
Privacy Policy

Last updated: 25 April 2026

1. Who We Are

ZAAG Intelligence is operated by Sanara Ltd, a company registered in England and Wales. We are the data controller for the personal data described in this policy. You can contact us at contact@zaag.co or by post at the registered office of Sanara Ltd.

2. What Data We Collect

We collect the following categories of personal data:

  • Account information: name, email address, and password (stored securely via Firebase Authentication).
  • Profile data: age, sex at birth, training experience, goals, available equipment, training schedule, and any health limitations or injuries you disclose during onboarding.
  • Training data: workout logs, exercise performance (sets, reps, weight, RPE), programme history, and completion records.
  • Usage data: how you interact with the app, feature usage, and session duration. We do not use third-party analytics or tracking pixels.
  • Voice data: if you use voice logging, audio is processed in real-time to extract workout data. We do not store audio recordings — only the parsed text result.
  • Coaching conversations: messages exchanged with the AI coach during onboarding and in-app coaching. These are used to personalise your programme and provide context for future interactions.
  • Athlete intelligence: derived insights including recovery patterns, progression rates, compliance trends, and fatigue indicators — generated from your training and health data to improve coaching quality.
  • Wearable data: if you connect a wearable device (e.g. WHOOP, Oura, Garmin), we receive health metrics such as HRV, sleep, and resting heart rate via their APIs. OAuth tokens for these connections are encrypted at rest.

3. How We Use Your Data

  • To generate personalised training programmes using AI models. Your profile, training history, and any health information you have disclosed (including injuries, limitations, and health screening responses) are sent to our AI providers (Anthropic and Google) as context for programme generation. Your name and email are never included. Health data disclosed during onboarding constitutes special category data and is sent to these providers with your explicit consent given at registration.
  • To provide coaching features including weekly reviews, workout modifications, and progress tracking.
  • To authenticate your account and maintain your session.
  • To send transactional emails (password reset, account notifications). We will never send marketing emails without your explicit opt-in consent.
  • To improve the quality and safety of our AI-generated programmes through pseudonymised and aggregated analysis. This includes using pseudonymised training data (with all direct identifiers removed) to evaluate and improve our AI models, algorithms, and programme generation quality. While pseudonymised data has identifiers removed, re-identification may be theoretically possible for highly unusual training profiles. We apply appropriate technical safeguards to minimise this risk.

4. Legal Basis for Processing (GDPR)

  • Contract: processing your data is necessary to provide the service you signed up for (Article 6(1)(b)).
  • Legitimate interest: improving service quality, security, and AI model performance using anonymised and aggregated data (Article 6(1)(f)).
  • Consent: for optional processing such as marketing communications (Article 6(1)(a)).
  • Health data: your training data and any health information you provide may constitute special category data under GDPR. We process this on the basis of your explicit consent given at registration (Article 9(2)(a)).

5. Third-Party Data Processors

We use the following third-party services to operate ZAAG Intelligence:

  • Google Cloud Platform (Cloud Run, Cloud SQL) — hosting and database. Data stored in europe-west2 (London). Google acts as a data processor under standard contractual clauses.
  • Firebase Authentication (Google) — account management and authentication.
  • Anthropic (Claude) — our primary AI model provider, used for programme generation, coaching, and training analysis. Training context (profile, goals, performance history, and any health conditions or limitations you have disclosed — not your name or email) is sent per request. This may include special category health data. Anthropic does not train on API data and retains API inputs and outputs for a maximum of 7 days for safety monitoring, after which they are automatically deleted.
  • Google AI (Gemini) — AI model provider used for chat, voice parsing, and supporting coaching features. Same data handling as above, including potential transfer of special category health data.
  • Resend — transactional email delivery.
  • Wearable providers (WHOOP, Oura, Garmin — if connected) — health metric synchronisation via OAuth. Only connected when you explicitly authorise the integration.
  • Sentry — error monitoring and session replay, used to diagnose and fix bugs. Hosted in the European Union (Frankfurt, Germany), so no international transfer occurs for UK or EEA users. We send exception data and a sampled subset of session recordings (approximately 10% of all sessions, plus 100% of sessions in which an error occurs). Form inputs and on-screen text are masked by default in replays. Sentry's automatic attachment of personal information (IP address, request headers, cookies) is disabled, and our error pipeline scrubs identifying patterns (such as email addresses) from error messages before transmission. Sentry retains this data for up to 90 days.

6. Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal data and training history are permanently deleted within 30 days. Pseudonymised and aggregated data (with all direct identifiers removed) may be retained indefinitely for service improvement, AI model evaluation, and research purposes.

7. Your Rights

Under GDPR, you have the following rights:

  • Access: download a copy of all personal data we hold about you from your Settings page, or by contacting us.
  • Rectification: correct inaccurate data via your Settings page or by contacting us.
  • Erasure: delete your account and all associated data from Settings, or contact us.
  • Portability: export your data in machine-readable JSON format from your Settings page.
  • Restriction: request we limit processing of your data.
  • Objection: object to processing based on legitimate interest.
  • Withdraw consent: where processing is based on consent, you may withdraw at any time.

To exercise any of these rights, email contact@zaag.co. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies and Local Storage

ZAAG Intelligence uses essential cookies and local storage for authentication and session management only. We do not use advertising cookies, tracking pixels, or third-party analytics. No cookie consent banner is required as we only use strictly necessary cookies under the Privacy and Electronic Communications Regulations (PECR).

9. International Transfers

Your data is primarily stored in the UK (Google Cloud europe-west2, London). When data is sent to AI providers for programme generation, it may be processed in the United States. For Google services, these transfers are covered by Google's certification under the UK Extension to the EU-U.S. Data Privacy Framework. For Anthropic, transfers are governed by Standard Contractual Clauses incorporated into our Data Processing Addendum. Both mechanisms are recognised transfer safeguards under UK GDPR.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required under UK GDPR. If the breach poses a high risk to you, we will also notify you directly without undue delay, providing details of the breach, its likely consequences, and the measures we are taking to address it.

11. Children

ZAAG Intelligence is not intended for use by anyone under 18 years of age. We do not knowingly collect data from minors. If you believe someone under 18 has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you via email or an in-app notification. Continued use of ZAAG Intelligence after changes are posted constitutes acceptance of the revised policy.

13. Contact

For privacy-related enquiries, contact us at contact@zaag.co.

© Sanara Ltd. All rights reserved.