Hybrid Athlete Pro — Privacy Policy

Last updated: June 2026


1. Who we are (Data Controller)

The data controller for the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Irish Data Protection Act 2018 is:

Can Ayan (sole trader) Ireland Email: info@kalibrefin.com

We are referred to in this policy as "we", "us", or "the controller".

This policy covers the iOS application "Hybrid Athlete Pro" and the optional AI Coach proxy service (together, the "Service"). By using the Service you acknowledge the practices described below.

Looking for the legal framework around use of the Service (medical disclaimer, liability cap, subscriptions, governing law)? That's in our separate Terms of Service.


2. What data we process

We process only what's needed to make the Service work for you. We use one privacy-respecting analytics provider (Google Firebase Analytics) to understand anonymous, aggregate product usage — see §2.5. There are no advertising or attribution SDKs, and we never sell your data.

2.1 Stored on your device

This data lives in iOS UserDefaults / SwiftData / the app sandbox. It is never uploaded to our servers as a whole. iOS handles backup and restore through your iCloud account if you have it enabled — we do not operate that path and have no access to your iCloud backup.

2.2 Apple Sign-In

When you sign in with Apple, we receive:

The user identifier is hashed before any network call and is the only identifier we ever transmit. We never store your real email; if you use Apple's relay address, we never see your real email at all.

2.3 AI Coach (enabled in v1.0.2)

Starting in v1.0.2 the optional AI Coach path is live. When your device supports Apple Intelligence (iPhone 15 Pro+ on iOS 26+) Coach Notes are generated entirely on-device by Apple Intelligence — no network calls take place. On every other device the app sends a small JSON payload to a Cloudflare Worker we operate, which forwards it to Groq, Inc. (api.groq.com) running Meta's Llama 3.3 70B model.

The payload sent to the Worker contains:

Before the payload leaves our Worker we strip your display name to a single initial (e.g. "C."). The athlete's plan content is the only data the model actually receives.

The payload contains no persistent personal identifiers, no email, no real name, no location, no health metrics beyond what you have explicitly logged in the Service. Groq processes the payload to generate the response and, per Groq's free-tier policy effective at the time of this update, does not retain or use the data for model training. We log only error codes and rate-limit counters; we never log prompt content.

Topic guard. The AI Coach is configured to discuss only training, exercise, recovery, sport-relevant nutrition, sport performance, injury-prevention concepts, and your own plan. Off-topic questions (politics, finance, medical diagnosis, general chat, etc.) are refused with a fixed bilingual message and do not result in any model output.

Disabling the AI Coach. You can disable the remote AI Coach at any time from Profile → AI Coach Settings → "Use AI enrichment". With it off, Coach Notes are generated by the deterministic on-device renderer and no network calls leave your device.

2.4 What we do NOT collect

2.5 Anonymous product analytics

To understand how the app is used — and, honestly, where people get stuck so we can fix it — we use Google Firebase Analytics. This is limited to anonymous, aggregate product-usage measurement:

2.6 AI Form Check (video)

AI Form Check is an optional Pro feature. When you choose to record a short clip of yourself performing an exercise — or upload one you already filmed from your photo library — and request feedback:


3. Legal basis for processing (GDPR Article 6)

Each category of processing has an identified lawful basis:

| Processing | Lawful basis (GDPR Art 6) | |---|---| | Storing onboarding answers, plan, history on your device | Contract (Art 6(1)(b)) — necessary to provide the Service you signed up for. | | Apple Sign-In identifier (hashed) for account identity | Contract (Art 6(1)(b)) — without it, your data cannot be associated with your account. | | Apple Sign-In email/name (if you share them) | Contract (Art 6(1)(b)). | | Storing chat messages locally between matched athletes | Contract (Art 6(1)(b)) — necessary to provide the social pairing feature you opted into. | | Storing your homeCity (city-level only) for social proximity filtering | Contract (Art 6(1)(b)) — required for the matchmaking feature. | | Sending anonymised training digest to the AI Coach proxy (when your device cannot run Apple Intelligence) | Contract (Art 6(1)(b)) — necessary to deliver the AI Coach feature on devices without an on-device model. | | Security, rate-limit, abuse-prevention logs at the proxy | Legitimate interest (Art 6(1)(f)) — protecting the Service from abuse without identifying individual users. |

We do not rely on consent (Art 6(1)(a)) for any of the above because none of the processing is optional in a way that would make consent meaningful — you control whether to trigger AI Coach in the first place, which is the closest analogue to opt-in.

3.1 Special category data (GDPR Article 9)

Training history, body assessments, and recovery feedback can reasonably be considered health-adjacent data under GDPR Article 9. We process it on the following Article 9 lawful bases:

| Processing | Article 9 lawful basis | |---|---| | Storing training history, assessment scores, recovery feedback on your device | Explicit consent (Art 9(2)(a)) — by signing in and confirming eligibility at first launch you explicitly consent to processing of health-adjacent training data necessary to provide the Service. You may withdraw consent at any time by deleting your account in Profile → Delete account, which removes all such data immediately. | | Sending anonymised training summary to AI Coach (if you trigger it) | Explicit consent (Art 9(2)(a)) — each AI Coach interaction is a discrete, user-initiated action that constitutes fresh explicit consent for that payload. |

We do not process Article 9 data for any purpose other than delivering the Service to you. We do not share it with third parties (apart from the AI Coach proxy when you explicitly trigger it), sell it, or use it for any kind of profiling, scoring, or decision-making with legal or similarly significant effects.


