Your data, plainly handled.

Coach Casey is a reflective training partner. We read your runs from Strava, store your training plan and our conversations, and use those to write debriefs and answer your questions. That data belongs to you. We don't sell it. We don't use it to train AI models. You can disconnect Strava, export everything we hold about you, and delete your account at any time.

The longer version below covers exactly what we collect, where it's stored, who it's shared with, and the rights you have under Australian, New Zealand, UK, EU (GDPR), and US (including California) privacy laws.

Coach Casey is operated by Jason Hunt, based in Sydney, Australia. For privacy enquiries, deletion requests, questions about this policy, or anything else, contact hello@coachcasey.com.

In this policy, “Coach Casey”, “we”, “us” and “our” refer to that operating entity. “You” means the athlete using the service.

Information you give us

• Account details, email address, password (hashed), display name. Used to sign you in.
• Onboarding answers, your training plan (pasted as text), goal race, current niggles or injuries, and notification preferences. Used to write debriefs and respond to you in context.
• Conversation history, messages you send Coach Casey and the responses generated. Stored so future replies can reference earlier context.
• Effort and feedback, RPE (rate of perceived exertion) ratings you submit after runs.

Information from Strava

When you connect Strava, we receive the data Strava's API returns under the scopes you grant (read, activity:read_all, and profile:read_all):

• Profile, your Strava athlete ID, name, and profile photo.
• Activities, runs and other activities, including distance, time, pace, heart rate, elevation, workout laps, GPS-derived summary fields, and any title/description you wrote.

Strava writes are minimal and under your control. Debriefs, follow-up questions, notes, and training context stay inside Coach Casey. The one thing Casey writes to Strava is the verdict line: after each debrief, a single coaching line and signature appended to the bottom of that activity's description on your own profile. This is on by default; anything you wrote there is kept, never replaced. You can turn the feature off, and disconnect Strava entirely, from your settings page.

Information collected automatically

• Usage analytics, pages viewed, features used, errors encountered. Pseudonymous; we use this to fix bugs and decide what to improve.
• Device and connection, browser, operating system, approximate region, IP address (used for rate-limiting and security; not stored long-term).

We do not use advertising trackers. We do not sell your data to anyone, full stop.

• Generate your debriefs and replies.Your runs, plan, and recent conversation context are sent to a large language model (Anthropic Claude) to produce the response. See “AI models” below.
• Operate the service. Authenticating you, routing notifications, syncing new Strava activities, billing if you become a paid subscriber.
• Improve the product. Pseudonymised usage analytics tell us which moments are working and where people get stuck. We do not feed your training data into any analytics product.
• Keep it secure. Detect abuse, prevent unauthorised access, comply with legal obligations.

Coach Casey uses Anthropic's Claude models at inference time to write debriefs and respond in chat. When we call the API, only the data needed for that specific response is included. Anthropic is configured under standard zero-data-retention terms, and is not permitted to train models on your data. You can read their published policy at anthropic.com/privacy.

We use Langfuse to monitor and debug the AI calls (latency, cost, prompt versions). Langfuse stores trace metadata short-term so we can find regressions; this never includes raw Strava data and is never used for model training.

We never train AI models on your data.Strava data is never included in any dataset used for model training, fine-tuning, or evaluation. This is a hard rule, in line with Strava's API agreement.

Your account data, training plans, conversations, and ingested Strava activities are stored on Supabase, in the Tokyo (ap-northeast-1) region. The database is encrypted at rest. Connections are encrypted in transit (TLS).

Hosting and serverless compute run on Vercel. Some serverless functions may execute in other regions, including Australia, for latency reasons; the canonical store of your data remains in Tokyo. AI model calls are routed to Anthropic, which may process the request in the United States.

By using Coach Casey you consent to these international transfers, which are made under standard contractual safeguards.

• Account, plan, and conversation data, kept for as long as your account is active.
• Strava activity data, kept for as long as your account is active and your Strava connection is in place. If you disconnect Strava, we stop syncing new activities. Previously-ingested activities remain (so your history is intact) unless you ask us to delete them.
• Account deletion, when you delete your account, your data is soft-deleted immediately and hard- deleted within 30 days. Backups roll off in line with our hosting provider's standard retention. Aggregated, fully de-identified statistics may be retained.
• Logs, operational logs are kept short-term for debugging and security, in line with our hosting providers' default retention.

