Privacy Policy
How we collect, use, and protect your personal data.
How we collect, use, and protect your personal data.
Last updated: May 19, 2026
This Privacy Policy explains how CoachMoach collects, uses, and protects your personal data, in accordance with the EU General Data Protection Regulation (GDPR - Regulation 2016/679) and applicable national data protection law.
The data controller responsible for processing your personal data is Romana Korchmar, operating CoachMoach as an Einzelunternehmen. For full contact and legal entity details, see our Imprint.
Romana Korchmar
CoachMoach, Einzelunternehmen
LΓ€ndgasse 134, 84028 Landshut, Germany
Privacy contact:
Email: privacy@coachmoach.com
You may contact us at any time with questions about how we process your data or to exercise your rights under GDPR (see Section 8).
We collect the minimum data necessary to provide the Service. The table below gives an overview:
| Category | Data | Purpose | Legal Basis |
|---|---|---|---|
| Account | Email address, authentication provider ID, login method, session cookies | Identity, authentication, and account management | Contract (Art. 6(1)(b)) |
| Profile | Display name, username, bio (all optional) | Personalisation and community features | Consent (Art. 6(1)(a)) |
| Health & Fitness | Workout logs, exercise history, weights, reps, sets, personal records, schedules, streaks, XP, achievements | Core service - tracking progress and delivering coaching | Explicit consent (Art. 9(2)(a)) - special category data; contract (Art. 6(1)(b)) |
| Voice | Short microphone audio segments processed locally, resulting command transcripts, selected TTS text | Voice command recognition for hands-free workout control | Explicit consent (Art. 9(2)(a)) - optional feature |
| AI Coaching | Chat messages, workout context, exercise names, sets, reps, preferences, generated plans | Generate coaching responses, workout plans, summaries, and motivational messages | Contract (Art. 6(1)(b)); explicit consent for health-related context (Art. 9(2)(a)) |
| Music & Media | Music preferences, favourite Jamendo tracks, exercise names used for video search, YouTube video links | Provide workout music, remember music preferences, and show exercise demonstration videos | Contract (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) |
| Billing | Billing status, subscription IDs, checkout email, payment portal links, webhook events from the payment provider | Premium access, subscriptions, invoices, fraud prevention, and statutory accounting obligations | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Usage | Session duration, feature usage, in-app events | Service improvement, debugging, and analytics | Legitimate interest (Art. 6(1)(f)) |
| Technical | Browser type, device type, IP address, request metadata, rate-limit keys, error logs | Security, rate limiting, fraud prevention, uptime, and debugging | Legitimate interest (Art. 6(1)(f)) |
Health and fitness data (workout logs, personal records) is classified as special category data under GDPR Article 9 when it reveals health or fitness information. We process this data only with your explicit consent, given at account creation or when you use optional health-related features.
CoachMoach has two separate microphone features. Processing differs β read the case that applies to you:
Both voice features are optional. You can use CoachMoach without microphone access using manual mode and typed chat at any time. You can revoke microphone permission in your browser or device settings.
We use the following third-party processors to deliver the Service. Each processor handles your data only according to our instructions and under appropriate legal safeguards:
Database, authentication, session cookies, storage, and optional Google OAuth handling
Data processing agreement; EU Standard Contractual Clauses (SCCs) for non-EU transfers
AI coaching responses, AI workout builder, coach chat voice transcription, summaries, and motivational messages
Data processing agreement; EU Standard Contractual Clauses (SCCs)
Text-to-speech voice synthesis for coaching cues
Data processing agreement; EU Standard Contractual Clauses (SCCs)
Download of in-browser Whisper model files for local speech recognition
No microphone audio is sent for transcription; model download requests may include technical metadata such as IP address
Workout music streaming (Creative Commons licensed tracks)
EU-based provider; GDPR applies directly
Checkout, subscription management, customer portal, invoices, fraud prevention, and billing webhooks
Data processing agreement; EU Standard Contractual Clauses (SCCs)
Redis-backed rate limiting and abuse prevention
Data processing agreement; EU Standard Contractual Clauses (SCCs)
Hosting, serverless runtime, deployment, CDN, and server logs
Data processing agreement; EU Standard Contractual Clauses (SCCs)
Optional Google sign-in, YouTube Data API video search, embedded YouTube exercise videos, and optional Google Calendar export
For OAuth/API use: processor or independent-controller terms as applicable; EU Standard Contractual Clauses for non-EU transfers
Some services, especially embedded YouTube videos and Google sign-in, may also process data as independent controllers under their own privacy terms. Where personal data is transferred outside the EEA, we rely on adequacy decisions, EU Standard Contractual Clauses, or other safeguards required by GDPR Chapter V.
We retain your personal data for as long as your account is active, plus:
You can request earlier deletion at any time (see Section 8 β Your Rights).
Your workout data and conversation context are processed by OpenAI's models to generate coaching responses. This means:
As a data subject under GDPR, you have the following rights. To exercise any of them, contact privacy@coachmoach.com. We will respond within 30 days.
Right of Access (Art. 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
Ask us to correct inaccurate or incomplete data.
Right to Erasure (Art. 17)
Request deletion of your data ('right to be forgotten').
Right to Portability (Art. 20)
Receive your data in a machine-readable format to transfer elsewhere.
Right to Object (Art. 21)
Object to processing based on legitimate interest.
Right to Restrict Processing (Art. 18)
Ask us to pause processing of your data in certain circumstances.
Right to Withdraw Consent
Withdraw any consent given at any time, without affecting prior processing.
Right to Lodge a Complaint
Complain to your competent national or regional data protection authority.
Account deletion (which triggers data erasure) is available directly in the Settings page of the app.
CoachMoach is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verified parental consent (GDPR Article 8). If you believe a child has provided us with personal data without consent, please contact privacy@coachmoach.com and we will delete it promptly.
We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance by email or in-app notice. The "Last updated" date at the top of this page will always reflect the most recent version.
For significant changes to how we process special category data (health and fitness data), we will ask for your renewed consent.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. For CoachMoach's place of business in Bavaria, this is:
Bayerisches Landesamt fΓΌr Datenschutzaufsicht (BayLDA)
Website: www.lda.bayern.de
EU residents may also file complaints with the data protection authority in their country of residence.