Privacy Policy
Last updated: 14 April 2026
1. Who we are
Aithlo operates an endurance training platform and a cycling simulator called Aithlo-Shift, based in France. A legal entity is being prepared and will be established before production launch, at which point that entity becomes the GDPR data controller.
Contact: [email protected].
The lead supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL) at www.cnil.fr.
2. What this policy covers
This policy applies to:
• The web app at app.aithlo.com and public website at www.aithlo.com
• Aithlo-Shift, the cycling simulator
• Future mobile apps via the Apple App Store or Google Play Store
Age requirement: Aithlo is available only to users aged 16 or older. Accounts for under-16 users will not be created, and any inadvertently collected data will be deleted promptly.
Countries: At launch, availability is limited to the United Kingdom and France, enforced at signup.
Private beta notice
Aithlo is currently in private, invite-only beta with access limited to 50 invited participants. There is no public signup, no app store availability, and no payments accepted. The service operates pre-incorporation.
Users can email [email protected] to leave the beta and request data deletion.
3. What data we collect
Account and identity data
Upon account creation:
• Email address
• Password (stored as bcrypt hash only)
• Date of birth
• Country
• Optional: first name, last name, username, short bio, profile picture
For Google Sign-In: Google account ID, email, and profile picture are stored.
For Strava connection: Strava user ID and OAuth tokens for activity reading are stored.
Health and fitness data (special category under Article 9 GDPR)
With explicit consent at signup:
• Physiological measurements: heart rate, power (watts), cadence, calories, training stress score, intensity factor, normalised power, core temperature
• Time-series streams: second-by-second heart rate, power, cadence, temperature, and speed from synced activities
• Body metrics and thresholds: weight, resting heart rate, maximum heart rate, lactate threshold heart rate (LTHR), functional threshold power (FTP), critical swim speed (CSS), 5 km personal best
• Injuries and limitations: current injuries, injury history, training limitations, health-related notes
This qualifies as "special category" data under Article 9 GDPR. Processing requires explicit consent, which can be withdrawn anytime in Settings. Withdrawing consent prevents personalised training and triggers health data deletion.
Location and route data
• GPS traces (latitude/longitude streams) from Strava imports
• Activity start and end coordinates
• Saved or created routes within Aithlo
• Map views: browser requests map tiles from OpenStreetMap Foundation
GPS traces may reveal home or workplace locations if training occurs there. Strava's privacy zones obscure start/end points, which Aithlo respects.
Training preferences and goals
Onboarding questions about:
• Primary sport and experience level
• Goal races and target dates
• Training availability, preferred session times, rest days, holidays
• Equipment access (gym, turbo trainer, pool, power meter, heart-rate monitor)
• Weekly training volume preferences
Conversations with the AI coach
• Full text of messages and coach responses
• Generated charts, workouts, routes, and plans
• SQL queries the coach runs against user data
Conversations are retained for the lifetime of the account to provide context. Messages are sent to OpenAI for processing.
Coaching and social features
For coaching:
• Coach–athlete relationship and start date
• Exchanged messages
• Coach's ability to view athlete's activities, plans, and health data (with explicit athlete agreement)
For Aithlo-Shift social features:
• Friend connections
• Scheduled rides created or joined
• Ride participants
During multiplayer rides, participants see in-game world position and live telemetry (power, heart rate, cadence) — not real-world location.
Security and technical data
• IP addresses from server requests
• Failed login attempts and account lockout status
• Refresh tokens for sign-in persistence
• Standard web server logs for operations and security
4. Why we use your data and on what legal basis
Account, security, age and country checks: contract and legal obligation.
Profile (name, username, bio, picture): contract — to personalise the app and display you to coaches and friends.
Google/Strava OAuth tokens: contract — to connect to services you requested.
Heart rate, power, body metrics, injuries, limitations: explicit consent (Article 9 GDPR) — to generate personalised plans and deliver AI coaching.
GPS traces, routes, activity locations: contract — to display maps, calculate metrics, and show ride history.
Training preferences, goals, races: contract — to build suitable plans.
Chat messages and history: contract (with explicit consent for health data) — to deliver AI coach responses and remember context.
Coach–athlete relationships and messages: contract + explicit consent to share with a specific coach.
Friends, scheduled rides, multiplayer sessions: contract — to enable social and multiplayer features.
IP addresses, failed login attempts, lockout state: legitimate interest — to protect accounts.
Email verification and password reset tokens: contract — to verify account ownership.
Website analytics (with consent): consent — to measure and improve the public marketing website (see section 12).
Aithlo does not: sell data, use it for advertising, share with advertisers or data brokers, or process it for purposes outside running Aithlo. The only analytics used is privacy-focused, consent-based website measurement described in section 12; the Aithlo app itself contains no analytics or advertising trackers.
5. How long we keep your data
Active accounts: data is retained while useful to the service. Inactive accounts are not automatically deleted.
Account deletion: all personal data is permanently deleted from the production database same-day, including activities, chats, plans, and profile. No backups are currently operated.
