Privacy Policy
Last updated: 27 April 2026
1. Who We Are
ZAAG Intelligence is operated by Sanara Ltd, a company registered in England and Wales. We are the data controller for the personal data described in this policy. You can contact us at contact@zaag.co or by post at the registered office of Sanara Ltd.
2. What Data We Collect
We collect the following categories of personal data:
- Account information: name, email address, and password (stored securely via Firebase Authentication).
- Profile data: age, sex at birth, training experience, goals, available equipment, training schedule, and any health limitations or injuries you disclose during onboarding.
- Training data: workout logs, exercise performance (sets, reps, weight, RPE), programme history, and completion records.
- Usage data: how you interact with the app, feature usage, session duration, and anonymised event data (e.g. workout started, programme generated, error shown). Event properties contain only IDs, enums, and counts — never your name, email, free-text inputs, or health responses. We use PostHog (EU-hosted) for product analytics; see Section 5 for details. We do not use advertising or tracking pixels.
- Voice data: if you use voice logging, audio is processed in real-time to extract workout data. We do not store audio recordings — only the parsed text result.
- Coaching conversations: messages exchanged with the AI coach during onboarding and in-app coaching. These are used to personalise your programme and provide context for future interactions.
- Athlete intelligence: derived insights including recovery patterns, progression rates, compliance trends, and fatigue indicators — generated from your training and health data to improve coaching quality.
- Wearable data: if you connect a wearable device (e.g. WHOOP, Oura, Garmin), we receive health metrics such as HRV, sleep, and resting heart rate via their APIs. OAuth tokens for these connections are encrypted at rest.
3. How We Use Your Data
- To generate personalised training programmes using AI models. Your profile, training history, and any health information you have disclosed (including injuries, limitations, and health screening responses) are sent to our AI providers (Anthropic and Google) as context for programme generation. Your name and email are never included. Health data disclosed during onboarding constitutes special category data and is sent to these providers with your explicit consent given at registration.
- To provide coaching features including weekly reviews, workout modifications, and progress tracking.
- To authenticate your account and maintain your session.
- To send transactional emails (password reset, account notifications). We will never send marketing emails without your explicit opt-in consent.
- To improve the quality and safety of our AI-generated programmes through pseudonymised and aggregated analysis. This includes using pseudonymised training data (with all direct identifiers removed) to evaluate and improve our AI models, algorithms, and programme generation quality. While pseudonymised data has identifiers removed, re-identification may be theoretically possible for highly unusual training profiles. We apply appropriate technical safeguards to minimise this risk.
- We do not sell, lease, or share your personal data with advertisers or other third parties for their commercial purposes. Wearable data received from third-party providers (e.g. WHOOP, Oura, Garmin) is only used to inform your training programme and surface insights to you within ZAAG Intelligence — never sold, redistributed, or used for advertising.
4. Legal Basis for Processing (GDPR)
- Contract: processing your data is necessary to provide the service you signed up for (Article 6(1)(b)).
- Legitimate interest: improving service quality, security, and AI model performance using anonymised and aggregated data (Article 6(1)(f)).
- Consent: for optional processing such as marketing communications (Article 6(1)(a)).
- Health data: your training data and any health information you provide may constitute special category data under GDPR. We process this on the basis of your explicit consent given at registration (Article 9(2)(a)).
5. Third-Party Data Processors
We use the following third-party services to operate ZAAG Intelligence:
- Google Cloud Platform (Cloud Run, Cloud SQL) — hosting and database. Data stored in europe-west2 (London). Google acts as a data processor under standard contractual clauses.
- Firebase Authentication (Google) — account management and authentication.
- Anthropic (Claude) — our primary AI model provider, used for programme generation, coaching, and training analysis. Training context (profile, goals, performance history, and any health conditions or limitations you have disclosed — not your name or email) is sent per request. This may include special category health data. Anthropic does not train on API data and retains API inputs and outputs for a maximum of 7 days for safety monitoring, after which they are automatically deleted.
- Google AI (Gemini) — AI model provider used for chat, voice parsing, and supporting coaching features. Same data handling as above, including potential transfer of special category health data.
