Privacy Policy
Last updated: May 27, 2026
This policy describes how AdCoach AI, operated by Fitness Vendor SAS, processes your personal data in accordance with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679).
1. Data Controller
Fitness Vendor SAS
- RCS Cherbourg: 921 713 418
- Share capital: €1,000
- Registered office: 41 Les Bertrands, 50470 Tollevast, France
- Publication director: Nils Mazeaud
- Contact: contact@fitness-vendor.com
2. Platform Role in Data Processing
AdCoach AI processes two categories of data under distinct GDPR roles:
Scope A - User's Meta Advertising Data
For the synchronization and analysis of the User's Meta advertising data (campaigns, insights, leads), AdCoach AI acts as a data processor within the meaning of Article 4.8 of the GDPR. The User (the club) is the data controller. AdCoach AI only accesses this data on the User's instructions (OAuth connection, sync initiation, dashboard viewing).
Scope B - Authentication, Account, and Service Data
For data necessary for the service itself (authentication email, technical logs, billing data), AdCoach AI acts as a data controller within the meaning of Article 4.7 of the GDPR.
Scope C - CRM Imports and Prospect Data
For client contact data imported by the User, AdCoach AI acts as a data processor. The User remains the data controller and is responsible for the lawfulness of imported data. See Article 5.4 below.
3. Data Collected
Account Data (Scope B)
- Professional email address (authentication via magic link)
- Unique Supabase identifier
- Billing data: payment information processed directly by Stripe (Fitness Vendor SAS retains no raw banking data)
Meta Advertising Data (Scope A)
Collected via Meta OAuth after the User's explicit authorization:
- Ad account identifiers, campaigns, ad sets, ads
- Performance data (insights): impressions, clicks, spend, conversions, ROAS
- Ad creatives (headlines, visuals, descriptions)
- Leads (Meta Lead Ads forms): name, email, phone number of the club's prospects
AI Coach Conversations (Scope B)
- Messages exchanged with the AI Coach (plain text of questions and answers)
- Pseudonymized before transmission to the Anthropic API (no direct user identifier is sent to Anthropic)
Imported CRM Data (Scope C)
- Contact files imported by the User: names, emails, phone numbers, subscription data of their clients
Technical Data
- IP addresses, user-agent, login timestamps (security and abuse detection only)
- Error logs (Sentry, with automatic PII scrubbing)
No special category data within the meaning of Article 9 of the GDPR is collected (health data, political opinions, biometric data, etc.).
4. Processing Activity Table
| Purpose | Data Concerned | Legal Basis | Retention Period | Recipients |
|---|---|---|---|---|
| Authentication and account management | Email, identifier | Art. 6.1.b GDPR (contract performance) | Account duration + 30 days | Supabase, Resend |
| Advertising dashboard display | Meta data (campaigns, insights) | Art. 6.1.b GDPR | 365 rolling days | Supabase |
| AI Coach conversations | AI messages (pseudonymized) | Art. 6.1.b GDPR | 90 rolling days | Anthropic (via integrations.fitness-vendor.com) |
| Lead tracking and ROAS calculation | Meta leads, CRM data | Art. 6.1.b GDPR | Account duration + 30 days | Supabase |
| CRM import and LTV analysis | Contacts imported by User | Art. 6.1.b GDPR (processor) | Account duration + 30 days | Supabase |
| Billing and payment | Stripe data (tokenized) | Art. 6.1.b GDPR + Art. 6.1.c (legal obligation) | 10 years (accounting) | Stripe |
| Transactional emails | Email, notification content | Art. 6.1.b GDPR | Account duration | Resend |
| Security and logging | IP logs, user-agent, timestamps | Art. 6.1.f GDPR (legitimate interest) | 12 months | Supabase, Sentry |
| Service improvement (aggregated data) | Irreversibly anonymized data | Art. 6.1.f GDPR (legitimate interest) | Unlimited (anonymous) | Internal only |
5. Specific Processing Activities
5.1. Data Processed via the AI Coach (Anthropic)
The AI Coach is powered by Anthropic's Claude API (United States), accessed via the centralized backend service integrations.fitness-vendor.com. Messages transmitted to Anthropic are pseudonymized: no direct user identifier (email, name, UUID) is included in API requests.
Anthropic commitments:
- Anthropic contractually commits not to use data transmitted via the API to train its AI models (Anthropic Commercial Terms)
- Maximum retention period on Anthropic's side: 30 days per their policies
- Legal framework: Standard Contractual Clauses (SCCs) + EU-US Data Privacy Framework
5.2. CRM Import - Your Clients' Data
When you import a client contact file (CRM), you act as the data controller of that data. AdCoach AI is your data processor for this processing.
By importing data, you declare and warrant that:
- You have a valid GDPR legal basis for this processing
- You have informed data subjects in accordance with Articles 13 and 14 of the GDPR
- You will not import special category data (Article 9 GDPR) without the explicit consent of the data subjects
Imported CRM data is stored on the dedicated AdCoach Supabase project (eu-west-3 Paris region) and is not shared with any third party beyond the listed technical subprocessors.
