Hybrid Athlete — Privacy Policy
_Last updated: May 2026_
1. Who we are (Data Controller)
The data controller for the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Irish Data Protection Act 2018 is:
Can Ayan (sole trader) Ireland Email: info@kalibrefin.com
We are referred to in this policy as "we", "us", or "the controller".
This policy covers the iOS application "Hybrid Athlete" and the optional AI Coach proxy service (together, the "Service"). By using the Service you acknowledge the practices described below.
Looking for the legal framework around use of the Service (medical disclaimer, liability cap, subscriptions, governing law)? That's in our separate Terms of Service.
2. What data we process
We process only what's needed to make the Service work for you. There are no third-party analytics, advertising, or attribution SDKs.
2.1 Stored on your device
- Onboarding answers: sports, training days, equipment, goals,
experience level, training-style preference.
- Training history: completed workouts, exercises performed, dates,
optional difficulty feedback.
- Assessment results: any tests you record (e.g. push-up count).
- Profile fields: first name, optional birth year, optional avatar
photo (compressed locally, never uploaded), homeCity (city-level only, used for social proximity filtering — no GPS, user-typed).
- Social profile: your "Looking for" blurb (≤80 chars), training-week
visibility, list of athletes you blocked or reported.
- Chat messages: text exchanged with matched athletes (stored
locally — v1.0 has no cross-user backend so messages do not leave your device in the current shipment).
- Coach Note cache: the most recent daily note + Q&A round.
This data lives in iOS UserDefaults / SwiftData / the app sandbox. It is never uploaded to our servers as a whole. iOS handles backup and restore through your iCloud account if you have it enabled — we do not operate that path and have no access to your iCloud backup.
2.2 Apple Sign-In
When you sign in with Apple, we receive:
- A unique stable user identifier issued by Apple.
- Your email (real or relay address — your choice in the system prompt).
- Your name as you choose to share it during sign-in.
The user identifier is hashed before any network call and is the only identifier we ever transmit. We never store your real email; if you use Apple's relay address, we never see your real email at all.
2.3 AI Coach (compiled, OFF in v1.0)
v1.0 ships with the AI Coach disabled (AppStore.aiCoachEnabled = false). Coach Notes are generated entirely on your device by a deterministic renderer (or by Apple Intelligence locally on iPhone 15 Pro+ with iOS 26+) — no network calls take place and the payload described below is not transmitted in this shipment.
The proxy client code remains compiled for a future enable in v1.0.1+. When (and if) that flag flips, the payload described below will apply. We are publishing the full description now for full transparency. If you upgrade to a future version that flips the flag, this section will reflect that change with a new "Last updated" date and an in-app notice.
When the AI Coach IS enabled (future), the app would send a small JSON payload to a Cloudflare Worker we operate, which forwards it to Anthropic, PBC's API. The payload would contain:
- An anonymous, hashed user identifier (cannot be reversed).
- Your last 3 completed sessions: date, family, exercise names, optional
difficulty rating.
- Your next 1–2 scheduled sessions.
- Your training profile summary: sports, level, primary goals.
- Recent adherence signals (completion rate, streak count).
The payload contains no personal identifiers, no email, no name, no location, no health metrics beyond what you have explicitly logged in the Service. Anthropic processes the payload to generate the response and does not retain it for model training (Anthropic's API zero-retention default applies).
2.4 What we do NOT collect
- ❌ Precise location (GPS, WiFi triangulation). We collect only the
city-level homeCity string you type during onboarding.
- ❌ Photos other than the avatar you optionally pick (which never
leaves your device).
- ❌ Contacts.
- ❌ Microphone, camera, motion sensors, HealthKit data.
- ❌ Advertising identifiers (IDFA / IDFV beyond Apple's defaults).
- ❌ Any tracking across apps or websites (NSPrivacyTracking = false).
- ❌ Purchase history. v1.0 is fully free — no in-app purchases, no
subscriptions, no StoreKit transactions. (The premium tier code ships compiled-but-gated for a future revival; in v1.0 no transactions are possible.)
