Privacy Policy

The data controller is Talaria (SIRET: 998 931 752 00021), a sole proprietorship registered in France, operating the service "Leo - Running Coach".

Contact: [email protected]

We collect the following categories of data:

• Identification data: name, email address (via Auth0)
• Runner profile data: age, weight, height, heart rate, preferred terrain, goals
• Sports activity data: activities synced from Strava (distance, duration, elevation, heart rate, cadence, pace)
• Health data: heart rate, wellness data (fatigue, sleep quality). This data is processed based on your explicit consent (GDPR Art. 9.2.a).
• Payment data: managed exclusively by Stripe. We do not store any credit card numbers.

Leo connects to your Strava account via OAuth 2.0 to sync your sports activities. Here are the details of this integration:

• Data retrieved: activities (type, distance, duration, elevation, heart rate, cadence, pace), athlete profile (Strava ID), gear (shoes)
• Token storage: Strava access and refresh tokens are stored securely in our database, encrypted in transit (TLS). We never store your Strava password.
• Strava Data caching: Strava Data is cached for a maximum of 7 days. Beyond this period, data is automatically deleted or refreshed from Strava. Data is refreshed automatically every 30 minutes to ensure accuracy and reflect any updates you make on Strava.
• Deletion sync: if you delete data from Strava, those deletions will be reflected in Leo within a maximum of 48 hours.
• Revocation and data deletion: you can revoke Leo's access to your Strava account at any time from Strava settings. Upon revocation, your Strava access tokens and all Strava-sourced activity data will be deleted from our database within 48 hours.
• Account deletion: if you delete your Leo account, all data including Strava-sourced data is permanently deleted from our systems.
• Read-only access: Leo never posts on your Strava account and does not modify any of your Strava data.
• Visibility: a user's Strava data is only displayed to that user. No cross-user data sharing.

Leo operates as an MCP (Model Context Protocol) server that you connect to the AI service of your choice (Claude, ChatGPT, etc.). In this context:

• Your sports data is transmitted to the AI service only within the context of your coaching conversation
• We do not control the processing performed by the third-party AI service. Please consult the privacy policy of the service you use.
• Data is not used to train AI models

Your data is processed for the following purposes:

• Provide personalized AI coaching service
• Generate adaptive training plans
• Analyze your performance and progression
• Prevent injuries through training load analysis
• Manage your subscription and billing

• Account data: retained while your account is active + 3 years after account closure
• Cached Strava data: maximum 7 days, refreshed automatically every 30 minutes
• Strava data upon revocation: all Strava-sourced activity data and access tokens are deleted within 48 hours of access revocation or account deletion
• OAuth tokens: until revocation or expiration
• Cookies: maximum 13 months
• Billing data: retained per legal obligations (10 years)

Your data is shared with the following services:

• Auth0 (Okta): authentication and session management
• Stripe: payment and subscription management
• Strava: activity sync (read-only)
• AI service of your choice: within your coaching conversations via the MCP protocol

We do not share any data with advertising platforms, data brokers, or advertisers, even with your consent (in compliance with the Strava API Agreement).

• Encryption in transit (TLS/HTTPS)
• Encrypted sensitive data at rest
• OAuth 2.0 authentication via Auth0
• Principle of least privilege for data access
• PostgreSQL database with restricted access
• Strava tokens stored server-side, not accessible to browser
• Infrastructure hosted in Europe (Cloudflare)

Breach notification: in case of a security breach involving Strava Data or personal data, we commit to notify Strava within 24 hours and the CNIL within 72 hours of discovering the incident.

Under the General Data Protection Regulation (GDPR), you have the following rights:

• Right of access: obtain a copy of your personal data
• Right to rectification: correct your data
• Right to erasure: request deletion of your data
• Right to portability: receive your data in a structured format (JSON/CSV)
• Right to object: object to processing of your data
• Right to restriction: restrict the processing of your data
• Consent withdrawal: you may withdraw your consent at any time

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

We only use cookies that are strictly necessary for the service to function:

• Auth0 session cookie: required for authentication
• Auth0 transaction cookie: required for OAuth flow

We do not use any tracking, analytics, or advertising cookies.

Some of our service providers (Auth0, Stripe) may process your data outside the European Union. These transfers are governed by the European Commission's Standard Contractual Clauses (SCC) or adequate provider certifications (SOC 2).

Leo is intended for individuals aged 16 and over. We do not knowingly collect data from minors under 16 years of age.

We reserve the right to modify this privacy policy. In case of substantial changes, we will notify you by email or through an in-app notification.

In compliance with the Strava API Agreement, we commit to the following principles:

• Strava data is displayed only to the authenticated user who generated it
• Strava Data is cached for a maximum of 7 days
• We do not sell, share, or use Strava data for AI/ML model training
• We do not share any data with advertising platforms, data brokers, or advertisers
• Upon access revocation, tokens are deleted within 48 hours
• If a user deletes data on Strava, deletions are reflected in Leo within 48 hours
• We notify Strava within 24 hours in case of a data breach
• The "Powered by Strava" badge is displayed wherever Strava data is presented

For any questions regarding this policy or to exercise your rights:

Email: [email protected]

If you believe that the processing of your data constitutes a violation of the GDPR, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertes): www.cnil.fr