Privacy Policy

1. Introduction

athletedata.health (“athletedata”, “we”, “us”, “our”) is an AI fitness coaching platform. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website, Telegram bot, and related services. It is written to satisfy the UK GDPR, the EU GDPR, and the UK Data Protection Act 2018.

Data controller. athletedata.health is operated by Julian Flieller. For any privacy question, including subject access or erasure requests, contact privacy@athletedata.health.

2. Information We Collect

Account Information

When you sign up via Google OAuth, we receive your name, email address, and profile photo from Google. We store this to identify your account.

Connected Platform Data

When you connect third-party fitness platforms, we access and store data from those services to provide coaching. This includes:

• Strava: Activities (runs, rides, swims), heart rate, pace, distance, elevation, athlete profile and stats.
• Hevy: Gym workouts, exercises, sets, reps, weights, routines, and personal records.
• Withings: Body measurements (weight, body fat, muscle mass), daily activity (steps, calories), and sleep data (duration, stages, score).
• Garmin: Activities, daily health summaries (steps, calories, stress, body battery, heart rate), sleep data (duration, stages, quality, SpO2), and body composition (weight, body fat, BMI).
• Oura: Sleep data (duration, stages, score, latency), daily readiness score, heart rate variability (HRV), resting heart rate, and daily activity.
• WHOOP: Recovery score, strain score, sleep data (duration, stages, performance), heart rate variability (HRV), resting heart rate, and workouts.
• Apple Health (HealthKit): When you install the athletedata iPhone app and grant permission, we receive workouts, sleep analysis (duration and stages), heart rate variability (HRV), resting heart rate, body mass, body fat percentage, and VO2max. The iPhone app reads these samples from HealthKit and transmits them to our servers. We only receive the data categories you authorize in the iOS HealthKit permissions prompt.

We store OAuth tokens (access tokens and refresh tokens) to maintain your connection to these platforms. Tokens are stored encrypted in our database. For Apple Health, no OAuth token is used. Authorization lives on your device and you can revoke it at any time via Settings → Health → Data Access & Devices → athletedata on your iPhone.

Conversation Data

Messages you send to our Telegram bot are stored to maintain conversation history and provide contextual coaching. This includes text messages, voice message transcriptions, and photos you share. We also store AI-generated memories (facts about your goals, preferences, and training context) to personalize coaching across conversations.

Webhook Data

When you sync your fitness devices, connected platforms send us push notifications containing your latest activity, sleep, or measurement data. We use this data to provide proactive coaching messages.

3. Apple Health (HealthKit) Data

athletedata accesses health data through Apple’s HealthKit framework only with your explicit consent, granted via the iOS HealthKit permissions prompt when you first use the athletedata iPhone app. The following disclosures apply specifically to HealthKit data:

• What we read: Workouts, sleep analysis, heart rate variability, resting heart rate, body mass, body fat percentage, and VO2max. We do not write any data back to HealthKit.
• How we use it: Exclusively to provide you with personalized AI coaching, analysis, and proactive messages, as described in Section 4. HealthKit data is processed by our AI coaching system (see Section 5) solely to generate your own coaching responses.
• No advertising or data-mining. Data received from the HealthKit framework will not be used for advertising or other data-mining purposes, even if authorized by the user.
• No sale or disclosure to third parties. We do not sell HealthKit data, and we do not disclose HealthKit data to any third party without your explicit consent. The only processors that receive HealthKit data are the infrastructure providers listed in Section 6 (database hosting, AI inference), each acting solely on our behalf to deliver the service.
• No research use. HealthKit data is not used for research of any kind.
• Revoking access. You can revoke our access to HealthKit at any time on your iPhone via Settings → Health → Data Access & Devices → athletedata. Revoking access stops new data from flowing. To also delete HealthKit data we’ve already received, disconnect Apple Health from your dashboard or contact us (see Section 12).

4. Legal basis for processing

Under UK and EU GDPR we rely on the following legal bases:

• Contract (Art. 6(1)(b)). We process your account data, integration data, conversation history, training plan, and payment metadata because it is necessary to provide the coaching service you have signed up for. Without this processing we cannot deliver the service.
• Consent (Art. 6(1)(a) and Art. 9(2)(a)). We rely on your explicit consent for: HealthKit data on iOS (granted in the iOS permissions prompt), connecting any third-party fitness platform (granted via that platform’s OAuth flow), and analytics cookies (granted via the cookie banner). Health-related data is special-category data under Art. 9 and is only processed with your explicit consent. You can withdraw consent at any time without affecting the lawfulness of past processing.
• Legitimate interests (Art. 6(1)(f)). We rely on legitimate interests for keeping the service secure, preventing abuse and fraud, debugging, and aggregate product analytics where it does not override your rights.
• Legal obligation (Art. 6(1)(c)). We retain a limited amount of billing and tax data to comply with our accounting and tax obligations.

5. How We Use Your Information

We use your data exclusively to:

• Provide personalized AI fitness coaching based on your actual training data
• Send proactive coaching messages when you complete workouts, log sleep, or record measurements
• Generate weekly training digests and progress summaries
• Maintain conversation context and coaching memories across sessions
• Authenticate your identity and manage your account

We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not use your data to train AI models.

