Privacy Policy

Last updated: March 24, 2026

1. Who We Are

Prova ("we," "us," "our") operates prova.fit, a fitness tracking and workout platform. You can reach us at privacy@prova.fit.

2. What We Collect

  • Account data: email address, password (hashed), display name, avatar
  • Player profile: position, fitness level, age band (e.g. "16–17", "18–24"), playing level, season phase, build category, equipment access, training schedule
  • Health data (special category under GDPR Art. 9): injury notes, muscle tightness, energy level — collected only with your explicit consent and used solely to personalise sessions
  • Session data: generated workouts, completion records, ratings, session notes, training history
  • Usage data: session timestamps, IP address, device and browser info
  • Push notification subscription: browser endpoint URL and encryption keys (if you opt in to push notifications) — used only to deliver your daily session notification
  • Communications: messages or support requests you send us

We collect an age band (not exact date of birth) during onboarding to personalise training appropriately and comply with COPPA/GDPR age requirements. By registering you confirm you are at least 13 years old.

3. How We Use It

  • Provide, operate, and personalize the service
  • Authenticate your account and manage sessions
  • Send transactional emails (account verification, password reset, training reminders)
  • Power AI-generated workout features (see Section 5)
  • Deliver push notifications about your daily session (only if you opt in)
  • Improve the product through aggregated, anonymized analytics
  • Comply with legal obligations

Health data lawful basis (GDPR Art. 9(2)(a)): injury notes and session wellness data are processed only on the basis of your explicit consent, which you may withdraw at any time via account settings.

4. How We Store It

  • Data is stored in Supabase PostgreSQL, hosted in the United States
  • Passwords are hashed with bcrypt — plaintext passwords are never stored
  • Sessions are managed via JWT tokens in an HTTP-only cookie (prova_token)
  • Temporary session and cache data is stored via Upstash Redis

5. What We Share

We do not sell your personal data. We share data only with these service providers:

Provider | Purpose | Data shared
Supabase | Database hosting (US) | All account and workout data
Upstash | Session caching | Session tokens, temporary cache
Anthropic | AI workout generation | Position and fitness level only — no personal identifiers
Resend | Transactional email delivery | Email address, email content (verification, password reset, retention emails)
Sentry | Error monitoring and crash reporting | Error stack traces, request metadata — no workout content or health data

AI workout prompts sent to Anthropic contain your soccer position, fitness level, age band, season phase, and session context (energy level, session type) — but never your email, name, or any account identifier. Anthropic's data handling is governed by their Privacy Policy.

We may also disclose data to law enforcement when legally required.

6. Your Rights

You may request to:

  • Access — receive a copy of your data
  • Correct — update inaccurate data via account settings
  • Delete — request deletion of your account and data
  • Export — receive a portable copy of your workout data

Email privacy@prova.fit. We will respond within 30 days.

7. Cookies & Local Storage

  • prova_token — HTTP-only session cookie, required for authentication
  • localStorage for UI state: email verification status, avatar preference
  • IndexedDB for offline session caching — today's workout is cached on-device so you can train without a network connection; cached data is overwritten daily and never sent anywhere except back to the Prova API when you complete a session

We do not use advertising trackers or third-party analytics cookies.

8. Data Retention

Data is retained while your account is active. Deleted accounts are purged within 30 days, except where retention is required by law.

9. Children (COPPA)

Prova is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If we learn a user is under 13, we will delete their account promptly. To report a minor, contact privacy@prova.fit.

10. International Users

Our servers are located in the United States. If you access Prova from outside the US, your data will be transferred to and processed in the US. By using Prova, you consent to this transfer.

11. Changes

We will notify you of material changes via email or in-app notice at least 14 days before they take effect. Continued use after that date constitutes acceptance.

12. Contact