Privacy Policy
ShotCoach (“we”, “our”, or “us”) is operated by Thalerys Systems. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website at shotcoach.eu and the ShotCoach application (together, the “Service”).
If you have questions or wish to exercise your rights, contact us at privacy@shotcoach.eu.
1. Who We Are (Data Controller)
The data controller for the purposes of the EU General Data Protection Regulation (GDPR) and applicable national data-protection laws is:
Thalerys Systems
privacy@shotcoach.eu
2. Information We Collect
2.1 Information you provide directly
- Account data — email address, display name, and password (stored as a secure hash; we never see your plain-text password).
- Training data — session records, target photos you upload, shot coordinates, scores, and notes you enter.
- Payment data — billing name and payment method details. Card numbers and bank details are processed directly by Stripe and are never transmitted to or stored on our servers.
2.2 Information collected automatically
- Usage data — pages visited, features used, and aggregate usage patterns, collected through Vercel Analytics (a cookieless, privacy-friendly analytics tool that does not identify individual users).
- Technical data — IP address, browser type, device type, and operating system, collected by our hosting infrastructure (Vercel) as part of standard server logs. Logs are retained for a maximum of 30 days.
2.3 Information from third-party sign-in
If you sign in with Google or Apple, we receive only your email address and the display name you have set with that provider.
3. How We Use Your Information
- To create and manage your account.
- To provide the ShotCoach training features (session tracking, shot detection, analytics).
- To process subscription payments and manage billing.
- To send transactional emails (e.g. account confirmation, password reset).
- To detect, investigate, and prevent fraud and abuse.
- To improve the Service through aggregate, anonymised analysis.
- To comply with legal obligations.
We do not use your data for advertising, and we do not sell your data to any third party.
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA), the United Kingdom, or Switzerland, our legal bases for processing personal data are:
- Performance of a contract (Art. 6(1)(b)) — processing necessary to provide the Service you have subscribed to (account management, training features, billing).
- Legitimate interests (Art. 6(1)(f)) — fraud prevention, security, and aggregate service-improvement analysis, where these interests are not overridden by your fundamental rights.
- Legal obligation (Art. 6(1)(c)) — retention of financial records as required by law.
- Consent (Art. 6(1)(a)) — where we specifically request your consent (you may withdraw it at any time without affecting prior processing).
5. Third-Party Services and Sub-Processors
We share your data only with the service providers listed below, who process it on our behalf. Each has been assessed for adequacy or has appropriate safeguards in place (Standard Contractual Clauses where required).
- Supabase (database, authentication, file storage) — United States / European Union.
- Stripe (payment processing) — United States.
- Roboflow (AI-powered shot detection) — United States. Target images are transmitted to Roboflow for analysis and are not retained beyond the duration of the API call.
- Vercel (hosting and analytics) — United States / European Union.
We do not share your personal data with any other third parties except as required by law.
6. Data Retention
- Account and training data — retained for as long as your account is active. When you delete your account, your personal data is deleted within 30 days, except where we are required to retain it by law.
- Financial and billing records — retained for 7 years to comply with accounting and tax obligations.
- Server logs — retained for a maximum of 30 days.
7. Cookies and Tracking
We use only the following cookies and local-storage tokens on shotcoach.eu:
- Authentication session cookies — strictly necessary cookies set by Supabase to keep you signed in. These cannot be disabled without breaking the Service.
We do not use advertising cookies, cross-site tracking pixels, or fingerprinting techniques. Vercel Analytics is cookieless and does not track individuals.
Because we use only strictly necessary cookies, we do not display a cookie consent banner. If this changes in the future, we will update this policy and add an appropriate consent mechanism.
8. Your Rights
8.1 Rights under GDPR (EEA, UK, Switzerland)
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your personal data (“right to be forgotten”), subject to legal retention requirements.
- Restriction — ask us to limit how we use your data in certain circumstances.
- Portability — receive your personal data in a machine-readable format and transfer it to another controller.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Lodge a complaint — with your national supervisory authority. In the EU, find your authority at edpb.europa.eu.
8.2 Rights under CCPA (California residents)
If you are a California resident, you have the right to:
- Know what personal information we collect about you and how it is used.
- Delete personal information we have collected, subject to certain exceptions.
- Opt-out of sale — we do not sell personal information, so this right does not apply.
- Non-discrimination — we will not discriminate against you for exercising any CCPA rights.
To submit a request under the CCPA, contact us at privacy@shotcoach.eu. We will respond within 45 days.
8.3 How to exercise your rights
You can update or delete your account directly within the app settings. For any other request, email privacy@shotcoach.eu. We will respond within 30 days (GDPR) or 45 days (CCPA).
9. International Data Transfers
Our primary sub-processors are based in the United States. Where we transfer personal data from the EEA, UK, or Switzerland to the US or another third country, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The EU–US Data Privacy Framework, where the sub-processor is certified.
You may request a copy of the relevant safeguards by contacting us at privacy@shotcoach.eu.
10. Children's Privacy
The Service is not directed to children under 16 (or under 13 in the United States). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice within the app at least 14 days before the change takes effect. The “last updated” date at the top of this page always reflects the current version.
12. Contact Us
For privacy-related questions or to exercise any of the rights described above, contact us at:
Thalerys Systems — ShotCoach Privacy
privacy@shotcoach.eu