Privacy Policy

Etapa — AI-Powered Cycling Companion

Effective Date: May 15, 2026

1. Introduction

Etapa ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Etapa mobile application ("App").

This policy applies to all users of the App regardless of location, and has been drafted with reference to the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA).

2. Data Controller

The data controller responsible for your personal data is:

Etapa
Email: helloetapa@gmail.com
Website: https://getetapa.com

If a Data Protection Officer is appointed, their contact details will be published on our website.

3. Data We Collect

3.1 Data You Provide

• Account information: email address, name, and authentication credentials
• Cycling goals: target events, distances, dates, and experience level
• Training preferences: weekly availability, preferred training days, intensity preferences
• Companion selection: your chosen AI companion persona
• Chat messages: text you send to the AI companion feature
• Feedback: any ratings, reviews, or feedback you provide through the App

3.2 Data We Collect Automatically

• Device information: device type, operating system, unique device identifiers
• Usage data: features used, session duration, screens viewed, interaction patterns
• Crash and performance data: error logs and diagnostic information
• IP address and approximate location (country/region level only)

3.3 Data We Do Not Collect

• Precise GPS location or route tracking
• Health data from Apple HealthKit, Google Health Connect, or wearable devices (unless explicitly enabled by you in a future update)
• Financial information (payments are processed by Apple/Google)

4. How We Use Your Data

4.1 Providing the Service

• Generating personalised AI training guides based on your goals and preferences
• Powering the AI companion chat feature with contextual, personalised responses
• Syncing your training data across devices
• Managing your account and subscription

4.2 Improving the Service

• Analysing usage patterns to improve features and user experience
• Monitoring App performance and diagnosing technical issues
• Developing new features based on aggregated, anonymised usage trends

4.3 Communications

• Sending transactional emails (account verification, password resets, subscription confirmations)
• Sending product updates and feature announcements (with your consent, where required)

4.4 Human Review (Opt-In)

To refine the AI companion personas and the quality of their advice, members of Etapa's review team — human staff under contract with us — may review a sample of your AI companion conversations. This processing is strictly opt-in:

• Off by default. Human review only happens after you have turned on Help improve your companion in Settings → Companion & health → Privacy.
• PII is redacted before review. Before any human sees a message, our server strips names, email addresses, phone numbers, postcodes, street addresses, URLs, and card-shaped numbers from the text and replaces them with neutral tokens such as [NAME] or [EMAIL]. Redaction runs server-side and is conservative — we err on the side of removing too much.
• What reviewers can access. Redacted companion-chat messages, your training guides and sessions, your weekly check-in answers, and metadata about ride-tip requests (when, on which activity, model + cost). Reviewers cannot see your email address, login credentials, payment details, or any data you have not shared with the AI companion.
• Reviewer notes. Reviewers may attach short text notes against any of the above to feed back into the AI training loop. These notes are internal to Etapa.
• Withdrawal. You can switch the toggle off at any time. From that point on, no new conversations are eligible for review. Existing redacted samples may be retained for an internal review window of up to 12 months and are then deleted; deleting your Etapa account removes them immediately as part of the standard account-deletion flow.

5. Legal Basis for Processing (GDPR)

Under the UK GDPR and EU GDPR, we process your data on the following legal bases:

• Contract: Processing necessary to provide the service you have requested (generating training guides, companion chat, account management).
• Legitimate interest: Improving the App, ensuring security, and preventing fraud.
• Consent: Sending marketing communications, processing any optional data you choose to provide, and the Human Review described in section 4.4 (which only proceeds where you have explicitly opted in).

You may withdraw consent at any time by adjusting your preferences in the App settings or contacting us at helloetapa@gmail.com. Withdrawing consent for Human Review stops any new conversations being eligible for review.

6. Third-Party Data Processors

We share your data with the following categories of third-party processors, solely to provide and improve the service:

• AI Service Provider (Anthropic): Your cycling goals, training preferences, companion selection, and chat messages are sent to Anthropic's Claude API to generate training guides and companion responses. Anthropic processes this data in accordance with their privacy policy and data processing agreements. Anthropic does not use your data to train their models.
• Cloud Infrastructure (Supabase / AWS): Your account data, training guides, and preferences are stored on cloud servers. Data may be processed in the United States or European Union.
• Authentication Provider: Account authentication is handled by a third-party identity provider for secure sign-in.
• Analytics: We may use privacy-respecting analytics tools to understand App usage in aggregate. Any analytics data is anonymised or pseudonymised.
• App Stores (Apple / Google): Subscription billing and payment processing are handled entirely by Apple and Google. We do not receive or store your payment details.

We do not sell your personal data to any third party.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the service. Specifically:

• Account data: Retained until you delete your account.
• Training guides and chat history: Retained for the duration of your account. You can delete individual guides at any time.
• Usage and analytics data: Retained in anonymised or aggregated form for up to 24 months.
• After account deletion: We will delete or anonymise your personal data within 30 days, except where retention is required by law.

8. Your Rights

8.1 Under UK/EU GDPR

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate personal data.
• Right to erasure: Request deletion of your personal data ("right to be forgotten").
• Right to restrict processing: Request that we limit how we use your data.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interest or for direct marketing.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time.

8.2 Under CCPA (California Residents)

• Right to know: Request details about the categories and specific pieces of personal information we have collected.
• Right to delete: Request deletion of personal information we have collected.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

We do not sell personal information as defined by the CCPA.

To exercise any of these rights, contact us at helloetapa@gmail.com. We will respond within 30 days (or as required by applicable law).

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Row-level security on database records to ensure users can only access their own data
• Secure authentication with hashed credentials
• Regular security reviews and dependency updates

While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the recipient's participation in recognised data protection frameworks.

11. Children's Privacy

The App is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly.

12. Cookies and Tracking

The App itself does not use cookies. If you visit our website (etapa.app), we may use essential cookies for site functionality. We do not use third-party advertising cookies or cross-app tracking identifiers. We respect Apple's App Tracking Transparency framework and will request permission before any tracking, if applicable.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App and, where appropriate, by email. The "Effective Date" at the top of this policy indicates when it was last revised.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Email: helloetapa@gmail.com
Website: https://getetapa.com

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at https://ico.org.uk.