Privacy Policy
Privacy Policy
Version 2.4•Dernière mise à jour : May 2026
1. Introduction
This privacy policy describes how Ekygai collects, uses, stores, protects and shares the personal data of its users (athletes, coaches, Team/Club administrators).
Ekygai is a decision-support platform for the planning and creation of sports training programmes and sessions. We are committed to protecting your data and complying with applicable data protection legislation, including:
- •CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act) for California residents
- •UK GDPR and the Data Protection Act 2018 for residents of the United Kingdom
- •EU GDPR (General Data Protection Regulation) for residents of the European Union
- •US state data protection and AI laws
By using the Ekygai platform, you agree to the practices described in this policy.
2. Data Collected
2.1 Account data
| Data | Required | Example |
|---|---|---|
| Email address | Yes | user@example.com |
| Username | Yes | athlete123 |
| Password (hashed) | Yes | Stored as a PBKDF2-SHA256 hash |
| Surname, first name | No | John Smith |
| Profile photo | No | Uploaded image |
2.2 Biometric and physiological data
| Data | Required | Purpose |
|---|---|---|
| Weight | No | Training load calculation |
| Height | No | BMI calculation for algorithms |
| Age, sex | No | Programme personalisation |
| Resting heart rate | No | Training zone calculation |
| Maximum heart rate | No | Training zone calculation |
| Heart rate variability (HRV) | No | Recovery assessment |
These data are entirely optional. They are collected only with your explicit consent and are used solely to improve the accuracy of AI suggestions. They are never used for biometric identification purposes.
2.3 Training and performance data
- •Sporting objectives and definitions
- •Generated programmes and compliance history
- •Calendar events (planned and completed sessions)
- •Performance metrics: TL, FG, RPE, heart rate zones
- •Session debrief: RPE, sleep quality, stress level, pain level
2.4 Location and external sensors (mobile app)
When you manually start an outdoor training session (Run, Bike, Hike) in the mobile app, Ekygai collects the following data:
| Data | Purpose | When |
|---|---|---|
| Precise GPS (latitude, longitude, altitude) | Route tracking, distance, pace, elevation gain | ONLY during an active session |
| Background location (Android 10+) | Maintain GPS tracking when the screen is off or the app is in the background during the session | ONLY during an active session |
| Bluetooth Low Energy (BLE) sensors | Read heart rate from external sensors (HR strap, watch, power meter) | ONLY during an active session, if a sensor is connected |
Background location is NEVER used outside of a training session that the user has explicitly started. You can stop the session at any time via the "Stop" button, which immediately ends all location and sensor data collection. No location data is shared with third parties. Bluetooth permissions use the "neverForLocation" flag (Android 12+) — they are used only to scan and connect to heart rate sensors, never to derive your location.
2.5 Governance and coach-athlete relationship data
- •Coach-athlete links (status, dates, governance mode)
- •Governance change history (timestamped audit log)
- •Recorded consent (date, method) for each link
2.6 Conversation data (EkyBot)
EkyBot is Ekygai's intelligent conversational assistant, powered by a third-party large language model (LLM). It allows you to ask questions about your training, analyse a session in detail, discuss your programme or review a week. When you use EkyBot, the following data are collected:
| Data | Required | Purpose |
|---|---|---|
| Messages sent | Yes (if you use the chat) | Processing by the LLM to generate a response |
| Assistant responses | Automatic | Display and conversation history |
| Training context | Automatic | Enables EkyBot to understand your sporting situation for relevant responses |
| Conversation identifier | Automatic | History organisation |
| Message timestamps | Automatic | Traceability and chronological display |
The training context sent to EkyBot is a summary of your active programme (objective, discipline, current week). It does not contain personally identifiable data (no email, no name, no password).
2.7 Technical data
- •IP address, browser type, operating system
- •Connection and activity logs
- •Cookie data and similar technologies
3. Purposes of Processing
| Purpose | Legal basis | Data concerned |
|---|---|---|
| Provide the service (programmes, calendar, AI suggestions) | Performance of contract | Account, training, biometric |
| Personalise AI recommendations | Consent | Biometric, performance, debrief |
| Ensure platform security | Legitimate interest | Account, technical data |
| Improve algorithms | Legitimate interest | Anonymised and aggregated data |
| Manage coach-athlete relationship | Explicit consent | Governance, links, performance |
| Provide the EkyBot conversational assistant | Performance of contract | Messages, training context |
| Sync workouts from Apple Health / Health Connect | Consent | Workout summaries, heart rate, GPS samples |
| Comply with legal obligations | Legal obligation | As required by applicable law |
Legal bases (Article 6, and Article 9 where applicable, of the GDPR / UK GDPR): "Performance of contract" = Art. 6(1)(b); "Consent" / "Explicit consent" = Art. 6(1)(a), and Art. 9(2)(a) for health and biometric data (special categories of data); "Legitimate interest" = Art. 6(1)(f); "Legal obligation" = Art. 6(1)(c). Consent may be withdrawn at any time without affecting the lawfulness of processing carried out beforehand.
We NEVER sell your personal data to third parties. We NEVER use your data for advertising purposes.
