Privacy Policy
Last updated: March 24, 2026
1. Controller
MI Systems — Marko Ivic
Email: marko.ivic@mi-systems.at
2. What Data We Collect
- Account data: Name, email address, and password (hashed) when you sign up.
- Coaching data: Training plans, daily tracker entries, check-in submissions, and related fitness data you enter into the platform.
- Google Drive access (optional): If you connect your Google Drive, we store an encrypted OAuth refresh token to upload coaching videos on your behalf. We use the drive.file scope, which means we can only access files created by this application — we never access any other files in your Google Drive.
- Usage data: Basic server logs (IP address, browser type, timestamps) for security and debugging purposes.
3. How We Use Your Data
- To provide and operate the coaching platform.
- To upload screen recordings to your Google Drive when you use the recording feature.
- To generate AI-powered coaching insights (data is processed but not stored by the AI provider).
- To send you notifications related to your coaching activity (e.g., check-in reminders).
4. Google Drive Integration
When you connect your Google Drive account, we request the drive.file scope. This is the most restrictive scope available and only allows us to:
- Create new files (coaching video uploads) in your Drive.
- Read and manage files that were created by this application.
We cannot see, read, modify, or delete any other files in your Google Drive. Your OAuth refresh token is stored AES-256 encrypted in our database and is never exposed to the browser.
5. Data Storage & Security
- Your data is stored in a Supabase database with Row-Level Security (RLS) policies ensuring strict data isolation between coaches and clients.
- Passwords are hashed using bcrypt. OAuth tokens are encrypted with AES-256.
- All connections use HTTPS/TLS encryption in transit.
- Coaching videos are stored in your own Google Drive — we do not store video files on our servers.
6. Data Sharing
We do not sell your data. We share data only with:
- Supabase (database hosting and authentication)
- Vercel (application hosting)
- Google (only when you connect Google Drive — video uploads)
- Anthropic (AI-powered coaching insights — no personal data is stored by Anthropic)
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access: Request a copy of all data we hold about you.
- Rectification: Correct inaccurate personal data.
- Erasure: Request deletion of your account and all associated data.
- Portability: Receive your data in a structured, machine-readable format.
- Withdraw consent: Disconnect Google Drive at any time in your settings — we will delete the stored token immediately.
- Complaint: File a complaint with your local data protection authority.
To exercise any of these rights, contact us at marko.ivic@mi-systems.at.
8. Revoking Google Drive Access
You can disconnect Google Drive at any time from your account settings. This will delete the stored OAuth token from our database. You can also revoke access from your Google Account permissions page. Previously uploaded videos remain in your Google Drive — we do not delete them.
9. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email or in-app notification.
10. Contact
MI Systems — Marko Ivic
Email: marko.ivic@mi-systems.at