Privacy Policy
Last updated: 14 April 2026
1. Who we are
Aithlo is an endurance training platform and a companion cycling simulator ("Aithlo-Shift"). Aithlo is based in France. A legal entity is currently being prepared and will be put in place before Aithlo enters production; once formed, that entity will become the "data controller" under the General Data Protection Regulation (GDPR), and this policy will be updated accordingly.
You can contact us about anything in this policy, including to exercise your rights, at privacy@aithlo.com.
Because we are based in France, our lead supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL). If you believe we have mishandled your personal data, you have the right to lodge a complaint with the CNIL at www.cnil.fr. We would, however, appreciate the chance to address your concerns directly first — please email us before filing a complaint.
2. What this policy covers
This policy applies to:
- The Aithlo web app at app.aithlo.com and the public website at www.aithlo.com
- Aithlo-Shift, our cycling simulator game
- Any future Aithlo mobile apps distributed through the Apple App Store or Google Play Store
It applies to everyone who creates an Aithlo account or uses any Aithlo product.
Age requirement. Aithlo is only available to users aged 16 or older. We ask for your date of birth at signup and will not create an account for anyone under 16. If we learn that we have inadvertently collected data from someone under 16, we will delete it promptly.
Countries. At launch, Aithlo is only available to users in the United Kingdom and France. We enforce this at signup. We will update this policy when we expand to other countries.
Private beta notice.
Aithlo is currently in a private, invite-only beta and is not yet a production service. Access is strictly limited to a closed list of users we have invited individually, capped at 50 participants. There is no public signup, no availability on the Apple App Store or Google Play Store, and no payments are accepted. During this phase, Aithlo is operated pre-incorporation: a legal entity is currently being prepared and will be formed before Aithlo enters public production, at which point this policy will be updated to name that entity as the data controller. By participating in the private beta, you acknowledge that the service is not final, that downtime, bugs, and data loss may occur, and that you can email privacy@aithlo.com at any time to leave the beta and have your data deleted.
3. What data we collect
Aithlo is a training platform, and the whole point of what we do depends on understanding your body, your training, and your goals. That requires collecting some sensitive data — most importantly, health and fitness data. We want to be transparent about every category.
Account and identity data
When you create an account, we collect and store:
- Email address
- Password (stored only as a secure bcrypt hash — we never store your actual password)
- Date of birth
- Country
- Optional: first name, last name, username, short bio, profile picture
If you sign in with Google, we additionally store your Google account ID and the email address and profile picture Google provides. If you connect Strava, we store your Strava user ID and the OAuth tokens required to read your activities.
Health and fitness data (special category under Article 9 GDPR)
If you consent to health data processing at signup, we collect and store:
- Physiological measurements from your activities: heart rate, power (watts), cadence, calories, training stress score, intensity factor, normalized power, core temperature (from Aithlo-Shift rides)
- Time-series physiological streams: second-by-second heart rate, power, cadence, temperature, and speed recorded during activities synced from Strava
- Body metrics and thresholds: weight, resting heart rate, maximum heart rate, lactate threshold heart rate (LTHR), functional threshold power (FTP), critical swim speed (CSS), 5 km personal best
- Injuries and physical limitations: any current injuries, injury history, training limitations, or health-related notes you choose to tell us
This data qualifies as "special category" health data under Article 9 of the GDPR. We only process it if you give us explicit consent when you create your account, and you can withdraw that consent at any time in Settings. Withdrawing consent will prevent Aithlo from providing personalised training, and we will delete your health data when you do.
Location and route data
- GPS traces (latitude/longitude streams) of your activities, imported from Strava
- Activity start and end coordinates
- Routes you save or create inside Aithlo
- Map views: when you look at a map inside Aithlo, your browser requests map tiles from the OpenStreetMap Foundation (see Section 6)
GPS traces can reveal the location of your home or workplace if you train from there. If this concerns you, Strava offers privacy zones that obscure start and end points; we recommend enabling them, and we honour them when we import your activities.
Training preferences and goals
When you complete onboarding or update your profile, we store your answers to questions about:
- Your primary sport and experience level
- Goal races and target dates
- Training availability, preferred session times, rest days, holidays
- Equipment access (gym, turbo trainer, pool, power meter, heart rate monitor)
- Weekly training volume preferences
Conversations with the AI coach
When you chat with Aithlo's AI coach, we store:
- The full text of your messages and the coach's responses
- Any charts, workouts, routes, or plans the coach generates for you
- The SQL queries the coach runs against your own data to answer your questions
These conversations are kept for as long as your account is active, so that the coach has context for future conversations. Your messages are sent to OpenAI for processing (see Section 6).
