<!--
@llm-meta
file: llms-legal.md
title: Legal — Privacy Policies, Terms, Coach Portal, DPA
description: Comprehensive legal-document reference for saturday.fit. Privacy policies, terms of service, EULA, coach-portal terms, coach privacy addendum, Data Processing Agreement template.
category: site-page
keywords: legal, privacy, terms, policy, EULA, DPA, MHMDA, GDPR, CCPA, CPRA, coach, marketplace, Stripe Connect
last-updated: 2026-04
related: llms-transparency.md, llms-homepage.md
-->

# Saturday Inc. — Legal Pages

> LLM context file for saturday.fit/legal

## Page Structure

The legal section index is at `/legal` and links to **9 separate documents** organized in three groups:

### App Policies (consumer-facing, mobile app + web)
- **App Privacy Policy** (`/app-privacy`) — Saturday: Pro Fuel & Hydration mobile app data handling
- **App Terms & Conditions / EULA** (`/app-terms`) — License and terms of use for the app

### Website Policies (saturday.fit visitors and purchasers)
- **Website Privacy Policy** (`/web-privacy`) — Data handling for saturday.fit visitors
- **Website Terms of Use** (`/web-terms`) — Terms governing saturday.fit website use

### Health Data
- **Consumer Health Data Privacy Policy** (`/health-data-privacy`) — Standalone policy compliant with WA My Health My Data Act (MHMDA), including 2024-2026 enforcement guidance

### Coach Portal (coach.saturday.fit)
- **Coach Terms of Service** (`/legal/coach-tos`) — Coach portal terms covering tier subscriptions, Stripe Connect billing, athlete relationships, organization hierarchy, FTC endorsement compliance, scope-of-practice carve-outs
- **Coach Privacy Policy** (`/legal/coach-privacy`) — Athlete-data handling by coaches, GDPR controller/processor framing, sub-processor transparency, audit logging
- **Data Processing Agreement (DPA)** (`/legal/dpa`) — Template DPA for B2B customers, includes 2021 SCCs + UK Addendum 2022, Schrems II adequacy assessment

### Commerce
- **Merch Return & Exchange Policy** (`/merch-returns`) — 14-day money-back guarantee for Saturday merch (made-to-order)

## Key Legal Details

| Field | Value |
|---|---|
| Entity | Saturday Inc. |
| Address | 8 The Green, STE A, Dover DE 19901 |
| Contact | support@saturdaymorning.fit |
| Arbitration opt-out | legal@saturdaymorning.fit |
| Governing law | State of Delaware |
| Jurisdiction | Maricopa County, Arizona (for non-arbitration matters) |
| Arbitration venue | Phoenix, Arizona via JAMS |
| Minimum age | 16 (16-17 with parental consent) |
| Health data law | WA MHMDA (separate dedicated policy) |

## Data Collected (App)

- Email address, display name, Firebase UID, authentication method
- Health & biometric data: weight, sex, year of birth, sweat level, saltiness, fitness level, satiety, cravings, weight loss preference, eating disorder flag, fueling concerns (gut distress, cramps, faintness, heat tolerance, hunger, thirst, drinking resistance, performance), max carbs, usual carbs, swim PR
- Activity data: type, duration, intensity, thermal stress, nutrition consumed, ratings, notes
- Device & technical: app version, OS version, crash data, analytics events
- Location: GPS (transient only — sent to OpenWeatherMap for weather, never stored)
- Third-party sync (user-initiated): TrainingPeaks, Intervals.icu

## Data Collected (Website)

- Identity for purchasers: name, email
- Browser, network, device info
- IP address (anonymized where possible), pages visited, referral pages
- Stripe handles all payment data — Saturday never sees credit card numbers
- Marketing emails via Klaviyo (consent-based)

## Data Collected (Coach Portal)

- Coach identity: email, display name, Firebase UID
- Coach tier subscription details (Coach free, Pro Coach $29/mo, Head Coach $79/mo, Business $149/mo, Enterprise custom)
- Athlete-coach relationship records (linked via `shared_with_coach_uids`)
- Stripe Connect account ID and status (Coach is merchant of record)
- Compliance dashboard data (computed real-time from athlete activity)
- Audit log: admin actions, impersonation events, IP, User-Agent, timestamps (90-day retention)
- Org membership and role assignments
- Billing arrangements between coach and athletes (financial-regulation 7-year retention)

## Third-Party Services

### Common to App + Website
- **Google Cloud / Firebase** (Google LLC) — Auth, Firestore, Analytics, Crashlytics, Performance, Cloud Functions
- **Stripe** (Stripe, Inc.) — Web payments + Coach Connect billing
- **Klaviyo** (Klaviyo, Inc.) — Email marketing communications
- **Cloudflare** (Cloudflare, Inc.) — CDN, DNS, DDoS protection, Workers (link.saturday.fit, get.saturday.fit)