We share data only with service providers who help us operate Coach Casey. Each is bound by a written agreement, processes data only on our instructions, and is contractually prohibited from using your data for any other purpose.

• Supabase, database and authentication. Data stored in Tokyo.
• Vercel, application hosting and serverless compute.
• Anthropic, AI inference (see “AI models”).
• Langfuse, observability for the AI calls (latency, cost, prompt versions).
• PostHog, pseudonymous product analytics.
• Resend, transactional email (sign-in, account notices).
• Stripe(future), when paid plans launch, Stripe will process payments. The trial doesn't require any payment details, so no card data is collected today.

We do not sell, rent, or trade your personal information. We will only disclose data to law enforcement or other third parties when legally required to do so, and where possible we will notify you first.

The specific rights you have depend on where you live. The practical effect is the same: you can see, correct, export, or delete your data, and disconnect Strava, at any time. To exercise any of these rights, email hello@coachcasey.com or use the controls inside Coach Casey's settings page.

Australia: Privacy Act 1988 (Cth)

We handle personal information in accordance with the Australian Privacy Principles (APPs). You can request access to, or correction of, your personal information. If you believe we have breached the APPs, you can complain to us first; if not satisfied, you can complain to the Office of the Australian Information Commissioner (OAIC).

New Zealand: Privacy Act 2020

You have the right to access and correct personal information we hold about you. If we cannot resolve a complaint, you can contact the Office of the Privacy Commissioner.

United Kingdom and European Economic Area: UK GDPR / EU GDPR

If you are in the UK or EEA, you have the right to: access your data; rectify inaccurate data; erase data (“right to be forgotten”); restrict processing; object to processing; data portability (export); and withdraw consent at any time. We rely on the following lawful bases: performance of our contract with you (running the service), your consent (e.g., notifications), and legitimate interests (e.g., security and fraud prevention). You can complain to your local supervisory authority, in the UK, the Information Commissioner's Office (ICO).

United States

If you live in California, you have rights under the California Consumer Privacy Act(CCPA) as amended by the CPRA: to know what personal information we collect about you; to delete it; to correct inaccuracies; to opt out of “sales” or “sharing” (we do neither); and to limit use of sensitive personal information. We do not knowingly sell or share personal information for cross-context behavioural advertising. Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other US states with comprehensive privacy laws have analogous rights, which we honour on the same basis. To exercise any of these rights, email hello@coachcasey.com with the subject line “Privacy Request”. We will verify your identity (typically by replying to the email address on your account) before acting on the request and respond within the applicable statutory window.

We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

You can disconnect Strava at any time from Settings › Strava connection inside Coach Casey, or from Strava's authorised apps page. When you disconnect, we revoke our access token with Strava and stop syncing new activities. Your existing thread and debriefs remain so you can read them; you can delete them with the account-deletion flow if you want them gone too.

You can export everything we hold about you from Settings › Export my data. We return a single JSON file with your account, training plan, activities, conversations, RPE responses, and memory items. Strava OAuth tokens are excluded for security.

To delete your account, use Settings › Delete account, or email hello@coachcasey.com. We will soft-delete immediately (you're signed out and can no longer sign back in) and hard-delete within 30 days.

We use industry-standard safeguards: TLS in transit, encryption at rest, scoped database access via row-level security policies, and least-privilege service credentials. No system is impenetrable, but we take this seriously. If you believe you've found a vulnerability, please email hello@coachcasey.com.

Coach Casey uses essential cookies to keep you signed in and a small number of pseudonymous analytics cookies (PostHog) to measure how the product is used. We do not use advertising or cross-site tracking cookies. You can clear cookies at any time from your browser settings; some functionality (notably sign-in) will not work without them.

If we make a material change to this policy, we will email registered users and update the “Last updated” date above. Continued use of the service after a change constitutes acceptance of the updated policy.

For privacy enquiries, security disclosures, or anything else, email hello@coachcasey.com.