Privacy Policy

Last updated: May 3, 2026

Who we are

goCaju (“we”, “us”, “our”) is a nutrition tracking platform for personal trainers, sports coaches, and their athletes. Our website is gocaju.com and our app is gocaju.app.

If you have any question about this policy, contact us at privacy@gocaju.com.

Who this policy applies to

This policy applies to two groups of people:

• Coaches — personal trainers, S&C coaches, gyms, and sports teams who use goCaju to track their athletes’ nutrition.
• Athletes — individuals invited by a coach to log their meals and nutrition data inside goCaju.

Coaches act as the data controller for their athletes’ data within goCaju. goCaju acts as the data processor on the coach’s behalf, and as the data controllerfor the coach’s own account data.

What data we collect

From coaches

• Account information: name, email address, password (hashed), profile picture (optional).
• Billing information for paid plans: handled by our payment processor (Stripe). We never see or store your full card details.
• Usage data: how you interact with the app (pages visited, features used), to help us improve the product.
• Communication: messages you send us via support or contact forms.

From athletes

• Account information: name, email address, password (hashed), profile picture (optional), date of birth, gender.
• Body composition data: weight, height, body fat percentage (optional), and goals you choose to share with your coach.
• Activity data: training schedule and sessions you log or that your coach assigns.
• Nutrition data: meals logged (text descriptions, photos), calories, macros, the time of meals, and notes.
• Coach-athlete chat messages.
• Usage data: how you interact with the app.

From visitors to gocaju.com

• Anonymous analytics (page views, country, device type) via privacy-respecting analytics tools.
• Email address if you sign up for the founding offer or newsletter.

How we use your data

We use the data we collect to:

• Provide the goCaju service (let athletes log meals, let coaches see athlete dashboards, deliver AI features).
• Process payments and manage subscriptions.
• Send transactional emails (confirmations, password resets, important account updates).
• Send product updates and marketing emails — only if you opted in. You can unsubscribe at any time.
• Improve the product (analyze usage patterns, fix bugs, prioritize features).
• Provide customer support.
• Comply with legal obligations.

We never sell your data. We never share your data with third parties for advertising purposes.

How AI features work

goCaju uses AI to recognize meals from photos and to power the AI nutrition assistant. To deliver these features:

• Meal photos and text descriptions are sent to OpenAI (GPT-4o) for processing. OpenAI does not retain or use this data for training (per their API data policy).
• The AI assistant chat is processed by OpenAI under the same conditions.

You can choose not to use AI features by logging meals manually. AI processing is required only when you snap a photo or chat with the assistant.

Where your data is stored

• Application database and authentication: Supabase, hosted in EU data centers (Frankfurt, Germany).
• File storage (meal photos): Supabase Storage, EU region.
• AI processing: OpenAI (GPT-4o), processed in transit, not retained.
• Email delivery: Processed by our email provider. Data may be processed in the US.
• Analytics: Anonymized.

Your rights

Under GDPR (EU), LGPD (Brazil), and similar laws, you have the right to:

• Access your personal data — get a copy of what we hold about you.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data (“right to be forgotten”).
• Portability — export your data in a machine-readable format (CSV).
• Object — object to certain types of processing (e.g., direct marketing).
• Restrict processing — pause processing in certain situations.
• Withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, email us at privacy@gocaju.com. We respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority:

• EU: your national DPA (e.g., CNIL in France).
• Brazil: ANPD (Autoridade Nacional de Proteção de Dados).
• UK: ICO.

Athletes — your data and your coach

If you use goCaju as an athlete invited by a coach, your coach can see the data you log: meals, macros, activity, body composition, and chat messages.

You can:

• Disconnect from your coach at any time. Your coach will lose access to new data; historical data they already saw is not retroactively erased from their dashboard, but you can request its deletion.
• Export your data independently of your coach.
• Delete your account at any time.

Cookies and tracking

We use a minimal number of cookies:

• Essential cookies for authentication and session management. Required for the app to work.
• Analytics cookies for anonymized usage stats. You can opt out via the cookie banner.

We do not use advertising cookies or third-party tracking pixels.

Data retention

• Active accounts: we retain your data as long as your account is active.
• Cancelled accounts: we retain your data for 30 days after cancellation in case you change your mind, then permanently delete it. You can request immediate deletion at any time.
• Marketing email lists: we retain your email until you unsubscribe.
• Backups: routine backups are retained for 30 days, then deleted.

Children’s privacy

goCaju is not intended for use by children under 16. If a coach invites an athlete under 16, the coach must obtain verifiable parental consent before the athlete creates an account. We do not knowingly collect data from children under 16 without parental consent.

Security

We protect your data with:

• HTTPS everywhere (TLS 1.2+).
• Passwords hashed with bcrypt or equivalent.
• Row-level security at the database layer (Supabase RLS).
• Regular security reviews.

No system is perfectly secure. If we discover a data breach, we will notify affected users within 72 hours, in line with GDPR and LGPD requirements.

Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent version. Material changes will be communicated by email or in-app notice.

Contact

For any privacy question, request, or complaint:

privacy@gocaju.com

goCaju
Legal entity name and registered address — to be filled in once the company is registered.