Privacy Policy
Sensei AI ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR), the ePrivacy Directive, and applicable Irish data protection law. It also covers our disclosures under the EU AI Act.
1. Who We Are (Data Controller)
- Company: Sensei AI
- Country: Ireland
- Privacy contact: privacy@senseiai.ai
- Security contact: security@senseiai.ai
2. Data We Collect
| Category | Data | Source |
|---|---|---|
| Account | Email address, hashed password, account creation date, last active timestamp | You provide at signup |
| Profile | Display name, skill level, disciplines (Muay Thai, BJJ, Boxing, MMA, Wrestling, etc.), primary sport, stance, training goals, injuries, weight/height, age band, gender (optional), training frequency, competition level | You provide during onboarding and Fighter Profile |
| Coaching | Chat messages sent to and received from the AI coach; conversation history; session summaries | Created during use |
| Fight IQ | AI-generated Fight IQ scores across six skill dimensions; score history; drill prescriptions and completion status | Generated by the AI during sessions |
| Video | Training videos you upload (sparring, technique, opponent analysis); pose-and-motion data the system derives from those videos (joint angles, strike counts, biomechanical metrics) | You provide via upload |
| Biometric (special category) | If you connect a Whoop wearable: heart rate, heart-rate variability, sleep duration and stages, recovery score, daily strain, cycle/workout summaries. Treated as data concerning health under GDPR Article 9. | Whoop API (with your explicit consent) |
| Payment | Stripe customer ID, subscription tier, subscription status. We do not store card numbers — Stripe processes those directly on their own infrastructure. | Created when you subscribe |
| Analytics | Product events (page views, feature usage, session counts), session recordings, and heatmaps — sent to PostHog. Only collected with your explicit consent. | Collected during use, consent required |
| Consent & preferences | Record of analytics consent (granted / withdrawn), date, compliance version accepted, marketing consent (granted / withdrawn), Whoop biometric consent | Captured at onboarding, settings, and connection flows |
| Technical | IP address (rate-limiting and abuse prevention only), session cookies (authentication), browser and device type, error logs | Automatically via web server |
3. Why We Process Your Data (Legal Bases)
| Purpose | Legal Basis (GDPR Art. 6 / 9) |
|---|---|
| Creating and managing your account; authenticating you | Contract performance — Art. 6(1)(b) |
| Delivering AI coaching sessions and video analysis | Contract performance — Art. 6(1)(b) |
| Generating and storing Fight IQ scores and progress history | Contract performance — Art. 6(1)(b) |
| Processing biometric data from Whoop (sleep, HRV, strain, recovery) | Explicit consent — Art. 9(2)(a) |
| Sending product analytics events and session recordings to PostHog | Consent — Art. 6(1)(a) |
| Sending marketing emails about new features | Consent — Art. 6(1)(a) (you can withdraw any time) |
| Sending transactional emails (password reset, subscription receipts) | Contract performance — Art. 6(1)(b) |
| Processing payments via Stripe | Contract performance — Art. 6(1)(b) |
| Preventing fraud, abuse, and rate-limiting | Legitimate interests — Art. 6(1)(f) |
| Responding to support and rights requests | Legitimate interests + legal obligation — Art. 6(1)(f), (c) |
| Complying with legal, accounting, and tax obligations | Legal obligation — Art. 6(1)(c) |
4. Biometric & Health Data (Special Category, GDPR Article 9)
- What we receive: Sleep duration and stages, heart-rate variability (HRV), resting heart rate, recovery score, daily strain, cycle summaries.
- Why: To personalise your coaching, periodise training load, surface overtraining risk, and unlock conditioning features tied to your physiological readiness.
- Legal basis: Your explicit consent under Art. 9(2)(a). We show a dedicated consent screen before initiating the Whoop OAuth flow; you must affirmatively agree.
- Withdrawal: You can disconnect Whoop in Settings at any time. Disconnecting stops further sync immediately. We delete previously synced biometric events on account deletion or on request to privacy@senseiai.ai.
- Encryption at rest: Your Whoop OAuth tokens are encrypted with per-token AES-256-GCM (each token has its own initialisation vector) before storage. The key is held in Google Secret Manager and rotated independently of the database.
