ClayAI — Privacy Policy
Effective Date: June 19, 2026 Last Updated: June 19, 2026
1. Introduction
Bored Monkey LLC ("Company," "we," "us," or "our") operates the ClayAI mobile application and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Service.
We are committed to protecting your privacy and processing your personal data in compliance with applicable laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable data protection legislation.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
For the purposes of applicable data protection laws, the data controller is:
Bored Monkey LLC PO Box 534 Laurens, SC 29360 United States
Email: privacy@clayai.app
EU/EEA Representative (GDPR Article 27): As Bored Monkey LLC does not have an establishment in the EU/EEA, we will appoint an EU representative before launching the Service to EU/EEA users. The representative's name and contact details will be published here and within the app before EU launch. If you are reading this and no representative is listed, the Service has not yet launched in the EU/EEA.
UK Representative: A UK representative will be appointed before launching the Service to UK users, in accordance with UK GDPR Article 27. Contact details will be published here before UK launch.
3. Information We Collect
3.1 Information You Provide Directly
- Account information: Email address, display name, first name, last initial, and optionally your home club and NSCA membership number
- Profile information: Avatar image (if uploaded)
- Scoring data: Round scores, station configurations, target types, miss directions, shot timing, difficulty ratings, and notes
- Equipment data: Gun, choke, and ammunition configurations stored in equipment presets
- Weather data: Conditions, temperature, wind, and humidity recorded with rounds (entered manually or via third-party weather services)
- Squad session data: Session participation, scorer assignments, and guest names
- Communications: Messages you send to us via email or in-app support
3.2 Information Collected Automatically
- Device information: Device model, operating system version, unique device identifiers (for audit trail purposes), app version
- Usage data: Feature usage patterns, session duration, screens visited, actions performed (e.g., rounds created, squads joined)
- Performance data: App crash reports, error logs, performance metrics
- Connectivity data: Online/offline status, synchronization timestamps
- Approximate location: If you grant location permission, we may collect approximate location to suggest nearby clubs. We do not track precise GPS coordinates continuously.
3.3 Information from Third Parties
- Authentication providers: If you sign in via Google or Apple, we receive your name, email address, and a unique identifier from the provider. We do not receive your password.
- App Store platforms: Apple and Google provide us with anonymized subscription and transaction data.
4. How We Use Your Information
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Service (scoring, analytics, squad sync) | Performance of contract (Art. 6(1)(b)) |
| Create and manage your account | Performance of contract (Art. 6(1)(b)) |
| Generate AI-powered performance insights and coaching analytics | Performance of contract (Art. 6(1)(b)) |
| Synchronize data between your device and cloud servers | Performance of contract (Art. 6(1)(b)) |
| Maintain audit trails for squad scoring integrity | Legitimate interest (Art. 6(1)(f)) |
| Send transactional emails (account verification, password reset) | Performance of contract (Art. 6(1)(b)) |
| Send product updates and feature announcements | Legitimate interest (Art. 6(1)(f)) or consent (Art. 6(1)(a)) where required |
| Improve and develop the Service | Legitimate interest (Art. 6(1)(f)) |
| Detect and prevent fraud, abuse, and security incidents | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Respond to your support requests | Performance of contract (Art. 6(1)(b)) |
Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. A summary of our assessments:
- Audit trails (squad scoring integrity): Our legitimate interest is in maintaining fair, transparent scoring for all squad participants. The data processed is limited to scorer identity and timestamps, which is minimally intrusive and directly expected by users participating in collaborative scoring. Users are informed at the point of data collection. The benefit to all squad members (trust, dispute resolution) outweighs the minimal impact on individual scorers.
- Product updates and feature announcements: Our legitimate interest is in keeping users informed about Service improvements. Communications are infrequent, relevant to the user's use of the Service, and include an unsubscribe option in every message. For EU/EEA users, we obtain prior consent rather than relying on legitimate interest.
- Fraud detection and security: Our legitimate interest is in protecting the Service and all users from abuse. Processing is limited to detecting anomalous patterns (e.g., automated access, credential stuffing) and does not involve profiling for unrelated purposes.
- Service improvement: Our legitimate interest is in analyzing aggregated, anonymized usage patterns to improve features. No individual user is identifiable from this data.
5. AI Analytics and Automated Decision-Making
5.1 How AI Analytics Work
The Service uses algorithmic analysis to generate performance insights, predictions, and coaching recommendations based on your scoring data. This processing is performed:
- On-device: Core analysis runs locally on your device using your stored round data. This data does not leave your device for AI processing purposes.
- Cloud-based (future): Advanced coaching features may involve server-side processing. If introduced, we will update this policy and, where required, obtain your consent.
