Privacy Policy

Y Performance ("we," "us," or "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use and share it, and the choices you have. It applies to our web application and any related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Service.

2.1 Information You Provide Directly

• Account information: name, email address, password (hashed), and role (coach or athlete) when you register.
• Profile information: any updates you make to your profile, such as a display name or contact details.
• Training content (coaches): programs, phases, weeks, training days, exercise blocks, exercise descriptions, and associated notes you create.
• Workout logs (athletes): completed sets, reps, weight, RPE (rate of perceived exertion), and timestamps you record during workouts.
• Communications: messages or support inquiries you send us.

2.2 Information Collected Automatically

• Usage data: pages visited, features used, session duration, and interactions within the Service.
• Device and log data: IP address, browser type and version, operating system, referring URLs, and error logs.
• Cookies and local storage: session tokens and preference data (see Section 8).

2.3 Files You Upload

• Exercise videos: coaches may upload short demonstration videos (mp4/m4v/mov/webm, up to 45MB). Videos are stored in Microsoft Azure Blob Storage and served back to athletes via short-lived signed URLs.
• AI program source files: when you use the AI program-import feature, the file you upload (PDF, image, spreadsheet, CSV, or text) is sent to a third-party AI provider for parsing and is also mirrored to Azure Blob Storage as a backup so the original source remains recoverable.

2.4 Information We Do Not Collect

We do not collect payment card numbers directly (payments, if any, are processed by third-party providers). We do not collect biometric data, medical records, or any sensitive health information beyond the voluntary workout metrics you log.

The AI program-import feature sends the contents of files you upload to a third-party AI service provider (currently OpenAI, Anthropic, or an OpenAI-compatible regional provider, depending on configuration) so it can parse the file into a structured training program draft. Only the file content and minimal metadata (file name, MIME type, requested locale) are sent. We do not send your account email, name, or password to AI providers.

AI provider APIs are bound by their own privacy and data-retention policies. We use providers under enterprise terms that contractually prohibit using your data to train their public models, where such terms are available.

If you do not want your content processed by an AI provider, do not use the AI import feature — you can still build programs manually.

We use the information we collect to:

• Create and maintain your account and authenticate your identity
• Deliver the core Service — enabling coaches to build programs and athletes to execute them
• Provide workout history, progress analytics, and performance dashboards
• Send transactional emails (account confirmation, password reset) and, where permitted, service-related communications
• Respond to support requests and resolve technical issues
• Monitor and improve platform security, stability, and performance
• Comply with applicable legal obligations
• Aggregate and anonymize data for internal analytics (no individual is identifiable)

We do not use your personal information for automated decision-making that produces legal or similarly significant effects without human review.

If you are located in the European Economic Area or United Kingdom, we process your data under the following legal bases:

• Contract performance: processing necessary to provide the Service you signed up for.
• Legitimate interests: fraud prevention, security, and improving the Service — balanced against your rights.
• Consent: where we ask for consent (e.g., optional marketing communications), you may withdraw it at any time.
• Legal obligation: where we are required to process data by law.

We do not sell your personal information. We may share data in the following circumstances:

• Between coaches and athletes: a coach can see the workout logs of athletes enrolled in their programs; athletes can see the programs assigned to them.
• Service providers: trusted third parties who assist us in operating the Service (cloud hosting, email delivery, error tracking) under confidentiality obligations and data processing agreements.
• Legal requirements: when required by law, court order, or governmental authority, or to protect the rights, property, or safety of Y Performance, our users, or the public.
• Business transfers: in connection with a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is subject to a materially different privacy policy.

Any third-party service providers are contractually required to use your data only as directed by us and to maintain appropriate security measures.

We use Microsoft Clarity, an analytics service provided by Microsoft Corporation, to understand how users navigate the Service. Clarity records session replays and click / scroll heatmaps so we can identify UI friction and reproduce reported bugs.

