Privacy Policy

Your privacy matters to us. Leo generates revenue exclusively through subscriptions you pay — we do not sell, monetize, or share your data for advertising purposes.

This policy describes what data we collect, why we collect it, how we protect it, and what rights you have.

The data controller is Talaria, a sole proprietorship registered in France, operating the service "Leo - AI Running Coach".

Contact: [email protected]

We collect the following categories of data:

• Account data: name, email address (via secure authentication), Google account ID if you sign in with Google
• Runner profile data: age, weight, height, heart rate zones, preferred terrain, goals — provided voluntarily by you during coaching conversations
• Sports activity data: activities synced from Strava (distance, duration, elevation, heart rate, cadence, pace, GPS traces)
• Health data: heart rate, wellness data (fatigue, sleep quality, soreness, biomechanical observations). This data is processed based on your explicit consent (GDPR Art. 9.2.a).
• Coaching data: your conversations with the AI coach, training plans, coaching decisions, and session feedback
• Payment data: managed exclusively by Stripe. We do not store any credit card numbers or banking details on our servers.
• Security data: IP addresses, device information, usage logs, and access timestamps — collected for fraud prevention and service security
• Communication data: emails and messages exchanged with our support team

Leo connects to your Strava account via OAuth 2.0 to sync your sports activities. Here are the details of this integration:

• Data retrieved: activities (type, distance, duration, elevation, heart rate, cadence, pace), athlete profile (Strava ID), gear (shoes)
• Token storage: Strava access and refresh tokens are stored securely in our database, encrypted in transit (TLS). We never store your Strava password.
• Data caching: Strava data is cached for a maximum of 7 days. Beyond this period, data is automatically deleted or refreshed from Strava. Data is refreshed automatically every 30 minutes to ensure accuracy and reflect any updates you make on Strava.
• Deletion sync: if you delete data from Strava, those deletions will be reflected in Leo within a maximum of 48 hours.
• Revocation and data deletion: you can revoke Leo's access to your Strava account at any time from Strava settings. Upon revocation, your Strava access tokens and all Strava-sourced activity data will be deleted from our database within 48 hours.
• Account deletion: if you delete your Leo account, all data including Strava-sourced data is permanently deleted from our systems.
• Read-only access: Leo never posts on your Strava account and does not modify any of your Strava data.
• Visibility: a user's Strava data is only displayed to that user. No cross-user data sharing.

Leo operates as an MCP (Model Context Protocol) server that you connect to the AI service of your choice (Claude, ChatGPT, etc.). In this context:

• Your sports data is transmitted to the AI service only within the context of your coaching conversation
• We do not control the processing performed by the third-party AI service. Please consult the privacy policy of the service you use (e.g., Anthropic, OpenAI).
• Your data is not used by Leo to train AI models. However, the third-party AI provider's data policies apply to any data sent to their service.
• When using Leo via the web app or messaging channels (Telegram, WhatsApp), conversations are routed through our servers and processed by the AI provider we select. In this case, your data is subject to both this policy and the AI provider's policy.

Your data is processed for the following purposes:

• Provide personalized AI coaching service
• Generate adaptive training plans
• Analyze your performance and progression
• Prevent injuries through training load analysis
• Manage your subscription and billing
• Ensure the security and integrity of the service
• Respond to your support requests
• Improve the service (anonymized, aggregated usage analysis only)

• Account data: retained while your account is active + 1 year after account deletion (for compliance and dispute resolution)
• Coaching data: retained while your account is active, deleted upon account deletion
• Cached Strava data: maximum 7 days, refreshed automatically every 30 minutes
• Strava data upon revocation: all Strava-sourced activity data and access tokens are deleted within 48 hours of access revocation or account deletion
• Security data: retained for 1 year (rolling)
• Communication data: retained for 2 years from last interaction
• Billing data: retained per legal obligations (up to 10 years under French commercial law)
• Cookies: maximum 13 months

After account deletion, all personal data is permanently removed from our production systems within 30 days. Encrypted backups may retain data for up to 90 days before automatic purge.

