Who we are

VeloCoach AI is an AI-powered cycling coaching app for iPhone, operated by VeloCoach AI Ltd, a company registered in England & Wales. For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), VeloCoach AI Ltd is the data controller of the personal data described in this policy.

This policy explains how we handle your personal data when you use the VeloCoach AI app and this website. If you have any questions, contact us at hello@velocoach-ai.com.

What we collect

Account data Required

Your name, email address, and an encrypted password when you create an account. Passwords are hashed — we never store them in plain text.

Training profile & workout data Required

Your FTP (functional threshold power), body weight, preferred discipline (road, gravel, MTB), training goals, and gender (Man, Woman, Other, or Prefer not to say). Gender is used to personalise coaching — specifically to determine whether to offer cycle-aware coaching recommendations.

We also store your ride and workout history, including activity files, power, pace, distance, duration, and the Fitness, Fatigue and Form training-load metrics derived from your activities. This is retained until you delete your account.

Health & fitness metrics Permission required

With your explicit permission, we read health metrics from Apple Health and Google Health, including heart rate, heart rate variability (HRV), resting heart rate, sleep duration, active energy, VO2 max estimates, and workout summaries. We only read this data after you grant permission, and it is never sold or shared for advertising.

AI coaching interactions Collected

Your coaching messages and any generated training plans are stored so VeloCoach can remember your history and give continuity across sessions. This is what makes coaching feel personal rather than starting from scratch every time.

Menstrual cycle data Explicit consent

If you choose to enable cycle tracking in Settings, VeloCoach collects your last period start date, average cycle length, and whether cycle tracking is active. This is optional — you are never asked for this data unless you actively switch it on.

This data falls under UK GDPR Article 9 (special category health data) and is collected only on the basis of your explicit consent. You can withdraw consent and delete all cycle data at any time via Settings > Cycle Tracking > Turn Off, which removes the data from our servers immediately. It is used solely to tailor coaching commentary, is never shared with third parties, and is never used for advertising.

Device & usage data Limited

To deliver push notifications we process a device push token and basic device information (such as operating system version). We do not embed third-party advertising or analytics SDKs, and we do not track your activity across other apps or websites.

Sources & integrations

Most of your training data reaches VeloCoach through integrations you choose to connect. You control these and can disconnect them at any time.

  • intervals.icu — ride activities, workout files, and your athlete profile, fetched using OAuth tokens you grant.
  • Wahoo — activities and device data; we can also push structured workouts to your Wahoo ELEMNT device.
  • Strava (push-only) — VeloCoach does not pull ride data from Strava. We only write AI coaching feedback back to your Strava activity descriptions when you use the "Send to Strava" feature. We make no other changes to your Strava account.
  • Apple Health — health and fitness metrics read on-device with your permission.
  • Google Health — health and fitness metrics read with your permission on Android-connected accounts.

You can revoke access to any integration through that platform's connected-apps settings, or from within VeloCoach under Profile > Integrations.

How we use your data

  • To generate personalised training plans and daily coaching advice using AI (Claude, made by Anthropic).
  • To display your fitness history, recent activities, training-load metrics, and recovery status inside the app.
  • To push structured workouts to your Wahoo ELEMNT device.
  • To maintain coaching memory so your coach knows your history without you repeating yourself.
  • To send you push notifications about your training (where you have enabled them).
  • To operate, secure, and improve the service, and to provide customer support.

We never sell your data. We never use it for advertising. We never share it with any company except the processors listed below, which are strictly necessary to run the service.

Third-party processors

These are the third-party services we use to run VeloCoach. We have no other data-sharing arrangements.

Provider Purpose Data shared Notes
Supabase Database & authentication All stored account and training data EU-region hosting
Railway Backend / API hosting Data passes through the backend in transit No separate persistent data store
Anthropic (Claude) AI coaching & plan generation Your coaching messages and relevant training context Not used to train Anthropic's models under our API agreement
Apple (APNs) Push notifications & App Store billing Device push token; subscription status iOS devices
Google (FCM) Push notifications Device push token Android-connected delivery

International transfers

We host your core data in the EU region. Some of our processors (for example, Anthropic and Apple/Google push services) may process data in the United States or other countries outside the UK/EEA. Where data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum and the EU Standard Contractual Clauses, or an adequacy decision, to protect your data.

Data retention

  • Your data is kept for as long as your account is active.
  • If you delete your account, all stored data is permanently removed within 30 days.
  • Backups containing your data are purged on the same rolling 30-day schedule.

How to delete your data

You can delete your account and all associated data directly in the app: Profile > Account > Delete Account. This permanently removes your data within 30 days.

You can also request deletion by emailing hello@velocoach-ai.com with the subject "Delete my account". If you revoke VeloCoach's access from a connected platform (for example Strava's connected-apps settings), the related credentials are deleted automatically — for Strava, within minutes via the deauthorisation webhook.

Your rights

If you are in the UK or EU, you have the following rights. To exercise any of them, email hello@velocoach-ai.com and we will respond within 30 days.

📋

Right to access

Request a copy of all data we hold about you. Email with subject "Data access request".

🗑️

Right to deletion

Ask us to permanently delete your account and all associated data. Email with subject "Delete my account".

📦

Right to portability

Request an export of your data in a machine-readable format. Email with subject "Data export request".

You also have the right to rectification, to restrict or object to processing, and to withdraw consent at any time where we rely on it.

Children

VeloCoach AI is not directed at children. The service is intended for users aged 16 and over, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

Security

  • All data is transmitted over HTTPS/TLS.
  • Passwords are hashed using industry-standard algorithms — we cannot recover them.
  • OAuth tokens for intervals.icu, Wahoo, and Strava are stored encrypted.
  • We do not log or store raw API tokens in application logs.

Changes to this policy

We may update this page from time to time. The "last updated" date at the top always reflects the most recent version. Where changes are material, we will take reasonable steps to notify you. Continued use of the app after changes are posted constitutes acceptance of the updated policy.

Contact

Data controller: VeloCoach AI Ltd (England & Wales)

For any privacy questions, data requests, or concerns, email hello@velocoach-ai.com. We aim to respond to all requests within 5 business days and to complete them within 30 days.

If you believe we have not addressed your concern adequately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK, or your local data protection authority.