Privacy Policy

DrivePhase LLC ("DrivePhase," "Company," "we," "us," or "our"), an Indiana limited liability company, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the DrivePhase mobile application, website, and related services (collectively, the "Service").

This Privacy Policy is incorporated into and subject to our Terms of Service.

1.1 Information You Provide Directly

Account Information:

• Email address (required)
• Name (required)
• Username (required)
• Password (hashed, never stored in plaintext)
• Phone number (optional, for phone authentication)

Profile Information:

• Profile picture (optional)
• Biography (optional)
• Age, height, weight (optional)
• Location/city (optional, user-entered text, not GPS coordinates)
• Sport and athletic background (optional)
• Personal records and goals (optional)

Content You Create:

• Sprint analysis videos
• Video titles, descriptions, notes, and tags
• AI chat conversations and questions
• Nutrition logs (meals, calories, macronutrients)
• Food photos for AI analysis
• Training plans and workout data
• Daily check-ins (sleep, soreness, energy levels)

Payment Information:

• Subscription tier and status
• Payment history (transaction dates, not payment card details)
• Note: We do NOT collect or store credit card numbers, bank account information, or other payment credentials. All payment processing is handled by Apple App Store and Google Play Store.

1.2 Information Collected Automatically

Usage Data:

• Features used and actions taken within the app
• Video upload timestamps and frequency
• AI chat usage (message count, not content stored long-term)
• Analysis results and biomechanical metrics
• Session duration and frequency
• Error logs and crash reports

Device Information:

• Device type and model
• Operating system and version
• App version
• Unique device identifiers (for analytics and fraud prevention)
• IP address (for security and rate limiting, not precise geolocation)

Performance Metrics (derived from your videos):

• Sprint velocity and acceleration curves
• Biomechanical angles (hip, shin, torso lean)
• Ground contact times
• Phase detection data (drive, acceleration, max velocity, deceleration)
• Performance trends over time

1.3 Information from Third Parties

Authentication Providers:

• If you sign in via Google or Apple, we receive your name, email, and profile picture as authorized by you

AI Service Providers:

• AI-generated analysis results and feedback
• Nutrition recognition results from food photos

1.4 Sensitive Information

We may collect the following categories of sensitive information with your consent:

Health-Related Data:

• Physical attributes (height, weight, age)
• Training load and recovery metrics
• Sleep quality and duration
• Soreness and energy levels
• Nutrition and dietary information

Biometric-Derived Data:

• Biomechanical analysis derived from video (not biometric identifiers)

Note: We do NOT collect biometric identifiers (fingerprints, facial recognition data for identification), genetic information, or medical records.

2.1 To Provide the Service

• Create and manage your account
• Process and analyze your sprint videos using AI and computer vision
• Generate coaching feedback and performance insights
• Provide AI chat coaching responses
• Track nutrition and generate dietary insights
• Create and manage training plans
• Process subscription payments

2.2 To Improve the Service

• Train and improve our proprietary AI models using anonymized data
• Analyze usage patterns to enhance features
• Identify and fix bugs and performance issues
• Develop new features and capabilities
• Conduct internal research and analytics

2.3 To Communicate with You

• Send service-related notifications (account security, feature updates)
• Respond to your support requests and inquiries
• Send subscription and billing notifications
• Notify you of material changes to our Terms or Privacy Policy

2.4 For Safety and Security

• Detect, prevent, and respond to fraud and abuse
• Enforce our Terms of Service and Community Guidelines
• Moderate content and investigate policy violations
• Protect against security threats and unauthorized access
• Rate limit API requests to prevent abuse

2.5 For Legal Compliance

• Comply with applicable laws and regulations
• Respond to legal process (subpoenas, court orders)
• Protect our legal rights and interests
• Cooperate with law enforcement when legally required

2.6 With Your Consent

• Marketing communications (only with opt-in consent)
• Participation in surveys or research studies
• Any other purpose for which we obtain your explicit consent

3.1 Data Visibility

Your data is private by default. We do not share your personal information, videos, or analysis results with other users unless you explicitly choose to export or share them outside the platform.

3.2 With Service Providers

We share data with third-party service providers who assist us in operating the Service. These providers are contractually bound to protect your data and use it only for the purposes we specify.

3.3 For Legal Purposes

We may disclose your information when we believe it is necessary to:

• Comply with applicable law, regulation, or legal process
• Respond to lawful requests from government authorities
• Enforce our Terms of Service or protect our rights
• Investigate potential violations of our policies
• Protect the safety of our users, employees, or the public
• Prevent fraud, security threats, or illegal activity

3.4 Business Transfers

If DrivePhase LLC is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.

3.5 Aggregated and De-Identified Data

We may share aggregated or de-identified data that cannot reasonably be used to identify you for any purpose, including research, marketing, and analytics.

