Drive and shared using "Anyone with the link", anyone who has the link may be able to access the file, and links can be forwarded.

This exported copy is outside our platform security controls and is governed by Google's terms and the Trainer's Drive settings.

The Trainer is responsible for how they store, share, and secure exported files in Google Drive, and for complying with data protection law for that exported data.

If you want an exported file removed from a Trainer's Drive, you should request deletion from the Trainer directly. You can also contact us and we will assist where we reasonably can, but we do not control Trainers' Google Drive accounts.

6A) Exercise demonstration videos (Bunny.net)

Trainers may upload exercise demonstration videos to the Services. These videos are hosted on Bunny.net ("Bunny CDN" / "Bunny Stream"), a third-party video hosting and content delivery platform that processes and delivers video data on our behalf.

What is stored: The video file itself is stored in Bunny Storage and made available for streaming via Bunny Stream. A reference URL pointing to the Bunny-hosted video is stored in Cloud Firestore alongside the relevant exercise data.

Access: Bunny-hosted video URLs may be accessible to anyone who obtains the URL. URLs are not publicly listed but are not individually access-controlled beyond URL knowledge.

No biometric identification: We do not use exercise demonstration videos for facial recognition or biometric identification.

Retention: Exercise demonstration videos are retained on Bunny.net while actively associated with exercises in the Services. If a Trainer removes or replaces a video, the previous version may be deleted from Bunny Storage. Videos are not automatically deleted upon account closure; deletion of Bunny-hosted content follows our standard retention schedule as described in Section 10.

6B) Wearable device integrations (WHOOP & Oura)

You may optionally connect a supported wearable device — currently WHOOP or Oura (Ōura) — to the Services from your Profile page. This is optional, and the Services work without it.

How the connection works: Connecting uses a secure authorisation flow (OAuth 2.0) operated by WHOOP or Oura. You log in to your device account and grant us permission to access defined categories of your data. We store the resulting access credentials encrypted on our backend, and use them to retrieve your metrics on a periodic and/or on-demand basis.

What we receive and store: readiness/recovery score, heart rate variability (HRV), resting heart rate, respiratory rate, sleep and related metrics, and trends and insights we derive from them. We store these in Cloud Firestore associated with your account and display them to you (for example on your dashboard and on the Physiology page).

Explicit consent to share with your Trainer: if you connect a device while you have a connected Trainer, you explicitly consent to share all data we receive from that device — including your readiness/recovery score, HRV, resting heart rate, respiratory rate, sleep and related metrics, and the derived trends and insights — with your connected Trainer(s) for coaching purposes. If you do not want a Trainer to see this data, do not connect a device while connected to that Trainer, or disconnect it.

Use for AI programming (optional): where you (or your Trainer, with your agreement) enable the relevant preference, we provide your recent wearable data (typically up to the last two months) to our AI assistant (Coach Clever, powered by our AI provider) to help personalise and adjust your workout programming. You can turn this off in the relevant preferences.

Disconnecting and withdrawing consent: you can disconnect a device at any time from your Profile page, which stops further retrieval of your data through the Services. You can also revoke our access directly from your WHOOP or Oura account. Data already retrieved before you disconnect is retained and deleted in line with Section 10.

Third-party providers: WHOOP and Oura are independent third parties with their own terms and privacy policies, which govern your device and your account with them. When we request your data from them, that request is processed by the provider (including, where applicable, in the United States — see Section 9).

No biometric identification: We do not use wearable data for facial recognition or biometric identification, and we do not use it to make decisions about you that produce legal or similarly significant effects without human involvement.

7) Generative AI processing (Google Gemini API)

Our platform uses Google's Gemini API (e.g., models within the Gemini 2.5 Flash family) to power various features, including:

  • AI Form Analysis: We send your uploaded instructional media to the Gemini API to generate form feedback outputs. We store the resulting outputs linked to your exercise records.
  • Conversational Assistants ("Coach Clever"): If you interact with our AI assistants, we send your chat prompts and relevant workout history to the Gemini API to generate workout plans and advice. We store these chat transcripts securely.
  • Profiling ("Coach DNA"): We may process your training history and submitted preferences through the Gemini API to generate summarised coaching profiles for your Trainer.

No biometric identification: We do not use AI features for facial recognition or biometric identification.

Your responsibility: Only upload media you have the right to share, including permission from anyone who appears in it.

8) Who we share data with

Our processors/service providers

We use service providers that process personal data on our behalf under contract, including:

  • Google Firebase (Authentication, Hosting, Cloud Firestore, Cloud Storage, Cloud Functions)
  • Google Gemini API (AI processing for form analysis)
  • Google Analytics 4 (product usage analytics — only if you consent via the cookie banner)
  • Bunny.net (Bunny CDN / Bunny Stream) for exercise demonstration video hosting, streaming, and content delivery
  • Resend (transactional emails)
  • Stripe (payments, where enabled)
  • WHOOP and Oura (Ōura) — where you connect a wearable device, these providers supply your physiological data to us via their APIs, in line with the permissions you grant

We can provide a current sub-processor list on request (email support@brainmachineh.com).

