PRIVACY POLICY

Effective date: March 14, 2026

The short version: Palaistra processes your camera feed entirely on your device. We do not store your video. We collect only the minimum data needed to coach you and improve the app. We never sell your data to anyone.

1. Who We Are

Palaistra ("we," "us," "our") is an AI-powered athletic coaching application. This Privacy Policy explains how we collect, use, share, and protect your information when you use the Palaistra mobile application, website, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

Email address — used for authentication (magic link sign-in) and account recovery
Display name — optional, used for personalization within the app
Age — optional, used to tailor coaching recommendations
Sport preference — which sport(s) you use Palaistra for (tennis, pickleball, golf, weightlifting)
Skill level — your self-reported skill level (e.g., NTRP rating for tennis)
Improvement goals — what you want to work on (e.g., forehand consistency, serve power)
Coach personality preference — your preferred AI coaching style (Alex, Jordan, or Sam)

2.2 Session and Performance Data

When you use the Service for coaching sessions, we collect:

Movement/stroke counts, types, and quality scores per session
Biomechanical metrics (joint angles, rotation, weight transfer, etc.) derived from pose estimation
Session duration, start/end times, and coaching observations
Improvement tracking data across sessions (progress trends, coaching plans)
Coaching effectiveness data (which coaching cues helped you improve)
Drill completions and drill performance metrics
Rally and point data during tennis/pickleball sessions
Curriculum progress (training plan advancement)

2.3 Subscription and Payment Data

Subscription tier and status — stored in your profile (e.g., Free, Starter, Pro, Elite)
Trial dates — when your free trial started and whether it has been used
Stripe customer ID or Apple transaction ID — a reference linking your account to your payment provider. We do not store credit card numbers, bank account details, or other payment credentials

2.4 Device and Usage Data

Anonymized analytics events (e.g., features used, session started/ended, onboarding steps completed)
Device type and browser information
Crash reports and error logs (no personally identifiable information included)

3. Information We Do NOT Collect

Your camera feed stays on your device. All pose estimation (via MediaPipe) runs locally in your browser or on your phone. We do not record, upload, or store any video or images from your camera on our servers.

No video storage: We do not store video recordings of your sessions. Temporary individual frames may be sent to Google's Gemini API for real-time visual analysis during a session, but these frames are not retained by us or by Google after processing
No biometric identifiers: While pose estimation analyzes body positions, we do not create or store biometric identifiers (e.g., facial recognition templates, fingerprints)
No location data: We do not collect GPS coordinates, location history, or any geolocation data
No contacts or social data: We do not access your contacts, social media accounts, or phone data
No advertising profiles: We do not build advertising profiles or sell data to advertisers
No data selling: We never sell your personal information to third parties

4. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Data Used
Personalized coaching — real-time feedback, improvement tracking, coaching plans	Session data, skill level, goals, coaching preferences
AI-powered analysis — generating coaching observations and visual form analysis	Session context (text-based) sent to OpenAI; temporary frames sent to Google Gemini
Account management — authenticating you, syncing data across devices	Email address, profile data
Subscription management — processing payments, managing tier access	Subscription status, Stripe/Apple customer IDs
Product improvement — understanding how features are used and fixing bugs	Anonymized usage analytics, crash reports
Communication — sending account-related emails (magic links, critical updates)	Email address

We do not use your data for advertising, profiling for third parties, or any purpose not listed above.

5. Third-Party Services

We rely on the following third-party services to operate Palaistra. Each service only receives the minimum data necessary to perform its function:

5.1 Supabase (Authentication and Database)

Your account data, session history, and coaching records are stored in a Supabase-hosted PostgreSQL database. Supabase provides row-level security (RLS), meaning each user can only access their own data. Supabase infrastructure is hosted in the United States.

Supabase Privacy Policy: supabase.com/privacy

5.2 Google Gemini (Visual Form Analysis)

During active coaching sessions, individual video frames may be sent to Google's Gemini API for visual analysis of your athletic form (e.g., racket face angle, grip, contact point, body positioning). These frames are processed in real-time and are not stored by Palaistra or by Google after the analysis is complete. No frames are sent when you are not actively in a coaching session. On the free tier, Gemini usage is limited to 10 quality-scoring calls per day.

Google AI Privacy: ai.google.dev/terms

5.3 OpenAI (Voice and Text Coaching)

Palaistra uses OpenAI's GPT-4o Realtime API for voice coaching conversations. Text-based session context (your stroke data, coaching plan, improvement history) is sent to OpenAI to generate coaching feedback. No video or images are sent to OpenAI. Voice audio from coaching conversations is processed by OpenAI's real-time API and is subject to OpenAI's data usage policies.

