Privacy Policy
Last updated: February 3, 2026
1. Introduction & Scope
Welcome to Athli ("we," "us," or "our"). Athli is a fitness coaching platform that connects coaches with their clients, enabling personalized training programs, progress tracking, and communication.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including:
- The Athli web application (for coaches)
- The Athli mobile application (for clients)
- The Athli website and landing pages
By using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our services.
2. Information We Collect
We collect different types of information depending on how you use our services and whether you are a coach or client.
Account & Authentication Information
| Data Type | Description |
|---|---|
| Email address | Used for account identification and communication |
| Full name | First and last name for profile display |
| Password | Securely hashed, never stored in plain text |
| Profile picture | Optional profile image or generated avatar |
| Sign-in method | Email/password, Google, Apple, or Microsoft |
Demographic Information
| Data Type | Description |
|---|---|
| Date of birth | Used for age verification and fitness planning |
| Gender | Optional, used for personalized recommendations |
| Height | Used for fitness calculations and progress tracking |
| Phone number | Optional, for coach-client communication |
| Country | For localization and unit preferences |
| Unit preferences | Metric or imperial measurement system |
Health & Fitness Data (Sensitive)
Important: Health and fitness data is considered sensitive personal information. We obtain your explicit consent before collecting this data and process it only with your permission.
| Data Type | Description |
|---|---|
| Body metrics | Weight, body fat percentage, muscle mass, and other measurements |
| Fitness goals | Your training objectives and targets |
| Habits tracking | Sleep, water intake, steps, and other daily habits |
| Injuries & limitations | Current or past injuries affecting training |
| Workout history | Exercise logs, sets, reps, weights, and performance data |
| Progress photos | Images uploaded to track physical progress |
| Check-in responses | Answers to periodic questionnaires about progress and wellbeing |
Communication Data
| Data Type | Description |
|---|---|
| Messages | Text communications between coaches and clients |
| Attachments | Files shared in conversations |
| Read receipts | Message delivery and read status |
Coach Business Information
| Data Type | Description |
|---|---|
| Company name | Business or brand name |
| Website URL | Coach's professional website |
| LinkedIn profile | Professional networking profile |
| Company logo | Brand imagery for customization |
| Specialties | Areas of coaching expertise |
Technical Information
| Data Type | Description |
|---|---|
| Device information | Device type, operating system, browser type |
| IP address | For security and fraud prevention |
| Timestamps | Login times, activity logs |
| Crash reports | Error logs to improve app stability |
3. How We Collect Information
Direct Input
Most information is provided directly by you when you:
- Create an account and complete your profile
- Log workouts and track progress
- Upload photos and files
- Send messages to your coach or clients
- Complete check-in questionnaires
- Update your settings and preferences
Automatic Collection
We automatically collect certain technical information when you use our services:
- Device and browser information
- IP address and general location
- Usage patterns and feature interactions
- Performance and error data
Third-Party Services
If you choose to sign in using a third-party provider, we receive limited information from that provider:
- Google: Email address, name, and profile picture
- Apple: Email address (or private relay email) and name
- Microsoft: Email address, name, and profile picture
We do not receive your password from these providers, and they do not have access to your Athli data.
4. How We Use Information
Core Services
- Create and manage your account
- Connect coaches with clients
- Deliver workout programs and track progress
- Enable messaging and file sharing
- Process check-ins and feedback
Personalization
- Customize your experience based on preferences
- Display relevant exercises and recommendations
- Remember your settings across sessions
Communication
- Send important account notifications
- Deliver push notifications for workouts and messages
- Respond to support requests
Security & Improvement
- Protect against fraud and unauthorized access
- Monitor for suspicious activity
- Fix bugs and improve app performance
- Analyze usage to develop new features
5. Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your data based on the following legal grounds:
| Legal Basis | Examples |
|---|---|
| Contractual Necessity | Creating your account, delivering the coaching service, processing workouts |
| Legitimate Interests | Improving our services, preventing fraud, ensuring security |
| Consent | Marketing communications, optional analytics |
| Legal Obligation | Complying with legal requirements, responding to lawful requests |
| Explicit Consent (Health Data) | Processing body metrics, fitness data, progress photos, health-related information |
6. Data Sharing
Coach-Client Access
The core function of Athli involves sharing data between coaches and their clients:
- Coaches can access: Client profile information, workout logs, progress data, check-in responses, messages, and progress photos
- Clients can access: Coach profile and business information, assigned workouts, and messages
This sharing is necessary to provide the coaching service and is covered by your agreement when establishing a coach-client relationship.