3. Legal basis for processing (GDPR Article 6)
Each category of processing has an identified lawful basis:
| Processing | Lawful basis (GDPR Art 6) |
|---|---|
| Storing onboarding answers, plan, history on your device | Contract (Art 6(1)(b)) — necessary to provide the Service you signed up for. |
| Apple Sign-In identifier (hashed) for account identity | Contract (Art 6(1)(b)) — without it, your data cannot be associated with your account. |
| Apple Sign-In email/name (if you share them) | Contract (Art 6(1)(b)). |
| Storing chat messages locally between matched athletes | Contract (Art 6(1)(b)) — necessary to provide the social pairing feature you opted into. |
| Storing your homeCity (city-level only) for social proximity filtering | Contract (Art 6(1)(b)) — required for the matchmaking feature. |
| (Future — AI Coach enabled) Sending anonymised digest to Coach proxy | Contract (Art 6(1)(b)) — would apply when/if AI Coach is enabled in v1.0.1+; currently disabled, no processing occurs. |
| (Future — AI Coach enabled) Security, rate-limit, abuse-prevention logs on the proxy | Legitimate interest (Art 6(1)(f)) — would apply when/if the proxy is enabled. |
We do not rely on consent (Art 6(1)(a)) for any of the above because none of the processing is optional in a way that would make consent meaningful — you control whether to trigger AI Coach in the first place, which is the closest analogue to opt-in.
3.1 Special category data (GDPR Article 9)
Training history, body assessments, and recovery feedback can reasonably be considered health-adjacent data under GDPR Article 9. We process it on the following Article 9 lawful bases:
| Processing | Article 9 lawful basis |
|---|---|
| Storing training history, assessment scores, recovery feedback on your device | Explicit consent (Art 9(2)(a)) — by signing in and confirming eligibility at first launch you explicitly consent to processing of health-adjacent training data necessary to provide the Service. You may withdraw consent at any time by deleting your account in Profile → Delete account, which removes all such data immediately. |
| Sending anonymised training summary to AI Coach (if you trigger it) | Explicit consent (Art 9(2)(a)) — each AI Coach interaction is a discrete, user-initiated action that constitutes fresh explicit consent for that payload. |
We do not process Article 9 data for any purpose other than delivering the Service to you. We do not share it with third parties (apart from the AI Coach proxy when you explicitly trigger it), sell it, or use it for any kind of profiling, scoring, or decision-making with legal or similarly significant effects.
4. How we use it
- App functionality. All on-device data feeds the planner so your
next workout reflects your history and preferences.
- Social pairing. homeCity + sports + goals + training rhythm are
used to filter Discover candidates to athletes near you with compatible profiles. Chat messages with matched athletes are stored locally so you can coordinate co-training.
- (Future — AI Coach enabled) AI Coach personalisation. Currently
disabled in v1.0; if/when enabled in a future version, the proxied payload would generate your daily note and Q&A answers.
We do not use your data for advertising, profiling for marketing, automated decision-making with legal effects, or any purpose beyond delivering the Service.
5. Who we share it with (Recipients)
- Anthropic, PBC (US) — only the AI Coach payload, only when you
trigger a generation. See Anthropic's privacy policy.
- Apple, Inc. (US / Ireland) — through Sign in with Apple and
StoreKit, governed by Apple's privacy policy.
- Cloudflare, Inc. (US) — operates the proxy that fronts the
Anthropic call. See Cloudflare's privacy policy.
We do not sell or rent your data to anyone, ever. We do not share data with advertisers, data brokers, or analytics providers.
6. International transfers (GDPR Chapter V)
Anthropic, Apple, and Cloudflare are headquartered in the United States. Personal data transferred to them therefore leaves the European Economic Area (EEA).
We rely on the following GDPR-compliant transfer mechanisms:
- EU–US Data Privacy Framework (DPF): Anthropic, PBC and Cloudflare,
Inc. are self-certified under the EU–US DPF. The European Commission's adequacy decision of 10 July 2023 recognises DPF-certified US transfers as providing an adequate level of protection.
- Standard Contractual Clauses (SCCs): Where DPF coverage is not
available, we rely on the European Commission's 2021 SCCs as the transfer mechanism.
- Apple: transfers governed by Apple's published
Sign in with Apple terms and DPF certification.
You can request a copy of the relevant transfer documentation by emailing info@kalibrefin.com.
