Privacy Policy
Last updated: May 18, 2026
1. Overview
CombatScore (“we”, “our”, “us”), operated by Four13 Studios LLC, based in Oklahoma, USA, is an AI-powered combat sports training platform. Four13 Studios LLC is the data controller for personal information processed through the Service. This Privacy Policy explains what data we collect, why we collect it, how it is stored, and your rights regarding that data.
By creating an account or using the CombatScore mobile app or website, you agree to the practices described in this policy.
2. Data We Collect
Account data (via Clerk)
When you sign up, we collect your email address and optionally your name. If you use Apple Sign-In or Google Sign-In, we receive the profile information authorised by those providers. Authentication is handled by Clerk.
Profile data
Belt rank, stripe count, weight class, gym name, years training, and weekly training goal. This data is stored in Clerk’s user metadata and used to personalise AI coaching responses.
Training session data
Session type, date, duration, round count, roll tags (position, technique, outcome, notes), and free-text session notes. This data is stored in our Supabase database and locally on your device in a SQLite database. This includes health & fitness information (training sessions, mental state, injuries, body composition, nutrition logs, S&C workouts) that is linked to your account for the purpose of AI coaching and progress tracking.
Session media
Photos and videos you choose to attach to training sessions are uploaded to Supabase Storage. Media files are stored in a folder keyed to your user ID and are not accessible to other users.
AI interaction data
When you use the AI Coach, your training session data and profile metadata are sent to Anthropic for processing under a Zero Data Retention agreement — prompts and responses are not retained by the vendor beyond the request and are excluded from training pipelines. We do not send your name or email address. For users under 18, names, contacts, and free-text PII (emails, phone numbers, URLs) are irreversibly scrubbed from the request before transmission. AI responses are cached on your device and in our database. We track the number of AI messages you send per day to enforce the free-tier limit.
Payment data (via Stripe)
If you subscribe to CombatScore Premium, your payment is processed by Stripe. We store only a Stripe Customer ID — we never see or store your full card number. Billing history and payment method management are available via the Stripe customer portal.
Usage data
We store a per-user, per-day AI message count in our database to enforce the free-tier rate limit. This data is automatically purged after 7 days.
3. How We Use Your Data
- To authenticate you and maintain your account
- To store and sync your training sessions across devices
- To generate personalized AI coaching advice based on your session history
- To process subscription payments and manage your Premium status
- To enforce free-tier usage limits
- To send training reminder notifications (only if you enable them)
We do not sell your data. We do not use your data for advertising.
4. Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Clerk | Authentication | Email, name, OAuth tokens |
| Supabase | Database & file storage | Session data, media files |
| Anthropic (ZDR) | AI coaching responses | Session data, belt/weight metadata (PII scrubbed for minors) |
| Stripe | Payment processing | Email, Stripe Customer ID |
| Expo (EAS) | App distribution & OTA updates | App bundle (no personal data) |
5. Data Retention
- Account data: retained until you delete your account.
- Training sessions: retained until you delete them or delete your account.
- Session media: retained until you delete the session or your account.
- AI usage counts: purged automatically after 7 days.
- Payment records: retained by Stripe per their policies (typically 7 years for financial compliance).
5a. Payment Data
Card numbers are handled by Stripe. CombatScore operates under PCI DSS SAQ A scope — we do not touch raw card data. Saved payment methods linked to your account are stored as Stripe tokens, not card numbers.
Order and invoice records (amount, currency, paid date, refund amount, Stripe payment intent id, Stripe invoice id) are stored in our database to power your wallet, receipts, and the gym’s revenue dashboard. These records are retained for the period required for tax and consumer-protection compliance — typically seven years — regardless of account deletion. After that retention window the records are deleted.
Right-to-delete requests honor this retention requirement: we delete personal identifiers from the records (name, email) but retain the anonymized financial entries needed for the gym’s books and our regulatory obligations.
Stripe is a separate data controller for the payment information it processes. See stripe.com/privacy.
6. Data Security
All data is transmitted over HTTPS/TLS. Your training data in Supabase is protected by Row Level Security (RLS) policies — each user can only access their own rows. Session media in Supabase Storage is also access-controlled per user. Authentication tokens are stored in the device’s secure keychain (iOS) or encrypted shared preferences (Android) via Expo SecureStore.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: request a copy of all data we hold about you
- Correction: update inaccurate data via your profile settings
- Deletion: delete your account and all associated data via Profile → Delete Account (coming soon), or by emailing us
- Portability: export your training sessions as JSON from your profile
- Objection: opt out of AI processing by not using the AI Coach features
To exercise any of these rights, email privacy@combatscore.app.
8. Children & COPPA Compliance
CombatScore allows parents and legal guardians to create managed profiles for their children, including children under 13. We collect and use children's data only with verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA).
For children under 13, we collect only the data necessary to provide the service: name, date of birth, belt rank, and training session logs. We do not engage in behavioral advertising or share children's data with third parties for marketing purposes.
Parents may review, modify, or request deletion of their child's data at any time through the Family management page or by contacting us at privacy@combatscore.app. Orphaned child profiles are automatically deleted after 30 days.
For full details on how we handle children's data, please see our Children's Privacy Notice.
9. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email or an in-app notice. Continued use of CombatScore after changes take effect constitutes acceptance of the updated policy.
10. Contact
Questions about this policy? Email us at privacy@combatscore.app.