Privacy Policy
Sensei AI ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable Irish data protection law.
1. Who We Are (Data Controller)
The data controller for Sensei AI is:
- Company: Sensei AI
- Country: Ireland
- Contact: privacy@senseiai.ai
2. Data We Collect
| Category | Data | Source |
|---|---|---|
| Account | Email address, hashed password, account creation date | You provide at signup |
| Profile | Skill level, discipline (Muay Thai / BJJ / MMA / Wrestling), training goals | You provide during onboarding |
| Coaching | Chat messages sent to and received from the AI coach; conversation history | Created during use |
| Fight IQ | AI-generated Fight IQ scores across 6 skill dimensions; score history | Generated by AI during sessions |
| Analytics | Events (page views, feature usage, session counts) sent to Mixpanel — only if you consent | Collected during use, consent required |
| Consent | Record of analytics consent (yes/no), date, compliance version accepted | Captured at onboarding and settings |
| Technical | IP address (used only for rate-limiting and abuse prevention), session cookies (authentication), browser/device type | Automatically via web server |
We do not collect biometric data, payment card details, or sensitive special-category data as defined under GDPR Article 9.
3. Why We Process Your Data (Legal Bases)
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b)) |
| Delivering AI coaching sessions | Contract performance (Art. 6(1)(b)) |
| Generating and storing Fight IQ scores | Contract performance (Art. 6(1)(b)) |
| Preventing fraud and rate-limiting abuse | Legitimate interests (Art. 6(1)(f)) |
| Analytics and product improvement via Mixpanel | Consent (Art. 6(1)(a)) |
| Responding to your support requests | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. AI Processing Disclosure (EU AI Act)
- AI System Classification: Limited Risk — AI system that interacts with humans (Art. 50 EU AI Act)
- Underlying Model: OpenAI GPT (ChatGPT), operated by OpenAI, Inc., USA
- Purpose: Sports coaching, technique instruction, and skill assessment for martial arts training
- Fight IQ Scores: These are AI-generated assessments based on your conversations. They are educational indicators only — not clinical assessments, medical diagnoses, or certified coaching credentials
- Human Oversight: Coaching responses are not reviewed by human coaches before delivery. The AI may make errors. Always exercise personal judgment in physical training
- Not a Substitute: Sensei AI does not replace in-person coaching, medical advice, or qualified instruction
5. Third-Party Processors
| Processor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase | Database — stores accounts, conversations, scores | EU (West Europe) | DPA, SOC 2 |
| OpenAI, Inc. | AI coaching — chat messages sent for processing | USA | Standard Contractual Clauses (SCCs); OpenAI DPA |
| Google Cloud Run | Application hosting | EU (europe-west1, Belgium) | DPA, ISO 27001 |
| Mixpanel | Analytics — consent required | USA | SCCs; Mixpanel DPA |
| Resend | Transactional email (password reset) | USA | SCCs; Resend DPA |
Your coaching messages are transmitted to OpenAI for AI response generation. OpenAI's data retention and processing practices are governed by their Privacy Policy and our Data Processing Agreement with them.
6. Data Retention
- Account & Profile data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Coaching conversations: Retained while your account is active to enable coaching continuity and Fight IQ scoring. Deleted with account. Copies of messages transmitted to OpenAI for response generation are retained according to OpenAI's Privacy Policy and our Data Processing Agreement with them (see Section 5).
- Fight IQ history: Retained while account is active. Deleted with account.
- Analytics events (Mixpanel): Retained per Mixpanel's standard retention (90 days for events). Only collected with consent.
- Session cookies: Expire when session ends or after 7 days of inactivity.
- Server logs / IP: Retained for up to 30 days for rate-limiting and security, then deleted.
7. Your Rights (GDPR)
As a data subject under GDPR, you have the following rights:
- Right of Access (Art. 15): Request a copy of all data we hold about you — use the "Export my data" button in Settings or email privacy@senseiai.ai.
- Right to Erasure (Art. 17): Delete your account and all associated data — use "Delete my account" in Settings. Processed within 30 days.
- Right to Rectification (Art. 16): Correct inaccurate data — contact privacy@senseiai.ai.
- Right to Data Portability (Art. 20): Download your data in JSON format via "Export my data" in Settings.
- Right to Object (Art. 21): Object to processing based on legitimate interests — contact us.
- Right to Withdraw Consent: Change analytics consent at any time via "Cookie & analytics settings" in Settings.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the Data Protection Commission (DPC) of Ireland: dataprotection.ie.
8. Children and Age Minimum
Sensei AI is not intended for children under 16. We require users to confirm they are 16 or older at registration. If we become aware that a user is under 16, we will delete their account and data promptly. Contact privacy@senseiai.ai if you believe a child has registered.
9. Security
We implement the following technical and organisational measures:
- All data in transit encrypted via TLS 1.2+
- Passwords hashed using bcrypt via Supabase Auth — we never store plaintext passwords
- Authentication tokens stored in HttpOnly, Secure, SameSite=Lax cookies
- Database access from the application uses the Supabase service-role key, which is held server-side only and is never exposed to the client
- Rate limiting on all authentication endpoints, keyed on IP address (see Section 2)
- Access to production systems restricted to authorised personnel only
No system is completely secure. If you discover a security vulnerability, please report it to security@senseiai.ai so that we can address it before it is disclosed publicly.
10. International Transfers
Your data is processed in the EU (Supabase, Google Cloud) where possible. Where transfers occur to the USA (OpenAI, Mixpanel, Resend), we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism in compliance with GDPR Chapter V.
11. Changes to This Policy
We may update this policy. Material changes will be notified via the app's onboarding compliance screen or by email. The effective date at the top of this page will be updated. Your continued use after 30 days' notice constitutes acceptance.
12. Contact Us
For any privacy questions, data requests, or complaints:
- Email: privacy@senseiai.ai
- Response time: We aim to respond within one month of receiving your request, the deadline set by GDPR Art. 12(3).