Privacy Policy
Last Updated: May 14, 2026
Effective date: June 13, 2026
Previous versions: April 21, 2026 · September 11, 2024
Effective June 13, 2026. These updated Privacy practices govern processing of your personal data beginning June 13, 2026. Until that date, the previous version dated April 21, 2026 (linked above) remains in effect.
In its daily business operations, NUA Coach uses a variety of personal data, including data about current, past, and prospective employees; clients; users and visitors of its websites; subscribers; and other stakeholders.
As it collects and uses this data, the organization is subject to various laws regulating how these activities can be carried out and the security measures that must be implemented to protect the data. The purpose of this policy is to set out the relevant legislation and describe the steps that NUA Coach is taking to ensure compliance. This policy applies to all systems, persons, and processes that are part of the organization's information systems, including board members, directors, employees, suppliers, and other third parties who have access to NUA Coach's systems.
Applicable Privacy Legislation
The following list shows the main elements of privacy legislation that apply to the countries (or groups of countries) and states in which NUA Coach operates.
- Argentina - Personal Data Protection Law (PDPL)
- Australia - Privacy Act
- Australia - Personal Information and Privacy Protection Act
- Brazil - General Data Protection Law (LGPD)
- Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
- Canada (Quebec) - Personal Information Protection Act in the Private Sector
- European Union - General Data Protection Regulation (GDPR)
- Singapore - Personal Data Protection Act
- United Kingdom - UK GDPR Data Protection Act
- U.S. (California) - California Consumer Privacy Act (CCPA)
NUA Coach is legally obligated to comply with the provisions of this legislation at all times. While there may be variations in these provisions, this policy establishes the key principles that generally must be observed under such legislation.
Significant fines may apply if a breach is deemed to have occurred under the applicable privacy legislation, which is designed to protect the personal data of citizens of the country (or state, region, or group of countries) involved. It is NUA Coach's policy to ensure that our compliance with the applicable legislation is clear and demonstrable at all times.
Definitions
The definitions used in privacy legislation vary, and it is not appropriate to reproduce them all here. However, the common terms used in this policy are as follows:
- Personal data: Any information that (a) can be used to identify the data subject to whom such data refers, or (b) is or may be directly or indirectly linked to a data subject.
- Data subject: An individual to whom the personal data belongs. This term is also referred to as the data subject.
- Processing of personal data: Operation or set of operations performed on personal data. Examples include collection, storage, modification, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination, or any other form of making available, deletion, or destruction of personal data.
- Data controller: Stakeholder in privacy who determines the purposes and means of processing personal data, excluding individuals who use data for personal purposes.
- Data processor: Stakeholder in privacy that processes personal data on behalf of and in accordance with the instructions of a data controller.
Principles Related to the Processing of Personal Data
- Legality, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
Processing of special categories of personal data under Article 9 of the GDPR (including health-related data, biometric data used to uniquely identify a person, genetic data, data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, and data concerning a person's sex life or sexual orientation) is subject to a stricter legal regime. Because NUA Coach is a training service for endurance athletes, it necessarily processes some health-related data (such as resting and maximum heart rate, training zones, weight, biological sex, physiological test results you choose to share, and any medical information you disclose in chat). NUA Coach processes that data on the basis of your explicit consent under Article 9(2)(a) of the GDPR; the specific category, purpose, and operational path are described in the “Health-Related Data” section below. You may withdraw your consent at any time, in which case NUA Coach will stop processing the category of data to which the withdrawal applies, without prejudice to the lawfulness of processing carried out before withdrawal.
NUA Coach shall ensure compliance with these principles both in processing and in introducing new processing methods, such as new computer systems.
Children
The Service is intended for users aged 16 and over, in accordance with the age requirement set out in Section 1 of the Terms of Service. NUA Coach does not knowingly collect personal data from individuals under the age of 16. If you become aware that a person under 16 has provided personal data to NUA Coach, please contact support@nua.coach so that we may delete the data without undue delay. Where local law permits processing of data of users aged 14 to 16 under Spain's national derogation under Article 8 of the GDPR (LOPDGDD Article 7), NUA Coach does not currently rely on that derogation.
