Privacy Policy
Last updated: May 9, 2026
1. Who we are
CoNudge is a service of P2P Concepts, trading as CoNudge, KVK 56042442, Oranjestraat 26, 2013VG Haarlem, the Netherlands. P2P Concepts is the data controller under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
Contact: privacy@conudge.com or christiaan@conudge.com.
2. Scope and roles
CoNudge is primarily a B2B tool for personal trainers (PTs). The PT is CoNudge's customer. The athlete (client) uses CoNudge via an invitation from their PT. Legacy accounts also exist for athletes who use CoNudge directly (D2C). There is no active D2C recruitment.
CoNudge as data controller: for all personal data collected to deliver the service (account data, training data, chat history, coach memory).
The PT as independent data controller: for the coaching relationship with the client, instructions to the AI coach, and reviewing training programs before the client sees them. CoNudge and the PT are joint controllers insofar as they jointly determine the purposes and means of processing (Art. 26 GDPR).
3. What data we collect
3.1 Account data
- Email address (for authentication and communication)
- Name (optional, for display in the app)
- Date of birth, height (optional, for program personalization)
3.2 Training data
- Training programs (blocks, workouts, exercises, sets, reps, weights, RPE)
- Logged workouts and sets
- Coach memory (structured JSON profile of your training status)
- PT notes on exercises or programs
3.3 Health data (special category, Art. 9 GDPR)
- Body measurements: weight, waist, chest, hips, arms, legs, body fat percentage
- Injury information (free text during intake)
- Training load (RPE, volume, adherence)
3.4 Chat history
- All messages between you and the AI coach
- Messages from your PT via the platform
4. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b) GDPR) |
| Generating and adjusting training programs | Performance of contract (Art. 6(1)(b) GDPR) |
| Tracking progress and evaluations | Performance of contract (Art. 6(1)(b) GDPR) |
| Processing health data (measurements, injuries) | Explicit consent (Art. 9(2)(a) GDPR) |
| Service notifications (account changes, policy changes) | Legitimate interest (Art. 6(1)(f) GDPR) |
Health data: we process this exclusively based on your explicit consent (Article 9(2)(a) GDPR). You provide this consent separately when you first use the app. You can withdraw this consent at any time through your account settings — as easily as you gave it. Upon withdrawal, your body measurements are immediately deleted and health data in your coach memory is anonymized.
5. Processors and international data transfers
We share your data with the following processors. Appropriate safeguards for transfers outside the EEA have been implemented with each processor, in accordance with Chapter V GDPR.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, authentication | US | EU SCCs |
| Vercel Inc. | Hosting, edge computing | US | EU SCCs |
| Anthropic PBC | AI processing (training program generation) | US | EU SCCs |
| Sentry (Functional Software Inc.) | Error monitoring | EU | EU processing |
| Resend Inc. | Transactional email | US | EU SCCs |
Standard Contractual Clauses (SCCs) are model contract terms approved by the European Commission (Implementing Decision (EU) 2021/914) that provide an appropriate level of protection for personal data transferred outside the EEA.
We do not sell personal data. We do not display advertisements. We do not share data with anyone beyond the processors listed above.
6. AI processing and Anthropic
Your chat messages, training data, and coach memory are processed via Anthropic's Claude API to generate training programs, perform evaluations, and adjust your program.
What is shared with Anthropic: your chat messages, training profile (sport, goal, level, injuries), coach memory (structured training history), and your PT's instructions. Anthropic processes this data via their API and does not retain it for model training. See Anthropic's privacy policy for details about their processing.
After deletion of your CoNudge account, we cannot guarantee that Anthropic will immediately delete all previously processed data, as their processing is governed by their own terms.
7. AI transparency (EU AI Act)
Pursuant to Article 52 of Regulation (EU) 2024/1689 (AI Act), we inform you as follows:
- You are communicating with an AI system (the "Coach"), not a human, unless your PT sends you a direct message.
- The AI generates training programs based on your profile, goals, and training history.