5.2 No Use of Individual Data for Model Training
We do not use your individual scoring data, equipment configurations, or personal performance history to train machine learning models. Aggregated, anonymized, and de-identified data (e.g., average hit rates by target type across all users) may be used to improve the Service's general analytics algorithms. No such aggregated data is traceable to any individual user.
5.3 No Solely Automated Decisions with Legal Effect
The AI analytics features do not make decisions that produce legal effects or similarly significantly affect you. They provide informational insights to support your own decisions about training and performance improvement.
5.4 Your Rights Regarding Automated Processing
Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Our AI analytics do not fall within this scope, but you may contact us at privacy@clayai.app with any concerns.
6. Data Sharing and Disclosure
6.1 With Other Users
- Squad sessions: When you participate in a squad session, other members can see your display name, first name, last initial, scores, and scoring activity within that session.
- Guest scorers: Guest users in your squad session can see your display name and scores for the duration of the session.
- Audit trail: Squad members can see who scored for whom (scorer identity is visible for transparency).
6.2 With Service Providers
We share personal data with third-party service providers who assist us in operating the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (US or EU region) | Cloud database, authentication, real-time sync | Account data, scoring data, session data |
| Apple / Google | App distribution, in-app purchases | Transaction data, account identifiers |
| RevenueCat (or equivalent) | Subscription management | Account identifiers, subscription status |
| Crash reporting service (e.g., Sentry) | Error monitoring | Device info, crash logs (no scoring data) |
All service providers are bound by written Data Processing Agreements (DPAs) compliant with GDPR Article 28 and are prohibited from using your data for their own purposes. You may request a copy of the applicable DPA or our current sub-processor list by contacting privacy@clayai.app.
Sub-processor changes: If we engage a new sub-processor, we will update the sub-processor list in this Privacy Policy and notify users via in-app notification at least 30 days before the new sub-processor begins processing personal data. EU/EEA and UK users may object to a new sub-processor during this 30-day period by contacting privacy@clayai.app.
6.3 For Legal Reasons
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify you via email or prominent notice within the Service before your data is transferred and becomes subject to a different privacy policy.
6.5 No Sale of Personal Data
We do not sell your personal data as defined under the California Consumer Privacy Act (CCPA). The CCPA defines "sale" broadly to include sharing personal data for monetary or other valuable consideration. Our data sharing with service providers listed in Section 6.2 does not constitute a "sale" because these providers process data solely on our behalf, under written contract, and are prohibited from using the data for any purpose other than providing services to us. We do not share your personal data with third parties for their direct marketing purposes.
7. International Data Transfers
7.1 Where Your Data is Stored
- US users: Your data is stored on servers located in the United States.
- EU/EEA users: We use Supabase's EU region infrastructure to store your data within the European Economic Area. If any processing requires transfer outside the EEA, we ensure appropriate safeguards are in place as described below.
7.2 Transfer Safeguards
When personal data is transferred from the EU/EEA to countries without an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
When personal data is transferred from the United Kingdom to countries without a UK adequacy regulation, we rely on the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to EU Standard Contractual Clauses, as issued by the UK Information Commissioner's Office (ICO).
Where applicable, we supplement these transfer mechanisms with additional technical and organizational safeguards, including encryption in transit and at rest.
You may request a copy of the applicable transfer safeguards by contacting us at privacy@clayai.app.
7.3 Data Processing Location
Your data is stored in the regions described in Section 7.1. Certain service providers may process data outside these regions for operational purposes (e.g., disaster recovery, technical support). Any such processing is subject to the transfer safeguards described in Section 7.2 and the DPAs described in Section 6.2. We do not permit sub-processors to access EU/EEA user data from outside the EEA except under these safeguards.
8. Data Retention
We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion request |
| Scoring and round data | Duration of account (exportable before deletion) |
| Squad session data | Duration of account; anonymized 90 days after session completion for participants who delete their accounts |
| Score entry audit trail | Duration of account; upon account deletion, audit trail entries from squad sessions are anonymized (your identity is removed) rather than deleted, to preserve the integrity of other participants' records. Anonymized audit data is retained for up to 12 months after your account deletion to support dispute resolution under a legitimate interest basis (GDPR Art. 6(1)(f)), after which it is permanently deleted. Solo round audit data is deleted with your account. |
| Device and usage analytics | 24 months from collection, then aggregated/anonymized |
| Crash reports | 12 months |
| Support communications | 24 months after resolution |
After the applicable retention period, data is either deleted or irreversibly anonymized.
