Archie Privacy Policy

Last updated: 7 February 2025
Effective for: Users in the United States, United Kingdom, and European Economic Area (EEA)

1. Who we are

This privacy policy applies to Archie (the “App”), an AI-powered archery coaching and training companion. The App is made available by Limitless 8 Digital Ltd (“we”, “us”, “our”). For the purposes of UK and EU data protection law, we are the data controller for the personal data we collect through the App.

2. What data we collect and why

We collect and process the following categories of data, for the purposes and on the legal bases described below. Where we rely on “legitimate interests”, we only do so where those interests are not overridden by your rights.

2.1 Account and identity

  • Email address and password (if you register with email), or sign-in credentials from Apple or Google (e.g. email, and on first sign-in only from Apple, name).
    Purpose: Create and manage your account, authenticate you.
    Legal basis: Contract (necessary to provide the service); consent where required (e.g. social sign-in).
  • Profile information you provide: display name, country, handedness, dominant eye, archery style preference, experience level, height, wingspan, draw length.
    Purpose: Personalise coaching, recommendations, and training plans.
    Legal basis: Contract; legitimate interests (improving the service).

2.2 Profile and social settings

  • Avatar and cover images, short title/bio (up to 125 characters), and privacy settings (e.g. public/private profile, whether to share scorecards or check-ins to the feed).
    Purpose: Run your public profile and control what others see.
    Legal basis: Contract; consent where you choose to make profile public.

2.3 Training and sessions

  • Training plans (including AI-generated plans), session logs (dates, session type, location text, perceived effort, pain flag/notes, notes), round data, and AI-generated summaries.
    Purpose: Deliver training features, session history, and AI coaching.
    Legal basis: Contract; legitimate interests (service improvement).
  • Photos and videos you attach to sessions (e.g. form checks).
    Purpose: Session logging and, if you use it, AI analysis.
    Legal basis: Contract; consent for AI analysis where applicable.
  • Interval workout configurations (e.g. draw/rest times, rounds, sets).
    Purpose: Provide the interval timer and related features.
    Legal basis: Contract.

2.4 Scorecards

  • Scorecard data: title, round configuration (sets, shots per set), location type (e.g. indoor/outdoor), target face, notes, end images (e.g. left/top/right angles), shot scores and positions (x/y on target).
    Purpose: Scorecard creation, editing, statistics, and optional sharing to the feed.
    Legal basis: Contract; consent where you choose to share scorecards.
  • Scorecards are stored on your device first (local database). When you complete a scorecard and sync is available (e.g. with subscription or credits), data is backed up to our servers.
    Purpose: Offline use and cloud backup.
    Legal basis: Contract.

2.5 Inventory and equipment

  • Equipment items (e.g. bows, risers, limbs, arrows, parts, gear) and photos you upload for them.
    Purpose: Inventory management and personalisation.
    Legal basis: Contract.

2.6 Social and community (Mingle)

  • Posts (text and up to 4 images), likes, comments, follows (users and clubs), direct messages (text and images), and club check-ins (including optional sharing to the feed).
    Purpose: Run the social feed, messaging, and club features.
    Legal basis: Contract; consent where you choose to post or share.
  • Search: If you use search, we process search terms (e.g. user names, post content) to return results.
    Purpose: Provide search.
    Legal basis: Contract.

2.7 Club finder and location

  • Address or postcode you enter for club search may be sent to Google’s Geocoding API to obtain coordinates and show nearby clubs. We do not collect or store your precise device location for this feature in the current version (GPS “use my location” is not yet active).
    Purpose: Location-based club search.
    Legal basis: Contract; legitimate interests (providing the feature).
  • Club data (names, addresses, coordinates, etc.) is app reference data, not your personal location history.

2.8 AI assistant (Archie)

  • Messages you send in chat, conversation history, and mode (e.g. coach, media analysis, training plan).
    Purpose: Provide AI coaching, analysis, and plan generation.
    Legal basis: Contract.
  • Media URLs you submit for AI analysis (e.g. form or target images).
    Purpose: AI analysis as requested.
    Legal basis: Contract; consent where required.
  • Safety and quality: We may log AI safety events (e.g. intent, mode, reason, limited output snippets) in a secure guardrail events system to improve safety and reliability.
    Purpose: Safety, abuse prevention, and quality of AI.
    Legal basis: Legitimate interests; legal obligation where applicable.

2.9 Payments and subscriptions

  • Stripe: For subscriptions and credit top-ups we use Stripe. Payment card details are handled only by Stripe; we do not store card numbers. We may receive and store customer identifiers, subscription status, and transaction metadata from Stripe.
    Purpose: Billing, subscription and credit management.
    Legal basis: Contract; legal obligation (e.g. tax/accounting).
  • In-app purchases (iOS/Android): We store transaction identifiers, product IDs, platform, tier, credits, and receipt/verification data as needed to grant access and support.
    Purpose: Fulfil purchases and prevent fraud.
    Legal basis: Contract; legal obligation.

2.10 Credits and usage

  • Credit balance, credit transactions (e.g. top-up, AI use, adjustments), and AI token usage where applicable.
    Purpose: Operate the credits system and AI features.
    Legal basis: Contract.

2.11 Device and technical data

  • Device and app identifiers, IP address, and log data (e.g. errors, API calls) as necessary to run the service, secure it, and fix issues.
    Purpose: Operation, security, and support.
    Legal basis: Contract; legitimate interests.
  • Local storage: We use local storage on your device (e.g. SQLite for scorecards, and possibly preferences/secure storage for tokens and settings) to support offline use and performance.
    Purpose: Offline functionality and app operation.
    Legal basis: Contract.