- No third-party sharing: Biometric data is processed only by Sensei AI to deliver the service. It is never sold, shared with advertisers, or used to train external AI models.
- Not medical advice: Biometric-informed coaching is for athletic training only. It is not a clinical assessment and does not replace medical advice.
5. Video & Pose Data
When you upload a training video, the following happens:
- The file is transmitted directly from your browser to encrypted EU-region Google Cloud Storage using a single-use signed URL.
- The backend extracts pose-and-motion data (joint angles over time, biomechanical metrics, strike counts) and a short AI-generated coaching summary.
- If a partner is visible in the frame, automated face detection blurs their face before any visible analysis output is rendered. This is a safeguard, not a guarantee — do not film identifiable third parties without their consent.
- Pose-and-motion data is associated with your Fight IQ history so the system can track your progress over time.
- Source video retention: the original uploaded file is retained in encrypted EU-region storage for up to 90 days, then automatically deleted. This window lets us re-process the file if the analysis pipeline is improved, fix issues you report, and honour data-portability requests. You can request earlier deletion at any time by emailing privacy@senseiai.ai or by deleting your account.
- The derived pose/motion data and AI coaching summary are retained while your account is active and deleted on account deletion.
6. AI Processing Disclosure (EU AI Act)
- AI system classification: Limited Risk — AI system that interacts with natural persons (Art. 50 EU AI Act).
- Underlying models: OpenAI GPT family (large language model, operated by OpenAI, L.L.C.) and Google MediaPipe (on-device pose estimation, run inside our own infrastructure).
- Purpose: Sports coaching, technique instruction, video analysis, and skill assessment for combat sports training.
- Fight IQ scores: AI-generated educational indicators based on your conversations and video. They are not clinical assessments, certifications, or qualified coaching credentials.
- Human oversight: Coaching responses are generated by AI and not reviewed by a human coach before delivery. The AI may make mistakes. Always exercise your own judgment in physical training and seek qualified in-person coaching for technique correction, sparring safety, and competition preparation.
- Training opt-out: Our OpenAI API account has the "share data to improve our models" setting disabled. Your conversations and uploaded video content are not used to train OpenAI's general models.
- Not a substitute: Sensei AI does not replace in-person coaching, medical advice, physiotherapy, or qualified instruction.
7. Third-Party Processors
| Processor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase | Database — accounts, conversations, scores, profiles | EU | DPA, SOC 2 Type II |
| Google Cloud Run | Application hosting and compute | EU (europe-west1, Belgium) | DPA, ISO 27001, ISO 27018 |
| Google Cloud Storage | Encrypted video and asset storage | EU (multi-region) | DPA, encryption at rest, signed-URL access |
| OpenAI, L.L.C. | AI coaching responses (LLM inference) | USA | Standard Contractual Clauses (SCCs); OpenAI DPA; training opt-out enabled |
| PostHog | Product analytics, session recordings, heatmaps — consent required | EU (Frankfurt) | DPA, EU-resident ingest and storage |
| Sentry | Error and exception tracking | EU (Frankfurt) | DPA, EU-resident ingest and storage |
| Stripe | Payment processing, subscription management | Stripe Payments Europe Ltd (Ireland) for EU customers; some processing in USA | SCCs, PCI-DSS Level 1, Stripe DPA |
| Resend | Transactional email (password reset, notifications) | USA | SCCs, Resend DPA |
| Whoop | Biometric data source — only if you connect | USA | SCCs, OAuth consent flow, encrypted token storage |
We keep a current Record of Processing Activities (RoPA) under GDPR Art. 30. You can request a summary at privacy@senseiai.ai.
8. International Transfers
Where personal data is transferred to processors outside the European Economic Area (OpenAI, Resend, Whoop, and in part Stripe), we rely on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism in compliance with GDPR Chapter V, supplemented by technical measures (encryption in transit and at rest, data minimisation in API payloads, and pseudonymisation where feasible).
9. Data Retention
- Account & profile: Retained while your account is active. Deleted within 30 days of account deletion request.
- Coaching conversations & Fight IQ history: Retained while your account is active to enable coaching continuity and progress tracking. Deleted with the account.