9. Your Rights
9.1 Rights for All Users
Regardless of your location, you may:
- Access your personal data through the app's data export feature or by contacting us
- Correct inaccurate personal data through your account settings
- Delete your account and associated data through app settings or by contacting us
9.2 Additional Rights for EU/EEA and UK Users
Under GDPR and UK GDPR, you also have the right to:
- Restrict processing of your personal data in certain circumstances
- Data portability — receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
- Object to processing based on legitimate interest, including for direct marketing
- Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal
- Lodge a complaint with your local data protection authority (a list of EU DPAs is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en)
9.3 Additional Rights for California Users
Under the CCPA, California residents have the right to:
- Know what personal information is collected, used, and shared
- Request deletion of personal information
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
9.4 How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@clayai.app.
Response timelines: - GDPR (EU/EEA and UK users): We will respond within 30 days of receiving your request. For particularly complex requests or a high volume of requests, we may extend this period by up to two additional months. If we need an extension, we will notify you within the initial 30-day period and explain the reason for the delay. - CCPA (California residents): We will respond within 45 days of receiving your request. In certain circumstances, we may extend this by an additional 45 days with notice.
We may need to verify your identity before processing your request. For account holders, we will verify your identity through your authenticated account session. For non-account requests, we may ask for information sufficient to confirm your identity. The response timeline begins after identity verification is complete.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Row-level security (RLS) ensuring users can only access their own data
- Append-only audit trails preventing unauthorized modification of scoring records
- Secure authentication via industry-standard providers (Supabase Auth with bcrypt hashing)
- Regular security reviews of our infrastructure and codebase
No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
11. Health and Fitness Data
The Service does not request or access Apple HealthKit, Google Health Connect, or any other health or fitness platform data. Scoring and performance data within ClayAI is sports analytics data, not health data. If we integrate with any health platform in the future, we will update this Privacy Policy and obtain your explicit consent before accessing such data.
12. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will delete that information within 7 days of discovery.
If you believe a child under 16 has provided us with personal data, please contact us at privacy@clayai.app.
13. Offline Data and Local Storage
The Service stores data locally on your device (via SQLite) to enable offline functionality. This local data:
- Remains on your device until synchronized with our cloud servers
- Is subject to your device's own security measures (passcode, biometrics)
- May persist after app deletion depending on your device's operating system behavior
We recommend enabling device-level security (passcode, biometrics) to protect locally stored data. If you wish to ensure complete removal of local data, you can manually clear the app's storage before uninstalling: - iOS: Settings > General > iPhone Storage > ClayAI > Delete App (this removes all local data) - Android: Settings > Apps > ClayAI > Storage > Clear Data, then uninstall
14. Cookies and Tracking
The ClayAI mobile application does not use browser cookies. We may use mobile analytics tools to collect anonymized usage data as described in Section 3.2.
Analytics consent and opt-out: You may opt out of analytics collection at any time through Settings > Privacy > Analytics within the app. Opting out of analytics does not degrade any app functionality — all scoring, squad, and AI coaching features continue to work identically. For EU/EEA and UK users, analytics data collection is disabled by default and requires your affirmative opt-in consent before any analytics data is collected.
15. Account Deletion
You may delete your account at any time by navigating to Settings > Data > Delete Account within the app, or by contacting us at privacy@clayai.app.
Deletion process: 1. You will be asked to confirm your intent by typing "DELETE" 2. Upon confirmation, your account is immediately deactivated and you are signed out 3. All personally identifiable data is permanently deleted from our cloud servers within 30 days, including your profile, rounds, scores, equipment presets, and course configurations 4. Squad session audit trail entries where you were a participant are anonymized (your identity is replaced with a generic placeholder) to preserve the integrity of other participants' records. Anonymized data is deleted 12 months after your account deletion. 5. Anonymized, aggregated data that is not traceable to you may be retained indefinitely 6. Data stored locally on your device is cleared when the app's local database is reset (which occurs automatically on account deletion if the app is open)
Important: Deleting your account does not cancel an active subscription. You must cancel your subscription through the Apple App Store or Google Play Store separately. See our Terms of Service, Section 5.3 for cancellation instructions.
We recommend using the Export My Data feature (Settings > Data > Export My Data) before deleting your account if you wish to retain a copy of your data.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service or by email at least 30 days before the changes take effect.
For EU/EEA and UK users: where changes affect processing based on consent, we will request renewed consent where required by law.
We encourage you to review this policy periodically. The "Last Updated" date at the top indicates the most recent revision.
17. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
Bored Monkey LLC PO Box 534 Laurens, SC 29360 United States
Privacy inquiries: privacy@clayai.app General support: support@clayai.app
For EU/EEA data protection inquiries, contact our EU representative (details in Section 2 — to be appointed before EU launch).
For UK data protection inquiries, contact our UK representative (details in Section 2 — to be appointed before UK launch).
You also have the right to lodge a complaint with your local data protection authority: - EU/EEA: Find your local DPA at https://edpb.europa.eu/about-edpb/about-edpb/members_en - UK: Information Commissioner's Office (ICO) at https://ico.org.uk/make-a-complaint/
This Privacy Policy was last reviewed on April 4, 2026. It should be reviewed by qualified legal counsel, including counsel familiar with GDPR and UK GDPR, before publication.