Privacy Policy

Stailan · Effective date: TBD · Version 1.0 (draft) · Changelog

1. Introduction

Stailan ("Stailan", "we", "us", or "our") provides a connected training platform for cyclists. We take your privacy seriously, particularly because using Stailan involves the processing of health-related data, which deserves and receives special protection.

This Privacy Policy explains what information we collect about you, how and why we use it, who we share it with, how long we keep it, and the rights you have. It applies to the Stailan web application, the installable progressive web app for desktop and mobile, the native iOS and Android apps, and any other Stailan service that links to this Privacy Policy (together, the "Service").

If you do not agree with this Privacy Policy, please do not use the Service. By creating an account or otherwise using the Service, you acknowledge that you have read this Privacy Policy.

2. Who is responsible for your personal information

The data controller for personal information processed through the Service is:

Legal entity: Stailan AS (Norwegian limited company)
Organisation number: 937 624 743
Registered address: Henrik Wergelands gate 33, 5031 Bergen, Norway
Email for privacy enquiries: support@stailan.com
Privacy policy online: https://stailan.com/privacy

If you have any questions about this Privacy Policy or how we handle your personal information, you can contact us using the email address above.

3. Scope and applicable laws

Stailan is offered globally. Depending on where you live, different privacy laws apply:

European Economic Area, United Kingdom, Switzerland: the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent national laws.
Norway: the Norwegian Personal Data Act (Personopplysningsloven), implementing the GDPR.
California: the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA). See section 12.
Other US states (Virginia, Colorado, Connecticut, Utah, Texas and others): applicable state privacy laws. See section 13.

We have built this Privacy Policy on GDPR as the strictest of the applicable frameworks, with additional sections covering specific US state rights.

4. Information we collect

We collect the categories of personal information described below. Some of this information you provide to us directly; some is collected automatically when you use the Service; and some is provided by third parties such as Strava (only when you choose to connect those services).

Category	Examples	Source
Account information	Email address, name, username, profile picture (optional), hashed password, language preference, account creation date.	Provided by you at registration.
Authentication tokens	Strava OAuth access and refresh tokens, Strava athlete ID.	Issued by Strava when you link your account.
Health and fitness data (special category)	FTP (Functional Threshold Power), maximum and resting heart rate, weight (optional), date of birth (used to calculate heart rate zones), gender (optional).	Provided by you, with your explicit consent.
Workout data (special category)	Power output (watts), heart rate, cadence, speed, time-series telemetry from smart trainers and heart rate monitors, workout start and end times, duration, distance, mode (ERG or simulation), connected device names.	Collected during your training sessions through Bluetooth-connected devices.
Training plans and goals	AI-generated training plans, training goals (e.g., target events, FTP targets), training history and progression.	Generated by our AI features based on inputs you provide.
AI chat history	Messages you send to the analysis chat, AI-generated responses, conversation metadata (timestamps, references to workouts).	Generated when you use AI chat features.
Routes and location data	Planned and ridden routes (coordinates / GPX), route segments, elevation profiles, leaderboard positions.	Provided by you (route planning) or imported from Strava.
Social content	Activity feed posts, likes, comments, private messages, coach/athlete relationships, badges, challenge participation.	Created by you and other users you interact with.
Live group ride streams	Real-time video and audio streams during group rides. We do not record or store these streams.	Generated when you join a live group ride; processed by Daily.co.
Subscription and payment information	Subscription tier, entitlements, purchase history, transaction status. Card data is processed exclusively by Stripe, Apple, or Google – never by us.	Provided when you subscribe; processed by payment providers.
Device and technical data	Device type, operating system, app version, IP address, Bluetooth device names, time zone, language, push notification tokens.	Collected automatically when you use the Service.
Usage and log data	Login timestamps, error logs, feature usage statistics.	Collected automatically when you use the Service.

We do not knowingly collect any other categories of personal information. If you provide us with information about a third party (for example, by tagging another user in a post), you are responsible for ensuring that you have the right to do so.

