AI & GDPR — How we handle your data
Last updated: May 4, 2026
This page explains exactly how our AI assistant (the Black Belt Assistant) processes data, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and similar laws (UK GDPR, Swiss FADP, etc.).
If anything here is unclear, contact us at contact@kombatevolve.com. We will respond within 30 days as required by GDPR Article 12.
1. What data the AI sees
The AI assistant only processes data that already exists in your gym's account: students, attendance, payments, sparring sessions, class feedback, coach journal notes. It never touches data from other gyms.
For each conversation, the platform builds a context payload in JSON, sends it to Anthropic's Claude API, and receives a response. The payload contains:
- Student names — pseudonymised: only first name + last initial (e.g. "Yosi B."). The full last name never leaves our servers.
- Aggregate metrics: attendance counts, MRR, overdue subscription counts, belt distribution.
- Recent activity samples: up to ~5–10 entries per category (recent journal notes, low-rated class feedback comments, etc.).
- Internal IDs: opaque identifiers needed by the AI to propose actions on specific students. These IDs are not personal data on their own.
The payload is capped at roughly 1,500 tokens. No raw email addresses, phone numbers, postal addresses, payment card details, or government identifiers are ever sent to the AI.
2. Why we use AI
We use AI under GDPR Article 6(1)(f) — legitimate interest: providing useful insights and time-saving automation to gym owners.
The processing has been balanced against your rights:
- We pseudonymise personal data before sending it.
- We only send what's needed to answer the question.
- You can opt out of the AI assistant at any time — your gym remains fully functional without it.
- We never use your data to train Anthropic's models (see §4 below).
3. Sub-processors
We rely on third parties to deliver the service. Each one processes a defined slice of your data under a Data Processing Agreement (DPA):
| Sub-processor | Purpose | Where data is hosted | DPA |
|---|---|---|---|
| Supabase (Postgres + storage) | Primary database + file storage | EU (Frankfurt) | Yes |
| Anthropic, PBC (Claude API) | AI assistant inference | USA — Standard Contractual Clauses + Zero Data Retention requested | Yes |
| Stripe | Subscription + one-time payments, KYC | EU + USA (SCCs) | Yes |
| Resend / Brevo / Plunk / Postmark (one of, depending on team config) | Transactional email delivery | EU | Yes |
| OneSignal | Push notifications to coach + student apps | USA (SCCs) | Yes |
| PostHog | Product analytics (no PII) | EU | Yes |
| Vercel | Web app hosting | EU + USA edge | Yes |
We will update this list whenever we add or change a sub-processor. Material changes will be announced to OWNERs via email at least 30 days in advance, giving you time to object.
4. International data transfers
Some of our sub-processors are based in the United States (notably Anthropic, Stripe, OneSignal, parts of Vercel's edge network). For each, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, and
- Zero Data Retention with Anthropic — meaning prompt + response data is not stored or used for model training. We have requested ZDR via Anthropic support; the status of this request is updated below.
Anthropic ZDR status: requested / pending / active (this line is updated whenever the status changes).
If ZDR is not yet active for your account, Anthropic retains prompts and responses for up to 30 days for safety review and support purposes only. They are not used to train models for any customer who is on the standard API tier.
5. Your GDPR rights
You can exercise the following rights at any time by emailing contact@kombatevolve.com:
- Right of access (Art. 15) — get a copy of all data we hold about you.
- Right to rectification (Art. 16) — correct anything wrong.
- Right to erasure (Art. 17) — delete your account and all associated data within 30 days. Backups are purged within 90 days.
- Right to restrict processing (Art. 18) — pause AI processing on your data while keeping your account active.
- Right to data portability (Art. 20) — export your data in a machine-readable format.
- Right to object (Art. 21) — opt out of legitimate-interest processing including AI.
- Right to lodge a complaint (Art. 77) — with your national data-protection authority (in France: CNIL · in Germany: BfDI · etc.).
Coaches can also self-serve account deletion at Settings → Team → Delete team.
6. Audit trail & transparency
Every action the AI takes on a student's account (sending an email, promoting them, freezing a subscription, etc.) is recorded with:
- The coach who triggered it
- The exact parameters used
- The result (success or failure)
- A timestamp
You can review this audit log at Assistant → History. It is retained for as long as your account is active. After deletion, audit logs are purged within 90 days.
7. AI quotas & rate limits
To prevent runaway data flow to the AI, every team has a per-plan monthly message quota and a per-hour rate limit. These are enforced at the application layer and visible to OWNERs at Settings → Team → AI usage.
8. Children's data
We process belt and attendance data for minors only when their parent or legal guardian has registered the child via the parent-account flow. We do not knowingly process data of children under 13 without verifiable parental consent.
9. Data retention
| Data | Retention |
|---|---|
| Student profile, attendance, payments | While your gym account is active |
| Coach journal entries | While your gym account is active |
| AI conversation history | Stored locally in your browser only — never on our servers |
| AI cost log + AI action log | 24 months |
| Audit logs | 24 months |
| Backups | Rolling 90-day window |
Account deletion triggers full data purge within 30 days; backups are then purged in the next rolling cycle (≤ 90 days).
10. Conversation memory
AI conversations are stored exclusively in your browser's localStorage. They are never transmitted to our servers or to Anthropic between turns (except as part of the active prompt). Clearing browser data clears the conversation history.
11. Contact
Data controller: Kombat Evolve, contact@kombatevolve.com
For data-protection requests (access, deletion, restriction, portability, objection, complaints) please use the same address — your message is routed to the right team.
For supervisory authority complaints, contact the data-protection authority of the EU member state where you live or where the alleged infringement occurred.
12. Changes
This page is versioned. Material changes are announced to OWNERs via email at least 30 days before they take effect. Non-material changes (typo fixes, sub-processor location updates) are reflected on this page with the Last updated date.
For the general privacy policy, see Privacy Policy.