- In B2B mode, your PT reviews and approves each program before you see it. The PT remains responsible for the training content.
- AI output is not medical advice. CoNudge is not a medical device within the meaning of Regulation (EU) 2017/745 (MDR).
- Your PT is not a BIG-registered healthcare provider (unless they are also a physiotherapist). Advice from CoNudge and your PT does not replace medical advice.
8. Automated decision-making
The AI coach generates training programs. This does not constitute automated decision-making under Article 22 GDPR, because:
- The programs have no legal effects and do not significantly affect you.
- You always decide whether to accept or reject a program.
- In B2B mode, your PT reviews the program before it is presented to you.
9. Cookies
CoNudge uses only functional cookies for authentication via Supabase. These cookies are strictly necessary for the service to function and do not require consent under the ePrivacy Directive (2002/58/EC).
We do not place tracking cookies, analytics cookies, or third-party cookies. No cookie banner is displayed because there are no non-essential cookies.
10. Data retention
| Category | Retention period |
|---|---|
| Account data (email, name) | As long as the account is active |
| Training programs and logged sets | As long as the account is active |
| Chat history | As long as the account is active |
| Coach memory | As long as the account is active |
| Body measurements (health data) | As long as health data consent is active; immediately deleted upon withdrawal |
| After account deletion | All data erased within 30 days from our systems |
After account deletion, we cannot guarantee that processors (notably Anthropic) will immediately delete previously processed data. See section 6.
11. Your rights under the GDPR
You have the following rights regarding your personal data:
- Right to information (Art. 13-14): you have the right to be informed about the processing of your data. This privacy policy fulfills that right.
- Right of access (Art. 15): you may request what data we hold about you.
- Right to rectification (Art. 16): you may have inaccurate data corrected.
- Right to erasure (Art. 17): you may request deletion of all your data. This can be done via your account settings or by email.
- Right to restriction (Art. 18): you may request limitation of processing.
- Right to data portability (Art. 20): you may request your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21): you may object to processing based on legitimate interest.
- Right regarding automated decision-making (Art. 22): see section 8 — no automated decision-making within the meaning of Art. 22 GDPR takes place.
- Withdraw consent: you can withdraw your consent for health data processing at any time through your account settings. Withdrawal is as easy as giving consent and does not affect the lawfulness of prior processing.
Email privacy@conudge.com to exercise any of these rights. We will respond within 30 days.
12. Complaints
You have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (Bezuidenhoutseweg 30, 2594 AV The Hague, the Netherlands).
If you reside outside the Netherlands within the EU/EEA, you may also file a complaint with the supervisory authority in your own member state.
13. Security
We take appropriate technical and organizational measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data transfers
- Row Level Security (RLS) in the database — you can only see your own data
- Content Security Policy (CSP) headers to prevent cross-site scripting
- Cookie-based authentication without tracking
- Rate limiting on all API endpoints
- Input validation on both frontend and backend
14. Geographic scope
CoNudge primarily targets the Benelux region. The service is available in Dutch and English. This privacy policy is drafted in accordance with the GDPR.
15. United Kingdom
CoNudge does not actively target users in the United Kingdom. If you use CoNudge from the UK, the UK GDPR (Data Protection Act 2018) may apply in addition to this policy. For complaints, you may contact the Information Commissioner's Office (ICO). CoNudge has not appointed a representative in the UK.
16. No medical advice
The AI coach generates training programs based on information you provide. AI output is not medical advice and does not replace the judgment of a physician, physiotherapist, or other registered healthcare provider. In case of pain, injuries, or medical complaints, we always refer you to a professional. CoNudge is not a medical device within the meaning of Regulation (EU) 2017/745.
17. Changes
For material changes to this policy, we will notify you at least 14 days in advance by email. If the change concerns the processing of health data, we will request your explicit consent again. Non-material changes (such as typos or clarifications) may be made without notice.
18. Terms of Service
Please also read our Terms of Service.