Privacy Policy

Last updated: March 21, 2026

1. Who we are

Athlin ("we", "our", "us") is an AI-powered coaching CRM operated by Athlin. Our platform helps sports trainers manage their athletes, generate training plans, and track performance data from wearable devices.

Contact: [email protected]

2. What data we collect

We collect data necessary to provide our coaching platform services:

  • Account data: Name, email address, password (hashed), account creation date.
  • Athlete profile data: Name, email, sport, gender, date of birth, training goals, injuries, experience level, equipment — entered by the trainer.
  • Wearable device data (Garmin, Apple Watch): Training activities (type, duration, distance, heart rate, pace, calories, elevation), daily summaries, HRV (heart rate variability), sleep data (duration, deep/light/REM, sleep score), stress levels, resting heart rate, body battery, and VO2 max estimates.
  • Training plan data: AI-generated plans, planned workouts, trainer adjustments, plan compliance records.
  • Usage data: Pages visited, features used, browser type, IP address (for security purposes).

3. How we use your data

  • Provide the service: Display activity data to trainers, generate AI training plans, track plan compliance, compute recovery metrics.
  • Improve AI plan quality: Trainer adjustments to AI-generated plans are used to improve future plan suggestions for that specific trainer. We do not share one trainer's coaching patterns with another.
  • Send notifications: Weekly digest emails to trainers, athlete invite emails, account-related communications.
  • Ensure security: Detect and prevent unauthorized access, fraud, and abuse.

4. Garmin Connect data

When an athlete connects their Garmin account through our platform, we receive activity and health data via the Garmin Connect API. Specifically:

  • Activity data: Activity type, start time, duration, distance, heart rate (average and max), pace, calories burned, elevation gain/loss, and device name.
  • Health metrics: HRV (heart rate variability), sleep duration and stages, sleep score, stress levels, resting heart rate, body battery, and daily step counts.

This data is:

  • Used solely to display training progress to the trainer and athlete, generate personalized training plans, and assess recovery status for plan adjustments.
  • Never sold to third parties.
  • Never shared with other trainers or athletes. Each trainer can only see data for their own athletes.
  • Stored securely in encrypted databases hosted on Railway (EU region).
  • Deletable at any time — when a trainer removes an athlete or an athlete disconnects Garmin, all associated Garmin data is permanently deleted.

Athletes can revoke Garmin access at any time through their Garmin Connect account settings or by contacting their trainer.

5. Data sharing

We share data only with the following parties, solely to operate the service:

  • Anthropic (Claude AI): Athlete profile data and recent training data are sent to Anthropic's Claude API to generate training plans. This data is processed per Anthropic's API terms and is not used to train their models.
  • Resend: Email addresses for sending invite and digest emails.
  • Railway: Infrastructure hosting provider (database and application hosting, EU region).
  • Cloudflare: DNS and CDN services.
  • Google Analytics: We use cookieless Google Analytics to understand how visitors find our site. No cookies are set; only anonymized page view data (no IP address) is shared with Google.

We do not sell, rent, or trade personal data to any third party for marketing or advertising purposes.

6. Data retention

  • Account data: Retained as long as the account is active. Deleted within 30 days of account deletion request.
  • Athlete data: Retained as long as the trainer-athlete relationship exists. Deleted when the trainer removes the athlete.
  • Garmin data: Retained as long as the Garmin connection is active. Deleted when the connection is revoked or the athlete is removed.
  • AI generation logs: Retained for 12 months to support the adaptive learning feature, then automatically deleted.

7. Your rights

Under GDPR and applicable data protection laws, you have the right to:

  • Access your personal data.
  • Correct inaccurate personal data.
  • Delete your personal data ("right to be forgotten").
  • Export your data in a portable format.
  • Withdraw consent at any time (e.g., disconnect Garmin, delete account).
  • Object to processing of your data.

To exercise any of these rights, email us at [email protected].

8. Security

We implement industry-standard security measures:

  • All data transmitted over HTTPS with TLS encryption.
  • Passwords hashed using bcrypt.
  • Database access restricted to authenticated application services only.
  • OAuth tokens stored securely with access scoped per athlete.
  • Webhook endpoints protected with shared secrets.
  • Trainer data isolation — no trainer can access another trainer's athletes or data.

9. Cookies

We use only essential cookies required for authentication (session tokens). We do not use tracking cookies, analytics cookies, or advertising cookies.

10. Changes to this policy

We may update this privacy policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.

If you have questions about this privacy policy, contact us at [email protected].