Privacy Policy

Effective 2026-04-23. This policy is plain English, not legalese.

Who we are

ShotRx is operated by 17452217 Canada Inc. (operating as Metriview), based in Outremont, Quebec, Canada. Contact: founders@metriview.info.

What we collect

  • Account info — email, display name, avatar (when you sign in with Google or Apple). Password hash if you register with email.
  • Golf profile — handicap, typical distances, preferred ball flight, launch monitor used, goals, physical considerations. You enter this in onboarding and can edit or delete it at any time.
  • Launch monitor photos — the images you upload for AI analysis. Stored in our encrypted Supabase Storage bucket and attached to your account.
  • Session data — extracted metrics (club speed, ball speed, smash factor, launch angle, spin, club path, face angle, attack angle, carry distance), diagnosis text, drill recommendations, notes, tags, ratings, conditions.
  • Subscription status — whether you have Full Bag active, from RevenueCat (iOS) or Stripe (web).
  • Usage events — which analyses you've run (count + timestamp only), used to enforce the free-tier limit and rate limit.

We do not collect your location, browser fingerprint, advertising ID, or track you across other apps or websites.

How we use your data

  • To run the AI analysis: your launch monitor photo + golf profile are sent to Anthropic's Claude API for metric extraction and coaching diagnosis.
  • To recommend practice drills and link YouTube videos: the drill title + diagnosis keywords are sent to the YouTube Data API (Google).
  • To show your session history, trends, and goals across sessions (the longitudinal tracking is the core product).
  • To enforce free-tier limits and rate limits on analyze calls.
  • To process subscription payments (Stripe on web, StoreKit via Apple on iOS, validated by RevenueCat).
  • To authenticate you (Supabase Auth).

You can turn off AI processing at any time via Settings → Privacy & AI. With it off, no new data leaves your device for Claude or YouTube; existing sessions are preserved.

Who we share data with

ShotRx uses the following third-party processors. Each has its own privacy policy; we minimize what we send.

  • Anthropic (Claude API) — your launch-monitor image + golf profile + session context. Anthropic does not train models on API data and does not retain it beyond the request, per their API terms. anthropic.com/legal/privacy
  • Supabase — hosts the database, authentication, and encrypted photo storage. EU + US hosting. supabase.com/privacy
  • Vercel — hosts the web app. We don't store user data at Vercel; it's only the application runtime. vercel.com/legal/privacy-policy
  • Google (YouTube Data API) — drill name + issue keywords, so we can embed the most relevant training video. No personal identifiers sent. policies.google.com/privacy
  • Google / Apple Sign-In — only if you choose that sign-in option. We receive your email + name from the provider. No ongoing data exchange.
  • RevenueCat — iOS subscription receipt validation. Your Supabase user id links to a RevenueCat customer record. revenuecat.com/privacy
  • Stripe — web subscription billing only. Handles card data directly; ShotRx never sees card numbers. stripe.com/privacy

We do not sell your data. We do not share it with advertisers. We do not run any analytics SDK that tracks you across apps.

Your rights

  • Access + export — Settings → Data → Export All Data exports every session to CSV.
  • Correct — edit your profile (ProfileDrawer) or individual sessions any time.
  • Delete — Settings → Danger Zone → Delete Account removes your account, profile, all sessions, all drill recommendations, and all Storage photos. This is irreversible and happens within seconds.
  • Revoke AI consent — Settings → Privacy & AI toggle stops all Claude / YouTube calls from your account. Previously-saved sessions remain until you delete them.
  • Object / restrict / complain — email us at founders@metriview.info. Quebec residents have additional rights under Law 25 (Quebec private-sector privacy law); EU/UK residents have GDPR rights. We respond within 30 days.

Data retention

Sessions, photos, profile data: kept as long as your account exists. On account deletion, removed within minutes and purged from backups within 30 days. Log entries used for security/abuse prevention may be retained up to 90 days before automatic deletion.

Security

All traffic is HTTPS-only with HSTS. Row-level security on the database prevents users from reading each other's data. Images in Supabase Storage are access-controlled. We don't log image content to edge function logs. See our public GitHub repo for security-audit commits.

Children

ShotRx is not directed at children under 13. We do not knowingly collect data from children. If you're a parent and believe your child has created an account, email us and we'll delete it.

Changes

When we change this policy materially, we'll notify you via email and an in-app banner before the change takes effect. Past versions are available on request.

Contact

Privacy questions: founders@metriview.info

See also: AI Disclaimer & Legal