Third-Party Service Providers
We work with trusted third parties who process data on our behalf:
| Provider | Purpose |
|---|---|
| Supabase | Database hosting, authentication, file storage |
| Google | OAuth authentication (optional) |
| Apple | OAuth authentication (optional) |
| Microsoft | OAuth authentication (optional) |
| Intercom | Customer support and help desk |
| PostHog | Product analytics (when enabled) |
We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Your data is used solely to provide and improve our services.
Legal Disclosures
We may disclose your information when required by law, such as:
- Responding to valid legal requests or court orders
- Protecting our rights, property, or safety
- Preventing fraud or illegal activities
- Complying with regulatory requirements
7. Data Storage & Security
Infrastructure
Your data is stored on Supabase infrastructure, which runs on Amazon Web Services (AWS). Supabase provides enterprise-grade security including:
- Encryption at rest and in transit (TLS 1.2+)
- Regular security audits and compliance certifications
- Automated backups and disaster recovery
- Row-level security policies
File Storage
Files and images are stored in secure storage buckets:
- Profile pictures
- Coach company logos and files
- Client progress photos
- Message attachments
- Exercise demonstration videos
Access Controls
We implement strict access controls:
- Row-level security ensures users can only access their own data
- Coach-client relationships are explicitly established before data sharing
- Administrative access is limited and logged
- Two-factor authentication is available for additional security
8. Data Retention
| Scenario | Retention Period |
|---|---|
| Active accounts | Data retained while account is active |
| Inactive accounts | 24 months before potential deletion notice |
| Post-deletion | 30-90 days in backups before permanent deletion |
| Legal requirements | As required by applicable law |
When you delete your account, we will delete your personal data within 30 days. Some data may persist in encrypted backups for up to 90 days before being permanently removed. We may retain anonymized, aggregated data for analytical purposes.
9. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: File a complaint with your local data protection authority
To exercise these rights, please contact us using the information in the Contact section below. We will respond to your request within 30 days.
10. Your Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request information about what personal data we collect, use, and disclose
- Right to Delete: Request deletion of your personal data
- Right to Correct: Request correction of inaccurate personal data
- Right to Opt-Out of Sale: We do not sell your personal information
- Right to Limit Use of Sensitive Personal Information: Request limitations on how we use sensitive data
- Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights
To exercise these rights, please contact us using the information in the Contact section below. We will verify your identity before processing your request.
11. International Transfers
Your data may be transferred to and processed in countries other than your own. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved contractual terms with service providers
- Adequacy Decisions: We transfer to countries recognized as providing adequate data protection
- Data Processing Agreements: All service providers are bound by strict data protection obligations
Our primary data infrastructure is hosted by Supabase, with data centers located in regions that comply with applicable data protection regulations.
12. Children's Privacy
Athli is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16 years of age.
For users between 16 and 18 years of age, we recommend parental or guardian consent before using our services, particularly for the collection of health and fitness data.
If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have inadvertently collected such information, please contact us immediately.
14. Third-Party Links
Our services may contain links to third-party websites and integrations:
- MuscleWiki: External links to exercise information and demonstrations
- Intercom: Help documentation and customer support chat
- External websites: Links provided by coaches or in content
These third-party services have their own privacy policies and practices. We are not responsible for the privacy practices of external websites and encourage you to review their policies before providing any personal information.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify you via email or in-app notification for significant changes
- We may provide additional notice for changes affecting sensitive data
We encourage you to review this Privacy Policy periodically. Your continued use of our services after changes become effective constitutes your acceptance of the updated policy.
16. Contact Information
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
Privacy Inquiries
Email: privacy@athli.io
General Support
Email: support@athli.io
We aim to respond to all privacy-related inquiries within 30 days. For complex requests, we may need additional time and will keep you informed of our progress.