5. How and why we use your information

We process your personal information for the purposes set out below. For each purpose we identify the legal basis under the GDPR. Where we rely on consent, you can withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Purpose	Categories of data used	Legal basis
Creating and operating your account	Account information, device data.	Performance of a contract (GDPR Art. 6(1)(b)).
Recording and storing your workouts	Workout data, health and fitness data, device data.	Performance of a contract (Art. 6(1)(b)) AND your explicit consent for special-category data (Art. 9(2)(a)).
Generating AI training plans and providing AI analysis chat	Health and fitness data, workout data, training plans, AI chat history.	Performance of a contract (Art. 6(1)(b)) AND your explicit consent for special-category data (Art. 9(2)(a)).
Importing activities from Strava	Authentication tokens, workout data, routes.	Performance of a contract (Art. 6(1)(b)) and your consent given via OAuth (Art. 6(1)(a)).
Live group rides with video and audio	Account information, real-time video and audio streams.	Your consent (Art. 6(1)(a)).
Social features (feed, likes, comments, messaging, coach/athlete relationships)	Account information, social content.	Performance of a contract (Art. 6(1)(b)) for the feature itself; your consent for any sharing of special-category data within social features.
Route planning and segment leaderboards	Routes and location data, account information.	Performance of a contract (Art. 6(1)(b)).
Processing subscriptions and payments	Subscription and payment information, account information.	Performance of a contract (Art. 6(1)(b)) and legal obligations under accounting law (Art. 6(1)(c)).
Sending transactional emails (verification, password reset, service notices)	Account information.	Performance of a contract (Art. 6(1)(b)).
Improving the Service, debugging, and security	Usage and log data, device data.	Our legitimate interests in operating, securing, and improving the Service (Art. 6(1)(f)).
Marketing communications (only if you opt in)	Account information.	Your consent (Art. 6(1)(a)).
Complying with legal obligations and responding to lawful requests	Any relevant data, on a case-by-case basis.	Legal obligation (Art. 6(1)(c)).

6. Health and fitness data – special category data

When you sign up or first activate features that involve health-related data, we will ask you to give explicit, separate consent to:

the recording and storage of your workout data, including time-series telemetry from connected devices;
the use of that data, together with information you provide such as FTP and goals, to generate AI training plans and to power the AI analysis chat;
the transfer of relevant subsets of that data to Anthropic in the United States, in order to use their Claude API to generate AI outputs (see section 7).

You can withdraw any of these consents at any time by changing your settings in the app or by contacting us. If you withdraw consent, the affected features will be disabled, but processing carried out before withdrawal remains lawful.

We will never use your health-related data for advertising, profiling unrelated to training, or any purpose not described in this Privacy Policy.

7. AI features and Anthropic

Stailan uses large language models from Anthropic, PBC ("Anthropic") to provide:

AI-generated multi-week training plans tailored to your FTP, goals, and training history;
the AI analysis chat, where you can ask questions about your own training data.

To deliver these features, we send relevant data to the Anthropic Claude API. We follow data minimisation principles when constructing those requests:

we send the minimum data needed to produce a useful response;
where possible we send aggregated summaries (such as weekly load, average power, peak heart rate) rather than raw second-by-second telemetry;
we do not include payment information, social messages, or unrelated personal information in AI requests.

Anthropic acts as a processor for Stailan under a written data processing agreement and processes your data in the United States. We have implemented Standard Contractual Clauses and supplementary safeguards to address the international transfer (see section 9). Anthropic does not use your data to train its models when called through the commercial API; this is contractually committed by Anthropic.

8. Who we share your information with

We share personal information only as described below. We do not sell your personal information, and we do not share it for cross-context behavioural advertising.

8.1 Service providers (subprocessors)

We use the following third-party service providers to deliver the Service. Each of them is bound by a written data processing agreement that limits how they may use your information.