Your data may be shared with the following services:

• Better Auth (self-hosted on our servers): authentication and session management
• Stripe (US, EU): payment and subscription management
• Strava (US): activity sync (read-only)
• AI provider (varies): within your coaching conversations. When using MCP, you choose the provider. When using the web app or messaging, we use Anthropic (Claude) and DeepSeek.
• Hetzner (Finland): infrastructure hosting
• Cloudflare (US): CDN and DDoS protection
• PostHog (EU): Anonymous product analytics to improve the service. No personal data is stored in cookies.

We do not share any data with advertising platforms, data brokers, or advertisers, even with your consent (in compliance with the Strava API Agreement).

We may disclose data if required by law, legal process, or government request.

• Encryption in transit (TLS/HTTPS on all endpoints)
• Self-hosted authentication with encrypted sessions
• Principle of least privilege for data access
• PostgreSQL database with restricted access
• Strava tokens stored server-side, not accessible to the browser
• Infrastructure hosted in Europe (Hetzner, Finland), behind Cloudflare

Breach notification: in case of a security breach involving personal data, we commit to notify Strava within 24 hours and the CNIL within 72 hours of discovering the incident. Affected users will be notified without undue delay.

Your personal data is primarily processed within the European Economic Area (EEA), on servers located in Finland.

Some of our service providers (Stripe, Strava, AI providers, Cloudflare) may process data outside the EEA, including in the United States. These transfers are governed by:

• The European Commission's Standard Contractual Clauses (SCCs)
• EU-US Data Privacy Framework certifications where applicable
• Adequate provider security certifications (SOC 2, ISO 27001)

Under the General Data Protection Regulation (GDPR), you have the following rights:

• Right of access: obtain a copy of your personal data
• Right to rectification: correct inaccurate data
• Right to erasure: request deletion of your data
• Right to portability: receive your data in a structured, machine-readable format (JSON/CSV)
• Right to object: object to processing based on legitimate interest
• Right to restriction: restrict the processing of your data
• Consent withdrawal: you may withdraw your consent at any time, without affecting the lawfulness of processing prior to withdrawal

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

If you are a resident of the United States, you may have additional rights under state consumer privacy laws, including the California Consumer Privacy Act (CCPA) and similar state laws.

• Right to know: you may request that we disclose what personal information we have collected about you, the categories of sources, and the purposes for which it is used.
• Right to delete: you may request the deletion of your personal information, subject to certain exceptions.
• Right to opt-out of sale: we do not sell your personal information. We do not share your data with advertisers, data brokers, or any third parties for monetary or other valuable consideration.
• Non-discrimination: we will not discriminate against you for exercising any of these rights.

To exercise any of these rights, contact us at [email protected]. We will respond within 45 days.

We only use cookies that are strictly necessary for the service to function:

• Session cookie: required for authentication and maintaining your logged-in state

We use PostHog for anonymous session analytics to improve the service. PostHog runs in cookieless mode (in-memory only) — no tracking cookies or persistent identifiers are stored on your device. We do not use any advertising cookies. No cookie consent banner is required because we only use strictly necessary cookies.

Leo is intended for individuals aged 16 and over. We do not knowingly collect data from minors under 16 years of age. If you believe a minor has provided us with personal data, please contact us and we will promptly delete it.

In compliance with the Strava API Agreement, we commit to the following principles:

• Strava data is displayed only to the authenticated user who generated it
• Strava data is cached for a maximum of 7 days
• We do not sell, share, or use Strava data for AI/ML model training
• We do not share any data with advertising platforms, data brokers, or advertisers
• Upon access revocation, tokens are deleted within 48 hours
• If a user deletes data on Strava, deletions are reflected in Leo within 48 hours
• We notify Strava within 24 hours in case of a data breach
• The "Powered by Strava" badge is displayed wherever Strava data is presented

We may update this privacy policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons.

For significant changes, we will notify you by email or through an in-app notification at least 15 days before the changes take effect. Continued use of the Service after changes become effective constitutes acceptance of the updated policy.

For any questions regarding this policy or to exercise your rights:

Talaria — [email protected]

Physical mailing address: available upon request at [email protected]

If you believe that the processing of your data constitutes a violation of the GDPR, you have the right to lodge a complaint with your local data protection authority. For users in France, this is the CNIL (Commission Nationale de l'Informatique et des Libertes): www.cnil.fr