Privacy Policy

Effective July 5, 2026

TMPRD ("we", "us", "our") is an AI coaching platform operated from the Netherlands. This policy explains what personal data we collect, how we use it, how we protect it, and the rights you have over it. We collect only what we need to coach you and we do not sell your data.


1. Who We Are

TMPRD is an AI coaching platform with curated intake: every athlete account is set up through a personal invitation from the operator. If you are reading this policy as part of a third-party OAuth flow (e.g. WHOOP, Garmin), you are being asked to connect a wearable so the TMPRD coaching system can analyze your training data. The operator's identity and registration details are published in the colofon.

2. Data We Collect

We collect and process the following categories of personal data:
  • Account data: name, email address, and authentication credentials managed through our identity provider (Supabase Auth).
  • Access-request (waitlist) data: if you request access on the public site, we store the name, email address, and primary sport you submit — nothing else — for the purpose of reviewing and answering your request.
  • Profile and intake data: sport, goals, injury history, training availability, and any notes you submit during onboarding or check-ins.
  • Training data: planned and completed workouts, session notes, subjective ratings (RPE, mood, sleep quality), and weekly check-in responses.
  • Wearable data from WHOOP: when you connect your WHOOP account, we request read-only access to your recovery score, strain, sleep stages and duration, heart-rate variability (HRV), resting heart rate, respiratory rate, workout activities, and related cycle data. We only access the scopes you explicitly authorize in the WHOOP OAuth flow.
  • Wearable data from other providers: if you connect Garmin, Apple Health, or another supported device, we collect similar physiological and activity metrics (steps, sleep, HRV, heart rate, workouts, GPS activities).
  • Body composition data: DEXA scan results you upload (total and regional lean mass, fat mass, bone density) and the original PDF files.
  • Nutrition data: daily energy, macronutrient, and hydration data you log or import from connected nutrition tools.
  • Billing data:when subscriptions are active, our payment processor Stripe holds your payment details; we store only the references we need (customer and subscription identifiers, plan, billing status, invoice history). Your card number never touches TMPRD's systems.
  • Technical data: minimal server and application logs (request timestamps, error traces) used solely to operate and debug the platform.

3. How We Use Your Data

We use your data to:
  • Deliver the core coaching features of the platform (planning, session tracking, check-ins, archive, trends, DEXA analysis).
  • Generate personalized insights, progress reports, and training adjustments using AI models acting on your behalf.
  • Review and answer access requests, and send the resulting invitations.
  • Process subscription payments and manage billing through Stripe.
  • Prevent trial abuse: when a trial starts we store a one-way hash of the email address in a trial ledger, so a deleted account cannot restart a fresh trial. The hash cannot be reversed into your address.
  • Measure site and product usage with cookieless analytics (see our cookie notice).
  • Maintain, secure, and improve the platform.
  • Comply with legal obligations where applicable (e.g. tax record-keeping for invoices).
We do not use your data for advertising, profiling for marketing, or training public AI models. We do not sell your data to anyone.

4. Legal Basis for Processing

We process personal data on three legal bases:
  • Contract: the coaching service itself and its billing — your account, training and check-in data, subscription and payment processing.
  • Consent: each wearable connection, which you authorize explicitly through its OAuth flow and can revoke at any time by disconnecting the device or deleting your account.
  • Legitimate interest: keeping the platform secure, preventing trial abuse through the hashed trial ledger, and cookieless usage analytics that involve no tracking of you as an individual.
Withdrawing consent, objecting to a legitimate-interest processing, or deleting your account works as described under "Your Rights" below.

5. WHOOP-Specific Disclosures

When you connect your WHOOP account:
  • We receive an OAuth access token that is stored encrypted and bound to your TMPRD account only.
  • We fetch only the scopes you approved and only for the periods needed to keep your dashboard up to date.
  • We do not share your WHOOP data with any third party.
  • You can revoke TMPRD's access at any time from your WHOOP account settings or by disconnecting the device inside TMPRD. Revoking access stops future syncs immediately.
  • If you ask us to delete your account, all WHOOP-sourced data stored in TMPRD is deleted along with the rest of your data.

6. How We Share Data

We share personal data only with the service providers strictly required to run the platform:
  • Supabase — database, authentication, and file storage.
  • Railway — application hosting.
  • Anthropic — large-language-model inference used by the AI coaching components. Only the data needed for a given request is sent, and Anthropic does not use this data to train models.
  • Stripe — payment processing for subscriptions. Stripe acts as its own controller for the payment data it collects; see Stripe's privacy policy.
  • Resend — transactional email delivery (invitations, notifications).
  • PostHog (EU) — cookieless product and site analytics, hosted in the European Union.
  • Wearable providers (WHOOP, Garmin, etc.) — only as read sources of your own data, via their official APIs.
We do not share data with advertisers, data brokers, or other third parties.

7. Data Retention

We retain your data for as long as your account is active. Specifics:
  • Account deletion: when you request deletion or disconnect a wearable, we remove the relevant data from our production database and storage within a reasonable operational window. Backups are overwritten on their normal rotation schedule.
  • Access requests (waitlist): kept while your request is under review or an invitation is outstanding; deleted on request at any time via the contact address below.
  • Trial ledger: the one-way email hash used for trial-abuse prevention is retained after account deletion. It contains no readable personal data and cannot be linked back to you without the email address itself.
  • Billing records: invoices and related records are kept for as long as tax law requires.
  • Aggregated, fully anonymized metrics that cannot be linked back to you may be retained indefinitely.

8. Security

Data is transmitted over HTTPS and stored in managed infrastructure with access controls, row-level security policies, and encrypted at rest. OAuth tokens for wearable providers are stored encrypted and scoped per athlete. Only the operator has administrative access to the platform. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.


9. Your Rights

Depending on where you live, you may have the right to:
  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data ("right to be forgotten").
  • Export your data in a portable format.
  • Withdraw consent for any processing based on consent.
  • Object to or restrict certain kinds of processing.
  • Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at the email address below. Most of these actions can also be performed directly from the Settings page of your account.

10. Cookies

TMPRD sets only the functional cookies needed to keep you signed in, and our analytics run cookieless — which is why there is no cookie banner. The full explanation lives in the cookie notice.


11. International Transfers

TMPRD's infrastructure providers may process data in the United States and the European Union. By using the platform you acknowledge that your data may be transferred to and processed in these regions under the safeguards provided by those vendors.


12. Children

TMPRD is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has created an account, contact us and we will delete the data.


13. Changes to This Policy

We may update this policy as the platform evolves. Material changes will be communicated through the app or via email. The "Effective" date at the top of this page always reflects the latest version.


14. Contact

Questions, requests, or complaints about this policy or your data can be sent to privacy@tmprd.app.