Limited retention:
• Security logs with IP addresses: up to 30 days for fraud prevention
• Minimal consent records: kept as GDPR compliance evidence
6. Who we share your data with
Aiven (managed PostgreSQL) — stored data — Amsterdam, Netherlands (EU) — EU-internal.
Hetzner (server hosting) — data in transit and processing — Falkenstein, Germany (EU) — EU-internal.
Render (static hosting) — access logs, IP addresses — USA — Standard Contractual Clauses.
OpenAI (AI coach) — chat messages and health data discussed — USA — Standard Contractual Clauses; OpenAI does not use API data for model training.
Strava (activity sync) — OAuth tokens and API requests — USA/global — Strava's Data Processing Addendum.
Google (Sign in with Google) — email, name, profile picture at login — USA — EU–US Data Privacy Framework.
Resend (transactional email) — email address and account email content — USA — Standard Contractual Clauses.
OpenStreetMap Foundation (map tiles) — IP address, browser metadata, tile coordinates — United Kingdom — Adequacy decision (UK).
Ploi (server management) — incidental server access during support — Netherlands (EU) — EU-internal.
Google Analytics (website analytics, only with consent) — pseudonymous usage data with redacted IP — Google Ireland Limited (EU), with possible transfer to the USA under Standard Contractual Clauses. See section 12.
Aithlo-Shift multiplayer
Multiplayer rides are hosted on Aithlo's own servers in Germany. When you join a session, in-game world position, power output, heart rate and cadence are broadcast live to other riders. Real-world GPS location is never shared. When the session ends, the live broadcast stops; the ride is recorded as a normal activity.
7. International data transfers
Core Aithlo data lives in the European Union (database in the Netherlands, application server in Germany).
Some third-party services (OpenAI, Strava, Google, Resend, Render) are US-based. Data transferred to them uses the EU–US Data Privacy Framework (Google) or Standard Contractual Clauses (OpenAI, Strava, Resend, Render). Relevant agreements are available upon request.
8. Your rights
Under GDPR, you have the following rights:
• Right of access — request a copy of all data we hold about you
• Right to rectification — request correction of errors
• Right to erasure ("right to be forgotten") — request data deletion; acted upon same-day
• Right to restriction — request a pause in processing while contesting
• Right to data portability — request a machine-readable export
• Right to object — object to legitimate-interest processing
• Right to withdraw consent — revoke any prior consent at any time, without penalty
• Right to lodge a complaint — complain to CNIL for mishandling
To exercise rights, email [email protected]. Response within 30 days. No charge applies.
9. Coaching, social features, and what others can see
• Coach–athlete relationships: the approved coach can see activities, training plan, profile, body metrics, and messages. The relationship can end anytime in Settings, immediately revoking access.
• Aithlo-Shift friends: friends can see Shift activity history, profile, and scheduled rides.
• Multiplayer rides: participants see live in-game position and live power, heart rate, and cadence during rides.
None of this happens automatically; users choose their coaches, friends, and ride participation.
10. AI-generated content and medical disclaimer
The AI coach generates training plans, workouts, charts, and advice. These outputs are produced by a large language model (OpenAI) and can be wrong. Do not rely on them as medical advice, diagnosis, or treatment.
Aithlo is not a medical device, not a medical service, and does not replace qualified doctors, physiotherapists, or sports physicians. Read the full Health and Training Disclaimer. If you experience pain, unusual symptoms, or anything concerning during exercise, stop and consult a medical professional.
11. How we protect your data
Security measures include:
• Passwords stored as bcrypt hashes — password recovery is impossible
• Transport encryption (HTTPS/TLS) for all device-to-server communication
• Rate limiting on login and registration endpoints
• Account lockout after repeated failed attempts
• JWT-based sessions with rotating refresh tokens
• Database encryption at rest from the database host
• Strict database access limited to Aithlo operators
No online service is 100% secure. Any breach affecting personal data triggers notification to users and CNIL per GDPR requirements.
12. Cookies and website analytics
Our public website at www.aithlo.com uses cookies. Strictly necessary cookies keep the site working and remember your language, theme, and cookie choices. With your consent, we also use Google Analytics 4 (provided by Google Ireland Limited) to measure how the website is used so we can improve it.
Analytics cookies are only set after you accept them in our cookie banner. We use Google Consent Mode and IP-address redaction, so no analytics data is sent to Google until you consent. The legal basis is your consent (GDPR Article 6(1)(a) and the ePrivacy/PECR rules); you can change or withdraw it at any time via “Cookie preferences” in the website footer. Google may process this data on servers outside the EU/UK under Standard Contractual Clauses.
These website analytics are separate from the in-app data described elsewhere in this policy. We do not use analytics or advertising cookies inside the Aithlo app itself. For the full list of cookies and their durations, see our Cookie Policy.
13. Changes to this policy
Policy updates occur as Aithlo evolves. Material changes affecting rights or collected data trigger email notification and acceptance request at next sign-in. The top date reflects the most recent version.
14. Contact
For questions about this policy, your data, or your rights:
[email protected]. Response within a few days, always within 30 days per GDPR.