5. Data Security
- •Encryption in transit: TLS 1.2+ for all communications
- •Encryption at rest: Sensitive data encrypted in the database
- •Password hashing: PBKDF2-SHA256 (ASP.NET Identity standard)
- •Authentication: Signed JWT tokens (HS512) with short expiry (10 min)
- •Rate limiting: Protection against brute-force attacks
- •Backups: Automatic daily backups
- •Audit logs: Traceability of sensitive actions (governance, consent)
6. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Duration of account activity |
| Training data | Duration of account activity |
| Biometric data | Duration of account activity |
| EkyBot conversations | Duration of account activity (manual deletion possible at any time) |
| Technical logs (IP, connections) | 12 months |
| Payment / accounting records | 6 years from the transaction date (HMRC / Companies Act 2006) |
| After account deletion | All deleted within 30 days |
| Anonymised data | Retained indefinitely |
7. Your Rights
7.1 Rights for all users
| Right | Description | How to exercise |
|---|---|---|
| Access | Obtain a copy of your data | Settings or privacy@ekygai.com |
| Rectification | Correct inaccurate data | Edit in your profile |
| Deletion | Delete your account and data | Settings > Delete account |
| Portability | Receive your data in JSON format | privacy@ekygai.com |
| Objection | Object to certain processing | privacy@ekygai.com |
| Withdrawal of consent | Withdraw your consent at any time | Settings or privacy@ekygai.com |
Ekygai responds to any request within one month of receipt. This period may be extended by two further months for complex or numerous requests; you will be informed of any such extension and the reasons for it (Article 12.3 of the GDPR / UK GDPR).
7.2 California residents (CCPA/CPRA)
- •Right to know the categories of data collected and purposes.
- •Right to delete your personal data.
- •Right to opt out of the sale of your data. Ekygai does not sell your data.
- •Right to non-discrimination for exercising your rights.
- •Right to correct inaccurate information.
- •Right to limit the use of your sensitive data.
7.3 European Union residents (GDPR)
- •Right to restriction of processing.
- •Right to withdraw consent at any time.
- •Right to lodge a complaint with the competent supervisory authority.
7.4 United Kingdom residents (UK GDPR)
- •Right to restriction of processing.
- •Right to withdraw consent at any time.
- •Right to lodge a complaint with the Information Commissioner's Office (ICO).
For users residing in the United Kingdom, processing is governed by the UK GDPR and the Data Protection Act 2018. The competent supervisory authority is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom — https://ico.org.uk. EKYGAI LLP is registered with the ICO under number ZC126055.
7.5 Biometric data
Ekygai does not collect biometric identifiers within the meaning of BIPA (no facial recognition, fingerprints or voice). The physiological data collected (weight, height, HR, HRV) are fitness measurements, distinct from protected biometric identifiers.
9. AI Transparency
9.1 DEM — Deterministic AI engine (programmes and training)
The DEM (Deterministic Expert Model) is Ekygai's calculation engine. It generates training programmes and sessions deterministically:
- •Each discipline has its own specialised engine within the DEM.
- •The DEM does not use generative language models (LLMs) for programme generation.
- •The algorithms follow documented physiological rules and are reproducible: same inputs = same outputs.
- •No data is sent to a third-party service during programme generation.
- •DEM suggestions are non-binding recommendations. The user always retains the final decision.
9.2 DOME — EkyBot, conversational assistant (LLM)
The DOME (Domain Optimised Model Environment) is Ekygai's conversational environment. It operates via EkyBot, an assistant powered by a third-party large language model (LLM) provided by Anthropic (Claude). The DOME never calculates your sessions — it relies on DEM outputs to assist you and answer your questions in context. EkyBot enables you to:
- •Ask questions about your training, metrics and progression.
- •Analyse a specific session in detail (content, load, perceived effort).
- •Review a training week and understand proposed adjustments.
- •Discuss your active programme, objectives and strategy.
Regarding your data:
- •A summary of your training context is sent to the LLM to personalise responses, without personally identifiable data.
- •Conversations are processed via the Anthropic API. Anthropic does not retain your data beyond the processing of the request.
- •Your conversations are not used to train third-party AI models.
- •Security measures are applied to protect conversation content.
- •When you interact with EkyBot, you are clearly informed that it is an artificial intelligence system and not a human being.
EkyBot is an assistance and information tool. Its responses do not constitute medical advice, a diagnosis or a prescription. The user always retains the final decision.
9.3 Your rights regarding EkyBot data
- •You can delete an individual conversation at any time.
- •You can delete your entire conversation history (GDPR compliance).
- •You can export your conversation history in JSON format (right to portability).
- •You can archive conversations without deleting them.
10. International Data Transfers
Some service providers are located outside the EEA and the United Kingdom, in particular in the United States (Railway, Anthropic, Google) and Singapore (Dodo Payments). Such third-country transfers are framed by appropriate safeguards:
- •Transfers from the EU/EEA: the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914).
- •Transfers from the United Kingdom: the ICO International Data Transfer Agreement (IDTA), or the UK Addendum to the SCCs, in force since 21 March 2022.
These transfers are accompanied by supplementary technical measures (encryption, pseudonymisation).
11. Protection of Minors
Ekygai is intended for adult users aged 18 and over. We do not knowingly collect data from users under the age of 18. If we become aware that we have collected data from a user under 18, we shall delete it immediately. Parents or legal guardians who become aware that their child under 18 has provided us with personal data should contact us at privacy@ekygai.com.
12. Changes to this Policy
In the event of a material change, you will be notified by email or by notification within the platform at least 30 days before it takes effect. Continued use after the effective date constitutes acceptance.
13. Contact
For any questions regarding this policy or to exercise your rights:
- •Email: privacy@ekygai.com
- •Website: ekygai.com/privacy
- •Registered office: EKYGAI LLP (Partnership No. OC460332), 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom
EKYGAI LLP has not designated a Data Protection Officer (DPO); the need for such a designation under Article 37 of the GDPR / UK GDPR is reviewed periodically as processing activities evolve. The data protection point of contact, for any request or to exercise your rights, is privacy@ekygai.com.