Privacy notice

Last updated: June 22, 2026

What IronCoach is

IronCoach is an adults-only endurance coaching and education beta. It is not medical care, diagnosis, treatment, emergency response, or a clinician service.

Health and training data we collect

We collect account details, onboarding answers, goals, events, training history, workouts, readiness, nutrition preferences, injury or condition notes you choose to provide, uploaded documents, generated plans, support requests, and operational security records.

Sources

Data can come from you directly, uploaded files, manual imports, connected providers you authorize, generated coaching drafts, and service logs needed to operate and secure the beta.

How we use data

We use data to operate your account, generate and explain coaching drafts, maintain safety guardrails, process files, provide exports and deletion, monitor abuse and reliability, and satisfy legal or security obligations.

Consumer health data

IronCoach treats training, health, injury, symptom, nutrition, location, uploaded document, and coaching-context data as sensitive consumer health data. We do not sell consumer health data, use it for advertising audiences, or use it for third-party model training.

Mexico sensitive personal data

For Mexico users, health-related onboarding and coaching-context data is treated as sensitive personal data. IronCoach requires express consent before processing that sensitive data and supports ARCO access, rectification, cancellation, and opposition requests through privacy@asperia.app.

Sharing

We share data only with service providers needed to run the beta, such as hosting, database, storage, security scanning, worker infrastructure, alerting, email or SMS providers, connected providers you choose, and OpenAI for server-side plan generation when enabled.

AI processing

OpenAI requests are server-side only, use store: false for user-context requests, use a hashed safety identifier, and send the minimum context needed for the requested coaching draft. IronCoach does not use hosted OpenAI files or vector stores for sensitive source documents by default.

Your controls

You can access and correct account, onboarding, document-fact, and imported training data in the product where available. Account export and deletion are available from the account page after recent sign-in. Privacy, correction, deletion, consent withdrawal, opposition, Canada/Spain rights, Latin America market-specific rights, or Mexico ARCO requests can also be made through privacy@asperia.app.

Retention and deletion

Active account data is kept while your account is active. User-generated account exports expire after seven days. Failed or rejected quarantine uploads expire after the beta retention period. Account deletion removes user-prefixed objects, deletes the Auth user for row cleanup, and records a restricted deletion tombstone so restored backups can be replayed before returning to service.

Security

IronCoach uses private storage, row-level security, recent-auth checks for sensitive privacy operations, malware scanning for uploads, strict browser security headers, sanitized operational alerts, and source secret scanning. No system can be guaranteed perfectly secure.

Breach and incident notice

If a security incident affects user data, IronCoach will assess applicable notice obligations, including FTC Health Breach Notification Rule, US state consumer-health privacy and breach laws, Canada, Spain/GDPR, Latin America, and Mexico privacy obligations where applicable.

HIPAA posture

IronCoach does not claim HIPAA compliance for this direct-to-consumer beta. If IronCoach later operates for a covered entity, business associate, employer health plan, insurer, clinician workflow, or BAA-backed service, that context requires separate legal and architecture review before launch.