Health-Related Data
Because NUA Coach is a training optimization service, it processes several categories of data that, under Article 9 of the GDPR, are treated as “special category” health-related data. This section describes what those categories are, why we process them, and what control you have over them.
Categories of health-related data we process:
- Physiological metrics imported from connected fitness platforms or entered manually: resting heart rate, maximum heart rate, heart-rate training thresholds, functional threshold power (FTP), heart-rate variability, oxygen uptake estimates, calorie estimates, weight, body composition where you provide it.
- Physiological test results you choose to share: ergometric tests, cardiopulmonary exercise tests (CPET), lactate tests, blood-panel values, sport-medical assessments. You share these voluntarily; we do not require them.
- Profile information you provide: biological sex, date of birth, current training status (returning from injury, pregnant, recovering from a medical event, taking medication that may affect training).
- Content of your conversations with the AI coach: any medical information, symptoms, restrictions, or physician instructions you disclose by chat, voice message, image, or shared document, on WhatsApp, Telegram, or any other supported channel.
- Derived memory (the “user summary”): NUA Coach maintains a structured summary of what you have told the AI coach over time, including any health-related disclosures. This summary is generated from your conversations and is reused to inform future AI responses and training recommendations. It is part of your personal data and you can ask to see, correct, or delete it (see the “Individual Rights” section).
Purposes for which we process this data: generating personalised training plans and workouts, adapting plans to your fitness state and trajectory, providing the AI coach's responses and proactive messages, scoring training compliance and performance, and improving the AI's capabilities over time.
Important scope clarification. NUA Coach processes health-related data to inform its training output, not to provide medical safety guarantees. NUA Coach's algorithms are not designed to recognise, honour, or enforce specific medical restrictions you disclose. The legal scope of NUA Coach's responsibility regarding medical restrictions is set out in Section 2.f of the Terms of Service.
Consistent with Article 5(b) of Regulation (EU) 2024/1689 (the EU AI Act), NUA Coach is not designed to exploit any vulnerability that may arise from your age, physical condition, or medical state in order to materially distort your behavior in a manner likely to cause physical or psychological harm. The data described in this section is processed solely to inform training recommendations under the Service's declared purpose, and the user retains the decision authority described in Section 2.f of the Terms of Service.
You are interacting with an AI system, not a human coach. Responses, recommendations, and proactive messages generated by the Service are produced by large language model technology operated by NUA Coach in combination with the deterministic components described under “Automated Decision-Making” below. The Service uses the “AI coach” and “AI assistant” naming conventions throughout to make this AI nature clear.
Lawful basis. We process the categories listed above on the basis of your explicit consent under Article 9(2)(a) of the GDPR, given when you complete onboarding and accept these Privacy practices together with the Terms of Service. You may withdraw that consent at any time by writing to support@nua.coach or via in-app deletion controls where available; withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Individual Rights
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision-making and profiling
These rights are subject to the following timeframes for compliance:
- The right to be informed: When data is collected (if provided by the data subject) or within one month (if not provided by the data subject)
- The right of access: One month
- The right to rectification: One month
- The right to erasure: Without undue delay
- The right to restrict processing: Without undue delay
- The right to data portability: One month
- The right to object: Upon receiving the objection
- Rights related to automated decision-making and profiling: One month
Right to delete chat memory. In addition to the right to erasure of your account data, you may specifically request the deletion of the AI coach's derived memory of your conversations (the “user summary” described in the Health-Related Data section). Submit such requests to support@nua.coach. Deletion of the user summary takes effect without undue delay; the underlying raw chat history is governed by the retention schedule below.
Right to lodge a complaint with a supervisory authority. You have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of your personal data infringes applicable data protection law. In Spain, the competent supervisory authority is the Agencia Española de Protección de Datos (AEPD), www.aepd.es. If you reside in another EU or EEA Member State, you may lodge a complaint with your local supervisory authority. For matters specifically concerning the AI-driven aspects of the Service, the competent supervisory authority in Spain for the EU AI Act is the Agencia Española de Supervisión de Inteligencia Artificial (AESIA), www.aesia.gob.es.
NUA Coach shall ensure that data subjects may exercise their rights without NUA Coach taking action to prevent or discourage data subjects from exercising those rights.
