Privacy Policy
Effective date: 1 June 2026
1. Who we are
CycleCoach (“we”, “us”, the “Service”) operates the website cyclecoach.ai and the associated training-coaching service. We are the data controller for the personal data described in this policy. Contact us at support@cyclecoach.ai.
2. Data we collect
Account data
Email address, password hash (never the plaintext password), and profile information you enter (date of birth, sex, FTP, weight target, training goal).
Strava data
When you connect Strava, we request the read and activity:read_all scopes. We read your athlete profile (name, FTP, weight), your activity list, and per-activity streams (power, heart-rate, cadence, GPS, elevation, laps). We never write to Strava on your behalf.
Withings data
When you connect Withings, we request the user.info and user.metrics scopes and read body composition measurements (weight, body fat %, muscle mass).
Coaching data
Training plans we generate for you, workout data you import, and the messages you exchange with the in-app AI coach.
Health-related data (special category)
Some of what we read from Strava and Withings — heart rate, body weight, body composition — qualifies as “special category” health data under UK GDPR Article 9 and the equivalent EU GDPR provisions. We process this data only with your explicit consent, which you give by connecting Strava or Withings to your account. You can withdraw consent at any time by disconnecting the relevant integration from Settings.
3. Legal basis for processing
Under UK GDPR Article 6 (and equivalent EU GDPR provisions), we rely on the following legal bases:
- Contract — processing your account data, training plans, workout data, and coaching messages is necessary to provide the service you signed up for.
- Explicit consent (Article 9(2)(a)) — for health-related special category data read from Strava and Withings.
- Legitimate interest — for service security, fraud prevention, and improving the product (e.g., aggregated, non-identifying usage analytics). You can object to processing on this basis by emailing us.
- Consent — for any marketing communications (we do not currently send marketing emails; if we start, we will ask first).
- Legal obligation — where we must retain data to comply with applicable law.
4. How we use the data
We use your data to generate personalised training plans, analyse completed workouts, produce coaching insights, and provide the chat-based coach. We send relevant context (your profile, recent workouts, current plan, your message) to Anthropic’s Claude API to produce the AI responses you see. Anthropic does not train models on this data.
5. Automated decision-making
We use an AI system (Anthropic’s Claude) to generate personalised training plans, workout reviews, and coaching responses based on your profile and training history. This involves automated processing of your data. The outputs are recommendations, not binding decisions: you remain in control of which workouts you perform and can ignore, override, or request changes to anything the system suggests.
You have the right under UK GDPR Article 22 to request human review of any automated output that significantly affects you. To do so, email support@cyclecoach.ai.
6. Where data is stored
All application data is stored in Supabase (PostgreSQL) hosted in London. The application itself runs on AWS App Runner in London (eu-west-2). OAuth tokens for Strava and Withings are encrypted at rest using AES-256-GCM. Database access is governed by row-level security tied to your account.
7. International data transfers
Some of our sub-processors are based outside the UK and EU. In particular:
- Anthropic (AI inference) is based in the United States. When we send your context to the Claude API, that data is processed in the US.
- AWS and Supabase are US companies, although the specific infrastructure that serves CycleCoach is hosted in the UK / EU regions named above.
- Resend (transactional email) operates from the United States.
We rely on the UK International Data Transfer Agreement (IDTA) and the EU Standard Contractual Clauses (SCCs) with these providers to ensure your data receives an essentially equivalent level of protection. You can request copies of these transfer agreements by emailing support@cyclecoach.ai.
8. Sub-processors
- Supabase — database, authentication, file storage (EU regions).
- Anthropic — AI inference for coaching responses (US).
- AWS App Runner — application hosting (London).
- Resend — transactional email delivery (US).
- PostHog — first-party product analytics, error and performance monitoring (EU).
- Strava — when you connect your Strava account.
- Withings — when you connect your Withings account.
9. Cookies and similar technologies
We use a small number of strictly necessary cookies to keep you signed in and to protect your session (e.g., Supabase authentication cookies, CSRF tokens). These do not require consent under UK PECR / EU ePrivacy because they are essential for the service to function.
We use first-party product analytics (PostHog, hosted in the EU) to understand how the app is used and to monitor errors and performance. This data is processed under our legitimate interest in securing and improving the product. We do not use third-party advertising or tracking cookies, and our analytics does not set cookies or write to persistent storage on your device. You can object to this processing by emailing us.
10. Retention
We retain your data until you delete your account. You can request deletion at any time by emailing support@cyclecoach.ai; account and associated data are deleted within 30 days. We may retain a minimal set of records (e.g., billing history, security logs) for as long as required to comply with applicable law.
11. Minimum age
CycleCoach is intended for adults. You must be at least 18 years old to create an account. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, email support@cyclecoach.ai and we will delete it.
12. Your rights
Under UK GDPR and equivalent EU GDPR provisions, you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Have your data deleted (right to erasure).
- Restrict how we process your data.
- Object to processing based on our legitimate interests.
- Receive a copy of your data in a portable format.
- Withdraw any consent you have given (e.g., by disconnecting Strava or Withings).
- Request human review of automated decisions that significantly affect you (see Section 5).
To exercise any of these rights, email support@cyclecoach.ai. We will respond within one month.
If you are unhappy with how we have handled your data, you also have the right to complain to a data protection supervisory authority. UK users can contact the Information Commissioner’s Office (ICO) at ico.org.uk. EU users can contact their national data protection authority.
13. Strava-specific terms
Connecting your Strava account is optional. If you connect, we read your athlete profile and activities under the scopes listed in Section 2 and use that data solely to generate your training plan, review completed workouts, and produce coaching insights. We do not share your Strava data with any third party other than the sub-processors listed in Section 8. We never write to Strava on your behalf. You can disconnect CycleCoach from Strava at any time from CycleCoach’s Settings page, or directly at strava.com/settings/apps.
14. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notice.
Questions? Email support@cyclecoach.ai. See also our Terms of Service.