Coaching and social features
If you use the coaching feature, we store:
- The relationship between an athlete and a coach, and when it started
- Messages exchanged between the athlete and the coach
- The coach's ability to view the athlete's activities, training plans, and health data (only with the athlete's explicit agreement to the specific coach)
If you use Aithlo-Shift's social features, we store your friend connections, any scheduled rides you create or join, and who participates in each ride. During multiplayer rides, other participants can see your in-game world position and your live telemetry (power, heart rate, cadence). They cannot see your real-world location — if you are riding on a turbo trainer, your actual GPS location is never shared with other players.
Security and technical data
We log:
- Your IP address when you make requests to our servers
- Failed login attempts and whether your account is currently locked (to protect you from brute-force attacks)
- Refresh tokens used to keep you signed in
- Standard web server logs for operational and security purposes
4. Why we use your data and on what legal basis
Under the GDPR, we must tell you the purpose of every use of your data and the lawful basis that permits it. This table summarises it:
| Data | Purpose | Legal basis |
|---|---|---|
| Email, password hash, date of birth, country | Create and secure your account; enforce minimum age and country restrictions | Contract (and legal obligation for age verification) |
| Name, username, bio, profile picture | Personalise the app and display your identity to coaches and friends | Contract |
| Google / Strava OAuth tokens | Connect Aithlo to services you asked us to link | Contract |
| Heart rate, power, cadence, body metrics, injuries, limitations | Generate personalised training plans and deliver AI coaching | Explicit consent (Article 9 GDPR) |
| GPS traces, routes, activity locations | Display maps, calculate activity metrics, show your ride history | Contract |
| Training preferences, goals, races | Build plans suited to your availability and goals | Contract |
| Chat messages and conversation history | Deliver AI coach responses and remember context between sessions | Contract (with explicit consent covering the health data inside the chats) |
| Coach–athlete relationships and coach messages | Enable the coaching feature at the athlete's request | Contract + the athlete's explicit consent to share data with a specific coach |
| Friends, scheduled rides, multiplayer sessions | Enable social and multiplayer features | Contract |
| IP addresses, failed login attempts, account lockout state | Protect accounts from abuse and brute-force attacks | Legitimate interest in securing our service |
| Email verification tokens, password reset tokens | Verify ownership of your account | Contract |
We do not:
- Sell your data to anyone
- Use your data for advertising
- Share your data with advertisers, data brokers, or analytics companies
- Process your data for any purpose other than running Aithlo
5. How long we keep your data
While your account is active, we keep your data for as long as it's useful to the service. We do not automatically delete inactive accounts.
When you delete your account, we permanently delete all your personal data from our production database on the same day, including your activities, chats, training plans, and profile. We currently do not operate backups, so there are no additional copies to purge.
A small number of items may be kept for a short period for legal or security reasons:
- Security logs containing IP addresses may be retained for up to 30 days for fraud prevention
- Minimal records proving a consent was given and withdrawn may be kept as evidence of GDPR compliance
6. Who we share your data with
We use a small number of third-party service providers to operate Aithlo. Each one only receives the specific data it needs, and we have agreements in place to protect your data when we share it.
| Service | Data shared | Location | Legal transfer mechanism |
|---|---|---|---|
| Aiven (managed PostgreSQL on DigitalOcean) | Your stored data | Amsterdam, Netherlands (EU) | EU-internal — no transfer |
| Hetzner (server hosting, managed via Ploi) | Data in transit and processing | Falkenstein, Germany (EU) | EU-internal — no transfer |
| Render (static hosting for the web app) | Access logs, IP addresses | USA | Standard Contractual Clauses |
| OpenAI (AI coach) | Chat messages, including any health data you discuss with the coach | USA | Standard Contractual Clauses. OpenAI does not use API data to train its models. |
| Strava (activity sync) | OAuth tokens and API requests to fetch your activities | USA / global | Strava's Data Processing Addendum. See Strava's privacy policy. |
| Google (Sign in with Google) | Email, name, profile picture at login | USA | EU–US Data Privacy Framework |
| Resend (transactional email) | Your email address and the content of account emails (verification, password reset) | USA | Standard Contractual Clauses |
| OpenStreetMap Foundation (map tiles) | Your IP address, browser metadata, and the tile coordinates you view. We do not send your name, email, or account identifier. | United Kingdom | Adequacy decision (UK) |
| Ploi (server management) | Incidental access to the server during support | Netherlands (EU) | EU-internal — no transfer |
A note on Aithlo-Shift multiplayer
Multiplayer rides in Aithlo-Shift are hosted on our own servers in Germany. When you join a multiplayer session, your in-game world position, power output, heart rate, and cadence are broadcast live to the other riders in the session, so that they can see and race against you. Your real-world GPS location is never shared with other players. When the session ends, the live broadcast stops; we keep a record of the ride on your account as a normal Aithlo-Shift activity.