### App-only (user-initiated or transient)
- **TrainingPeaks** (Peaksware, LLC) — Workout sync via OAuth
- **Intervals.icu** — Workout sync via OAuth
- **OpenWeatherMap** (OpenWeather Ltd) — Weather data (GPS sent transiently)
- **Open Food Facts** — Product database (barcode lookups)
- **Google Gemini AI** (Google LLC) — Nutrition label image extraction
- **Apple App Store** + **Google Play Store** — In-app subscriptions
- **Apple Sign-In** + **Google Sign-In** — Authentication

### Coach Portal additions
- **Brevo / Sendinblue** — Transactional emails (org invites, impersonation alerts, billing notices)

## User Rights

- **MHMDA (WA + similar):** Confirm/access, withdraw consent, delete, annual renewal — all users worldwide via the Health Data Privacy Policy
- **CCPA/CPRA (CA):** Know, delete, correct, opt out of sale/sharing, limit sensitive PI, non-discrimination
- **GDPR (EU/UK):** Access, rectify, erase, portability, restrict, object, lodge complaint with supervisory authority
- **Multi-state US:** Access, correct, delete, opt out of sale/targeted ads/profiling, appeal — for residents of CO, CT, VA, TX, OR, MT, IA, IN, TN, FL, MN, NJ, DE, MD, NH, RI
- **Universal:** Withdraw consent, request deletion, exercise rights via support@saturdaymorning.fit
- **Global Privacy Control (GPC):** Honored as a valid opt-out signal

## Important Terms (App EULA)

- Limited, non-exclusive, non-transferable license
- No reverse engineering, sublicensing, or transferring
- Services provided "AS IS" with no warranties
- Liability capped at 12 months of fees paid
- Comprehensive assumption-of-risk for fitness/nutrition activities
- Saturday staff are not medical doctors; recommendations require user verification with a healthcare provider
- Mandatory arbitration with class action waiver (JAMS, Phoenix AZ)
- 30-day arbitration opt-out window from first acceptance
- 14-day money-back guarantee on direct (Stripe) web purchases
- App store purchases: refunds via Apple/Google
- Termination: 14-day notice for company-initiated terminations with prorated refund
- User can terminate anytime; access continues through paid billing cycle

## Important Terms (Coach Portal)

- **Coach is merchant of record** for charges processed via their Stripe Connect account
- **Independent contractor relationship** between coach and Saturday — no employment, agency, or joint venture
- **Coach is independent of athlete** — Saturday facilitates the relationship but is not party to coach-athlete service contracts
- **Athlete-data scope is limited**: coaches see compliance indicators and activity summaries, NOT raw biometric or health data
- **Athlete consent is mandatory** before coach access — three documented entry paths (QR, deep-link, subscribe-to-coach)
- **Athlete revocation is immediate** — no coach-side override
- **Platform fee** is disclosed on every charge receipt and in the coach billing dashboard
- **Trial grants** are subject to a per-athlete lifetime cap (one trial across all coaches)
- **Organization hierarchy** with cascade rules for member removal and dissolution
- **Admin impersonation** is logged with admin UID, target UID, justification, IP, User-Agent — and emailed to the impersonated coach
- **ToS versioning** enforced via Firestore `system_config/tos_current` + 428 Precondition Required middleware blocking write actions until acceptance

## Important Terms (Website / Commerce)

- Auto-renewal disclosure compliant with CA Auto-Renewal Law (CARL) and FTC's Click-to-Cancel rule
- Mandatory arbitration with class action waiver (JAMS, Phoenix AZ)
- 14-day right of withdrawal for EU/EEA consumers (Consumer Rights Directive)
- 14-day money-back guarantee on direct subscription purchases
- Force majeure, severability, and survival clauses included

## DPA / Sub-processors

For B2B customers using the Coach Portal at scale, a Data Processing Agreement template is available at `/legal/dpa`. It includes:

- **2021 EU Standard Contractual Clauses** (Module 2: Controller-to-Processor)
- **UK International Data Transfer Addendum 2022**
- Schrems II adequacy assessment placeholder
- Sub-processor list with 30-day change notification + 14-day objection window
- Encryption: TLS 1.3 in transit, AES-256 at rest (GCP default)
- 72-hour breach notification commitment
- Audit log retention (90 days), billing record retention (7 years)
- Standard data subject rights assistance
- Term auto-tied to Coach Portal subscription

## Saturday Does NOT

- Sell user data
- Serve advertisements
- Share data with advertisers or data brokers
- Use sensitive personal information for any purpose other than service delivery
- Use AI for any purpose that produces legally significant decisions about users
- Track users across other websites for advertising purposes

## Saturday DOES

- Honor Global Privacy Control (GPC) signals as opt-out
- Provide annual MHMDA consent renewal
- Notify users of data breaches within 72 hours (GDPR-aligned, applies globally)
- Maintain a complete sub-processor list available on request
- Maintain audit logs of admin actions for forensic purposes
- Honor data subject rights requests within 30 days (or 45 days for CPRA, 60 days for appeals)