If requests are clearly unfounded or excessive, in particular because of their repetitive character, NUA Coach may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the requested action, or refuse to act on the request.
Where NUA Coach has reasonable doubts concerning the identity of the individual making the request, NUA Coach may request additional information necessary to confirm the identity of the data subject.
NUA Coach shall take reasonable steps to inform controllers and processors that are processing the data about the data subject's request.
Legality of Processing
Consent
Unless otherwise permitted by applicable legislation, NUA Coach shall obtain consent from data subjects before processing their personal data. The request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The data subject shall have the right to withdraw consent at any time.
Fulfillment of a Contract
Where the processing of personal data is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, NUA Coach may process the data without obtaining additional consent.
Legal Obligation
Where the processing of personal data is necessary for compliance with a legal obligation to which NUA Coach is subject, NUA Coach may process the data without obtaining additional consent.
Vital Interests of the Data Subject
Where the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, NUA Coach may process the data without obtaining additional consent.
Task Carried Out in the Public Interest
Where the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, NUA Coach may process the data without obtaining additional consent.
Legitimate Interests
Where the processing of personal data is necessary for the purposes of the legitimate interests pursued by NUA Coach or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, NUA Coach may process the data without obtaining additional consent.
Automated Decision-Making
NUA Coach uses automated decision-making, including profiling, to generate personalised training plans and the AI coach's responses. The principal automated decisions made about you are:
- Training-plan generation and adaptation: a combination of deterministic algorithms and large language model (LLM) reasoning decides, based on the data described in the Health-Related Data section, which workouts to schedule, at what duration, intensity, and frequency.
- AI coach responses: the AI assistant's conversational replies, proactive messages, and recommendations are generated by LLM-based systems.
- Training-compliance and performance scoring: after each session, algorithms score your execution against the prescribed workout and update your fitness model accordingly.
Importantly, NUA Coach's automated decisions do NOT include medical-safety determinations. The algorithms do not evaluate whether a given session is safe for you in light of any medical condition or physician restriction you may have. This is set out in Section 2.f of the Terms of Service, which forms part of the contract under which you use the service.
Your rights regarding automated decision-making. You have the right to (i) obtain human intervention regarding the automated decisions described above, (ii) express your point of view, and (iii) contest the decision. Submit such requests to support@nua.coach; we will respond within one month.
Privacy by Design
NUA Coach has adopted the principle of privacy by design and ensures that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments.
The privacy impact assessment shall include:
- Consideration of how personal data will be processed and for what purposes
- Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
- Assessment of the risks to individuals in the processing of personal data
- What controls are necessary to address the identified risks and demonstrate compliance with legislation
The use of techniques such as data minimization, pseudonymization, and encryption shall be considered when applicable and appropriate.
Where a privacy impact assessment indicates that the processing of personal data would result in a high risk to data subjects and the organization cannot adequately address these risks, the supervisory authority shall be consulted before starting the processing of personal data.
Contracts Involving the Processing of Personal Data
NUA Coach shall ensure that all relationships in which personal data is processed on behalf of others are subject to a documented contract that includes the specific information and terms required by the applicable legislation. For more information, see NUA Coach's data processing agreement guidelines.
Sub-Processors
NUA Coach relies on a number of third-party service providers (“sub-processors”) to operate the service. Each sub-processor is bound by a data processing agreement that requires them to process your personal data only on NUA Coach's instructions and to apply appropriate security measures. The sub-processors NUA Coach currently uses are:
- OpenAI (United States) – large language model inference for AI coach responses, training-plan reasoning, and natural-language understanding of your chat content.
- Anthropic (United States) – large language model inference for AI coach responses, training-plan reasoning, and natural-language understanding of your chat content.
- Meta Platforms Ireland Ltd. / WhatsApp (Ireland) – delivery of messages between you and the AI coach via the WhatsApp Cloud API. Meta acts as an upstream controller for the metadata of WhatsApp messages.
- Telegram Messenger Inc. – delivery of messages between you and the AI coach for users on Telegram.
- Stripe Payments Europe Ltd. (Ireland) – payment processing for subscriptions, including delivery of billing receipts directly to your registered email address.
