Legal

Privacy Policy

Effective date: April 30, 2026 · Last updated: April 30, 2026

This Privacy Policy explains how Interbeing ("we," "us," "our") collects, uses, shares, and safeguards personal information when you use our website, PWA, and related services (the "Service"). It applies in addition to our Terms of Service.

1. Plain-language summary

  • For most pose sessions, your camera video stays on your device. AI pose recognition (MediaPipe) runs in real time in the browser. Only numerical metrics (joint angles, scores, hold durations) leave your browser. Exception: AI Coach mode streams camera and microphone to Google Cloud during the session — see “AI Coach mode” below.
  • We collect the minimum needed to operate the Service: account info, subscription status, session metrics, and basic device / usage telemetry.
  • Payments are processed by Stripe and RevenueCat. We do not store full card numbers.
  • You can request access, correction, deletion, or export of your data by emailing .

2. AI pose recognition — real-time, no video retention

During a pose session, the Service uses your device camera together with the MediaPipe pose-landmarker model running locally in your browser (WebAssembly). The model detects skeletal landmarks frame by frame and computes joint angles and a session score in real time.

What stays on your device. The camera video stream is rendered to the <video> element in your browser, processed in memory by MediaPipe, and discarded as soon as each frame is analyzed. Frames, photos, and any imagery of you are never recorded, uploaded, transmitted, or stored by Interbeing, our servers, or any third party.

What we receive. Only the derived numerical outputs — landmark coordinates aggregated into joint angles, rep counts, hold durations, accuracy scores, and session metadata (start/end time, pose IDs, session type) — are sent to our servers. These metrics are tied to your account so we can show your history, compute leaderboards, and award badges.

How AI feedback is generated. Brief coaching tips are produced by a third-party large-language-model provider (Anthropic) using only the numerical metrics described above as input. No images, video frames, or audio of you are sent to any AI provider. The AI evaluates posture in real time and returns corrective guidance only; it does not see, store, or replay your video.

Local caches. Your browser may cache MediaPipe model weights and assets to improve performance. You can clear these at any time using your browser's site-data controls.

3. Information we collect

  • Account data: email address, hashed password (managed by Supabase Auth), display name, age-eligibility and ToS-consent flags and timestamps, subscription tier, and optional profile fields.
  • Session metrics: pose IDs, joint angles, rep and hold scores, session duration, session type, badges, streak counters, and leaderboard placements. No video or imagery.
  • Subscription & payment metadata: plan, renewal/cancellation status, billing customer ID, invoice IDs, and last-four card digits where surfaced by the payment processor. Full card data is handled directly by Stripe and is not stored by us.
  • Communications: direct messages, social-feed posts, comments, and reports you submit.
  • Device & usage telemetry: IP address, browser and device type, language, page views, error logs, and performance metrics, used for security and reliability.
  • Cookies & local storage: session tokens, CSRF tokens, preferences, and the MediaPipe model cache described above.

4. How we use information

  • operate, maintain, and secure the Service;
  • authenticate users, enforce subscription gating, and process payments and renewals;
  • compute scores, badges, leaderboards, and personalized feedback tips;
  • moderate content, investigate abuse, and respond to support requests;
  • comply with legal obligations, including tax, accounting, and consumer-protection requirements;
  • detect, prevent, and respond to fraud, security incidents, and policy violations;
  • communicate service-critical notices and (where you have opted in) product updates.

5. Legal bases (GDPR / Korea PIPA)

  • Performance of contract — providing the Service, billing, and support.
  • Consent — age and ToS acknowledgement at sign-up; optional marketing emails; access to camera and microphone (granted via browser).
  • Legitimate interests — securing the Service, preventing fraud, improving reliability, and defending legal claims.
  • Legal obligation — tax, audit, anti-money laundering, and consumer-protection record-keeping.