Provider	Service	Data shared	Location
Supabase Inc.	Database, authentication, edge functions.	All categories of personal data described above (other than live video/audio).	European Union (data stored in the EU region we have selected).
Anthropic, PBC	AI training plan generation and AI analysis chat (Claude API).	Health and fitness data, training history and goals, chat messages, summaries of workout data necessary to generate the requested output.	United States.
Strava, Inc.	Account login (OAuth) and activity import.	Authentication tokens, your Strava athlete ID, activities you choose to import.	United States.
Daily.co (Daily, Inc.)	Real-time video and audio for live group rides.	Real-time video and audio streams (not recorded), basic room participation metadata.	United States, with EU regional infrastructure where available.
GraphHopper GmbH	Route calculation.	Start, end, and waypoint coordinates for the route you request.	Germany (European Union).
Map tile provider	Map rendering for route planning and analysis.	IP address and the coordinates of the map area you are viewing.	To be confirmed; identified in the current subprocessor list at stailan.com/subprocessors.
Stripe Payments Europe, Limited	Web subscription processing and billing.	Name, email, billing address, payment instrument data (handled directly by Stripe), transaction information.	Ireland (European Union), with global processing infrastructure.
Apple Inc. (App Store)	In-app purchases on iOS.	Apple ID, purchase information, device information (handled by Apple).	United States and Ireland.
Google LLC (Google Play)	In-app purchases on Android.	Google account, purchase information, device information (handled by Google).	United States and the European Union.
Resend, Inc.	Transactional email delivery.	Email address, name, content of transactional emails (e.g., verification, password reset).	European Union region.
Vercel, Inc.	Hosting and content delivery for the web application.	IP address, request logs, content cached for delivery.	United States headquarters, with European Union regional compute and edge infrastructure.

An up-to-date list of subprocessors is available at stailan.com/subprocessors. We will give reasonable advance notice of any new subprocessors that materially affect how your data is processed.

8.2 Other users

If you use social features – posting to the activity feed, commenting, messaging, joining live group rides, or accepting a coach/athlete relationship – the relevant content is visible to the users you have shared it with. You are in control of what you choose to share.

8.3 Legal disclosures

We may disclose personal information when we are legally required to do so, for example in response to a valid court order, subpoena, or other lawful request from a public authority. Where permitted by law, we will notify you of such requests.

8.4 Business transfers

If Stailan is involved in a merger, acquisition, financing, reorganisation, or sale of assets, personal information may be transferred to the relevant counterparty as part of that transaction. We will notify you of any such change and of any choices you may have.

9. International transfers of your data

Stailan is based in Norway and our primary data store (Supabase) is located in the European Union. However, several of our service providers are based in the United States or operate global infrastructure. This means that some of your data is transferred outside the European Economic Area.

We rely on the following safeguards for these transfers:

Standard Contractual Clauses (SCCs) adopted by the European Commission, included in our agreements with Anthropic, Strava, Daily.co, Vercel, and other US-based providers.
Supplementary technical measures, including encryption in transit (TLS 1.2 or higher), encryption at rest, access controls, and data minimisation in API calls.
Supplementary organisational measures, including written processor agreements, contractual restrictions on secondary use of data, and contractual obligations to notify us of any government access requests where legally permitted.

If you would like a copy of the relevant safeguards or further information about a specific transfer, please contact us at support@stailan.com.

10. How long we keep your data

We keep personal information only for as long as is necessary for the purposes for which it was collected, or as required by law.

Data category	Retention period	Reason
Account information	For as long as your account is active, plus 30 days after deletion.	To allow you to recover an accidentally deleted account during a 30-day grace period.
Health, fitness, and workout data	For as long as your account is active, plus 30 days after deletion.	Same recovery grace period; you can export your data at any time before deletion.
AI chat history	Up to 12 months, or until you delete it, whichever comes first.	Balances usefulness of historical context against data minimisation.
Routes and location data	For as long as your account is active, plus 30 days after deletion.	Same as account.
Social content (posts, comments, messages)	Until deleted by you or 30 days after account deletion.	Other users may have interacted with this content.
Subscription and payment records	5 years from the end of the relevant accounting year.	Norwegian Bookkeeping Act (Bokføringsloven) §13 and equivalent obligations.
Support communications	24 months.	To provide continuity of support and resolve recurring issues.
Security and error logs	90 days.	Operational security and troubleshooting.
Marketing consent records	As long as consent is active, plus 3 years after withdrawal.	To document compliance with your consent choices.
Live group ride streams	Not retained.	We do not record or store live group rides.