OpenAI Privacy Policy: openai.com/privacy

5.4 Stripe (Web Payment Processing)

If you subscribe via the web, payment is processed by Stripe. We do not store your credit card number or payment credentials. Stripe receives your email address and payment details directly. We store only a Stripe customer ID to link your payment status to your account.

Stripe Privacy Policy: stripe.com/privacy

5.5 Apple (iOS In-App Purchases)

If you subscribe via the iOS app, payment is processed by Apple through In-App Purchases. Apple handles all payment credentials. We store only an Apple transaction ID to verify your subscription status.

Apple Privacy Policy: apple.com/legal/privacy

5.6 MediaPipe (On-Device Pose Estimation)

MediaPipe runs entirely on your device (in your browser or on your phone). It analyzes your camera feed locally to detect body positions. No data from MediaPipe leaves your device — only the resulting pose coordinates (numerical joint positions) are used by the app.

6. Data Retention

We retain your data as follows:

Account data — retained until you delete your account
Session and performance data — retained as long as your account is active, so you can track long-term improvement across sessions
Coaching memory — retained as long as your account is active (up to the last 200 coaching effectiveness entries per user)
Anonymized telemetry — automatically purged after 90 days
Usage rate-limiting data — automatically purged after 30 days
Gemini video frames — not stored at all; processed in real-time and immediately discarded
Local storage data — stored on your device only, under your control; cleared when you sign out or clear browser data

7. Your Rights

You have the following rights regarding your personal data:

7.1 Access

All your session history, performance data, and coaching observations are visible within the app. You can view your complete data at any time through the Home, Profile, and session history screens.

7.2 Deletion

You can delete your account and all associated data at any time through the Settings screen in the app. Account deletion is permanent and removes:

Your profile and account information
All session history and stroke records
Coaching memory and improvement tracking data
Curriculum and drill history
Coaching effectiveness records
Any active Stripe subscriptions (automatically cancelled)

You can also request account deletion by emailing privacy@palaistra.ai. We will process deletion requests within 30 days.

7.3 Data Export

Session summaries, performance scores, and coaching observations are available within the app. You can request a full export of your data by emailing privacy@palaistra.ai. We will provide your data in a machine-readable format (JSON) within 30 days.

7.4 Correction

You can update your profile information (display name, skill level, goals, coach preference) at any time through the app's Settings screen.

7.5 Opt Out of Analytics

Anonymized telemetry can be disabled through your device settings. The coaching service will continue to function without analytics.

7.6 Regional Privacy Rights

If you are a resident of the European Economic Area (EEA), United Kingdom, or California, you have additional rights under the GDPR, UK GDPR, or CCPA respectively, including:

Right to know what personal information we collect and how we use it
Right to delete your personal information
Right to opt out of the sale of personal information (we do not sell personal information)
Right to non-discrimination for exercising your privacy rights
Right to data portability — receive your data in a structured, machine-readable format
Right to object to certain types of processing

To exercise any of these rights, contact us at privacy@palaistra.ai. We will respond within 30 days (45 days for complex requests, with notice).

8. Children's Privacy

Palaistra is not intended for children under 13.

We do not knowingly collect personal information from children under the age of 13, in compliance with the Children's Online Privacy Protection Act (COPPA). If you are under 13, do not use the Service or provide any personal information.

If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact us at privacy@palaistra.ai. We will promptly delete the child's account and all associated data.

Users between the ages of 13 and 18 should use the Service with parental or guardian consent.

9. Data Security

We take the security of your data seriously and implement the following measures:

Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS
Row-level security: Our database uses Supabase row-level security policies, ensuring each user can only access their own data
Server-side secrets: All API keys (OpenAI, Gemini, Stripe) are stored as server-side Edge Function secrets and are never exposed to the client application
Subscription protection: Database-level constraints prevent client-side manipulation of subscription tiers — paid tiers can only be set by our secure payment webhooks
CORS restrictions: All Edge Functions enforce origin restrictions (no wildcard CORS)
Rate limiting: API usage is rate-limited per user per day to prevent abuse

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously review and improve our security practices.

10. Cookies and Local Storage

Palaistra uses browser localStorage (not traditional cookies) to store:

Your authentication session token
Your sport and coaching preferences for faster loading
Improvement tracking data (as a local backup)
Onboarding progress

This data is stored only on your device and is not transmitted to third parties. You can clear this data at any time through your browser settings or by signing out of the app.

11. International Data Transfers

Palaistra's infrastructure is hosted in the United States via Supabase. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We ensure that third-party services we use provide adequate data protection measures.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:

We will update the "Effective date" at the top of this page
We will notify you via the app or email for significant changes
Continued use of the Service after changes are posted constitutes acceptance of the updated policy

We encourage you to review this policy periodically.

13. Contact Us

If you have questions, concerns, or requests regarding your privacy or this policy, contact us at:

Email: privacy@palaistra.ai

We aim to respond to all privacy inquiries within 30 days.