Privacy Policy

Last updated: 14 April 2026

1. Who we are

Aithlo operates an endurance training platform and a cycling simulator called Aithlo-Shift, based in France. A legal entity is being prepared and will be established before production launch, at which point that entity becomes the GDPR data controller.

Contact: [email protected].

The lead supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL) at www.cnil.fr.

2. What this policy covers

This policy applies to:

The web app at app.aithlo.com and public website at www.aithlo.com

Aithlo-Shift, the cycling simulator

• Future mobile apps via the Apple App Store or Google Play Store

Age requirement: Aithlo is available only to users aged 16 or older. Accounts for under-16 users will not be created, and any inadvertently collected data will be deleted promptly.

Countries: At launch, availability is limited to the United Kingdom and France, enforced at signup.

Private beta notice

Aithlo is currently in private, invite-only beta with access limited to 50 invited participants. There is no public signup, no app store availability, and no payments accepted. The service operates pre-incorporation.

Users can email [email protected] to leave the beta and request data deletion.

3. What data we collect

Account and identity data

Upon account creation:

• Email address

Password (stored as bcrypt hash only)

• Date of birth

• Country

• Optional: first name, last name, username, short bio, profile picture

For Google Sign-In: Google account ID, email, and profile picture are stored.

For Strava connection: Strava user ID and OAuth tokens for activity reading are stored.

Health and fitness data (special category under Article 9 GDPR)

With explicit consent at signup:

Physiological measurements: heart rate, power (watts), cadence, calories, training stress score, intensity factor, normalised power, core temperature

Time-series streams: second-by-second heart rate, power, cadence, temperature, and speed from synced activities

Body metrics and thresholds: weight, resting heart rate, maximum heart rate, lactate threshold heart rate (LTHR), functional threshold power (FTP), critical swim speed (CSS), 5 km personal best

Injuries and limitations: current injuries, injury history, training limitations, health-related notes

This qualifies as "special category" data under Article 9 GDPR. Processing requires explicit consent, which can be withdrawn anytime in Settings. Withdrawing consent prevents personalised training and triggers health data deletion.

Location and route data

GPS traces (latitude/longitude streams) from Strava imports

Activity start and end coordinates

Saved or created routes within Aithlo

Map views: browser requests map tiles from OpenStreetMap Foundation

GPS traces may reveal home or workplace locations if training occurs there. Strava's privacy zones obscure start/end points, which Aithlo respects.

Training preferences and goals

Onboarding questions about:

• Primary sport and experience level

• Goal races and target dates

• Training availability, preferred session times, rest days, holidays

• Equipment access (gym, turbo trainer, pool, power meter, heart-rate monitor)

• Weekly training volume preferences

Conversations with the AI coach

• Full text of messages and coach responses

• Generated charts, workouts, routes, and plans

• SQL queries the coach runs against user data

Conversations are retained for the lifetime of the account to provide context. Messages are sent to OpenAI for processing.

Coaching and social features

For coaching:

• Coach–athlete relationship and start date

• Exchanged messages

• Coach's ability to view athlete's activities, plans, and health data (with explicit athlete agreement)

For Aithlo-Shift social features:

• Friend connections

• Scheduled rides created or joined

• Ride participants

During multiplayer rides, participants see in-game world position and live telemetry (power, heart rate, cadence) — not real-world location.

Security and technical data

• IP addresses from server requests

• Failed login attempts and account lockout status

• Refresh tokens for sign-in persistence

• Standard web server logs for operations and security

4. Why we use your data and on what legal basis

Account, security, age and country checks: contract and legal obligation.

Profile (name, username, bio, picture): contract — to personalise the app and display you to coaches and friends.

Google/Strava OAuth tokens: contract — to connect to services you requested.

Heart rate, power, body metrics, injuries, limitations: explicit consent (Article 9 GDPR) — to generate personalised plans and deliver AI coaching.

GPS traces, routes, activity locations: contract — to display maps, calculate metrics, and show ride history.

Training preferences, goals, races: contract — to build suitable plans.

Chat messages and history: contract (with explicit consent for health data) — to deliver AI coach responses and remember context.

Coach–athlete relationships and messages: contract + explicit consent to share with a specific coach.

Friends, scheduled rides, multiplayer sessions: contract — to enable social and multiplayer features.

IP addresses, failed login attempts, lockout state: legitimate interest — to protect accounts.

Email verification and password reset tokens: contract — to verify account ownership.

Website analytics (with consent): consent — to measure and improve the public marketing website (see section 12).

Aithlo does not: sell data, use it for advertising, share with advertisers or data brokers, or process it for purposes outside running Aithlo. The only analytics used is privacy-focused, consent-based website measurement described in section 12; the Aithlo app itself contains no analytics or advertising trackers.

5. How long we keep your data

Active accounts: data is retained while useful to the service. Inactive accounts are not automatically deleted.

Account deletion: all personal data is permanently deleted from the production database same-day, including activities, chats, plans, and profile. No backups are currently operated.