Account deletion

You can delete your account at any time from within the Service. When you do:

your account is immediately deactivated and is no longer visible to other users;
you have a 30-day grace period during which you can recover the account by contacting us;
after 30 days, your personal information is permanently deleted from our active systems, except for data we are legally required to keep (such as accounting records) which is isolated and not used for any other purpose;
backups containing personal information are overwritten in our normal backup rotation.

11. Your rights under European data protection law

If the GDPR or UK GDPR applies to you, you have the following rights in respect of your personal information:

Right of access (Article 15) – to obtain a copy of the personal information we hold about you.
Right to rectification (Article 16) – to have inaccurate personal information corrected and incomplete personal information completed.
Right to erasure (Article 17) – to have your personal information deleted, subject to certain exceptions.
Right to restriction of processing (Article 18) – to restrict our processing of your personal information in certain circumstances.
Right to data portability (Article 20) – to receive your personal information in a structured, commonly used, machine-readable format and to transmit it to another controller. Stailan supports export of your training data in standard formats including JSON, GPX, and FIT.
Right to object (Article 21) – to object to processing based on our legitimate interests, including any profiling.
Right to withdraw consent (Article 7) – to withdraw any consent you have given, at any time, without affecting the lawfulness of processing carried out before withdrawal.
Right not to be subject to solely automated decision-making (Article 22) – AI training plans generated by Stailan are recommendations and do not produce legal or similarly significant effects on you. You can always review, modify, or reject any AI-generated plan.
Right to lodge a complaint with a supervisory authority. In Norway this is the Norwegian Data Protection Authority (Datatilsynet, datatilsynet.no). You can also complain to the supervisory authority in the EU country where you live or work.

To exercise any of these rights, please contact us at support@stailan.com. We will respond within one month, or sooner where possible.

12. Notice for California residents (CCPA/CPRA)

If you are a resident of California, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively the "CCPA"), gives you the rights described below in addition to those described elsewhere in this Privacy Policy.

12.1 Categories of personal information

In the past twelve months, we have collected the following categories of personal information defined under the CCPA:

identifiers (such as name, email address, user identifiers, IP address);
personal information described in Cal. Civ. Code §1798.80(e) (such as account credentials, payment information processed by Stripe);
commercial information (subscription and purchase history);
internet or other electronic network activity (login times, error logs, usage of features);
geolocation data (where you provide route information);
inferences drawn from the above (such as fitness level estimates used to generate training plans);
sensitive personal information, including health and fitness data and account log-in credentials.

12.2 Sources, purposes, and recipients

The sources of this information, the business purposes for collecting it, and the categories of third parties with whom we share it are described in sections 4, 5, and 8 of this Privacy Policy.

12.3 Sale and sharing of personal information

We do not sell your personal information for monetary or other valuable consideration, and we do not share your personal information with third parties for cross-context behavioural advertising. We have not done so in the preceding twelve months, and we do not knowingly do so with respect to any consumer.

12.4 Sensitive personal information

We use sensitive personal information (in particular health and fitness data) only to provide the Service, including its AI features, and to perform the purposes that an average consumer would reasonably expect. You may request that we limit the use of this sensitive personal information by contacting us. Limiting this use will disable AI training plan generation, AI analysis chat, and other features that depend on health-related data.

