Privacy Policy
Last updated: 2026-05-15
This Privacy Policy explains what personal data SunCoach collects, why we process it, who else processes it on our behalf, and what rights you have. We've tried to write it in plain language. If anything is unclear, email us at privacy@suncoach.app.
1. Who is responsible (Data Controller)
The data controller for SunCoach is:
Gökhan Kaya
Untere Vogelsangstrasse 205
8400 Winterthur
Switzerland
Email: privacy@suncoach.app
SunCoach is operated as a sole proprietorship. We do not have a separate Data Protection Officer; please direct all privacy questions to the email above.
2. Scope of this Policy
This Policy applies to the SunCoach mobile app (iOS and Android), the web app at app.suncoach.app, and the marketing website at suncoach.app. The primary legal framework is the Swiss Federal Act on Data Protection (revFADP / nFADP). For users in the European Economic Area, the EU General Data Protection Regulation (GDPR) applies in parallel.
3. What personal data we collect
3.1 Account data
When you create an account, we collect your email address, a display name, and a password (stored only as a salted hash by our authentication provider, Supabase Auth — we never see your plaintext password). We also store your selected language preference.
3.2 Profile and goal data
To personalize nutrition recommendations, you may provide your birth date, gender, height, weight, activity level, dietary preferences, and nutrition goals (e.g. target calories and macronutrients). Providing this data is optional but the app's core features depend on it.
3.3 Meal log data
When you log a meal, we store the meal name, ingredients, estimated macronutrients, the timestamp, and — if you choose to capture them — a photo of the meal and/or a voice recording describing it. Photos and voice recordings are stored in our Supabase Storage bucket and are accessible only to you (and, if applicable, your linked coach — see section 3.5).
3.4 Health data (optional)
With your explicit consent, SunCoach can read selected data from Apple HealthKit (iOS) or Android Health Connect, such as steps, body weight, and active energy. This consent is requested separately from account creation and can be revoked at any time in your device settings. Health data is treated as sensitive personal data (Art. 5 lit. c revFADP / Art. 9 GDPR) and is processed only to display your progress and adjust recommendations.
3.5 Coach-client relationship data
SunCoach supports a two-sided model: clients can link to a coach to receive guidance. If you link to a coach, your coach can view your profile, goals, meal logs, photos, voice notes, and progress data for the duration of the link. You can unlink at any time. Coaches are independent users and are not employed by SunCoach; we act as a technical service provider that makes data-sharing possible. When you link, this counts as your explicit consent to share that data with your chosen coach.
3.6 Subscription data
Subscriptions are processed by RevenueCat, which in turn uses the Apple App Store or Google Play Store for payment. We receive a pseudonymous subscription identifier (linked to your account so we can unlock your subscription, but containing no name or payment details), your subscription tier, and the active/expiring status. We never see your credit card or bank details; those are handled exclusively by Apple or Google.
3.7 Technical and device data
For operational and security purposes, we automatically collect the device type, operating system version, app version, approximate language / region, and timestamps of certain actions (e.g. login). On Android, we do not collect the advertising ID.
3.8 AI processing (meal recognition)
When you log a meal via photo, voice, or text, the content is sent to Google's Gemini API via our secure backend (a Supabase Edge Function called gemini_handler) for analysis. Google returns an estimate of the meal's ingredients and macronutrients. We do not send your name, email, or coach information to Gemini, only the meal content needed for the analysis. According to Google's terms for the paid Gemini API, your inputs are not used to train their models.
4. Why we process your data (purposes and legal bases)
| Purpose | Legal basis (GDPR / revFADP) |
|---|---|
| Provide the SunCoach service (account, meal logging, sync) | Performance of contract (Art. 6(1)(b) GDPR / Art. 31 revFADP) |
| Process subscription payments | Performance of contract |
| Send service-related notifications (e.g. password reset) | Performance of contract |
| Process health data and meal photos | Your explicit consent (Art. 9(2)(a) GDPR / Art. 6 revFADP) |
| Share data with a coach you link to | Your explicit consent |
| Send marketing emails (only if you opt in) | Your consent |
| Security, abuse prevention, debugging | Legitimate interest (Art. 6(1)(f) GDPR) |
| Comply with legal obligations (e.g. tax records) | Legal obligation (Art. 6(1)(c) GDPR) |
5. Who we share data with (sub-processors)
We use the following service providers to operate SunCoach. Each provider is bound by a Data Processing Agreement and processes your data only on our instructions.
- Supabase, Inc. (USA, with EU data residency available) — database, authentication, file storage, edge functions. supabase.com/privacy
- Google LLC (USA / EU) — AI processing of meal data via the Gemini API. policies.google.com/privacy
- RevenueCat, Inc. (USA) — subscription management. revenuecat.com/privacy
- Apple Inc. (USA) — App Store distribution, in-app purchases on iOS, push notifications.
- Google LLC (Play) (USA) — Play Store distribution, in-app purchases on Android, push notifications, Health Connect.
- Cloudflare, Inc. (USA) — domain registration, DNS, email routing for the suncoach.app domain.
- Vercel, Inc. (USA) — hosting of the marketing website and web app.
We do not sell your personal data, and we do not share it with advertising networks.
6. International data transfers
Some sub-processors listed above are based in the United States. When personal data is transferred outside Switzerland or the EEA, we rely on Standard Contractual Clauses (SCCs) and, where the provider is certified, the EU-U.S. Data Privacy Framework and its Swiss-U.S. extension. Where offered by a provider, we choose EU data residency.
7. How long we keep your data
- Account and profile data: for the lifetime of your account.
- Meal logs, photos, voice notes: for the lifetime of your account.
- Health data: for the lifetime of your account, or until you revoke consent.
- Subscription records: retained as required by Swiss commercial and tax law (typically 10 years).
- Backups: rotating backups are retained by our hosting providers for up to 30 days after deletion.
- Aggregated, anonymized usage data: may be retained indefinitely.
You can delete your account at any time — see Delete your account.
8. Your rights
Under Swiss revFADP and the EU GDPR, you have the right to:
- Access the personal data we hold about you (Art. 25 revFADP / Art. 15 GDPR)
- Have inaccurate data corrected (Art. 32 revFADP / Art. 16 GDPR)
- Have your data deleted (Art. 32 revFADP / Art. 17 GDPR)
- Restrict or object to processing (Art. 18, 21 GDPR)
- Receive your data in a portable format (Art. 28 revFADP / Art. 20 GDPR)
- Withdraw your consent at any time, with future effect
- Lodge a complaint with a supervisory authority — in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU, the data protection authority of your country of residence.
To exercise these rights, email privacy@suncoach.app from the address linked to your account. We will respond within 30 days.
9. Children
SunCoach is not directed at children under 16. We do not knowingly collect data from children under 16 without verifiable parental consent. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Security
We protect your data using industry-standard measures including TLS encryption in transit, encryption at rest on our hosting infrastructure, Row Level Security policies in our database to ensure you can only access your own data, and authentication via salted password hashes. No system is perfectly secure; if you become aware of a security issue, please email legal@suncoach.app.
11. Cookies and tracking
The marketing website (suncoach.app) does not use tracking cookies or analytics that identify you personally. The web app at app.suncoach.app uses essential cookies / local storage to keep you logged in. We do not use third-party advertising or behavioural tracking.
12. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we'll notify you by email (if you have an account) and via an in-app notice. The "Last updated" date at the top reflects the most recent revision.
13. Contact
Questions about this Policy or your data? Email privacy@suncoach.app or write to the postal address above.