6. Sharing & processors

We do not sell personal information. We share data only with service providers who process it on our behalf under appropriate contractual safeguards:

  • Supabase — managed PostgreSQL, authentication, and storage.
  • Vercel — web hosting and edge delivery.
  • Stripe — payment processing.
  • RevenueCat — subscription state and webhook orchestration.
  • Anthropic — generation of short coaching tips from numerical session metrics (no images or video).
  • Email provider — transactional email delivery (e.g., verification, receipts).

We may also disclose information when required by law, to protect rights and safety, or in connection with a merger or asset sale, provided the recipient agrees to honor this policy.

7. International transfers

Interbeing is operated by a Delaware (USA) limited liability company. Your information may be stored and processed in the United States and other jurisdictions where our processors operate. Where transfers leave your country of residence, we rely on Standard Contractual Clauses, adequacy decisions, or equivalent mechanisms recognized by the European Commission, the UK ICO, and the Korean Personal Information Protection Commission (PIPC), as applicable.

Notice to Korean residents (PIPA Article 28-8 — overseas transfer of personal information). By creating an account and accepting this Policy, you consent to the transfer of your personal information overseas as set out below. You may withhold consent, but in that case we cannot provide the Service because our infrastructure is hosted outside Korea.

  • Recipients & countries: Supabase Inc. (United States — managed PostgreSQL, auth, storage); Vercel Inc. (United States — web hosting); Stripe, Inc. (United States — payment processing); RevenueCat, Inc. (United States — subscription orchestration); Anthropic, PBC (United States — text-only coaching tip generation); transactional email provider (United States / European Union).
  • Items transferred: account identifiers, email, hashed authentication credentials, subscription metadata, session metrics (numerical only — no images), device telemetry, and support communications.
  • Purpose & legal basis: performance of the service contract; processors operate under data-processing agreements containing SCC-equivalent safeguards.
  • Time and method of transfer: at the moment of processing, over TLS-encrypted network connections.
  • Retention by recipients: aligned with Section 8 (Retention) of this Policy and the recipient's own published terms.

8. Retention

  • Camera video / images: not retained — see section 2.
  • Account data: retained while your account is active, then deleted or anonymized within 90 days of account closure (longer where law requires, e.g., 5 years for e-commerce transaction records under Korean law).
  • Session metrics: retained while your account is active to power history and leaderboards; aggregated / anonymized for analytics where appropriate.
  • Billing records: retained for the period required by tax and consumer-protection law (typically 5 years).
  • Logs & security telemetry: retained for up to 12 months for fraud and incident investigation.

9. Your rights

Subject to your local law, you have rights to access, correct, delete, port, restrict, or object to the processing of your personal information, and to withdraw consent where processing is based on consent. Korean residents have rights under PIPA; EEA/UK residents under the GDPR/UK GDPR; California residents under the CCPA/CPRA, including the right to opt out of any "sale" or "share" (we do not sell or share personal information for cross-context behavioral advertising).

To exercise these rights, email from the address associated with your account. We respond within 30 days. If you believe we have not addressed your concern, you may lodge a complaint with your supervisory authority (e.g., the Personal Information Protection Commission in Korea).

10. Security

We use industry-standard safeguards including TLS in transit, encryption at rest, scoped access keys, Supabase Row-Level Security policies on every user-data table, principle-of-least-privilege for staff access, and security audits of changes to authentication and payment paths. No system is completely secure; please use a strong, unique password and notify us promptly of any suspected compromise.

11. Children's privacy

The Service is not directed to children under 13 in the United States (COPPA), under 14 in Korea (PIPA Article 22-2), or under the higher age of digital consent applicable in your jurisdiction (e.g., 16 in some EEA member states). We do not knowingly collect personal information from children below those ages. Adult educational content is gated and restricted to users who confirm they are 18+ at the point of access. If we learn we have collected personal information from a child without verifiable parental or legal-guardian consent, we will delete that information promptly. Parents and legal guardians may contact to review, delete, or refuse further collection of their child's information.

11a. California notice at collection (CCPA / CPRA)

For California residents, the categories of personal information we collect, the purposes of collection, and retention horizons are summarized below. We do not sell personal information and do not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the CPRA.

