Privacy Policy
Last updated: May 19, 2026
This Privacy Policy explains how CoachMoach collects, uses, and protects your personal data, in accordance with the EU General Data Protection Regulation (GDPR - Regulation 2016/679) and applicable national data protection law.
1. Data Controller
The data controller responsible for processing your personal data is Romana Korchmar, operating CoachMoach as an Einzelunternehmen. For full contact and legal entity details, see our Imprint.
Romana Korchmar
CoachMoach, Einzelunternehmen
Ländgasse 134, 84028 Landshut, Germany
Privacy contact:
Email: privacy@coachmoach.com
You may contact us at any time with questions about how we process your data or to exercise your rights under GDPR (see Section 8).
2. Data We Collect & Why
We collect the minimum data necessary to provide the Service. The table below gives an overview:
| Category | Data | Purpose | Legal Basis |
|---|---|---|---|
| Account | Email address, authentication provider ID, login method, session cookies | Identity, authentication, and account management | Contract (Art. 6(1)(b)) |
| Profile | Display name, username, bio (all optional) | Personalisation and community features | Consent (Art. 6(1)(a)) |
| Health & Fitness | Workout logs, exercise history, weights, reps, sets, personal records, schedules, streaks, XP, achievements | Core service - tracking progress and delivering coaching | Explicit consent (Art. 9(2)(a)) - special category data; contract (Art. 6(1)(b)) |
| Voice | Short microphone audio segments processed locally, resulting command transcripts, selected TTS text | Voice command recognition for hands-free workout control | Explicit consent (Art. 9(2)(a)) - optional feature |
| AI Coaching | Chat messages, workout context, exercise names, sets, reps, preferences, generated plans | Generate coaching responses, workout plans, summaries, and motivational messages | Contract (Art. 6(1)(b)); explicit consent for health-related context (Art. 9(2)(a)) |
| Music & Media | Music preferences, favourite Jamendo tracks, exercise names used for video search, YouTube video links | Provide workout music, remember music preferences, and show exercise demonstration videos | Contract (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) |
| Billing | Billing status, subscription IDs, checkout email, payment portal links, webhook events from the payment provider | Premium access, subscriptions, invoices, fraud prevention, and statutory accounting obligations | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Usage | Session duration, feature usage, in-app events | Service improvement, debugging, and analytics | Legitimate interest (Art. 6(1)(f)) |
| Technical | Browser type, device type, IP address, request metadata, rate-limit keys, error logs | Security, rate limiting, fraud prevention, uptime, and debugging | Legitimate interest (Art. 6(1)(f)) |
Health and fitness data (workout logs, personal records) is classified as special category data under GDPR Article 9 when it reveals health or fitness information. We process this data only with your explicit consent, given at account creation or when you use optional health-related features.
3. Voice & Microphone Data (Special Notice)
If you use voice coaching features, your microphone is accessed. Here is exactly what happens:
- Local detection only: Voice Activity Detection (VAD) runs in your browser using WebAssembly. No audio leaves your device at this stage.
- Local transcription: When speech is detected, a short audio clip is transcribed in your browser by an in-browser Whisper model. The model files may be downloaded from Hugging Face or served from our own app, but your audio is not sent to Hugging Face for transcription.
- No permanent audio storage: We do not store audio recordings. Only the text transcript is temporarily retained for the active session context.
- Voice output: Text selected for spoken coach cues may be sent to Inworld AI for text-to-speech generation. This is text only, not your microphone audio.
- Optional: You can use CoachMoach without microphone access using manual mode at any time.
You can revoke microphone permission at any time in your browser or device settings.
4. Third-Party Processors
We use the following third-party processors to deliver the Service. Each processor handles your data only according to our instructions and under appropriate legal safeguards:
| Purpose | Safeguards and notes |
|---|---|
| Database, authentication, session cookies, storage, and optional Google OAuth handling | Data processing agreement; EU Standard Contractual Clauses (SCCs) for non-EU transfers |
| AI coaching responses, AI workout builder, summaries, and motivational messages | Data processing agreement; EU Standard Contractual Clauses (SCCs) |
| Text-to-speech voice synthesis for coaching cues | Data processing agreement; EU Standard Contractual Clauses (SCCs) |
| Download of in-browser Whisper model files for local speech recognition | No microphone audio is sent for transcription; model download requests may include technical metadata such as IP address |
| Workout music streaming (Creative Commons licensed tracks) | EU-based provider; GDPR applies directly |
| Checkout, subscription management, customer portal, invoices, and billing webhooks | Data processing agreement; EU Standard Contractual Clauses (SCCs) |
| Redis-backed rate limiting and abuse prevention | Data processing agreement; EU Standard Contractual Clauses (SCCs) |
| Hosting, serverless runtime, deployment, CDN, and server logs | Data processing agreement; EU Standard Contractual Clauses (SCCs) |
| Optional Google sign-in, YouTube Data API video search, embedded YouTube exercise videos, and optional Google Calendar export | For OAuth/API use: processor or independent-controller terms as applicable; EU Standard Contractual Clauses for non-EU transfers |
Some services, especially embedded YouTube videos and Google sign-in, may also process data as independent controllers under their own privacy terms. Where personal data is transferred outside the EEA, we rely on adequacy decisions, EU Standard Contractual Clauses, or other safeguards required by GDPR Chapter V.
5. Data Retention
We retain your personal data for as long as your account is active, plus:
- Account data: deleted within 30 days of account deletion request
- Workout and session logs: deleted within 30 days of account deletion
- Voice audio: not stored; voice transcripts are deleted at the end of each session unless saved as part of chat/session context
- AI chat and generated workout context: retained while your account exists so the coaching features can work, unless you delete it earlier
- Billing and invoice data: retained for statutory tax and accounting periods, typically up to 10 years under German law
- Server access logs: retained for up to 90 days for security purposes
- Backup copies: may persist for up to 60 days after deletion for disaster recovery, then permanently purged
You can request earlier deletion at any time (see Section 8 — Your Rights).
7. AI Processing
Your workout data and conversation context are processed by OpenAI's models to generate coaching responses. This means:
- Exercise names, weights, reps, goals, preferences, and your coaching chat messages may be sent to OpenAI's API
- We do not send your name, email, or other directly identifying information to OpenAI
- OpenAI's API data processing is governed by their data processing agreement and SCCs with CoachMoach
- OpenAI states it does not use API data to train models by default (as of the date of this policy)
- Microphone audio is not sent to OpenAI for transcription in the current implementation; speech-to-text runs in your browser
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. To exercise any of them, contact privacy@coachmoach.com. We will respond within 30 days.
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your data ('right to be forgotten').
- Right to Portability (Art. 20): Receive your data in a machine-readable format to transfer elsewhere.
- Right to Object (Art. 21): Object to processing based on legitimate interest.
- Right to Restrict Processing (Art. 18): Ask us to pause processing of your data in certain circumstances.
- Right to Withdraw Consent: Withdraw any consent given at any time, without affecting prior processing.
- Right to Lodge a Complaint: Complain to your competent national or regional data protection authority.
Account deletion (which triggers data erasure) is available directly in the Settings page of the app.
9. Children's Privacy
CoachMoach is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verified parental consent (GDPR Article 8). If you believe a child has provided us with personal data without consent, please contact privacy@coachmoach.com and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance by email or in-app notice. The "Last updated" date at the top of this page will always reflect the most recent version.
For significant changes to how we process special category data (health and fitness data), we will ask for your renewed consent.
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. For CoachMoach's place of business in Bavaria, this is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Website: www.lda.bayern.de
EU residents may also file complaints with the data protection authority in their country of residence.