3.6 What We Do NOT Share

• We do NOT sell your personal information to third parties
• We do NOT share your data with advertisers for targeted advertising
• We do NOT provide data brokers access to your information
• We do NOT share your content publicly without your consent

4.1 Cloud Infrastructure and Storage

Supabase

• Purpose: Database hosting, user authentication, file storage
• Data shared: Account information, user content, authentication credentials
• Location: United States

Google Cloud Platform

• Purpose: Backend API hosting, video processing
• Data shared: Videos (temporarily for processing), API requests
• Location: United States (us-central1)

4.2 AI and Machine Learning Services

OpenAI

• Purpose: AI chat responses, coaching feedback, food photo recognition
• Data shared: Chat messages, sprint metrics context, food photos
• Data retention: Per OpenAI's data usage policies
• Note: OpenAI may use data to improve their services unless you opt out via OpenAI's policies

Anthropic (Backup Provider)

• Purpose: Backup AI provider for chat when OpenAI is unavailable
• Data shared: Chat messages (only when used as fallback)

MediaPipe (Google)

• Purpose: Pose estimation for biomechanical analysis
• Data shared: None — MediaPipe runs locally on our backend servers
• Note: Video frames are processed locally; no data is sent to Google

4.3 Nutrition Data APIs

FatSecret Platform API

• Purpose: Nutrition database lookups, barcode scanning
• Data shared: Food search queries, barcode numbers (no user identifiers)

USDA FoodData Central

• Purpose: Food composition data for whole foods
• Data shared: Food search queries (no user identifiers)
• Note: Public government API, no privacy policy required

Open Food Facts

• Purpose: Community nutrition database for packaged foods
• Data shared: Barcode lookups (no user identifiers)

4.4 Payment Processing

Apple App Store

• Purpose: iOS subscription payments
• Data shared: Subscription status (not payment details)

Google Play Store

• Purpose: Android subscription payments
• Data shared: Subscription status (not payment details)

4.5 Analytics

Note: DrivePhase does NOT use third-party analytics services such as Firebase Analytics, Google Analytics, Amplitude, Mixpanel, or similar services. All analytics are performed internally using first-party data only.

5.1 Active Accounts

We retain your data for as long as your account is active and as necessary to provide the Service.

5.2 Video Archival

To manage storage costs, videos may be archived after periods of inactivity:

• Free tier: Videos may be archived after 30 days of inactivity
• Pro tier: Videos may be archived after 90 days of inactivity
• Archived videos: Video file is deleted; analysis metrics are preserved
• Notification: You will receive notice before archival

5.3 Deleted Accounts

Upon account deletion:

5.4 Legal Retention Requirements

We may retain certain data longer if required by:

• Applicable law or regulation
• Legal proceedings or government requests
• Dispute resolution or fraud prevention
• Enforcement of our Terms of Service

6.1 Technical Safeguards

Encryption:

• Data in transit: TLS 1.2+ encryption for all network communications
• Data at rest: AES-256 encryption for databases and file storage
• Passwords: Bcrypt hashing (never stored in plaintext)

Access Controls:

• Role-based access control (RBAC) for internal systems
• Multi-factor authentication for administrative access
• Principle of least privilege for employee access
• Regular access reviews and audits

Infrastructure Security:

• Cloud infrastructure with SOC 2 compliance (Supabase, Google Cloud)
• Regular security patching and updates
• Network segmentation and firewalls
• DDoS protection

6.2 Operational Safeguards

• Security awareness training for employees
• Incident response procedures
• Regular security assessments
• Vulnerability scanning and penetration testing

6.3 Monitoring and Detection

• Automated threat detection and alerting
• Logging of security-relevant events
• Anomaly detection for suspicious activity
• Rate limiting to prevent abuse

6.4 Limitations

No system is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. You are responsible for:

• Maintaining the confidentiality of your password
• Using strong, unique passwords
• Notifying us immediately of any unauthorized access
• Keeping your device and app updated

6.5 Security Incident Response

In the event of a data breach affecting your personal information, we will:

• Notify affected users within 72 hours (or as required by law)
• Notify relevant regulatory authorities as required
• Provide information about the breach and steps to protect yourself
• Take immediate action to mitigate harm

7.1 Access Your Data

You have the right to access your personal information:

• View your profile, videos, messages, and settings within the app
• Request a copy of your data by emailing support@drivephase.com
• We will provide your data in a machine-readable format within 30 days

7.2 Correct Your Data

You can update or correct your information:

• Edit your profile directly in the app
• Contact support for assistance with data corrections

7.3 Delete Your Data

You can request deletion of your data:

• Delete your account: Settings > Account > Delete Account
• Email support@drivephase.com with a deletion request
• Deletion will be completed within 30 days

Note: Some data may be retained for legal compliance, dispute resolution, or fraud prevention.

