Privacy Policy
Matter AI
Last Updated: May 3, 2026
Effective Date: April 18, 2026
1. Introduction
Matter AI, Inc. (“Matter AI,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, share, and protect your personal information when you use the Matter AI mobile application (“App”), website (“Website”), and related services (collectively, “Services”).
This policy is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable data protection laws.
By using the Services, you acknowledge that you have read and understood this Privacy Policy.
2. Data We Collect
2.1 Account Information
- Email address
- Name (first and last)
- Role (athlete or coach)
- Age and biological sex (provided during onboarding, used for baseline calibration)
- Authentication credentials (managed via Apple Sign-In or Supabase Auth)
2.2 Health and Biometric Data
We collect health data that you explicitly authorize through Apple HealthKit permissions or third-party wearable connections:
- Heart rate data: Resting heart rate (RHR), heart rate variability (HRV/RMSSD/SDNN), continuous heart rate samples
- Sleep data: Total sleep duration, sleep stages (deep, REM, core/light, awake), sleep onset and wake times, sleep consistency metrics
- Activity data: Steps, active energy burned (calories), workout duration, workout type and sport
- Workout data: Planned workouts, completed workouts, exercise heart rate, RPE (rate of perceived exertion)
- Recovery metrics: Recovery scores computed from the above biometrics
2.3 Wearable Device Data
If you connect a third-party wearable, we receive data from that provider:
- Apple Watch (via Apple HealthKit): All health categories you authorize in the Apple Health permissions dialog
- WHOOP: HRV, resting heart rate, recovery score, strain, sleep stages, and sleep performance via WHOOP API (OAuth 2.0)
- Polar: Heart rate, HRV, nightly recharge, sleep stages, exercise sessions, and daily activity via Polar AccessLink API (OAuth 2.0)
We only access data categories you explicitly authorize. You can revoke access at any time through your device settings or the wearable provider's app.
2.4 User-Generated Content
- Wellness survey responses (mood, energy, soreness, stress ratings)
- AI chat messages and conversation history
- Coach notes and messages to athletes
- Activity status updates
- Onboarding preferences (goals, challenges, sport preferences)
2.5 Usage and Device Data
- Device type and operating system version
- App version
- Crash reports and diagnostic logs (anonymized)
- Feature usage patterns (aggregated)
- Timezone and locale (for score computation accuracy)
2.6 Coach-Athlete Relationship Data
- Team membership and invite codes
- Data sharing preferences (which metrics an athlete shares with their coach)
- Workout assignments and completion status
- Compliance and adherence records
3. How We Use Your Data
3.1 Core Service Delivery
- Computing daily readiness, recovery, strain, sleep, and stress scores
- Building personal baselines from your biometric history (7–14 days of data)
- Generating AI-powered daily insights and recommendations
- Creating AI-generated workouts adapted to your current readiness
- Providing AI chat responses that reference your health context
- Displaying trend charts and historical analysis
3.2 Coach Features
- Presenting shared athlete metrics on the coach dashboard
- Generating team intelligence summaries and morning briefings
- Enabling workout assignment and compliance tracking
- Producing weekly team performance reports
3.3 Personalization
- Calibrating scores to your individual baselines (not population averages)
- Adjusting AI recommendations based on health conditions you disclose
- Remembering AI chat context across conversations (ChatMemoryStore)
- Applying coach-configured metric weightings to readiness calculations
3.4 Service Improvement
- Analyzing aggregated, de-identified usage patterns to improve features
- Monitoring AI output quality and accuracy
- Debugging technical issues using anonymized diagnostic data
3.5 Communication
- Sending transactional emails (account verification, password reset)
- Delivering in-app notifications (readiness alerts, coach messages, workout reminders)
- Responding to support requests
4. AI-Powered Insights & Third-Party Data Sharing
4.1 How AI Uses Your Data
Matter AI uses two third-party AI providers, and only after you explicitly grant consent in the iOS app at Settings → Privacy → AI Insights. You can revoke consent at any time, which immediately stops all AI calls and clears any AI-generated content cached on your device.