- Amazon Web Services (AWS) (United States, with regional storage; data may be stored in eu-west-1, eu-central-1, or us-east-1 depending on service) – serverless compute (AWS Lambda), chat-history storage (Amazon DynamoDB), media-output storage (Amazon S3, for shareable workout cards, activity graphs, and workout PDFs), inter-service messaging (Amazon SQS), relational data storage for the customer-support function (Amazon RDS PostgreSQL), and runtime logging (Amazon CloudWatch).
- Heroku (Salesforce Inc.) (United States, with EU region) – hosting of the training-engine API and its PostgreSQL database (profile, training plans, workouts, billing metadata).
- Vercel Inc. (United States) – hosting and edge delivery of the marketing and account-management website (nua.coach).
- Langfuse GmbH (Germany) – observability of large language model interactions: traces, latencies, scores, and limited content of AI coach interactions for quality and cost monitoring.
- Functional Software Inc. (Sentry) (United States) – error tracking and runtime telemetry for the training-engine API and AI coach.
- Google Ireland Ltd. (Google Workspace / Gmail) (Ireland) – receipt and sending of customer-support email via the support@nua.coach inbox. All non-billing customer-facing email flows through Google Workspace; billing receipts are sent by Stripe directly.
NUA Coach reviews this list periodically and will update this Privacy Policy whenever a sub-processor is added or removed. Transfers to sub-processors located in the United States rely on the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) where the recipient is DPF-certified, and on Standard Contractual Clauses adopted by the European Commission together with supplementary measures where DPF certification does not apply. Transfers to sub-processors located in other third countries rely on Standard Contractual Clauses and, where appropriate, supplementary measures. The specific legal mechanism applicable to each sub-processor is available on request at support@nua.coach.
Separately, the connected fitness platforms (Garmin, Strava, Wahoo, COROS, Polar, Intervals.icu) are described in the “Third-Party Fitness Platform Data” section below. Those platforms are independent controllers of the data you hold with them; NUA Coach receives data from them only with your consent and does not transmit your data back to them.
Data Retention
NUA Coach retains personal data only for as long as necessary for the purposes for which it was collected, with the following category-specific defaults:
- Conversation history with the AI coach: retained for as long as your account is active, so that the AI coach can refer back to past context when generating recommendations. Upon account deletion, conversation history is permanently deleted within 30 days. You may also request earlier deletion at any time using the right to delete chat memory described in the Individual Rights section above.
- Derived “user summary” memory: until you delete your account, plus a 30-day grace period.
- Profile and training data (training plans, workouts, performance scores, training-zone thresholds): until you delete your account, plus a 30-day grace period.
- Activity data from connected fitness platforms: until you delete your account or disconnect the platform, plus a 30-day grace period.
- Billing records and tax-relevant invoices: six years, as required by Spanish tax law (Ley General Tributaria / AEAT).
- Server logs and error telemetry (Sentry, AWS CloudWatch and equivalents): 90 days.
- Marketing and product analytics: up to 26 months by default, in line with industry analytics standards.
Where legal-obligation processing requires us to retain data for longer than the period stated above (for example, tax or accounting records), we will retain only the minimum data necessary for that purpose, and only for the period legally required.
Third-Party Fitness Platform Data
NUA Coach integrates with third-party fitness platforms (including Garmin Connect, Strava, Wahoo, COROS, Polar, and Intervals.icu) to import activity and health data with your consent.
Data obtained from Garmin Connect, Strava, Wahoo, COROS, Polar, and Intervals.icu APIs is processed exclusively by NUA Coach's proprietary algorithms within our own systems. This data is not shared with, processed by, or otherwise made available to any third party, including external AI or data processing services.
You may disconnect any linked fitness platform at any time through your account settings or by contacting support@nua.coach. Upon disconnection, NUA Coach will cease importing new data from the disconnected platform.
International Transfers of Personal Data
NUA Coach may transfer personal data outside the country or region in which it was collected, in accordance with applicable legislation. In such cases, NUA Coach shall ensure that the transfer is subject to appropriate safeguards, such as adequacy decisions or standard contractual clauses, to ensure that the data is protected to the same standard as required by the applicable legislation.