7. How long we keep it (Retention)
| Data | Retention |
|---|---|
| On-device data (onboarding, history, profile, cache) | Stored on your device for as long as you keep the app installed. Wiped immediately if you delete your account or uninstall. |
| Apple Sign-In credential (Keychain) | Held in your iOS Keychain until you delete the account or revoke Apple Sign-In access. |
| AI Coach payload at our Cloudflare Worker | Not persisted. Processed in-memory, forwarded to Anthropic, response returned, request discarded. |
| AI Coach payload at Anthropic | Processed under Anthropic's API default zero-retention policy; not retained for training. |
| Rate-limit counters at the proxy | Rolling 24-hour / 30-day window; aggregate counts only (no payload content). |
| Subscription state | Held by Apple per the App Store / StoreKit agreement, outside our control. |
If you delete your account via Profile → Manage data → Delete account, every layer of our local state is wiped immediately and irreversibly.
8. Your rights under GDPR (Articles 12–22)
You have the following rights with respect to your personal data. To exercise any of them, email info@kalibrefin.com with a brief description. We respond within one month (extendable by two months for complex requests, per GDPR Art 12(3)) and do not charge a fee for reasonable requests.
| Right | What it means here |
|---|---|
| Access (Art 15) | Receive confirmation of what we hold and a copy. Most of what we hold lives on your device — the in-app Profile → Manage data screen is the fastest export route. |
| Rectification (Art 16) | Correct inaccurate or incomplete data. Onboarding and profile fields are user-editable in the app at any time. |
| Erasure / "right to be forgotten" (Art 17) | Wipe your data. Tap Profile → Manage data → Delete account for immediate, irreversible deletion of all local state, the Keychain credential, and the migration flag. Email us to confirm if needed. |
| Restriction of processing (Art 18) | Ask us to stop processing while a dispute is resolved. In practice the easiest path is to stop using the AI Coach feature (the only off-device processing). |
| Data portability (Art 20) | Receive your data in a machine-readable format. The on-device store is JSON; we can produce a copy on request. |
| Object (Art 21) | Object to processing based on legitimate interest. Applies to our security/abuse-prevention logs on the proxy. |
| Withdraw consent (Art 7(3)) | We do not rely on consent (see §3) so there is nothing to withdraw. You can always stop using the Service and delete the account. |
| Automated decision-making (Art 22) | We do not perform automated decision-making with legal or similarly significant effects. |
Sign-In revocation
You can revoke Sign in with Apple at any time via iOS Settings → Apple ID → Password & Security → Apps Using Apple ID. The Service catches the revocation on next launch and wipes local state automatically.
Right to lodge a complaint (GDPR Art 77)
If you believe our processing infringes GDPR, you have the right to lodge a complaint with a supervisory authority — in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
The Irish supervisory authority (lead authority for this Service) is:
Data Protection Commission (DPC) 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland Website: <https://www.dataprotection.ie> Online complaint form: <https://www.dataprotection.ie/en/contact/how-make-complaint>
We would appreciate the chance to address your concern first — email info@kalibrefin.com — but you are not required to contact us before contacting the DPC.
9. Security
We apply commercially reasonable safeguards:
- All network traffic (Apple Sign-In, AI Coach proxy, StoreKit) uses
TLS 1.2+ over HTTPS.
- The Apple Sign-In credential is stored in the iOS Keychain with
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly — not synced to iCloud Keychain, not exported on backup.
- The AI Coach proxy requires a shared secret to authenticate requests
from the app, rate-limits per hashed user ID, and does not log payload contents.
- The Service ships an Apple-required privacy manifest declaring
exactly what data is collected and which Apple APIs are used.
No system is perfectly secure. We will notify affected users without undue delay if we become aware of a personal data breach likely to result in a risk to your rights and freedoms, per GDPR Art 33–34.
10. Children
The Service is not directed at children. Under the Irish Data Protection Act 2018 (§31), the digital age of consent in Ireland is 16. We do not knowingly process data from anyone under 16. If you believe a child under 16 has used the Service, contact us at info@kalibrefin.com and we will delete any associated data immediately.
Our Terms of Service additionally require all users to be at least 18 years old (see Terms §3).
11. Changes to this policy
We will update the "Last updated" date at the top of this page and post the new version at the same URL. Material changes (new categories of data, new recipients, new purposes) will trigger an in-app notice the next time you open the Service.
12. Contact
Questions, deletion requests, data subject rights, or anything else:
Can Ayan (Data Controller) Email: info@kalibrefin.com
For complaints to the Irish supervisory authority, see §8 above.