Google LLC (Gemini, accessed via Firebase AI and Supabase Edge Functions) powers:
- Daily health insights and recommendations
- AI chat assistant responses (athlete and coach)
- Workout generation and adaptation
- Photo or whiteboard scans
- Class post-session summaries
- Coach morning briefings and draft message generation
OpenAI, LLC (GPT models, accessed via Supabase Edge Functions) powers:
- Athlete and coach readiness narratives
- Team intelligence reports
- Document and journal summaries
When either AI provider processes your data, a compressed summary of your relevant health context is sent as part of the prompt. The summary may include: recent readiness/recovery/strain/sleep scores, personal baselines and trends, workout history and exercise logs, health conditions and medications you've entered, journal entries and behavioral signals, and demographics (age, biological sex, sport, training level). Raw biometric time-series data and unaggregated HealthKit waveforms are never sent to either provider.
Each request is per-user and is not used by either provider to train their AI models. Both providers are contractually obligated under their published privacy policies to provide protection equal to ours:
4.2 Third-Party AI Processors
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, acts as a data processor for AI inference through the Google Gemini API (accessed via Firebase AI and Supabase Edge Functions). Google processes data under the Gemini API Terms of Service and the Google Privacy Policy.
OpenAI, LLC, 3180 18th Street, San Francisco, CA 94110, United States, acts as a data processor for AI inference through the OpenAI API (accessed via Supabase Edge Functions). OpenAI processes data under the OpenAI Privacy Policy.
Data fields sent to AI providers as part of prompt construction:
- Health metrics (HRV, resting heart rate, sleep, readiness)
- Workout history and exercise logs
- Health conditions and medications you've entered
- Journal and behavioral trend data
- Demographics (age, biological sex, sport, training level)
What is NOT sent to any AI provider:
- Name, email address, or phone number
- Home address or precise GPS location
- Raw HealthKit sample IDs or continuous sensor time-series
All data is transmitted over TLS 1.2+.
4.3 Data Sent to AI Providers (Detailed Breakdown)
| Data Category | Examples |
|---|---|
| Computed health scores | Readiness, recovery, strain, sleep, and stress scores (numeric, not raw sensor data) |
| Personal baselines | Your individual HRV, RHR, and sleep baseline ranges derived from historical data |
| Trend indicators | Short-term trend direction for key metrics (e.g., “HRV trending down 3 days”) |
| Disclosed health conditions | Conditions you voluntarily provide during onboarding or in AI chat |
| Wellness survey responses | Self-reported mood, energy, soreness, and stress ratings |
| AI chat history | Recent messages and stored memory entries used to maintain conversation context |
| Athlete profile attributes | Age, biological sex, sport, goals, and onboarding preferences (for personalization) |
| Workout context (coaches) | Anonymized team readiness summaries and athlete adaptation signals used in coach intelligence features |
4.4 Retention and Model Training
- Neither Google nor OpenAI retains data from API requests beyond each individual request — your health context is not stored by either provider after the response is returned
- AI prompts and responses are cached locally on your device (UserDefaults LRU cache) and in-memory for performance
- We do not use your personal health data to train or fine-tune AI foundation models
- Per Google's Gemini API terms, your data is not used to train or improve Google's general-purpose models; per OpenAI's API terms, your data is not used to train OpenAI models
4.5 Equal Protection
Both Google's and OpenAI's protection of your data is at least equal to the protections we provide under this Privacy Policy.
4.6 Consent and Revocation
Before any health data is sent to Google or OpenAI for AI processing:
- New users see a dedicated onboarding consent screen that names Google LLC (Gemini) and OpenAI, LLC and lists the exact data fields above before any AI feature activates
- Existing users affected by material changes to AI data sharing see a re-consent sheet on next app launch
- Revoking consent: go to Settings → Privacy → AI Insights and toggle off AI features. This immediately stops all AI calls to both providers and clears cached AI content on your device
4.7 Your AI Data Rights
- Export: Settings → Privacy → Download My Data provides a copy of your health data and AI interaction history
- Deletion: Settings → Account → Delete Account permanently removes your data from our systems; Google retains no data per-request
- GDPR / UK GDPR: EEA and UK residents retain all rights under applicable law including access, rectification, erasure, restriction, portability, and the right to object. Contact privacy@matterperformance.com to exercise these rights
4.8 AI Limitations
AI-generated outputs may be inaccurate, incomplete, or inappropriate. Matter AI applies deterministic fallback engines and rule-based systems to supplement AI when API calls fail or daily limits are reached (governed by AIRequestGovernor).
5. Data Sharing
5.1 We Do NOT Sell Your Data
Matter AI does not sell, rent, or trade your personal information or health data to third parties for advertising or marketing purposes.