Data Protection Officer
Applicable legislation may require NUA Coach to designate a Data Protection Officer (DPO). The DPO must be an expert in data protection law and practices, and although the DPO may be a member of NUA Coach's existing staff, they shall be able to perform their duties and tasks independently. NUA Coach has designated an internal DPO to ensure compliance with the applicable legislation. The DPO is responsible for advising on data protection obligations, monitoring compliance, and serving as a point of contact for data subjects and the supervisory authority.
You may contact the DPO at support@nua.coach with the subject line “DPO request” or “Data protection request.” Requests received at this address are routed to the DPO and answered within the legally required timeframes set out in the “Individual Rights” section.
Cookies and Web Tracking
The NUA Coach marketing and account-management website (nua.coach) uses cookies and similar technologies to provide and improve the service. These fall into the following categories:
- Strictly necessary cookies: used for authentication, secure session management, language preference, and core site functionality. These cookies do not require consent.
- Analytics cookies: used to understand aggregate site usage and improve the website. Where these are used, they are loaded only after you have given consent.
- Marketing cookies and tracking pixels: used to measure the effectiveness of campaigns and to deliver relevant content. Where these are used, they are loaded only after you have given consent.
Where required by the ePrivacy Directive and applicable national implementing rules, non-essential cookies are set only after you have accepted them via a cookie banner. You can withdraw or change your cookie preferences at any time using the cookie controls on the site, or by clearing your browser's cookies. The AI coach itself (in WhatsApp, Telegram, and other supported channels) does not rely on web cookies; processing of conversation data in those channels is governed by the rest of this Privacy Policy.
Data Breach Notification
It is NUA Coach's policy to be fair and proportionate when considering the actions to take to inform affected parties regarding breaches of personal data. In accordance with the applicable legislation, where a breach is known to have occurred that is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority shall be informed within 72 hours. This will be managed in accordance with our security incident response process. NUA Coach shall keep a record of personal data breaches, regardless of whether notification is required. Failure to notify the supervisory authority of a breach may result in a fine, in addition to the fine imposed for the breach itself.
Compliance with Applicable Privacy Legislation
The following actions are carried out to ensure that NUA Coach complies at all times with the applicable privacy legislation:
- The legal basis for the processing of personal data is clear and unambiguous
- A Data Protection Officer with specific responsibility for data protection compliance has been designated
- All staff involved in handling personal data understand their responsibilities for following good data protection practices
- Data protection training has been provided to all staff
- Rules regarding consent are followed
- Routes are available for data subjects wishing to exercise their rights regarding personal data, and such inquiries are handled effectively
- Reviews of procedures involving personal data are conducted on a regular basis
- Privacy by design is adopted for all new or changed systems and processes
The following documentation of processing activities is maintained:
- Organization name and relevant details
- Purposes of processing personal data
- Categories of individuals and personal data processed
- Categories of recipients of personal data
- Agreements and mechanisms for transfers of personal data to third countries or international organizations
- Retention periods for personal data
- Relevant technical and organizational controls in place
These actions are regularly reviewed as part of the management process related to privacy and data protection.
Exceptions
Any exception to the policy must be approved in advance by NUA Coach. Exceptions shall be documented and reviewed on a regular basis to ensure that they remain valid and that the risk associated with each exception is understood and accepted.
Compliance
Any violation of this policy may result in disciplinary action, up to and including termination of employment or contract, depending on the nature and severity of the violation. NUA Coach reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Complaints about non-compliance with this policy should be directed to support@nua.coach. Any employee found to have violated this policy may be subject to disciplinary action, including but not limited to reprimand, suspension, or termination of employment. Any such action shall be applied consistently, regardless of the position of the employee, and shall serve as a deterrent for future violations.
Accountability, Review, and Audit
NUA Coach shall conduct regular reviews and audits of its data processing activities to ensure ongoing compliance with this policy and the applicable privacy legislation. The results of these reviews and audits shall be reported to senior management and, where applicable, to the supervisory authority. NUA Coach shall update this policy as necessary to reflect changes in the applicable legislation, industry best practices, and the organization's own practices.