Privacy Policy

Last updated: April 9, 2026

1. Introduction / Data Controller

This Privacy Policy applies to Moku Coach, an AI-powered endurance coaching platform operated by Moku Labs LLC, a Florida limited liability company (“Company,” “we,” “our,” or “us”).

We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services, including our web application, mobile applications, and AI coaching features.

By accessing or using Moku Coach, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of our services immediately.

2. Information We Collect

2.1 Account Data

When you create an account, we collect:

  • Full name
  • Email address
  • Authentication credentials (passwords are hashed; OAuth tokens are encrypted)
  • Profile preferences (e.g., experience level, race goals, training availability)

2.2 Training and Fitness Data

When you use our coaching features, we collect:

  • Workout plans and training schedules generated by our AI coach
  • Performance metrics you enter manually (race times, perceived effort, etc.)
  • Goal and race event information
  • Training preferences and constraints

2.3 Strava Integration Data

If you connect your Strava account, we access:

  • Activity data (runs, rides, swims, and other workouts)
  • Heart rate data
  • Pace and speed data
  • Distance and elevation data
  • Activity timestamps and durations
  • Activity type classifications

We access this data through the Strava API in accordance with Strava’s API Agreement. See Section 5 (Strava Data Disclosure) for details.

2.4 AI Coaching Conversation History

When you interact with our AI coach, we collect:

  • Messages you send to the AI coaching assistant
  • AI-generated responses and recommendations
  • Context from your training data used to personalize coaching responses
  • Timestamps of coaching interactions

2.5 Device and Usage Data

We automatically collect:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used
  • Session duration and navigation patterns
  • Referring website addresses
  • Crash reports and error logs

2.6 Payment Data

Payments are processed by Paddle.net as our Merchant of Record. We do not store your full payment card details. Paddle collects:

  • Credit/debit card details (processed and stored by Paddle, not by us)
  • Billing name and address
  • Email address (for receipts and invoicing)
  • Transaction history

Paddle also handles sales tax, VAT, and other transaction-related taxes. See Paddle’s Privacy Policy for details on how Paddle handles your payment data.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, maintain, and improve our AI coaching platform, generate personalized training plans, and deliver coaching responses
  • Personalization: To tailor coaching advice, training recommendations, and content to your fitness level, goals, and preferences
  • AI Coaching: To send your training data and messages to our AI provider (Anthropic) to generate coaching responses and training plans (see Section 4)
  • Strava Integration: To import your workout data and use it to inform coaching recommendations
  • Communication: To send you service-related emails, including account verification, plan updates, billing confirmations, and support responses
  • Analytics: To monitor and analyze trends, usage patterns, and feature adoption to improve our services
  • Error Monitoring: To detect, diagnose, and resolve technical issues and bugs
  • Security: To protect against fraud, abuse, and unauthorized access
  • Legal Compliance: To comply with applicable laws, regulations, and legal obligations

We do not use your personal information for third-party advertising. We do not sell your personal information.

4. AI Processing Disclosure

4.1 How AI Coaching Works

Moku Coach uses Anthropic’s Claude API to power our AI coaching features. When you interact with the AI coach or when training plans are generated:

  • Your messages, training data, fitness profile, and relevant Strava activity data are sent to Anthropic’s Claude API
  • Anthropic processes this data to generate coaching responses, training plan recommendations, and performance analysis
  • The AI-generated responses are returned to our application and displayed to you

4.2 Anthropic’s Role

Anthropic acts as a sub-processor of your data. Anthropic processes your data solely to provide the AI coaching functionality within Moku Coach. Specifically:

  • Your data is NOT used by Anthropic to train their AI models. Anthropic’s API terms prohibit using customer-submitted data for model training.
  • Anthropic processes data according to their Privacy Policy and data processing terms.
  • Data sent to Anthropic is transmitted over encrypted connections.

4.3 Important Disclaimer

AI-generated coaching content is not a substitute for professional coaching, medical advice, or the guidance of a certified personal trainer. AI recommendations are generated based on patterns and your provided data, but they may not account for all individual health conditions, injuries, or medical needs. Always consult a qualified healthcare professional before starting or modifying any training program, especially if you have pre-existing medical conditions.