3. Who we share data with

We share data only as follows:

  • Service providers that process data on our instructions (e.g. Supabase for auth, database, and storage; Stripe for payments; Anthropic and OpenAI for AI; Google for Sign-in and Geocoding). Each is bound by contract and, where required, by data processing or transfer terms.
  • Other users only as you choose (e.g. public profile, posts, likes, comments, messages, shared scorecards or check-ins).
  • Authorities where we are legally required to do so (e.g. court order, law enforcement).
  • In connection with a merger, sale, or restructuring, in which case we will notify you and explain your choices where the law requires.

We do not sell your personal data.

4. International transfers (UK & EEA users)

Your data may be processed in and transferred to countries outside the UK and EEA (e.g. United States), including by our service providers (Supabase, Stripe, Anthropic, OpenAI, Google, Apple). We ensure appropriate safeguards, such as:

  • UK and EEA: Standard Contractual Clauses (SCCs) and/or UK International Data Transfer Agreement (IDTA) where relevant.
  • US: Where we or a provider rely on US-based processing, we use mechanisms recognised by UK and EU regulators (e.g. SCCs, adequacy decisions, or other approved transfer tools).

You can ask for details of the safeguards we use for a specific transfer.

5. How long we keep data

  • Account and profile: For the duration of your account plus a reasonable period after deletion for backup and legal obligations (e.g. up to 3 years where required).
  • Training, scorecards, inventory, social content: Until you delete it or close your account, plus any retention needed for backups, disputes, or legal obligations.
  • Payments and IAP: As required for tax, accounting, and legal compliance (often several years).
  • AI chat and guardrail logs: As long as needed for safety and quality, then deleted or anonymised in line with our retention policy.
  • Local device data: Until you uninstall the App or clear app data; synced data is subject to the same retention as above once on our systems.

You can request deletion of your account and associated data; we will honour that subject to legal and operational constraints (e.g. anonymisation instead of deletion where we must retain records).

6. Your rights (UK & EEA)

If you are in the UK or EEA, you have the right to:

  • Access your personal data.
  • Rectification of inaccurate data.
  • Erasure (“right to be forgotten”), subject to exceptions.
  • Restrict processing in certain cases.
  • Data portability for data you provided and that we process by automated means under contract or consent.
  • Object to processing based on legitimate interests (including profiling where applicable).
  • Withdraw consent where processing is based on consent, without affecting lawfulness of earlier processing.
  • Lodge a complaint with a supervisory authority (e.g. in the UK: ICO; in the EU: your country’s data protection authority).

To exercise these rights, contact us using the details in Section 10. We will respond within the time required by applicable law (e.g. one month under UK GDPR/GDPR).

7. Your rights (California and other US states)

If you are a California resident, you may have:

  • Right to know what personal information we collect, use, and disclose.
  • Right to delete personal information, subject to exceptions.
  • Right to correct inaccurate personal information.
  • Right to limit use and disclosure of sensitive personal information (we use it only as necessary to provide the service).
  • Right to non-discrimination for exercising these rights.

We do not sell or share personal information for cross-context behavioural advertising. We do not use or disclose sensitive personal information beyond what is necessary to provide the service.

To exercise these rights, contact us (Section 10). You may designate an authorised agent. We may verify your identity before processing requests.

Residents of other US states with similar privacy laws (e.g. Virginia, Colorado) have comparable rights where applicable; contact us to exercise them.

8. Children

The App is not directed at children under 16 (or higher age where the law requires). We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it.

9. Security and data storage

We use technical and organisational measures (e.g. encryption in transit and at rest where applicable, access controls, secure hosting) to protect your data. User data is stored in Supabase in the eu-central-1 region unless otherwise stated. Payment card data is processed by Stripe and not stored by us. You are responsible for keeping your password and device secure.

10. Contact and data controller

For privacy requests, questions, or complaints:

  • Email: [your privacy/contact email]
  • Post: [your address]
  • Data Protection Officer (if applicable): [DPO contact]

For UK: Our lead supervisory authority is the Information Commissioner’s Office (ICO) (ico.org.uk).
For EEA: You may contact the supervisory authority in your country of residence.

11. Changes to this policy

We may update this privacy policy from time to time. We will post the updated version in the App and/or on our website and change the “Last updated” date. If changes are material (especially where we use your data in new ways), we will notify you as required by law (e.g. in-app notice or email). Continued use after the effective date constitutes acceptance of the updated policy where permitted by law.

Summary of functionality covered

Area Data involved Third parties / notes
AuthEmail, password, Apple/Google credentials, name (Apple first sign-in)Supabase, Apple, Google
ProfileDisplay name, body stats, avatar, cover, title, privacy/sharing settingsSupabase (storage)
Training & Skill UpPlans, sessions, rounds, notes, media, interval configsSupabase, storage
ScorecardsScores, shot positions, end images; local then optional cloud syncSupabase, local SQLite
InventoryEquipment items and photosSupabase, storage
MinglePosts, likes, comments, follows, DMs, check-insSupabase, storage
Club finderAddress/postcode for search (geocoding)Google Geocoding
AI (Archie)Chat, media URLs, guardrail logsAnthropic, OpenAI, Supabase Edge
PaymentsStripe payment flows; IAP transaction/receipt dataStripe, Apple/Google app stores
CreditsBalance and transaction historySupabase
AdsRewarded ads for credits (currently disabled in code)AdMob when enabled