Athlai — Privacy Policy
Last updated: March 16, 2026
Athlai is designed with a privacy-first architecture. Your data is self-hosted, never sold, and never used to train AI models. You can request full export or deletion at any time.
1. Data Controller
Athlai ("we", "us") is operated as a private beta service. The data controller is the service operator, reachable at admin@athlai.me. Athlai is governed by the laws of the Federal Republic of Germany, including the EU General Data Protection Regulation (GDPR).
2. Data We Collect
2.1 Data from connected services
When you connect your accounts, we access data from the following services on your behalf:
| Service | Data accessed | Auth method |
| --- | --- | --- |
| Whoop | HRV, resting heart rate, sleep duration and quality, recovery scores, strain, body metrics, skin temperature | OAuth 2.0 |
| Strava | Activities (type, duration, distance, heart rate, power, elevation, kudos, suffer score) | OAuth 2.0 |
| Intervals.icu | Training calendar, planned workouts, athlete profile (FTP, weight, timezone), activities | API key |
| Hevy | Strength training logs, exercises, sets, reps, volume | API key |
2.2 Data you provide directly
- Onboarding profile: name, sport, experience level, training goals, race targets, injury history, weekly availability
- Conversations: all messages you send via Telegram, including text, voice notes, and photo captions
- Photos: images you send for analysis (food, workout screenshots, recovery data, exercise form)
- Location: GPS coordinates when you share your location (used for weather and air quality)
- Meal logs: food descriptions and estimated macronutrients
2.3 Data generated by the service
- AI coaching recommendations and conversation history
- Training load calculations (CTL, ATL, TSB)
- Photo analysis summaries and structured insights
- Coaching outcome tracking (whether recommendations were followed)
- API usage metrics (token counts, costs per request)
2.4 Automatically collected data
- Weather: forecasts and conditions based on your location (via Open-Meteo, a free public API)
- Air quality: AQI data based on your location (via AQICN)
3. How We Use Your Data
All data is used exclusively for providing personalised coaching. Specifically:
- Generating training recommendations based on your fitness data, recovery status, and goals
- Analysing photos you send (food for nutrition tracking, workout screenshots, recovery data)
- Tracking training load and recovery trends over time
- Adapting training plans based on your response to training
- Providing weather-aware training suggestions
Your data is never sold, rented, or used for advertising. It is never used to train AI models.
4. Data Storage & Security
4.1 Where your data is stored
All data is stored on a self-hosted server infrastructure:
- SQLite database: conversations, wellness history, activities, nutrition logs, coaching state, photo analysis summaries
- Neo4j graph database: relationships between your wellness, activities, and life events for pattern detection
- ChromaDB vector store: coaching knowledge rules (not personal data)
No cloud storage services (AWS, GCP, Azure) are used for your personal data. All databases run in Docker containers on the same server.
4.2 Security measures
- OAuth tokens are encrypted at rest using Fernet symmetric encryption
- API keys are stored in environment variables, not in code
- The server is accessible only via SSH and HTTPS
- No external analytics or tracking scripts are used
4.3 Photos
When you send a photo, it is downloaded temporarily into memory for AI analysis. Photos are not stored on disk. Only a text summary and structured insights from the analysis are saved. The image data is discarded after processing.
5. Third-Party Data Sharing
Your data is shared with the following third parties solely to provide the coaching service:
| Service | What is shared | Why |
| --- | --- | --- |
| Anthropic (Claude API) | Conversation text, athlete context, wellness summaries, photos (for vision analysis) | AI coaching engine. Anthropic does not store or train on API data per their data policy. |
| Telegram Bot API | Coaching messages, replies | Delivering responses to you |
| Open-Meteo | GPS coordinates | Weather forecasts |
| AQICN | GPS coordinates | Air quality data |
| OpenStreetMap (Nominatim) | GPS coordinates | Reverse geocoding (city name from coordinates) |
Whoop, Strava, Intervals.icu, and Hevy data flows are inbound only — we read your data from these services but do not write data back to them.
6. Legal Basis for Processing (GDPR)
- Consent (Art. 6(1)(a)): You consent to data processing by connecting your accounts and using the service. You may withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)): API usage logging for cost management and service reliability.
- Health data (Art. 9(2)(a)): Processing of health-related data (HRV, heart rate, sleep, recovery) is based on your explicit consent provided during onboarding.
7. Data Retention
- Active users: data is retained for as long as you use the service.
- Inactive users: if you stop using the service, your data remains until you request deletion.
- Cached data: weather and API caches expire automatically (15 minutes to 24 hours).
- OAuth tokens: refreshed automatically; revoked when you disconnect an integration.
8. Your Rights
Under the GDPR, you have the following rights:
- Access (Art. 15): request a full export of your data at any time via the admin panel or by contacting us.
- Rectification (Art. 16): request correction of inaccurate data.
- Erasure (Art. 17): request complete deletion of all your data. This removes your profile, all conversation history, wellness data, activity data, nutrition logs, and analysis results.
- Data portability (Art. 20): receive your data in a structured, machine-readable format (JSON).
- Restriction (Art. 18): request that we stop processing your data while a dispute is resolved.
- Objection (Art. 21): object to data processing based on legitimate interest.
- Withdraw consent: disconnect integrations via Telegram commands or request full account deletion.
To exercise any of these rights, contact us at admin@athlai.me or use the /delete_my_data command in Telegram.
9. Cookies & Tracking
The Athlai web dashboard uses no cookies for tracking or analytics. A single localStorage entry stores your dashboard API key for authentication. No third-party tracking scripts, pixels, or analytics services are used.
10. Children
Athlai is not intended for use by anyone under 16 years of age. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this policy as Athlai evolves. Material changes will be communicated via Telegram before they take effect. The "last updated" date at the top of this page reflects the most recent revision.
12. Contact
For questions about this privacy policy or to exercise your data rights:
Email: admin@athlai.me