  • Identifiers (email, account ID, IP) — to create and secure your account; retained per Section 8.
  • Commercial information (subscription tier, billing metadata) — to operate billing; retained per tax law.
  • Internet/network activity (page views, error logs) — for security and reliability; retained up to 12 months.
  • Inferences (pose-accuracy scores, badges) — to provide personalized history and feedback; retained while your account is active.
  • Sensory data — none retained. Camera frames are processed in real time on your device and discarded; we do not collect or retain audio or video.

California residents may exercise rights to know, delete, correct, and limit use of sensitive personal information by contacting . We will not discriminate against you for exercising any CCPA/CPRA right.

12. Cookies & similar technologies

We use strictly necessary cookies (auth tokens, CSRF) to operate the Service, and limited preference and analytics technologies to understand reliability and usage. Where required by law, we request consent before using non-essential cookies. You can manage cookies via your browser settings; disabling strictly necessary cookies will prevent the Service from working.

13. Automated decisions & AI feedback

Logic involved. The Service computes pose-accuracy scores from numerical joint-angle deltas detected on your device (deterministic geometric scoring). Brief coaching tips are then produced by Anthropic's large-language-model API using only those numerical metrics, the pose name, and the rep score as input. No images, video frames, audio, or biometric identifiers are sent to any AI provider.

Significance and consequences. AI-generated coaching tips and pose scores are informational only. They do not produce legal or similarly significant effects, do not determine eligibility for the Service, and are not used for credit, hiring, insurance, or health-diagnostic decisions. You can disregard them at any time and continue using the Service.

Your rights. Where applicable law (GDPR Article 22, PIPA Article 37-2) grants a right to obtain human review, challenge an automated decision, or refuse automated processing, you may exercise that right by contacting our privacy team at .

14. Data Protection Officer & Korean privacy contacts

In accordance with Korean PIPA Article 30 and (where applicable) GDPR Article 13, the following contacts are designated:

  • Privacy Officer / Data Protection Officer: available via . Operator name, representative, and registered address are published on our Business information page.
  • Personal Information Grievance Department: the same address handles access, correction, deletion, suspension, and complaint requests.
  • Supervisory authorities (Korea): Personal Information Protection Commission (privacy.go.kr); Korea Internet & Security Agency Privacy Call Center (118); Cybercrime Investigation Department, Supreme Prosecutors' Office (1301); Cyber Bureau, National Police Agency (182).
  • Supervisory authorities (other regions): EEA/UK residents may contact their national data-protection authority; California residents may contact the California Privacy Protection Agency (cppa.ca.gov).

AI Coach mode

AI Coach is an optional 5-minute coaching mode powered by Google Gemini Live. While active, your camera and microphone stream to Google Cloud servers (US/EU) so the AI can give real-time movement coaching. Google processes the stream in-flight and discards it after the session; we never store the raw stream. We log session metadata (duration, AI quality rating, AI summary) for the audit trail required by Korean PIPA (Art. 22) and GDPR (Art. 7(1)).

Each session requires explicit opt-in via a confirmation dialog. You can opt out by simply not starting an AI Coach session — all other modes keep your video on-device.

14a. Cookies

We use four categories of cookies on Interbeing:

  • Necessary — session, authentication, and consent storage. Always on.
  • Preferences — theme and locale memory across visits. Optional.
  • Analytics — usage measurement to improve the product. Optional. (Not in use today; this category exists so we can introduce analytics later without re-asking consent for users who already opted in.)
  • Marketing — campaign measurement and personalization. Optional. (Not in use today.)

Your decision is stored in the ib-consent cookie and, for signed-in users, in our database for audit purposes. Consent expires after 13 months by default; we will ask you again afterwards. You can review or change your decision at any time on the privacy settings page.

15. Changes

We will post any changes to this Policy on this page and update the "Last updated" date above. Material changes will be communicated by email or in-app notice at least 7 days before taking effect (or longer where required by law). Where a change adversely affects your rights, we will obtain renewed consent where required by applicable law.

16. Contact

Privacy questions, requests, and complaints should be sent to . Operator and registration details are available on our Business information page.