5. Strava Data Disclosure

5.1 What Strava Data We Access

When you connect your Strava account to Moku Coach, we request access to:

  • Your activity feed (workouts, runs, rides, swims)
  • Detailed activity data including heart rate, pace, distance, elevation, and duration
  • Activity timestamps and type classifications

We request only the permissions necessary to provide coaching functionality. We do not post to your Strava account or modify your Strava data.

5.2 How We Use Strava Data

Your Strava data is used to:

  • Provide context for AI coaching conversations
  • Analyze your training load, fitness trends, and recovery patterns
  • Generate and adjust personalized training plans
  • Track progress toward your goals

5.3 How to Disconnect Strava

You can disconnect your Strava account at any time:

  1. Within Moku Coach: Go to Settings > Connected Accounts > Strava > Disconnect
  2. Within Strava: Go to Settings > My Apps > Moku Coach > Revoke Access

When you disconnect, we stop receiving new Strava data. Previously imported activity data may be retained as part of your training history unless you request its deletion.

6. Sub-processor List

We share your data with the following sub-processors, each of which processes data solely to provide their designated service:

We require all sub-processors to handle your data in accordance with applicable data protection laws and to maintain appropriate security measures.

7. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):

  • Contract Performance (Art. 6(1)(b)): Processing is necessary to provide our coaching services, manage your account, and fulfill our obligations to you as a subscriber.
  • Consent (Art. 6(1)(a)): You have given explicit consent for specific processing activities, such as connecting your Strava account or enabling AI coaching features. You may withdraw consent at any time.
  • Legitimate Interests (Art. 6(1)(f)): Processing is necessary for our legitimate interests, including fraud prevention, network security, service improvement, and analytics, where those interests are not overridden by your fundamental rights.
  • Legal Obligation (Art. 6(1)(c)): Processing is necessary to comply with applicable tax, accounting, or legal requirements.

For the processing of health and fitness data (a special category under GDPR Art. 9), we rely on your explicit consent provided when you create your account and use our training features.

8. Data Retention

We retain your data for the following specific periods:

  • Account data (name, email, profile): until you delete your account, plus 90 days for backup recovery
  • Training data (plans, metrics, goals): until you delete your account, plus 90 days for backup recovery
  • AI conversation history: until you delete your account, plus 90 days for backup recovery
  • Strava activity data: until you delete your account or disconnect Strava, plus 90 days
  • Analytics data (PostHog, usage events): 12 months from collection
  • Error tracking data (Sentry): 90 days from collection
  • Payment records: as required by applicable tax law (up to 7 years); retained and managed by Paddle as Merchant of Record
  • Transactional email records: 12 months from send date

When you request account deletion, we will:

  1. Delete or anonymize your personal data within 30 days
  2. Remove data from active systems immediately
  3. Remove data from backups within the 90-day backup rotation cycle
  4. Retain only what is required by law (e.g., tax records held by Paddle)

9. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

9.1 Right to Know

You have the right to request that we disclose what personal information we have collected about you, including:

  • The categories of personal information collected
  • The categories of sources from which it was collected
  • The business or commercial purpose for collecting it
  • The categories of third parties with whom we share it
  • The specific pieces of personal information collected

9.2 Right to Delete

You have the right to request that we delete your personal information, subject to certain exceptions (e.g., legal obligations, ongoing service delivery).

9.3 Right to Correct

You have the right to request correction of inaccurate personal information.

9.4 Right to Opt-Out of Sale or Sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out, but you may still submit a request for confirmation.

9.5 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights.

9.6 How to Exercise Your Rights

To exercise any of these rights, contact us at support@moku.coach. We will verify your identity before processing your request and respond within 45 days.

10. Health and Fitness Data

10.1 Classification

Moku Coach collects and processes data related to your physical fitness, training activities, and athletic performance. This includes workout data, heart rate information, pace, distance, training plans, and performance metrics. We classify this information as sensitive personal data and apply heightened protections accordingly.

