Privacy Policy

Etapa — AI-Powered Cycling Coach

Effective Date: March 31, 2026

1. Introduction

Etapa ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Etapa mobile application ("App").

This policy applies to all users of the App regardless of location, and has been drafted with reference to the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA).

2. Data Controller

The data controller responsible for your personal data is:

Etapa
Email: helloetapa@gmail.com
Website: https://getetapa.com

If a Data Protection Officer is appointed, their contact details will be published on our website.

3. Data We Collect

3.1 Data You Provide

• Account information: email address, name, and authentication credentials
• Cycling goals: target events, distances, dates, and experience level
• Training preferences: weekly availability, preferred training days, intensity preferences
• Coach selection: your chosen AI coach persona
• Chat messages: text you send to the AI coaching feature
• Feedback: any ratings, reviews, or feedback you provide through the App

3.2 Data We Collect Automatically

• Device information: device type, operating system, unique device identifiers
• Usage data: features used, session duration, screens viewed, interaction patterns
• Crash and performance data: error logs and diagnostic information
• IP address and approximate location (country/region level only)

3.3 Data We Do Not Collect

• Precise GPS location or route tracking
• Health data from Apple HealthKit, Google Health Connect, or wearable devices (unless explicitly enabled by you in a future update)
• Financial information (payments are processed by Apple/Google)

4. How We Use Your Data

4.1 Providing the Service

• Generating personalised AI training plans based on your goals and preferences
• Powering the AI coaching chat feature with contextual, personalised responses
• Syncing your training data across devices
• Managing your account and subscription

4.2 Improving the Service

• Analysing usage patterns to improve features and user experience
• Monitoring App performance and diagnosing technical issues
• Developing new features based on aggregated, anonymised usage trends

4.3 Communications

• Sending transactional emails (account verification, password resets, subscription confirmations)
• Sending product updates and feature announcements (with your consent, where required)

5. Legal Basis for Processing (GDPR)

Under the UK GDPR and EU GDPR, we process your data on the following legal bases:

• Contract: Processing necessary to provide the service you have requested (generating training plans, coaching chat, account management).
• Legitimate interest: Improving the App, ensuring security, and preventing fraud.
• Consent: Sending marketing communications and processing any optional data you choose to provide.

You may withdraw consent at any time by adjusting your preferences in the App settings or contacting us at helloetapa@gmail.com.

6. Third-Party Data Processors

We share your data with the following categories of third-party processors, solely to provide and improve the service:

• AI Service Provider (Anthropic): Your cycling goals, training preferences, coach selection, and chat messages are sent to Anthropic's Claude API to generate training plans and coaching responses. Anthropic processes this data in accordance with their privacy policy and data processing agreements. Anthropic does not use your data to train their models.
• Cloud Infrastructure (Supabase / AWS): Your account data, training plans, and preferences are stored on cloud servers. Data may be processed in the United States or European Union.
• Authentication Provider: Account authentication is handled by a third-party identity provider for secure sign-in.
• Analytics: We may use privacy-respecting analytics tools to understand App usage in aggregate. Any analytics data is anonymised or pseudonymised.
• App Stores (Apple / Google): Subscription billing and payment processing are handled entirely by Apple and Google. We do not receive or store your payment details.

We do not sell your personal data to any third party.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the service. Specifically:

• Account data: Retained until you delete your account.
• Training plans and chat history: Retained for the duration of your account. You can delete individual plans at any time.
• Usage and analytics data: Retained in anonymised or aggregated form for up to 24 months.
• After account deletion: We will delete or anonymise your personal data within 30 days, except where retention is required by law.

8. Your Rights

8.1 Under UK/EU GDPR

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate personal data.
• Right to erasure: Request deletion of your personal data ("right to be forgotten").
• Right to restrict processing: Request that we limit how we use your data.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interest or for direct marketing.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time.

8.2 Under CCPA (California Residents)

• Right to know: Request details about the categories and specific pieces of personal information we have collected.
• Right to delete: Request deletion of personal information we have collected.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

We do not sell personal information as defined by the CCPA.

To exercise any of these rights, contact us at helloetapa@gmail.com. We will respond within 30 days (or as required by applicable law).

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Row-level security on database records to ensure users can only access their own data
• Secure authentication with hashed credentials
• Regular security reviews and dependency updates

While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the recipient's participation in recognised data protection frameworks.

11. Children's Privacy

The App is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly.

12. Cookies and Tracking

The App itself does not use cookies. If you visit our website (etapa.app), we may use essential cookies for site functionality. We do not use third-party advertising cookies or cross-app tracking identifiers. We respect Apple's App Tracking Transparency framework and will request permission before any tracking, if applicable.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App and, where appropriate, by email. The "Effective Date" at the top of this policy indicates when it was last revised.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Email: helloetapa@gmail.com
Website: https://getetapa.com

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at https://ico.org.uk.