7. International data transfers
Your core Aithlo data — everything stored in our database — lives in the European Union. Our database is hosted in the Netherlands, and our application server is hosted in Germany.
However, some of the third-party services we use (OpenAI, Strava, Google, Resend, Render) are based in the United States. When we share data with them for the purposes listed in Section 6, that data is transferred to the US. For every US-based provider, we rely on one of the legal mechanisms the GDPR recognises for international transfers: the EU–US Data Privacy Framework (for Google, which is certified) or Standard Contractual Clauses (for OpenAI, Strava, Resend, and Render). Copies of the relevant agreements are available from us on request.
8. Your rights
Under the GDPR, you have the following rights over your personal data:
- Right of access — ask us for a copy of all the data we hold about you
- Right to rectification — ask us to correct anything that's wrong
- Right to erasure ("right to be forgotten") — ask us to delete your data; we act on this same-day
- Right to restriction — ask us to stop processing your data while you contest something
- Right to data portability — ask us to export your data in a machine-readable format so you can take it elsewhere
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — revoke any consent you previously gave us, at any time, without penalty
- Right to lodge a complaint — complain to the CNIL if you believe we have mishandled your data
To exercise any of these rights, email privacy@aithlo.com. We will respond within 30 days. There is no charge for exercising your rights.
9. Coaching, social features, and what others can see
Aithlo includes features that let you share your training with other people. We want to be very clear about what this involves:
- If you accept a coach-athlete relationship, the coach you explicitly approve can see your activities, your training plan, your profile, your body metrics, and any messages you send each other. You can end the relationship at any time in Settings, and the coach will immediately lose access.
- If you add friends in Aithlo-Shift, those friends can see your Shift activity history, your profile, and any scheduled rides you create.
- During multiplayer rides in Aithlo-Shift, other participants see your live in-game position and your live power, heart rate, and cadence for the duration of the ride.
None of this happens automatically. You choose which coaches, friends, and rides to participate in.
10. AI-generated content and medical disclaimer
Aithlo's AI coach generates training plans, workouts, charts, and advice based on your data. These outputs are generated by a large language model (OpenAI) and can be wrong. Do not rely on them as medical advice, injury diagnosis, or treatment recommendations.
Aithlo is not a medical device, not a medical service, and does not replace a qualified doctor, physiotherapist, or sports physician. Please read our full Health and Training Disclaimer before using any training plan we generate. If you experience pain, unusual symptoms, or anything that feels wrong during exercise, stop and consult a medical professional.
11. How we protect your data
We take reasonable and proportionate security measures, including:
- Passwords are stored as bcrypt hashes — we cannot see or recover your password
- Transport encryption (HTTPS/TLS) for all communication between your device and our servers
- Rate limiting on login and registration endpoints to prevent brute-force attacks
- Account lockout after repeated failed login attempts
- JWT-based sessions with rotating refresh tokens
- Database encryption at rest provided by our database host
- Access to the production database is strictly restricted to the individuals responsible for operating Aithlo
No online service can be 100% secure. If we ever become aware of a breach that affects your personal data, we will notify you and the CNIL as required by the GDPR.
12. Changes to this policy
We may update this policy as Aithlo evolves. When we make changes that materially affect your rights or the data we collect, we will notify you by email and ask you to accept the new version the next time you sign in. The date at the top of the policy always reflects the most recent version.
13. Contact
For any question about this policy, your data, or your rights, please email us at:
We normally respond within a few days, and always within 30 days as required by GDPR.