Other disclosures

We may share data:

  • With your connected Trainer (as described above), including wearable device data where you connect a device and consent to share it (Section 6B)
  • With professional advisers (legal/accounting) where needed
  • With authorities where required by law

We do not sell your personal data.

9) International transfers

Our Cloud Functions are deployed in europe-west2 (London).

Firestore/Storage location depends on the region configured for our Firebase project (contact us to confirm our current configuration).

US processing does occur for:

  • Gemini API requests (which route to US-based endpoints),
  • Google Analytics 4 (event data is processed via Google's global infrastructure, which includes US-based servers; we have enabled IP anonymisation and have not enabled advertising features),
  • Resend (US-hosted email delivery infrastructure), and
  • Bunny.net (video content is delivered via Bunny's global CDN edge network; storage may be located in EU or other regions depending on configuration), and
  • WHOOP and Oura (where you connect a device, our requests to retrieve your data are processed by these providers, which may process data on US-based infrastructure).

Where data is transferred outside the UK/EEA, we rely on appropriate safeguards (such as the UK IDTA / UK Addendum and equivalent contractual protections used by our providers), plus additional measures where appropriate.

10) Retention

We keep personal data only as long as needed for the purposes in this policy:

  • Account/profile, training data, surveys, habits, body metrics, and messages: generally retained while your account is active.
  • After account closure: we aim to delete or anonymise most account-related data within 90 days, unless we need to keep some records longer for legal/accounting reasons (typically up to 6 years for business records).
  • Form analysis media and outputs: you may be able to delete media in-app (where available). Otherwise, we generally retain it while your account is active and aim to delete/anonymise within 90 days after closure.
  • Wearable device data: connection credentials are retained until you disconnect the device or close your account, after which they are revoked/deleted. Physiological metrics and derived trends are retained while your account is active and we aim to delete/anonymise them within 90 days after closure. Disconnecting a device stops further collection.
  • Backups: deletion may not be immediate across backups; backups may persist for up to around 90 days.
  • Google Drive exports: any copies exported to a Trainer's Google Drive are outside our retention control; you must request deletion from the Trainer for those copies.

11) Security

We use reasonable technical and organisational measures designed to protect data, including encryption in transit (TLS), access controls, and secure cloud infrastructure. In-app messaging is not end-to-end encrypted. We do not currently implement automated moderation; we may review content where needed for support, security, or in response to reports.

No system is 100% secure; please keep your credentials confidential and use secure devices.

12) Your rights

Under UK GDPR (and, where applicable, EU GDPR), you may have rights to:

  • access your data
  • correct inaccurate data
  • request deletion (you can permanently delete your account at any time via the Profile Settings page in the app, or by contacting support)
  • restrict processing
  • object to certain processing based on legitimate interests
  • data portability (where applicable)
  • withdraw consent where processing is based on consent (if we introduce consent-based features)

To exercise rights, email support@brainmachineh.com. We respond within one month (subject to lawful extensions) and may ask for verification.

You can also complain to the ICO (www.ico.org.uk).

13) Children and age

The Services are intended for people aged 16+. We do not currently verify age at sign-up, and date of birth is optional. If we become aware or reasonably suspect that a user is under 16, we may request confirmation and may suspend/terminate the account.

14) Cookies and similar technologies

We use cookies and similar technologies (such as browser localStorage and IndexedDB) for two purposes: keeping you signed in, and — only with your consent — understanding how the Services are used.

Strictly necessary (no consent required)

These are required to operate the Services. You cannot opt out and still use the site.

  • Firebase Authentication session storage (stored in browser IndexedDB and localStorage) — keeps you signed in across pages and reloads.
  • App preferences (stored in browser localStorage, e.g. ccc_consent, ccc_app_version, pending trainer intent flags) — remember UI state and your consent choice between visits.
  • Stripe session cookies on the checkout page — required for payment fraud prevention.

Analytics (consent required)

When you accept analytics via our cookie banner, we use Google Analytics 4 to understand product usage. GA4 sets the following first-party cookies on clevercoachclub.com:

  • _ga — distinguishes unique visitors. Expires after 2 years.
  • _ga_G-6JJVMP5KGS — persists session state. Expires after 2 years.

We have configured Google Consent Mode v2 so that, until you accept analytics, these cookies are not set. We have not enabled Google Analytics advertising features (no Google Signals for ad personalisation, no remarketing audiences, no Google Ads link). We do not run advertising trackers (no Google Ads pixel, no Facebook Pixel, no TikTok pixel).

Changing your choice

You can change your cookie choice at any time using the Cookie preferences link in the website footer, or by clearing your browser's site data for clevercoachclub.com (which will cause the consent banner to reappear on your next visit).

You can also opt out of Google Analytics across all sites by installing the Google Analytics Opt-out Browser Add-on, or by enabling "Do Not Track" / Global Privacy Control in your browser.

15) Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version with a new "Last updated" date and provide notice of material changes where appropriate.

16) Contact

Brain Machine Hygeia

2 St. Marys Road, Tonbridge, TN9 2LB, England

Email: support@brainmachineh.com