10.2 Washington My Health My Data Act Compliance

For residents of Washington State, we comply with the My Health My Data Act (MHMDA):

  • We collect health and fitness data only with your consent and for the purpose of providing coaching services
  • We do not sell your health data
  • We do not use your health data for advertising purposes
  • You may request deletion of your health data at any time
  • We will not discriminate against you for exercising your rights under this law

10.3 How We Protect Fitness Data

  • Fitness data is encrypted in transit and at rest
  • Access is limited to systems and sub-processors that require it for service delivery
  • We do not sell fitness data to any third party
  • We do not use fitness data for advertising, marketing profiling, or any purpose unrelated to providing coaching services
  • AI processing of fitness data is governed by Section 4 (AI Processing Disclosure)

11. Your Rights (GDPR + CCPA Combined)

Regardless of your location, we honor the following rights to the extent applicable under your local law:

  • Access: Request a copy of the personal information we hold about you
  • Rectification: Request correction of inaccurate or incomplete information
  • Erasure (“Right to be Forgotten”): Request deletion of your personal information
  • Restriction: Request that we limit how we process your information
  • Data Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where processing is consent-based
  • Lodge a Complaint: File a complaint with your local data protection authority
  • Know (CCPA): Know what data we collect and how we use it
  • Opt-Out: Opt out of sale of personal information (we do not sell data)
  • Non-Discrimination: Not be treated differently for exercising your rights

To exercise any of these rights, email us at support@moku.coach. We will respond within 30 days (GDPR) or 45 days (CCPA/CPRA). We may need to verify your identity before processing your request.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption: Data is encrypted in transit (TLS 1.2+) and at rest
  • Access Controls: Role-based access controls limit data access to authorized personnel and systems
  • Authentication: Secure authentication with hashed passwords and encrypted OAuth tokens
  • Infrastructure: Hosted on Vercel’s secure infrastructure with SOC 2 compliance
  • Monitoring: Continuous error monitoring and security logging via Sentry
  • Sub-processor Security: All sub-processors are required to maintain appropriate security measures

Despite these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data using industry-standard practices.

If you become aware of a security vulnerability or suspect a data breach, please contact us immediately at support@moku.coach.

13. Children’s Privacy

Moku Coach is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@moku.coach, and we will take steps to delete that information.

If we discover that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly.

14. International Data Transfers

Moku Coach is operated from the United States. If you are accessing our services from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For users in the EEA, UK, or Switzerland, we ensure appropriate safeguards for international transfers, including:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission for transfers to sub-processors outside the EEA
  • Data Processing Agreements: In place with all sub-processors that handle personal data
  • Adequacy Decisions: Where applicable, reliance on adequacy decisions by the European Commission

By using Moku Coach, you consent to the transfer of your data to the United States and other jurisdictions where our sub-processors operate.

15. Cookie Policy

15.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies to operate our service, remember your preferences, and analyze usage.

15.2 Types of Cookies We Use

  • Essential Cookies: Required for the application to function. These include authentication tokens and session identifiers. Cannot be disabled.
  • Analytics Cookies: Used by PostHog to understand how users interact with our application. These help us improve features and user experience. Can be disabled.
  • Preference Cookies: Store your settings and preferences (e.g., theme, notification preferences). Can be disabled.

15.3 What We Do NOT Use

  • We do not use third-party advertising or marketing cookies
  • We do not use cookies for cross-site behavioral tracking
  • We do not sell data collected via cookies

15.4 Managing Cookies

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may prevent you from using core features of Moku Coach.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make changes:

  • We will update the “Last updated” date at the top of this page
  • For material changes, we will notify you via email or a prominent notice within the application
  • Your continued use of Moku Coach after the effective date of changes constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Moku Labs LLC

Operating as Moku Coach

Email: support@moku.coach

Website: moku.coach

Application: app.moku.coach

For GDPR-related inquiries, you may also contact your local data protection authority. A list of EU data protection authorities is available at edpb.europa.eu.

For CCPA/CPRA-related inquiries, California residents may also contact the California Attorney General at oag.ca.gov.