Connector & API Privacy Disclosure
Saturday Connector & Coach API — June 9, 2026
This disclosure describes the data behavior of the Saturday Claude connector and Coach API. It is an addendum to the App Privacy Policy and Website Privacy Policy; where this addendum is silent, those policies govern.
1. Purpose and Scope
The Saturday connector lets a person connect their Saturday account to an AI assistant (such as Claude) over the Model Context Protocol, so the assistant can read their endurance-nutrition data and, for coaches, configure their own monitoring. The Coach API exposes the same coach surface over a REST API and coach API keys. This disclosure explains what data the connector and Coach API access, how that data is used, how long it is kept, and how a user disconnects.
Throughout, "you" and "your" refer to the athlete or coach who connects their account. "Athlete" refers to the individual whose fueling data is accessed. "Saturday," "we," "us," and "our" refer to Saturday Inc.
2. Who Connects, and What They Connect
There is one Saturday connector. The data it can reach depends on who signs in:
- Athlete (consumer). Any active Saturday subscriber. Reaches their own Saturday data only — their profile and their activities/sessions.
- Coach (Pro-Coach tier or higher). A subscriber who also holds a coach tier. Reaches everything an athlete can for themselves, plus read access to the fueling data of athletes on their own roster, and write access to their own alerting and report configuration.
A coach is also an athlete; the same sign-in serves both facets. An athlete-only subscriber can never reach any coach data or another person's data.
3. What Data the Connector Accesses
For an athlete connecting their own account
- Profile: the athlete's Saturday profile fields used to personalize fueling — body metrics, fueling preferences, account email, and settings the app already stores.
- Activities and sessions: planned and completed activities, the fuel/hydration/electrolyte prescriptions Saturday's engine produced, post-session adherence and feedback (what was actually consumed, symptoms, ratings), and associated context (e.g. weather, sleep) the app already records.
- Derived nutrition outputs: prescriptions and product-fit analysis computed by Saturday's engine on demand.
The connector can write only a limited, athlete-owned subset: an athlete may create or update their own activities and product choices. The connector can never write a prescription by hand — prescriptions come only from Saturday's calculator engine. It cannot delete the athlete's account or write to another user.
For a coach connecting (additional, roster-scoped)
- Roster: the list of athletes the coach is actively linked to, plus per-athlete "needs-attention" markers derived from the one shared concern definition.
- Per-athlete fueling reads (only for athletes actively on the coach's roster): the same fueling rollup, AI report (narrative plus structured data), and per-session detail the coach already sees in the Coach Portal. Access is gated by an active, athlete-consented coaching relationship — a coach can reach a given athlete's data only while that athlete is linked to them on the roster, and access ends the moment that relationship ends (see Section 8). Within that consented relationship, reads use the athlete's full identity — the same names and data the coach already sees in the portal — because the coach is managing identified athletes they already work with; the connector and API add no de-identification layer beyond the relationship gate itself.
- The coach's own configuration (read and write): alert rules, AI-report settings, concern thresholds, groups, quiet hours, and webhook endpoints — scoped to the coach (overall / group / per-athlete). A coach can configure only their own monitoring; a coach can never author or alter an athlete's fueling data, debriefs, or prescriptions through the connector or API.
4. Scope-by-Scope Data Access
The connector requests OAuth scopes; each maps to a specific, minimal data surface, shown on the consent screen before a user grants.
| Scope | Data access granted |
|---|---|
athlete:read | Read the signed-in athlete's own profile/settings. |
athlete:write | Update the signed-in athlete's own profile/settings. |
activity:read | Read the signed-in athlete's own activities and prescriptions. |
activity:write | Create/update the signed-in athlete's own activities (never prescriptions). |
nutrition:read | Compute nutrition prescriptions for the signed-in athlete. |
coach:roster | (Coach) Read the coach's roster and per-athlete needs-attention markers. |
coach:reports | (Coach) Read roster athletes' fueling rollups, AI reports, and the roster digest. |
coach:alerts | (Coach) Create/update the coach's own alert rules and report settings. |
coach:webhooks | (Coach) Register/manage the coach's own concern webhooks. |
The connector requests only the scopes its tools need. When a coach grants coach:* scopes, the consent screen additionally discloses that the assistant will be able to read the coach's athletes' fueling data and manage the coach's alert settings.