6. AI-Powered Systems

athletedata is an AI-powered platform. The core coaching functionality is powered by artificial intelligence throughout the service:

• AI coaching engine: All coaching responses, training analysis, and personalized recommendations are generated by AI models hosted on AWS infrastructure via Amazon Bedrock. When you interact with the Telegram bot, your messages and training data are processed by these models to generate coaching responses.
• Proactive analysis: When you complete a workout, log sleep, or record a measurement, the AI automatically analyzes the data and may send you a coaching message via Telegram.
• Conversation summaries: The AI automatically generates summaries of past coaching sessions to maintain context across conversations.
• Athlete profile maintenance: The AI builds and updates a structured profile of your training history, goals, and preferences to personalize coaching over time.

Your data is sent to Amazon Bedrock (hosted on AWS infrastructure) solely to generate coaching responses. Data processed through Bedrock is not used to train or improve AI models. We do not use your data to train or fine-tune any AI models. No AI system makes autonomous decisions about your account, billing, or data - all such actions require your explicit input.

7. Sub-processors and third-party services

The services below process your personal data on our behalf as processors under Art. 28 UK GDPR. We have a data processing agreement (DPA) in place with each of them, including the standard contractual clauses (UK addendum / EU SCCs) where data leaves the UK or EEA.

• Supabase Inc. (USA, EU region): Authentication and PostgreSQL database hosting. Our primary database region is in the European Union.
• Amazon Web Services, Inc. (USA): AI model hosting (Amazon Bedrock) for generating coaching responses (see Section 6 above) and application hosting (AWS App Runner).
• Anthropic PBC (USA): Claude API used for coaching responses, summarization, and reasoning. Anthropic does not train its public models on data sent through the API.
• Stripe Payments Europe, Ltd. (Ireland): Payment processing and subscription management. We do not store full card numbers; Stripe holds them.
• Vercel Inc. (USA): Web frontend hosting and edge delivery.
• Resend (USA): Transactional email delivery (welcome, billing, re-engagement).
• PostHog Inc. (USA, EU region available): Product analytics. Only loaded after you accept analytics cookies. See our Cookie Policy.
• Google Ireland Ltd. (Ireland): Google Analytics for aggregate site analytics. Only loaded after you accept analytics cookies.
• Telegram FZ-LLC (UAE) / Meta Platforms Ireland Ltd. (Ireland): Chat platforms for delivering coaching messages. Subject to their own privacy policies.
• Terra Inc. (USA): Aggregator that brokers connections to Polar, COROS, Suunto, Zwift, TrainerRoad, TrainingPeaks, Cronometer, MyFitnessPal, Clue, and Flo. Only used when you connect one of those providers.
• Strava, Hevy, Withings, Garmin, Oura, WHOOP and similar fitness providers: These act as independent data controllers for the data on their platforms. We access them via their official APIs with your authorization.
• Apple Inc. (HealthKit): On-device health data framework. Data is read from your iPhone with your consent and transmitted to our servers by the athletedata iOS app. See Section 3 for HealthKit-specific disclosures.

8. International data transfers

Some of our processors are based in the United States or transfer personal data to the United States. Where personal data of UK or EEA users is transferred outside the UK or EEA, we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) as the safeguard required by Art. 46 UK/EU GDPR. You can request a copy of the relevant clauses by emailing privacy@athletedata.health.

9. Data Storage and Security

Your data is stored in a Supabase-hosted PostgreSQL database with encryption at rest. OAuth tokens are stored in the database and used only to access your connected platform data on your behalf. We use HTTPS for all data transmission.

API keys generated for your account are hashed and can be revoked at any time from your dashboard.

10. Data Retention

We retain your data for as long as your account is active. You can disconnect any integration at any time from your dashboard, which stops data syncing from that platform. Conversation history can be cleared using the /clear command in Telegram. You can unlink your Telegram account using the /unlink command.

You can permanently delete your account and all associated data at any time from Settings → Danger zone → Delete my account. Once deleted, data is removed from our primary database immediately. Encrypted backups are retained for up to 30 days, after which they are overwritten. We retain a small amount of billing and tax records for the period required by law (typically up to 6 years).

11. Your rights under UK and EU GDPR

If you are in the UK or the EEA you have the following rights in relation to your personal data. To exercise any of them, email privacy@athletedata.health. We will respond within one month.

• Right of access (Art. 15). Get a copy of the personal data we hold about you.
• Right to rectification (Art. 16). Correct inaccurate or incomplete data. You can edit your athlete profile directly in the dashboard.
• Right to erasure (Art. 17). Have your account and associated data deleted. You can do this yourself from Settings → Danger zone.
• Right to restriction of processing (Art. 18). Ask us to stop processing your data while a request is being resolved.
• Right to data portability (Art. 20). Receive your data in a structured, commonly used, machine-readable format and have it transferred to another controller where technically feasible.
• Right to object (Art. 21). Object to processing based on legitimate interests, including any direct marketing.
• Right to withdraw consent. Where processing is based on consent, you can withdraw it at any time without affecting prior processing. You can revoke HealthKit access in iOS settings, disconnect any integration in the dashboard, and change cookie preferences on the Cookie Policy page.
• Right to lodge a complaint with a supervisory authority. If you are in the UK you can complain to the Information Commissioner’s Office (ico.org.uk). If you are in the EEA you can complain to your local data protection authority. We’d appreciate the chance to resolve your concern first, but you can complain directly at any time.

12. Children’s Privacy

Our service is not intended for users under 16 years of age. We do not knowingly collect personal information from children.

13. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing within the meaning of Art. 22 UK GDPR. The AI generates coaching suggestions, but those are advisory and you remain in control of your training, billing, and account.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes via the Telegram bot or dashboard. The “Last updated” date at the top of this page reflects when the policy was last modified.

15. Contact

If you have questions about this Privacy Policy or want to exercise any of your rights, contact us at: privacy@athletedata.health