What Clarity collects

• Pages visited within the Service
• Mouse / touch positions, click events, scroll depth, and viewport size
• Device type, browser, and operating system
• An anonymous Clarity-issued session identifier (not linked to your account email)

What Clarity does not collect (masked at capture)

• Text typed into form fields including passwords, athlete names, and workout notes
• Image and video content rendered in the page

Recipient and location: Microsoft Corporation, United States.

Retention by processor: Clarity retains processed session data for up to 13 months.

For users in mainland China: data captured by Clarity is transferred from China to Microsoft servers in the United States. By continuing to use the Service after the effective date above you provide separate consent to this cross-border transfer, as required by Article 38 of the Personal Information Protection Law (PIPL). You may withdraw this consent at any time by emailing y-performance-support@corevinus.com; we will exclude your user ID from Clarity collection going forward.

For users in Australia: Clarity is an overseas recipient under Australian Privacy Principle 8. We remain accountable under the Privacy Act 1988 (Cth) for the handling of your information by Microsoft.

For users in California: we do not sell personal information collected by Clarity, and we do not share it for cross-context behavioral advertising. The Clarity session identifier is used solely for product analytics.

中文摘要：我们使用 Microsoft Clarity（境外接收方：Microsoft Corporation，美国）记录会话回放与热图，用于产品体验分析。采集内容包括访问页面、点击位置、设备信息与匿名会话标识符；表单文本（密码、运动员姓名、训练记录）与图片视频内容在采集时即被遮蔽。Clarity 保存期最长 13 个月。中国大陆用户请注意：相关数据出境至美国，继续使用本服务即视为按《个人信息保护法》第 38 条提供单独同意；如需撤回，请邮件 y-performance-support@corevinus.com，我们将停止对你账号的 Clarity 采集。

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

• Account data is retained until you request deletion or your account is terminated.
• Workout logs and training programs are retained for the lifetime of the coach-athlete relationship and up to 12 months after account closure, unless earlier deletion is requested.
• Server logs and usage data are retained for up to 90 days for security and debugging purposes.
• We may retain de-identified, aggregated data indefinitely for analytical purposes.

To request deletion of your data, contact us at y-performance-support@corevinus.com.

Depending on your location, you may have the following rights:

• Access: request a copy of the personal information we hold about you.
• Correction: request correction of inaccurate or incomplete data.
• Deletion: request erasure of your personal data, subject to legal retention obligations.
• Portability: receive your data in a structured, machine-readable format.
• Restriction: request restriction of processing in certain circumstances.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email y-performance-support@corevinus.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

We use the following types of storage mechanisms:

• Session cookies: required to authenticate your session. These expire when you close your browser or log out.
• Persistent cookies: used to remember preferences such as your selected language.
• Local storage: used for demo mode state and certain UI preferences. No personal information is stored in local storage.

We do not use third-party advertising or tracking cookies. You can configure your browser to refuse cookies, but this may impair certain functionality of the Service.

We implement industry-standard technical and organizational measures to protect your data, including:

• Passwords stored using strong cryptographic hashing (never in plain text)
• HTTPS/TLS encryption for all data in transit
• Access controls and authentication requirements for all administrative systems
• Regular security reviews and dependency updates

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights, we will notify affected users as required by law.

The Service is intended for users who are at least 18 years of age. We do not knowingly collect personal information from children under 18. If we discover that a child under 18 has provided us with personal information, we will delete it promptly. If you believe a child under 18 has created an account, please contact us at y-performance-support@corevinus.com.

Your information may be processed and stored in countries other than your own, including countries that may not provide the same level of data protection as your home jurisdiction. When we transfer data internationally, we use appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.

The Service may contain links to third-party websites or services (such as video demonstration links). We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any external sites you visit.

We may update this Privacy Policy periodically. When we make material changes, we will notify you by updating the effective date at the top of this page and, where appropriate, sending an email notification. Your continued use of the Service after changes are posted constitutes acceptance of the updated Policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

y-performance-support@corevinus.com

Y Performance