- Uploaded video files: Retained in encrypted EU-region storage for up to 90 days from upload, then automatically deleted. Earlier deletion on request.
- Derived pose/motion data: Retained while account is active; deleted with account.
- Biometric data (Whoop): Retained while connection is active and account is active. Disconnecting Whoop preserves historical data for trend analysis; full deletion happens on account deletion or by request to privacy@senseiai.ai.
- Payment records: Subscription and invoice records retained for 7 years to satisfy Irish tax and accounting law (Stripe holds the card data and follows its own retention practices).
- Analytics events (PostHog): Up to 12 months from collection. Session recordings: 30 days. Only collected with consent.
- Session cookies: Expire when the session ends or after 7 days of inactivity.
- Server logs & IP addresses: Up to 30 days for rate-limiting, abuse prevention, and security, then deleted.
- Consent records: Retained for the lifetime of the account plus 3 years after deletion as evidence of lawful processing under Art. 7(1).
10. Your Rights (GDPR)
As a data subject in the European Union, you have the following rights:
- Right of Access (Art. 15): Request a copy of all data we hold about you — use "Export my data" in Settings or email privacy@senseiai.ai.
- Right to Erasure (Art. 17): Delete your account and all associated data — use "Delete my account" in Settings. Processed within 30 days, with a confirmation email when complete.
- Right to Rectification (Art. 16): Correct inaccurate data — most fields are editable in Settings; otherwise email privacy@senseiai.ai.
- Right to Data Portability (Art. 20): Download your data in JSON via "Export my data" in Settings.
- Right to Object (Art. 21): Object to processing based on legitimate interests — contact us.
- Right to Restrict Processing (Art. 18): Ask us to pause processing in specific circumstances — contact us.
- Right to Withdraw Consent (Art. 7(3)): Change analytics, marketing, or biometric consent at any time in Settings. Withdrawal does not affect processing that already occurred lawfully.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the Data Protection Commission (DPC) of Ireland: dataprotection.ie.
We respond to all rights requests within 30 days (Art. 12 deadline). If a request is complex, we may extend this by up to two months and will tell you why.
11. Children and Age Minimum
Sensei AI is not intended for children under 16. Under the Irish Data Protection Act 2018 (s. 31), 16 is the digital age of consent. We require users to confirm they are 16 or older at registration. If we become aware that a user is under 16, we will delete their account and data promptly. Contact privacy@senseiai.ai if you believe a child has registered.
12. Security
We implement appropriate technical and organisational measures, including:
- All data in transit encrypted via TLS 1.2+
- Passwords hashed using bcrypt via Supabase Auth — we never store plaintext passwords
- Authentication tokens stored in HttpOnly, Secure, SameSite=Lax cookies
- Whoop OAuth tokens encrypted with per-token AES-256-GCM before storage; encryption key held in Google Secret Manager
- Database access via service-role key, never exposed to the client
- Application-layer authorisation on every endpoint; payment-tier and counter fields are not user-writable
- Rate limiting on authentication and chat endpoints
- Production access restricted to authorised personnel; secrets held in Google Secret Manager
- Error tracking and intrusion detection via Sentry (EU-resident)
No system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to security@senseiai.ai.
13. Data Breach Notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Data Protection Commission of Ireland within 72 hours of becoming aware of it (Art. 33), and
- Notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Art. 34).
We maintain an internal breach response playbook and log every incident, regardless of severity, in our breach register.
14. Automated Decision-Making
Fight IQ scores and AI coaching responses are generated by automated systems. They do not produce legal effects or similarly significant effects on you within the meaning of GDPR Art. 22. You can request human review or contest any AI output by emailing privacy@senseiai.ai.
15. Changes to This Policy
We may update this policy as the service evolves. We will notify you of material changes via the app's onboarding compliance screen and/or by email. The version number and effective date at the top of this page will be updated. Continued use after 30 days' notice constitutes acceptance of the updated policy.
16. Contact
- Privacy: privacy@senseiai.ai
- Security: security@senseiai.ai
- Supervisory authority: Data Protection Commission of Ireland — dataprotection.ie