Limited retention:

• Security logs with IP addresses: up to 30 days for fraud prevention

• Minimal consent records: kept as GDPR compliance evidence

6. Who we share your data with

Aiven (managed PostgreSQL) — stored data — Amsterdam, Netherlands (EU) — EU-internal.

Hetzner (server hosting) — data in transit and processing — Falkenstein, Germany (EU) — EU-internal.

Render (static hosting) — access logs, IP addresses — USA — Standard Contractual Clauses.

OpenAI (AI coach) — chat messages and health data discussed — USA — Standard Contractual Clauses; OpenAI does not use API data for model training.

Strava (activity sync) — OAuth tokens and API requests — USA/global — Strava's Data Processing Addendum.

Google (Sign in with Google) — email, name, profile picture at login — USA — EU–US Data Privacy Framework.

Resend (transactional email) — email address and account email content — USA — Standard Contractual Clauses.

OpenStreetMap Foundation (map tiles) — IP address, browser metadata, tile coordinates — United Kingdom — Adequacy decision (UK).

Ploi (server management) — incidental server access during support — Netherlands (EU) — EU-internal.

Google Analytics (website analytics, only with consent) — pseudonymous usage data with redacted IP — Google Ireland Limited (EU), with possible transfer to the USA under Standard Contractual Clauses. See section 12.

Aithlo-Shift multiplayer

Multiplayer rides are hosted on Aithlo's own servers in Germany. When you join a session, in-game world position, power output, heart rate and cadence are broadcast live to other riders. Real-world GPS location is never shared. When the session ends, the live broadcast stops; the ride is recorded as a normal activity.

7. International data transfers

Core Aithlo data lives in the European Union (database in the Netherlands, application server in Germany).

Some third-party services (OpenAI, Strava, Google, Resend, Render) are US-based. Data transferred to them uses the EU–US Data Privacy Framework (Google) or Standard Contractual Clauses (OpenAI, Strava, Resend, Render). Relevant agreements are available upon request.

8. Your rights

Under GDPR, you have the following rights:

Right of access — request a copy of all data we hold about you

Right to rectification — request correction of errors

Right to erasure ("right to be forgotten") — request data deletion; acted upon same-day

Right to restriction — request a pause in processing while contesting

Right to data portability — request a machine-readable export

Right to object — object to legitimate-interest processing

Right to withdraw consent — revoke any prior consent at any time, without penalty

Right to lodge a complaint — complain to CNIL for mishandling

To exercise rights, email [email protected]. Response within 30 days. No charge applies.

9. Coaching, social features, and what others can see

Coach–athlete relationships: the approved coach can see activities, training plan, profile, body metrics, and messages. The relationship can end anytime in Settings, immediately revoking access.

Aithlo-Shift friends: friends can see Shift activity history, profile, and scheduled rides.

Multiplayer rides: participants see live in-game position and live power, heart rate, and cadence during rides.

None of this happens automatically; users choose their coaches, friends, and ride participation.

10. AI-generated content and medical disclaimer

The AI coach generates training plans, workouts, charts, and advice. These outputs are produced by a large language model (OpenAI) and can be wrong. Do not rely on them as medical advice, diagnosis, or treatment.

Aithlo is not a medical device, not a medical service, and does not replace qualified doctors, physiotherapists, or sports physicians. Read the full Health and Training Disclaimer. If you experience pain, unusual symptoms, or anything concerning during exercise, stop and consult a medical professional.

11. How we protect your data

Security measures include:

Passwords stored as bcrypt hashes — password recovery is impossible

Transport encryption (HTTPS/TLS) for all device-to-server communication

Rate limiting on login and registration endpoints

Account lockout after repeated failed attempts

JWT-based sessions with rotating refresh tokens

Database encryption at rest from the database host

Strict database access limited to Aithlo operators

No online service is 100% secure. Any breach affecting personal data triggers notification to users and CNIL per GDPR requirements.

12. Cookies and website analytics

Our public website at www.aithlo.com uses cookies. Strictly necessary cookies keep the site working and remember your language, theme, and cookie choices. With your consent, we also use Google Analytics 4 (provided by Google Ireland Limited) to measure how the website is used so we can improve it.

Analytics cookies are only set after you accept them in our cookie banner. We use Google Consent Mode and IP-address redaction, so no analytics data is sent to Google until you consent. The legal basis is your consent (GDPR Article 6(1)(a) and the ePrivacy/PECR rules); you can change or withdraw it at any time via “Cookie preferences” in the website footer. Google may process this data on servers outside the EU/UK under Standard Contractual Clauses.

These website analytics are separate from the in-app data described elsewhere in this policy. We do not use analytics or advertising cookies inside the Aithlo app itself. For the full list of cookies and their durations, see our Cookie Policy.

13. Changes to this policy

Policy updates occur as Aithlo evolves. Material changes affecting rights or collected data trigger email notification and acceptance request at next sign-in. The top date reflects the most recent version.

14. Contact

For questions about this policy, your data, or your rights:

[email protected]. Response within a few days, always within 30 days per GDPR.

Privacy Policy | Aithlo