5. How the Data Is Used
- Solely to power the connected assistant's tools at your request — answering your questions about your (or your roster's) fueling, computing prescriptions on demand, and writing your own activities or configuration when you ask.
- Saturday does not use connector-accessed data to train or fine-tune machine-learning or AI models, build competing algorithms, or sell or redistribute it. This is the same prohibition that governs the Saturday partner API.
- Data flows only between your MCP client (e.g. Claude), Saturday's API, and Saturday's existing infrastructure — the connector introduces no new third-party data path. Saturday's sub-processors for connector-accessed data are Google Cloud (application hosting and data storage) and Google Cloud Vertex AI (the large-language-model service used to generate on-demand AI reports). The connector does not send email, so Saturday's email providers are not part of the connector data path.
6. The X-Saturday-Data-License Terms (No Training, No Reverse Engineering)
Every Saturday API response carries data-license headers that bind how the data may be used: X-Saturday-Data-License: display-only (data may be displayed to the end user and cached for UX, not repurposed) and X-Saturday-Data-Training: prohibited (training or fine-tuning models on response data is prohibited).
Prohibited uses, binding on any connector or API consumer: training or fine-tuning models on response data; building a competing nutrition-prescription algorithm; reverse-engineering Saturday's calculation algorithms; aggregating response data across athletes for resale or statistical products; redistributing response data to third parties; or creating derivative databases from the product catalog. Saturday's prescriptions, product database, AI report voice, and knowledge base are proprietary intellectual property.
7. Data Retention
- Connector-accessed data is read live from your existing Saturday account — the connector does not create a separate long-lived copy of athlete data. Saturday's retention of the underlying account data is governed by the App Privacy Policy and the API data policy (account data retained while the account is active, plus a 30-day grace period after deletion).
- OAuth credentials: access tokens are short-lived (1 hour); refresh tokens last up to 90 days and rotate on every use. A lapsed subscriber loses connector access within roughly 1 hour (the next token refresh is denied).
- AI reports generated on demand are cached only until superseded — a newer session or an explicit refresh regenerates and replaces the cached report; there is no fixed retention clock on the cache. Connector usage and audit logs are retained for up to 1 year for security, support, and abuse-prevention purposes.
- Webhook delivery: a coach's registered webhook endpoint and its (hashed) signing secret persist until the coach deletes the endpoint; delivery attempts retry with backoff and auto-disable after repeated failures.
- A connected MCP client (e.g. Claude) may retain tool results within your own conversation per that client's retention policy — that retention is governed by the client, not by Saturday.
8. Deletion and Disconnect
- Disconnect the connector: you can revoke the connection at any time from your Saturday account settings, or programmatically via the token-revocation endpoint. Revocation immediately invalidates the refresh token; access ends within roughly 1 hour as the access token expires. Disconnecting does not delete any of your underlying Saturday data — it only ends the assistant's access to it.
- Delete account data: account/athlete data deletion follows Saturday's existing privacy controls and the API's data-export and right-to-erasure endpoints (cascading deletion), subject to the 30-day grace period.
- Coach webhooks: a coach can delete or disable any registered webhook endpoint, immediately stopping deliveries.
- Roster changes: if an athlete leaves a coach's roster (the relationship is no longer active), they are immediately excluded from all of that coach's roster reads, digests, and webhook scope.
9. Safety Posture
Nutrition prescriptions surfaced through the connector are guidance, not medical instructions, and every response carries safety metadata that must be presented to you, not stripped. The connector cannot autonomously act on prescriptions (for example, ordering products); it surfaces guidance for human consideration.