Privacy Policy
Protection of your personal data — in accordance with the General Data Protection Regulation (GDPR, EU 2016/679).
1. Data controller
Name: ZEPRAUG & CO
Legal form: SASU with €1,000 share capital, RCS Paris 103 751 970
Registered office: 173 rue de Courcelles, 75017 Paris, France
Legal representative: Louis Langevin (President)
For any request related to your personal data, contact: contact@zepraug.com
2. Data collected
Identity and account data:
Full name, email address, password (encrypted). These data are either provided directly at signup or received from Sign in with Apple or Google Sign-In. In the Google Sign-In case, the only data received from Google are: verified email address, full name, and Google's unique identifier (sub). No profile picture, birthdate, phone number, or contact list is accessed. See section 4-quat for the full Google Sign-In disclosure.
Fitness profile data:
Sport goal, practice level, practice constraints (availability, equipment, preferences), weight, height, waist and hip measurements. These data are entered voluntarily by the user.
Conversations:
The full history of your exchanges with the AI assistant is saved so you can revisit your previous conversations.
Payment data:
Subscriptions are processed exclusively via In-App Purchase (Apple App Store on iOS, Google Play on Android) through RevenueCat. Zepraug stores no card number — only an anonymous customer identifier is kept.
Connection data:
IP address, session data (via Supabase Auth).
3. Legal bases for processing (article 6 GDPR)
Performance of contract (Art. 6.1.b): delivery of the AI coaching service, account and subscription management.
Legitimate interest (Art. 6.1.f): service improvement, security, fraud prevention.
Consent (Art. 6.1.a): processing of fitness profile data (goal, level, practice constraints) for personalization of advice.
4. Subprocessors and recipients
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database | USA (AWS) |
| Google (Gemini API) | AI response generation | USA |
| Google LLC (Google Sign-In OAuth) | OAuth authentication (account creation and login) | USA |
| Resend | Email delivery | USA |
| Vercel | Front-end hosting | USA |
| RevenueCat | iOS / Android subscription management (In-App Purchase) | USA |
| Apple App Store | iOS in-app purchase processing (subscription billing) | USA |
| Google Play Billing | Android in-app purchase processing (subscription billing) | USA |
| Expo Push Service | Push notifications relay to APNs (iOS) and FCM (Android) | USA |
| AssemblyAI | Voice transcription (dictation) | USA |
Your data is never sold or shared for commercial purposes with third parties.
4-quat. Google Sign-In
Zepraug uses Google Sign-In as one of several optional authentication methods (alongside email/password and Sign in with Apple). This section discloses how the application accesses, uses, stores, and shares Google user data, in accordance with the Google API Services User Data Policy and the Google APIs Terms of Service.
Scopes requested (access): openid, email, profile only. No sensitive or restricted scopes are requested. Zepraug never accesses Gmail, Drive, Calendar, Google Fit, Contacts, or any other Google API.
Data received: verified email address, full name, and Google's unique identifier (sub). No profile picture is synchronized from Google — in-app avatars come exclusively from user-uploaded images.
Purpose (use): exclusively to create a Zepraug account or to log in to an existing one. Data received from Google is never used for marketing, profiling, advertising, training AI models, or any other secondary purpose.
Storage: the verified email address and full name are stored in Supabase Auth (auth.users) and mirrored to the public.profiles table at signup. The Google sub identifier is managed inside Supabase Auth and is not duplicated elsewhere. Security measures applied to these data are detailed in section 8.
Sharing: no third-party sharing. Data only transits through the technical subprocessors already listed in section 4 (Supabase for authentication and storage, Vercel for hosting). Never sold, never disclosed to advertisers, never shared for commercial purposes.
Retention: data received from Google Sign-In follow the same retention policy as account data — kept for the duration of the subscription, then 3 years after closure (legal limitation, see section 6).
Deletion: you may delete your account at any time from the in-app account closure flow or by emailing contact@zepraug.com. Account deletion also removes the corresponding Supabase Auth entry (including the Google sub identifier) and erases the Google-derived data.
4-bis. Marketing consent and push notifications
The toggle « Coach communications » in your in-app Profile is the unique opt-in for both marketing emails and push notifications sent by the human coach. It is opt-in only (off by default) and timestamped at activation.
You can disable it at any time. Toggling it off stops all coach push and marketing emails immediately. Transactional notifications (rest day reminder, streak warning) are not gated by this consent and continue to work as long as push notifications are allowed at the OS level.
Push tokens (Expo Push Token) are stored per device in our database and removed when the device unregisters or when our system detects an invalid token (DeviceNotRegistered).
4-ter. Human coach data access (90-day TTL)
Premium + Coach subscribers explicitly grant the human coach access to their fitness data (programs, workout logs, body measurements, conversations) so that personalized advice can be provided. Per GDPR data minimization, this access automatically expires 90 days after activation. You can extend it by 90 days or revoke it at any time from your Profile.
Every access by the coach to your data is logged in an audit trail (action, timestamp) viewable on request via contact@zepraug.com.
5. International transfers
Some of our subprocessors are located in the United States. These transfers are governed by:
- The EU-US Data Privacy Framework (DPF) for certified companies (Google, Apple)
- Standard Contractual Clauses (SCCs) of the European Commission
6. Retention period
Account data: kept for the duration of the subscription, then 3 years after closure (legal limitation).
Chat history: kept for the duration of the subscription. Deleted upon account closure on request.
Google Sign-In data: follow the account data policy (subscription duration + 3 years after closure). See section 4-quat for the full Google user data disclosure.
Payment data: kept by Apple App Store and Google Play according to their own retention policies. Zepraug only retains an anonymous RevenueCat customer identifier.
Connection logs: 12 months maximum.
7. Your rights (articles 15 to 21 of the GDPR)
You have the following rights:
- Right of access — obtain a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure — request deletion of your data
- Right to portability — receive your data in a structured format
- Right to object — object to the processing of your data
- Right to restriction — restrict the processing of your data
To exercise your rights, contact us at: contact@zepraug.com
Response time: 30 days maximum.
In case of difficulty, you may file a complaint with the French data protection authority (CNIL): www.cnil.fr
8. Data security
Your data is protected by encryption in transit (TLS/SSL) and at rest (AES-256 via Supabase). Access to data is strictly restricted and subject to row-level security rules.
9. Note about health data
Zepraug does not collect health data within the meaning of article 9 of the GDPR. Fitness profile information (sport goal, level, practice constraints, weight, waist measurement, hip measurement) is wellness and physical condition data, not medical data. No diagnosis, BMI calculation or medical recommendation is performed.
On the iOS mobile application, Zepraug may read your weight from Apple Health (HealthKit) with your explicit consent, in order to pre-fill measurement tracking. This data is stored only in your Zepraug profile and is not shared with any third party. You can disable this synchronization at any time from your profile.
Zepraug is intended for healthy individuals. If you have a pathology, we invite you to consult your doctor before using the service.
10. Cookies
Zepraug uses the following cookies:
Strictly necessary cookies (consent-exempt — CNIL):
- Authentication cookies (Supabase Auth)
- Session cookies
Analytics and advertising cookies (Google Tag Manager):
Zepraug uses Google Tag Manager with Consent Mode v2. By default, all analytics and advertising cookies are refused (ad_storage, analytics_storage, ad_user_data, ad_personalization). Tags work in degraded mode (statistical modeling) without setting tracking cookies. A consent management banner (CookieYes) is in place to allow users to accept or refuse these cookies.
Last updated: April 2026