Privacy Policy

1. Who we are

Corsa Coaching (“Corsa,” “we,” “our,” “us”) provides AI-powered endurance training plans through a web app and mobile apps available at app.corsa.coach. This Privacy Policy explains what data we collect, why, and what you can do about it.

For privacy questions or to exercise any rights described below, email [email protected] with the subject “Privacy.”

2. What we collect

2.1 Information you give us

• Account: name, email, password (stored as a salted hash), and date of birth.
• Training profile: sports, experience level, goals, weekly availability, unit preference (km/mi), recent training history.
• Performance metrics (optional): resting/max heart rate, lactate threshold, FTP, recent race results — only if you provide them.
• Parental consent (under 13): guardian name, email, relationship, and consent timestamp.
• Communications: messages you send to support or via the contact form.

2.2 Information from connected services (with your permission)

If you connect Garmin Connect, Apple Health, Wahoo, or Strava, we read activities (date, duration, distance, sport, HR, power, pace, GPS summary) to feed back into your plan. These connections are read-only — Corsa does not write to those accounts. You can disconnect any source at any time from the app.

2.3 Information collected automatically

• Device & log data: device type, OS version, app version, IP address (truncated for analytics), and crash reports.
• Usage analytics: page views and feature usage, in aggregated form, to improve the product.

3. How we use your data

• Generate your weekly training plan and explain it in plain language.
• Adapt the plan based on your synced activities and any rebuild context you provide.
• Apply tier-based safety guardrails (volume, intensity, recovery) appropriate for your athlete category.
• Run our service: account management, billing, support, security, fraud prevention.
• Send transactional email (password reset, account changes, billing). Marketing email only if you opt in.
• Improve the product through aggregated, de-identified usage analytics.

We do not use your training data to train third-party AI models. We pass relevant context to our AI provider (Anthropic) at plan-generation time under their data-processing terms; that data is not retained for training.

4. Athletes under 13 (COPPA)

Corsa supports youth athletes, including under-13 with verified parental consent. For users under 13:

• A guardian must complete a consent form during signup.
• We collect only what’s needed to build a safe, age-appropriate plan.
• We do not show third-party advertising to children.
• Guardians can review, modify, or delete the child’s data at any time by emailing [email protected].
• We will not condition participation on collecting more information than needed.

5. Sharing & service providers

We share data only with vendors that help us run the service, under contracts that restrict their use of your data:

• Cloud hosting: our backend and database run with a US-based cloud provider.
• AI processing: Anthropic (Claude API) processes plan-generation prompts; Voyage AI generates embeddings for our knowledge base. Neither provider retains your data for model training.
• Payments: Stripe handles subscription payments. Corsa never sees your full card number.
• Email delivery: a transactional email vendor delivers password-reset and account email.
• Activity sync: Garmin, Apple Health, Wahoo, Strava — only when you authorize the connection.

We do not sell your data, and we do not share it with advertisers.

6. Your rights

• Access: request a copy of your data — email [email protected] with “data export.”
• Correction: update your training profile in-app any time.
• Deletion: request account deletion — we’ll process within 7 days. Some data may persist briefly in encrypted backups before rotating out.
• Withdraw consent: disconnect any synced service in-app, or cancel your subscription.
• EU/UK residents: you have GDPR rights including portability and the right to lodge a complaint with your supervisory authority.
• California residents: CCPA rights apply; we do not sell personal information.

7. Security

Passwords are stored as salted hashes. Sessions use revocable JWTs (revoked on password change). Connections to the service use TLS. We follow standard practices for backups, access controls, and dependency hygiene. No system is perfectly secure; if you spot something, please email [email protected] with “security.”

8. Retention

We retain account and training data while your account is active and for a short period after cancellation in case you return. On deletion request, we remove your data within 7 days, except where we need to keep limited records for legal or financial obligations (e.g. payment receipts).

9. International transfers

Our infrastructure is based in the United States. If you use Corsa from outside the US, your data is processed in the US under appropriate safeguards (Standard Contractual Clauses where applicable).

10. Cookies

The marketing site (this domain) uses minimal cookies — strictly functional only at this time. The web app uses authentication cookies for sign-in. We do not use third-party advertising cookies.

11. Changes

We’ll post material changes to this page and, where required, notify you by email. The “Last updated” date at the top reflects the current version.

12. Contact

For privacy questions, data requests, or to report a concern: [email protected].