12.5 Your California rights

As a California resident you have the rights described in the table below:

Right	Description
Right to know / right to access	You can request information about the categories of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting it, the categories of third parties with whom we share it, and the specific pieces of personal information we hold about you.
Right to delete	You can request that we delete the personal information we hold about you, subject to limited legal exceptions.
Right to correct	You can request that we correct inaccurate personal information.
Right to opt out of sale or sharing	We do not sell your personal information, and we do not share it for cross-context behavioural advertising. You therefore have nothing to opt out of in this respect, but you may submit a request at any time to confirm this and to ensure no future change.
Right to limit use of sensitive personal information	You can request that we limit the use of sensitive personal information (including health and fitness data) to what is necessary to provide the Service. Note that limiting this use may make features such as AI training plans and AI analysis chat unusable.
Right to non-discrimination	We will not discriminate against you for exercising any of these rights.
Right to appeal (Virginia, Colorado, Connecticut and others)	If we decline to act on your request, you may appeal that decision by replying to our response within 60 days. We will respond within 60 days of receiving your appeal.

To exercise any of these rights, contact us at support@stailan.com. We will verify your identity using the information associated with your account before responding. You may also designate an authorised agent to make a request on your behalf, in which case we will require written authorisation from you.

12.6 No discrimination

We will not deny you access to the Service, charge you different prices, or provide a different level of service because you have exercised any of your CCPA rights.

13. Notice for residents of other US states

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or any other US state with a comprehensive privacy law in force, you have rights similar to those described in section 12. In particular, you generally have the right to:

access the personal data we hold about you;
correct inaccurate personal data;
delete personal data;
obtain a portable copy of your personal data;
opt out of any sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects (we do not engage in any of these activities);
appeal a decision we make in response to a privacy request.

To exercise any of these rights, contact us at support@stailan.com. If we decline a request, you may appeal that decision by replying within 60 days. We will respond within 60 days. If we do not act on your appeal, you may contact your state attorney general.

We process sensitive data, including health and fitness data, only with your consent, in accordance with the laws of states that require this.

14. Children's privacy

Stailan is intended for users aged 16 and over. We do not knowingly collect personal information from anyone under 16. If you are under 16, please do not use the Service or provide any personal information to us.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at support@stailan.com and we will delete the relevant information.

Where additional protections apply to minors under local law (for example, the US Children's Online Privacy Protection Act for users under 13, or specific provisions for users aged 16 and 17 in California), we comply with those protections.

15. How we keep your data secure

We use a combination of technical and organisational measures designed to protect personal information, including:

encryption in transit using TLS 1.2 or higher;
encryption at rest for our databases;
strict access controls, including row-level security in our database and multi-factor authentication for administrative access;
hashed password storage using industry-standard algorithms;
audit logging of administrative actions;
regular backups with periodic recovery testing;
vulnerability monitoring and dependency updates;
written agreements with all service providers requiring them to maintain appropriate security.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Norwegian Data Protection Authority within 72 hours, and we will notify you without undue delay where required by law.

No system is perfectly secure. You can help protect your account by choosing a strong, unique password and by keeping your devices up to date.

16. Cookies and similar technologies

The Stailan web application uses a small number of cookies and similar technologies that are strictly necessary for the Service to function – for example, to keep you logged in and to remember your language preference. We do not use cookies for advertising or for cross-site tracking.

If we add any non-essential cookies or analytics in the future, we will update this Privacy Policy and, where required by law, ask for your consent before setting them.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The date at the top of the Privacy Policy will always tell you when it was last updated. If we make material changes, we will notify you in advance, for example by email or through a notice in the Service, before the changes take effect. We encourage you to review this Privacy Policy periodically.

18. How to contact us

If you have any questions about this Privacy Policy, want to exercise any of your rights, or want to make a complaint, please contact us at:

Email: support@stailan.com
Postal address: Stailan AS, Henrik Wergelands gate 33, 5031 Bergen, Norway

If you are in the European Union and we have appointed an EU representative, their contact details will be listed here. Likewise, if we appoint a UK representative or US privacy contact, those details will be added here.

You can also lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no, or with the supervisory authority in your country of residence.

End of Privacy Policy. This document is a draft prepared as a starting point for review by qualified legal counsel before publication.