Privacy Policy
This Privacy Policy describes how Gainloop ("we," "us," "our") collects, uses, and protects information when you use our tennis development archive application (the "Service"). By using the Service, you agree to the practices described here.
If you do not agree with this policy, do not use the Service.
Who we are
Gainloop is a software application that helps tennis players and their families capture, organize, and review developmental data over time.
For privacy-related questions or requests, contact us at: privacy@gainloop.com
What information we collect
We collect information you provide directly, information automatically generated through your use of the Service, and information from third-party services you choose to connect.
Information you provide directly
- Account information: name, email address, password (stored hashed, never in plain text), and authentication credentials.
- Player profile: name, date of birth, dominant hand, height, weight, dominant playing characteristics, and other development-related profile information you choose to enter.
- Captured content: video clips, photographs, voice recordings, written reflections, match notes, training notes, body and recovery notes, and other content you capture or upload to the Service.
- Team information: invitation codes, team membership, role assignments (owner, contributor, coach), and communication preferences.
Information generated through use of the Service
- Synthesis output: developmental observations, narratives, threads, plans, and similar content that the Service generates by analyzing your captured material.
- Usage metadata: timestamps of captures and edits, features used, error logs, and similar operational data.
- Device information: device type, operating system version, application version, and similar technical identifiers needed to deliver the Service.
Information from connected services
If you choose to connect Whoop or other physiological data providers to your account, we collect:
- Physiological data: sleep duration and quality, recovery scores, strain metrics, heart rate variability, workout data, and similar information provided by the connected service.
- Connection metadata: access tokens (stored encrypted), connection status, and synchronization timestamps.
We only collect data from connected services that you explicitly authorize through the service's standard authorization flow. You can revoke access at any time.
How we use information
We use the information we collect to:
- Provide the Service's core functionality: capturing, organizing, and synthesizing developmental data.
- Generate the analytical content the Service offers: arcs, threads, plans, summaries, and answers to questions.
- Maintain and improve the Service: diagnose issues, fix bugs, and refine features based on observed usage patterns.
- Communicate with you about your account, important changes to the Service, and (with your consent) product updates.
- Comply with legal obligations and protect against fraud, abuse, or unauthorized access.
We do not sell your personal information. We do not use your captured content or physiological data to train AI models or for any purpose other than providing the Service to you.
Who we share information with
We share information only as needed to operate the Service or as required by law.
Service providers
We use third-party services to operate the Service. These providers process information on our behalf under contractual obligations to handle data appropriately. The categories of providers include:
- Hosting and database services that store account data, captured content metadata, and operational state.
- Object storage services that store video clips, audio recordings, and other media files.
- AI synthesis providers that process captured content to generate analytical output. Content processed by these providers is governed by their own terms regarding retention and use; we use providers whose terms protect against use of submitted content for training their models.
- Background processing services that run scheduled and on-demand analysis jobs.
- Authentication services that manage account authentication and session security.
- Connected services you choose to authorize (currently Whoop), which exchange data with the Service per their respective terms. See the section on connected services below.
We do not share your information with providers beyond what is necessary for them to perform their function. We do not sell your information to any third party.
Within your team
Information captured for a player is visible to other members of that player's team based on the role assigned to each member:
- Owners see all captured content for the player.
- Contributors see all team-visible and parents-only content; they cannot see content the owner marks as private.
- Coaches see team-visible content; they cannot see content marked parents-only or private.
You control who joins your team and what role each member holds. You can remove members at any time.
Legal requirements
We may disclose information if required by law, court order, or other legal process, or if necessary to investigate fraud, abuse, or threats to safety.
Business transfers
If the Service or its operator is acquired or merged with another entity, your information may be transferred as part of that transaction. We will notify you before such a transfer and offer reasonable options regarding your data.
How we protect information
- Passwords stored as cryptographic hashes, never in plain text.
- Third-party service access tokens (including Whoop) encrypted at rest using AES-256-GCM.
- Encrypted connections (HTTPS/TLS) for all data transmission.
- Access controls restricting which Service personnel can view what data, with logging of administrative access.
No system is perfectly secure. We cannot guarantee absolute security, and you use the Service at your own risk.
How long we keep information
- Captured content and synthesis output remain in your account until you delete it or close your account.
- Connected service data (Whoop, etc.) is retained until you disconnect the service. Disconnecting removes the connection but does not automatically delete historical data the Service has already received. You can request deletion through the Service's "Wipe" options or by contacting us.
- Account data is retained while your account is active. After account closure, account data is retained for approximately 90 days to support recovery if requested, then permanently deleted.
- Operational logs are retained for 30–90 days for debugging and security purposes.
Your rights and choices
Depending on where you live, your rights may include:
- Access: request a copy of information we hold about you.
- Correction: update inaccurate or incomplete information through the Service or by contacting us.
- Deletion: delete captured content through the Service, or request full account deletion by contacting us.
- Data portability: request an export of your information in a machine-readable format.
- Consent withdrawal: revoke consent for optional data uses at any time.
- Connected service disconnection: disconnect Whoop or other connected services at any time through the Service's Connections settings.
To exercise any of these rights, contact us at privacy@gainloop.com. We will respond within the timeframes required by applicable law.
Children's information
The Service supports two player types: adult players (18 and older) who manage their own accounts, and junior players (under 18) whose accounts are managed by a parent or guardian.
For junior players:
- The parent or guardian creates and controls the account.
- The parent or guardian provides consent for the collection and use of the junior player's information.
- We do not knowingly collect information directly from children under 13 without verifiable parental consent.
- We do not show advertising to junior players.
- We do not sell junior players' information for any purpose.
Connected services with their own age requirements (such as Whoop, which requires users to be 16 or older) are not available for direct junior player use. Where a parent uses their own connected service account, the data reflects the parent's physiology and is treated as parent-side context, not as the junior player's data.
If you believe we have collected information from a child in violation of applicable law, contact us at privacy@gainloop.com and we will delete it.
International users
If you use the Service from another country, your information may be transferred to, stored in, and processed in countries where our service providers operate. By using the Service, you consent to such transfers.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy to our website and, where appropriate, by email or in-app notification. The "Last updated" date at the top indicates when the policy was last revised.
Your continued use of the Service after changes become effective indicates your acceptance of the updated policy.
Contact us
For questions, concerns, or requests related to this Privacy Policy or your information:
We aim to respond to privacy-related requests within 30 days.
Connected services
Whoop
When you connect a Whoop account to Gainloop:
- We request access to your cycles, sleep, recovery, workouts, and body measurements.
- We store this data in our database in association with your Gainloop player profile.
- We use this data only for the synthesis and analysis features of the Service.
- We do not share Whoop data with any third party except the service providers necessary to operate the Service.
- You can disconnect Whoop at any time through the Connections section of the Service. Disconnecting revokes our future access; you can also choose to delete historical Whoop data via the "Wipe all Whoop data" action.
- Access tokens are encrypted at rest using AES-256-GCM and are never exposed to the client application.