7.4 Data Portability

You can request a portable copy of your data:

• Email support@drivephase.com with "Data Export Request"
• We will provide your data in JSON or CSV format within 30 days

7.5 Restrict Processing

You can request that we limit how we use your data:

• Opt out of marketing communications
• Opt out of AI training contribution
• Adjust privacy settings in the app

7.6 Object to Processing

You can object to certain data processing activities:

• Legitimate interest processing
• Direct marketing
• Automated decision-making

7.7 Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time:

• Withdrawal does not affect prior lawful processing
• Some features may become unavailable without consent

7.8 Privacy Settings

Control your privacy in Settings > Privacy:

• Analytics opt-out
• Marketing opt-out

7.9 Do Not Track

We do not currently respond to "Do Not Track" browser signals. This may change as industry standards develop.

8.1 Age Requirements

• Minimum age: Users must be at least 13 years old
• Parental consent: Users 13–17 must have parental or guardian consent
• COPPA compliance: We comply with the Children's Online Privacy Protection Act

8.2 Information from Children

We do not knowingly collect personal information from children under 13 without verifiable parental consent. If we discover such collection has occurred, we will promptly delete the information.

8.3 Parental Rights

Parents and guardians of users under 18 have the right to:

• Review their child's personal information
• Request correction of their child's data
• Request deletion of their child's account and data
• Consent to or refuse collection of their child's data

8.4 How to Exercise Parental Rights

To exercise parental rights, email support@drivephase.com with:

• Your name and contact information
• Your child's name and account email
• Proof of your relationship to the child
• The specific request (access, correction, or deletion)

We will respond within 30 days.

8.5 Parental Guidance

We recommend that parents:

• Review their child's use of the app
• Discuss appropriate use of AI coaching features
• Monitor nutrition tracking if used by young athletes

9.1 Data Location

DrivePhase LLC is based in the United States. Your data may be stored and processed in:

• United States (primary)
• Other countries where our service providers operate

9.2 Transfer Mechanisms

For transfers outside your jurisdiction, we rely on:

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Data processing agreements with service providers
• Adequacy decisions where applicable

9.3 Your Consent

By using DrivePhase, you consent to the transfer of your data to the United States and other countries that may have different data protection laws than your jurisdiction.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

10.1 Right to Know

You have the right to know:

• Categories of personal information collected
• Sources of personal information
• Business purposes for collection
• Categories of third parties with whom we share data
• Specific pieces of personal information collected

10.2 Right to Delete

You can request deletion of your personal information, subject to certain exceptions (legal obligations, security, etc.).

10.3 Right to Correct

You can request correction of inaccurate personal information.

10.4 Right to Opt-Out of Sale/Sharing

We do NOT sell your personal information. We do not share personal information for cross-context behavioral advertising.

10.5 Right to Limit Use of Sensitive Information

You can limit our use of sensitive personal information to what is necessary to provide the Service.

10.6 Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

10.7 Categories of Information Collected

10.8 How to Exercise Rights

Submit a request:

• Email: support@drivephase.com
• Subject: "California Privacy Request"

Verification:

We will verify your identity before processing requests. You may be asked to confirm account information.

Response time:

We will respond within 45 days (may be extended by 45 days with notice).

Authorized agents:

You may designate an authorized agent to submit requests on your behalf with written authorization.

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent laws.

11.1 Legal Basis for Processing

We process your data based on the following legal bases:

11.2 Your Rights Under GDPR

• Right of access: Request a copy of your personal data
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion ("right to be forgotten")
• Right to restrict processing: Limit how we use your data
• Right to data portability: Receive your data in a portable format
• Right to object: Object to processing based on legitimate interest
• Rights related to automated decision-making: Object to purely automated decisions with legal effects

11.3 How to Exercise Rights

Submit a request:

• Email: support@drivephase.com
• Subject: "GDPR Privacy Request"

Response time:

We will respond within 30 days (may be extended by 60 days for complex requests).

11.4 Data Protection Inquiries

For data protection inquiries:

• Email: support@drivephase.com

11.5 Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

11.6 International Transfers

Transfers from the EEA to the United States are conducted under Standard Contractual Clauses approved by the European Commission.

12.1 Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

12.2 Notification

Material changes: We will notify you via email and/or in-app notification at least 30 days before material changes take effect.

Non-material changes: Will be reflected in the "Last Updated" date.

12.3 Your Acceptance

Your continued use of DrivePhase after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree, you should stop using the Service.

12.4 Version History

• Version 2.0 (March 19, 2026): Comprehensive update for DrivePhase LLC
• Version 1.0 (January 1, 2025): Initial release

13.1 General Privacy Inquiries

• Email: support@drivephase.com
• Subject: Privacy Inquiry
• Response time: Within 5 business days

13.2 Data Requests

• Email: support@drivephase.com
• Subject: "Data Access Request" / "Data Deletion Request" / "Data Export Request"
• Include: Your name and email associated with your account
• Response time: Within 30 days

13.3 Data Protection Inquiries

• Email: support@drivephase.com

13.4 Security Issues

• Email: support@drivephase.com
• Subject: Security Vulnerability / Suspicious Activity
• Response time: Within 24 hours for security issues

13.5 Mailing Address

DrivePhase LLC
Attn: Privacy Team
United States

13.6 Website

https://drivephaseai.com