4. How we use it

We do not use your data for advertising, profiling for marketing, automated decision-making with legal effects, or any purpose beyond delivering the Service.


5. Who we share it with (Recipients)

We do not sell or rent your data to anyone, ever. We do not share data with advertisers, data brokers, or analytics providers.


6. International transfers (GDPR Chapter V)

Groq, Apple, and Cloudflare are headquartered in the United States. Personal data transferred to them therefore leaves the European Economic Area (EEA).

We rely on the following GDPR-compliant transfer mechanisms:

You can request a copy of the relevant transfer documentation by emailing info@kalibrefin.com.


7. How long we keep it (Retention)

| Data | Retention | |---|---| | On-device data (onboarding, history, profile, cache) | Stored on your device for as long as you keep the app installed. Wiped immediately if you delete your account or uninstall. | | Apple Sign-In credential (Keychain) | Held in your iOS Keychain until you delete the account or revoke Apple Sign-In access. | | AI Coach payload at our Cloudflare Worker | Not persisted. Processed in-memory, anonymised, forwarded to Groq, response returned, request discarded. | | AI Coach payload at Groq | Processed under Groq's free-tier policy in force at the time of this update — not retained for model training. | | Rate-limit counters at the proxy | Rolling 24-hour / 30-day window; aggregate counts only (no payload content). |

If you delete your account via Profile → Manage data → Delete account, every layer of our local state is wiped immediately and irreversibly.


8. Your rights under GDPR (Articles 12–22)

You have the following rights with respect to your personal data. To exercise any of them, email info@kalibrefin.com with a brief description. We respond within one month (extendable by two months for complex requests, per GDPR Art 12(3)) and do not charge a fee for reasonable requests.

| Right | What it means here | |---|---| | Access (Art 15) | Receive confirmation of what we hold and a copy. Most of what we hold lives on your device — the in-app Profile → Manage data screen is the fastest export route. | | Rectification (Art 16) | Correct inaccurate or incomplete data. Onboarding and profile fields are user-editable in the app at any time. | | Erasure / "right to be forgotten" (Art 17) | Wipe your data. Tap Profile → Manage data → Delete account for immediate, irreversible deletion of all local state, the Keychain credential, and the migration flag. Email us to confirm if needed. | | Restriction of processing (Art 18) | Ask us to stop processing while a dispute is resolved. In practice the easiest path is to stop using the AI Coach feature (the only off-device processing). | | Data portability (Art 20) | Receive your data in a machine-readable format. The on-device store is JSON; we can produce a copy on request. | | Object (Art 21) | Object to processing based on legitimate interest. Applies to our security/abuse-prevention logs on the proxy. | | Withdraw consent (Art 7(3)) | We do not rely on consent (see §3) so there is nothing to withdraw. You can always stop using the Service and delete the account. | | Automated decision-making (Art 22) | We do not perform automated decision-making with legal or similarly significant effects. |

Sign-In revocation

You can revoke Sign in with Apple at any time via iOS Settings → Apple ID → Password & Security → Apps Using Apple ID. The Service catches the revocation on next launch and wipes local state automatically.

Right to lodge a complaint (GDPR Art 77)

If you believe our processing infringes GDPR, you have the right to lodge a complaint with a supervisory authority — in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

The Irish supervisory authority (lead authority for this Service) is:

Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: <https://www.dataprotection.ie>
Online complaint form: <https://www.dataprotection.ie/en/contact/how-make-complaint>

We would appreciate the chance to address your concern first — email info@kalibrefin.com — but you are not required to contact us before contacting the DPC.


9. Security

We apply commercially reasonable safeguards:

No system is perfectly secure. We will notify affected users without undue delay if we become aware of a personal data breach likely to result in a risk to your rights and freedoms, per GDPR Art 33–34.


10. Children

The Service is not directed at children. Under the Irish Data Protection Act 2018 (§31), the digital age of consent in Ireland is 16. We do not knowingly process data from anyone under 16. If you believe a child under 16 has used the Service, contact us at info@kalibrefin.com and we will delete any associated data immediately.

Our Terms of Service additionally require all users to be at least 18 years old (see Terms §3).


11. Changes to this policy

We will update the "Last updated" date at the top of this page and post the new version at the same URL. Material changes (new categories of data, new recipients, new purposes) will trigger an in-app notice the next time you open the Service.


12. Contact

Questions, deletion requests, data subject rights, or anything else:

Can Ayan (Data Controller) Email: info@kalibrefin.com

For complaints to the Irish supervisory authority, see §8 above.