- Resend — transactional email delivery.
- Wearable providers (WHOOP, Oura, Garmin — if connected) — health metric synchronisation via OAuth. Only connected when you explicitly authorise the integration. You can disconnect any wearable at any time from Settings → Connected devices, which immediately stops further data collection from that provider. Wearable data already received is retained alongside your training history and deleted when you delete your account.
- PostHog — product analytics, used to understand how features are used and where people get stuck. Hosted in the European Union (Frankfurt, Germany), so no international transfer occurs for UK or EEA users. We send a defined list of typed events (e.g. signup_completed, workout_completed, programme_generated) tied to your user ID. Event properties contain only IDs, enums, and counts — never your name, email, free-text answers, injury notes, PAR-Q responses, or coaching messages. Profile properties are limited to role, days since signup, programme status, and beta-tester flag. Session replay is disabled, and autocapture is restricted to clicks only (no keystroke or form-input capture). To opt out of analytics, email contact@zaag.co — we will set a server-side suppression flag against your account. PostHog retains event data for 7 years by default under their EU plan; we will reduce this to the minimum necessary on request.
- Sentry — error monitoring and session replay, used to diagnose and fix bugs. Hosted in the European Union (Frankfurt, Germany), so no international transfer occurs for UK or EEA users. We send exception data and a sampled subset of session recordings (approximately 10% of all sessions, plus 100% of sessions in which an error occurs). Form inputs and on-screen text are masked by default in replays. Sentry's automatic attachment of personal information (IP address, request headers, cookies) is disabled, and our error pipeline scrubs identifying patterns (such as email addresses) from error messages before transmission. Sentry retains this data for up to 90 days.
6. Data Retention
We retain your data for as long as your account is active. If you delete your account, all personal data and training history are permanently deleted within 30 days. Pseudonymised and aggregated data (with all direct identifiers removed) may be retained indefinitely for service improvement, AI model evaluation, and research purposes.
7. Your Rights
Under GDPR, you have the following rights:
- Access: download a copy of all personal data we hold about you from your Settings page, or by contacting us.
- Rectification: correct inaccurate data via your Settings page or by contacting us.
- Erasure: delete your account and all associated data from Settings, or contact us.
- Portability: export your data in machine-readable JSON format from your Settings page.
- Restriction: request we limit processing of your data.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: where processing is based on consent, you may withdraw at any time.
To exercise any of these rights, email contact@zaag.co. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
8. Cookies and Local Storage
ZAAG Intelligence uses essential cookies and local storage for authentication and session management. PostHog (our product analytics provider) sets a first-party cookie and uses local storage to maintain a stable anonymous identifier across sessions; this is used only to attribute events you generate while signed in to your account. We do not use advertising cookies or tracking pixels. Because analytics events carry no free-text or special-category data, are tied to consent given at registration, and are processed under Article 6(1)(f) legitimate interest with appropriate safeguards (EU host, session replay disabled, click-only autocapture), we do not currently display a cookie consent banner. You can opt out of analytics at any time by emailing contact@zaag.co.
9. International Transfers
Your data is primarily stored in the UK (Google Cloud europe-west2, London). When data is sent to AI providers for programme generation, it may be processed in the United States. For Google services, these transfers are covered by Google's certification under the UK Extension to the EU-U.S. Data Privacy Framework. For Anthropic, transfers are governed by Standard Contractual Clauses incorporated into our Data Processing Addendum. Both mechanisms are recognised transfer safeguards under UK GDPR.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required under UK GDPR. If the breach poses a high risk to you, we will also notify you directly without undue delay, providing details of the breach, its likely consequences, and the measures we are taking to address it.
11. Children
ZAAG Intelligence is not intended for use by anyone under 18 years of age. We do not knowingly collect data from minors. If you believe someone under 18 has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you via email or an in-app notification. Continued use of ZAAG Intelligence after changes are posted constitutes acceptance of the revised policy.
13. Contact
For privacy-related enquiries, contact us at contact@zaag.co.
© Sanara Ltd. All rights reserved.