Privacy Policy
Last updated: April 16, 2026. Effective date: April 16, 2026.
1. Who we are
This privacy policy describes how Maddie Lifts Weights (“we,” “us,” or “our”), operated by {{BUSINESS_ENTITY}} with a principal place of business at {{BUSINESS_ADDRESS}}, collects, uses, shares, and protects information about you when you use our website and coaching services (the “Service”). If you have questions, email us at hello@maddiecoaching.com.
2. Information we collect
We collect the following categories of personal information:
- Identifiers: name, email address, phone number, date of birth, Instagram handle, country, and (for paying clients) billing address through Stripe.
- Account credentials: hashed password or OAuth identifier from Google if you sign in with Google.
- Health and fitness data: height, weight, measurements, training history, injuries, medical conditions, allergies, medications, menstrual cycle information if you choose to share it, workout logs, nutrition logs, habit logs, and subjective check-in answers (mood, sleep, energy). In some jurisdictions this is treated as a special category of personal data.
- Progress photos and images: front, side, and back photos you voluntarily upload during check-ins, plus your profile avatar.
- Communications: messages you send Maddie through the platform, voice notes, video responses, and application answers.
- Payment information: handled by Stripe. We receive only the last four digits of the card, the brand, expiration month/year, and the Stripe customer and subscription identifiers. We never see or store your full card number or CVC.
- Technical information: IP address, browser type, device type, operating system, pages viewed, referring URL, and timestamps. Collected through server logs and cookies.
- Cookies and similar technologies: see Section 9 for the full list.
3. How we use your information
We use the information above to:
- Deliver your coaching program, including personalized training, nutrition, and feedback.
- Operate your account, process payments, manage subscriptions, and respond to support requests.
- Send transactional emails (signup confirmation, check-in reminders, receipts, password resets, cancellation notices).
- Monitor progress and adjust your program over time.
- Generate AI-assisted draft responses for Maddie to review and send (see Section 5).
- Operate and improve the Service, including analytics, debugging, and fraud prevention.
- Comply with legal obligations and enforce our Terms of Service.
- Send occasional marketing emails, only if you opt in. You can unsubscribe at any time.
4. Legal basis for processing (EEA and UK users)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR:
- Contract: to deliver coaching you have purchased.
- Consent: for health and fitness data, progress photos, marketing emails, and non-essential cookies. You may withdraw consent at any time.
- Legitimate interest: to operate and secure the Service, prevent fraud, and analyze usage in aggregate.
- Legal obligation: to keep tax, accounting, and similar records required by law.
5. Artificial intelligence
Maddie may use an AI assistant (currently Anthropic Claude) to draft suggested replies to your check-ins and messages. Every AI-generated draft is reviewed and edited by Maddie before it is sent. When a draft is generated, a limited excerpt of your recent check-in and conversation data is sent to the AI provider under a data processing agreement. The AI provider does not use your data to train its models. You can opt out of AI-assisted drafting by emailing us at the address in Section 1.
6. Progress photos, body data, and other sensitive information
Progress photos and body measurements are treated with extra care. They are stored in a private, access-controlled bucket and only Maddie and you can see them. We will never share them, sell them, use them for marketing, display them publicly, or use them to train any AI model without your explicit written consent. You may request deletion of all photos at any time.
7. How we share information
We do not sell your personal information. We share data only with the service providers we need to operate the platform, each of whom is contractually bound to protect it:
- Supabase for authentication, database hosting, and file storage (United States)
- Stripe for payment processing (United States)
- Vercel for website hosting and edge delivery (United States)
- Google for analytics, authentication (Sign in with Google), and calendar integration
- Meta for the Meta Pixel, only if you consent to marketing cookies
- GoHighLevel for transactional and marketing email delivery
- Anthropic for AI-assisted response drafting (see Section 5)
- Instagram for the public feed displayed on our site
We may also disclose information if required by law, subpoena, or to protect the rights, property, or safety of our clients or others. If we ever sell, merge, or restructure the business, your information may be transferred as part of that transaction, subject to the continuing protections of this policy.
8. International data transfers
Our service providers are primarily located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. We rely on Standard Contractual Clauses and equivalent safeguards when required by law.
9. Cookies and similar technologies
We use three categories of cookies and similar technologies:
- Essential cookies are required for core functionality, such as keeping you signed in, remembering your onboarding progress, and protecting payment sessions. These cannot be turned off.
- Analytics cookies (Google Analytics) help us understand how the site is used. We enable IP anonymization where available.
- Marketing cookies (Meta Pixel) are used for ad measurement and retargeting on Instagram and Facebook.
Analytics and marketing cookies are off by default. You can accept, reject, or customize cookie categories through our cookie banner when you first visit, and change your choice at any time from the “Cookie preferences” link in the footer.
10. Your rights
Depending on where you live, you may have some or all of the following rights with respect to your personal information:
- Access a copy of the information we hold about you.
- Correct information that is inaccurate or incomplete.
- Delete your account and associated data.
- Export your data in a portable format.
- Object to, or restrict, certain processing.
- Withdraw consent at any time, without affecting prior lawful processing.
- Opt out of marketing communications.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email hello@maddiecoaching.com. We will respond within 30 days. We will not discriminate against you for exercising your rights.
11. California residents
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you additional rights:
- Know the categories of personal information we collect and disclose.
- Request deletion of personal information subject to certain exceptions.
- Correct inaccurate personal information.
- Limit the use of sensitive personal information.
- Opt out of the sale or sharing of personal information. We do not sell personal information.
- Designate an authorized agent to make a request on your behalf.
We have not sold personal information in the preceding 12 months and do not plan to. To exercise any California right, email us with “California request” in the subject line.
12. Children
The Service is intended for adults. We do not knowingly collect personal information from anyone under 18. If we learn we have collected personal information from a minor, we will delete it. Parents or guardians who believe their child has provided us with personal information should contact us immediately.
13. Security
We protect your data with TLS in transit, encryption at rest where our providers support it, role-based access control, strict access logging for administrator actions, and the principle of least privilege for staff access to client data. Payment card processing is handled exclusively by Stripe, which is PCI DSS Level 1 compliant. No system is perfectly secure. If we discover a breach that affects your personal information, we will notify you and any required authorities as soon as reasonably possible and in any event within any period required by applicable law.
14. Data retention
We keep your information only as long as we need to, based on the following schedule:
- Account and coaching data: for as long as your account is active and for up to 24 months after cancellation, then deleted or fully anonymized.
- Progress photos: deleted within 30 days of account deletion, or sooner on request.
- Payment and tax records: retained for the period required by law (typically 7 years in the United States).
- Server logs: 90 days, then aggregated or deleted.
- Marketing contacts: until you unsubscribe, then removed within 30 days.
15. Changes to this policy
We may update this privacy policy. If we make a material change, we will notify you by email or through the platform at least 14 days before it takes effect. The “last updated” date at the top of this page always reflects the current version.
16. Contact
For privacy questions, requests, or complaints, contact us at hello@maddiecoaching.com or by mail at {{BUSINESS_ADDRESS}}.