Last updated: April 2026
Coara is a tool personal trainers use to run their business — manage clients, programs, scheduling, payments, and progress. Your trust matters to us. This policy explains what we collect, how we use it, who can see it, and what control you have.
Coara ("we", "our", "us") is operated as a private platform serving personal trainers and their clients. Contact: privacy@coara.app.
Account data. Your name, email, profile photo, password (hashed), and Google account ID if you sign in with Google.
Coaching data. Programs, exercises, sets/reps/weights, workout logs, meal plans, nutrition logs, step counts, body weight, scheduled sessions, notes, health score history.
Payment data. Invoices and transaction metadata. Card and bank details are handled directly by Stripe — Coara never sees or stores them.
Health data (future). When connected, Apple Health step data flows through your device with your explicit permission. We only ingest the metrics you authorize and we never sell or share Apple Health data with third parties for advertising.
Device & usage. Standard server logs (IP, user agent, timestamps) for security and performance. Cookies for keeping you signed in.
We use your data to run the product (show you your dashboard, sync schedules, generate AI programs, charge invoices), to detect abuse and secure accounts, to fix bugs and improve the experience, and to communicate important account or billing notices.
We do not sell your data. We do not share Apple Health data for advertising. We do not run third-party ad trackers.
Trainers see only their own clients' coaching data — never another trainer's.
Clients see their own data plus the programs and workouts their trainer has shared with them.
Coara staff may access account data only when needed to provide support, debug an issue, or comply with the law. All such access is logged.
Stripe — payments processing, KYC for trainers using Connect, subscription billing. Subject to Stripe's privacy policy.
Google — optional sign-in (we receive your name, email, profile picture, and Google ID).
Anthropic / OpenAI / Google Gemini — AI program & meal plan generation. Prompts are sent without your client's identifying information; we share only the goal/level/inputs you provide on the AI screen.
Resend — transactional email delivery.
MongoDB Atlas — encrypted database hosting.
Data is encrypted in transit (HTTPS) and at rest. Passwords are hashed with bcrypt. Authentication uses signed JWTs. Stripe handles all PCI-relevant card data. Backups are encrypted. Access to production data is limited to a small set of authorized engineers and audited.
We keep your data while your account is active. If you cancel or delete a client, we retain core data for 30 days to allow recovery, then permanently delete it. Invoice records may be retained longer for tax / accounting compliance.
You can view, edit, export, or delete most of your data directly inside the app. To request deletion of all data, change something we don't expose, or get a portable export, email privacy@coara.app — we'll respond within 30 days.
If you're in the EU/UK, you have additional rights under GDPR (access, rectification, erasure, portability, objection). California residents have rights under CCPA. Contact us to exercise any of them.
Coara is not intended for use by anyone under 16. We don't knowingly collect data from children.
If we make material changes we'll notify you in-app and by email before they take effect. The "Last updated" date at the top tracks every revision.
Questions, concerns, or requests: privacy@coara.app.