5.3. Meta Integration - Read Only
AdCoach AI accesses Meta advertising data exclusively in read-only mode via the following OAuth permissions:
- ads_read: read advertising performance
- business_management: read Business Manager and ad accounts
- leads_retrieval: retrieve Lead Ads leads
No Meta data is resold to any third party. Data is exclusively used for display within AdCoach AI for the benefit of the User who owns the account.
Meta data deletion: the User may request deletion of synchronized Meta data at any time by contacting contact@fitness-vendor.com or via Settings - My Data. Deletion occurs within 30 days.
6. Subprocessors and Transfers Outside the EU
| Subprocessor | Service | Location | Transfer Framework |
|---|---|---|---|
| Supabase Inc. | Database, authentication, OAuth token storage | AWS Paris (eu-west-3) - EU | Signed DPA - data in EU (no transfer) |
| Vercel Inc. | Hosting, CDN, serverless functions | Edge cdg1 (Paris, EU) - US HQ | DPA + Standard Contractual Clauses (SCCs) |
| Anthropic, PBC | Claude API (AI Coach) - pseudonymized data | United States | SCCs + EU-US Data Privacy Framework |
| Meta Platforms Ireland Ltd | OAuth + read advertising data | Ireland / United States | SCCs + adequacy (Ireland) |
| Stripe Payments Europe Ltd | Payments, billing | Ireland (Dublin) - EU | DPA + PCI-DSS L1 - EU data |
| Resend Inc. | Transactional emails | United States | DPA + EU-US Data Privacy Framework |
| OVH SAS | DNS | France - EU | EU data (no transfer) |
| Sentry (Functional Software Inc.) | Error monitoring | United States | SCCs + automatic PII scrubbing |
| Upstash Inc. | Redis cache (HMAC nonce 6 min) | United States / EU | SCCs |
| Amazon Web Services | Underlying Supabase infrastructure | EU (eu-west-3 Paris) | SCCs + adequacy |
A consolidated copy of DPAs and Standard Contractual Clauses can be obtained on request to contact@fitness-vendor.com with the subject "AdCoach AI SCCs Request". Response time: 7 business days.
Analytics commitment: AdCoach AI uses no third-party advertising tracking tools (no Google Analytics, no Meta Pixel, no Hotjar, no Microsoft Clarity, no Mixpanel, no Segment). Any audience measurement uses GDPR-compliant cookieless solutions.
7. Retention Periods
| Data | Retention Period |
|---|---|
| Account data (email, identifier) | Account duration + 30 days |
| Daily Meta insights | 365 rolling days |
| Meta OAuth tokens | Until User revocation or Meta expiration (60 days) |
| Meta leads | Account duration + 30 days |
| AI Coach conversations | 90 rolling days |
| Imported CRM data | Account duration + 30 days |
| Technical logs (security) | 12 months |
| Billing data | 10 years (legal accounting obligation) |
| Aggregated anonymized data | Unlimited (no personal data) |
8. Your Rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access (Art. 15): obtain a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate data
- Right to erasure (Art. 17): delete your account from Settings - My Data
- Right to portability (Art. 20): export your data in CSV/JSON format from Settings
- Right to object (Art. 21): object to certain processing based on legitimate interest
- Right to restriction (Art. 18): request restriction of processing
Response deadline: 30 days. Contact: contact@fitness-vendor.com
For requests to exercise rights relating to imported CRM data, contact the club that is the data controller directly.
9. Security
Fitness Vendor SAS implements the following technical and organizational measures in accordance with Article 32 of the GDPR:
- Encryption at rest: Meta OAuth tokens encrypted in Supabase Vault (AES-256)
- Encryption in transit: TLS 1.3 on all communications
- Data isolation: Postgres Row-Level Security (RLS) - each user only accesses their own data
- Authentication: magic link without password, single-use tokens
- Monitoring: Sentry error monitoring with automatic PII scrubbing
- EU hosting: personal data stored in AWS eu-west-3 Paris region
- HMAC nonces: Upstash Redis 6-minute cache to prevent replay attacks
- Restricted access: production data access limited to authorized technical personnel
Data Breach Notification (Articles 33-34 GDPR)
In the event of a personal data breach, Fitness Vendor SAS commits to:
- Notify the CNIL within 72 hours of becoming aware of the breach, pursuant to Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- Notify affected Users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, pursuant to Article 34 of the GDPR;
- Document any breach (facts, effects, corrective measures) in an internal register for potential CNIL audit.
10. AI Act Compliance
Pursuant to Article 50 of Regulation (EU) 2024/1689 (AI Act), AdCoach AI informs its Users that:
- The AI Coach is a generative artificial intelligence system (Claude, Anthropic)
- Responses are generated automatically and may contain errors
- The interface clearly identifies AI-generated content
- A "Report" button allows flagging of any problematic response
11. Cookies
See our dedicated Cookie Policy.
12. Policy Changes
Any material modification to this policy is notified by email at least 30 days before it takes effect. The version in force is always the one published on this site.
13. Complaints
In case of disagreement about how your data is processed, you may contact the supervisory authority in your country. In France: Commission Nationale de l'Informatique et des Libertés (CNIL):
- Website: www.cnil.fr
- Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
- Phone: +33 (0)1 53 73 22 22