5.2 Service Providers
We share data with the following service providers solely to operate the Services:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google LLC (Firebase AI / Gemini) | AI insights, chat, workout generation, photo scans, coach briefings — only after opt-in via Settings → Privacy → AI Insights | Compressed health context summaries (not raw data) |
| OpenAI, LLC (GPT models) | Readiness narratives, team intelligence reports, document summaries — only after opt-in via Settings → Privacy → AI Insights | Compressed health context summaries (not raw data) |
| Apple (HealthKit) | Health data source | Read-only; Apple does not receive data from us |
| Supabase | Database, auth, edge functions | All user data (encrypted, RLS-protected) |
| WHOOP | Wearable data sync | OAuth tokens; WHOOP sends data to us |
| Polar | Wearable data sync | OAuth tokens; Polar sends data to us |
5.3 Coach Access
If you join a coach's team, the coach can see metrics you have chosen to share. You control sharing granularity and can leave a team at any time, which immediately revokes coach access to your data.
5.4 Legal Requirements
We may disclose data if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect the rights, property, or safety of Matter AI, our users, or the public.
5.5 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
6. Data Storage and Security
6.1 Where Data Is Stored
- Your device (iOS): Locally, AI response caches (UserDefaults), authentication tokens
- Supabase cloud (AWS): Account data, health daily metrics, sleep stages, workout records, wearable data, team data. Hosted in the United States.
- Wearable provider servers: Your data on WHOOP, Polar, and Apple platforms is governed by their respective privacy policies
6.2 Security Measures
- All data in transit is encrypted via TLS 1.2+
- Supabase database access is controlled by Row Level Security (RLS) policies ensuring users can only access their own data
- OAuth 2.0 for third-party wearable authentication
- Wearable tokens are stored encrypted in Supabase
- Edge functions use secure environment variables for API keys and secrets
- AI request governance limits API call frequency to prevent abuse
6.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities within 72 hours as required by applicable law.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Health metrics and scores | Until account deletion or manual clearing |
| AI chat memories | Core: persistent until deletion; Short-term: 7-day TTL |
| Wearable OAuth tokens | Until disconnection or account deletion |
| Usage analytics | Aggregated indefinitely (de-identified) |
8. Your Rights
8.1 All Users
You have the right to:
- Access your personal data (export your health data from the App)
- Correct inaccurate personal data (update your profile in App settings)
- Delete your account and personal data (via App settings or by emailing contact@matterperformance.com)
- Withdraw consent for health data collection (revoke HealthKit permissions in device settings)
- Disconnect third-party wearables at any time
- Leave coach teams to revoke shared data access
8.2 European Economic Area (EEA) Residents — GDPR
In addition to the above, you have the right to:
- Data portability — receive your data in a structured, machine-readable format
- Restrict processing — request we limit how we use your data
- Object to processing — object to processing based on legitimate interests
- Lodge a complaint with your local data protection authority
Our legal basis for processing your data:
- Consent — for health/biometric data collection (Apple HealthKit permissions, wearable OAuth)
- Contract performance — for providing the Services you signed up for
- Legitimate interests — for service improvement using aggregated, de-identified data
8.3 California Residents — CCPA/CPRA
You have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Opt-out of sale — we do not sell personal information, so no opt-out is necessary
- Non-discrimination — we will not discriminate against you for exercising your privacy rights
California residents may submit requests to: contact@matterperformance.com
9. Children's Privacy
Matter AI is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13 without parental consent, we will delete that data promptly.
Users between 13 and 18 must have parental or guardian consent to use the Services. Coaches are responsible for ensuring that minor athletes on their team have appropriate consent.
10. International Data Transfers
If you access the Services from outside the United States, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and other lawful transfer mechanisms to ensure adequate protection for international data transfers.
11. Third-Party Links and Services
The Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of:
- Apple Privacy Policy
- WHOOP Privacy Policy
- Polar Privacy Policy
- Google Privacy Policy
- Supabase Privacy Policy
- OpenAI Privacy Policy
12. Cookies and Tracking
The Matter AI App does not use cookies. The Website may use essential cookies for functionality (session management, preferences). We do not use advertising cookies or third-party tracking pixels.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the App or by email. The “Last Updated” date at the top of this policy indicates when it was last revised. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.
14. Contact Information
Matter AI, Inc.
For privacy questions or data requests:
- Privacy: privacy@matterperformance.com
- General support: contact@matterperformance.com
For EEA / UK GDPR data rights requests, contact: privacy@matterperformance.com