Legal

PRIVACY POLICY

Last updated: March 22, 2026

Effective date: March 22, 2026

1. WHO WE ARE

Ryan Park, operating as Velox ("Velox", "we", "us", "our") operates the AI-powered endurance training platform accessible at https://veloxapp.site and associated mobile or web applications (the "Service"). We are based in Ontario, Canada.

Privacy contact: hello@velox.training

This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and the rights you have regarding your information. Please read it carefully.

2. INFORMATION WE COLLECT

2.1 Information you provide directly

  • Account information: email address, name, profile photo.
  • Onboarding data: sport type, experience level, weekly training hours, recent race results, fitness metrics (FTP, CSS, heart rate zones, VO2 max estimates), injury history, sleep habits, and life stress indicators.
  • AI coaching chat: messages you send to the Velox AI coach.
  • Race schedule: upcoming races, distances, and priority levels you enter.

2.2 Health and activity data from integrations

When you connect a third-party fitness platform, we receive the following categories of data. This data constitutes health information and, for users in the European Economic Area (EEA), is considered special category data under GDPR Article 9. We collect it only with your explicit consent (see Section 4).

  • Workout data: activity type, duration, distance, heart rate, power output, pace, cadence, elevation, and calories.
  • Recovery data: HRV (heart rate variability), resting heart rate, recovery scores, sleep duration and quality, body battery, and stress scores.
  • GPS and route data (where provided by the integration).

2.3 Automatically collected data

  • Usage data: pages visited, features used, session duration, button clicks.
  • Device and technical data: browser type, operating system, IP address, time zone.
  • Cookies and local storage: session tokens and preference data. See Section 9 for details.

2.4 Billing data

Subscription and payment processing is handled by Stripe, Inc. We store only your subscription status and Stripe customer ID. We never receive or store full credit card numbers, CVV codes, or bank account details.

3. HOW WE USE YOUR INFORMATION

We use your information for the following purposes:

  • Generating and adapting your personalised training plan.
  • Providing AI coaching chat responses that are contextualised to your fitness profile and training history.
  • Tracking your training progress and displaying analytics (fitness, fatigue, form scores).
  • Sending weekly training digest emails (you may opt out at any time).
  • Processing payments and managing your subscription.
  • Providing customer support.
  • Detecting and preventing fraud, abuse, and security incidents.
  • Improving the Service, fixing bugs, and developing new features.
  • Complying with legal obligations.

We do not sell your personal information to third parties. We do not use your health or training data for advertising purposes. We do not use your data to train AI models that are shared with or sold to third parties.

4. LEGAL BASIS FOR PROCESSING (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases under the General Data Protection Regulation (GDPR):

  • Contract performance (Article 6(1)(b)): Processing your account information and training data is necessary to provide the Service you signed up for.
  • Explicit consent (Article 6(1)(a) and Article 9(2)(a)): We rely on your explicit consent to process health and activity data synced from third-party integrations (heart rate, HRV, recovery scores, etc.). You may withdraw this consent at any time by disconnecting the relevant integration from your account settings. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Legitimate interests (Article 6(1)(f)): We process usage and technical data to improve the Service, detect fraud, and ensure security. We have assessed that these interests are not overridden by your data protection rights.
  • Legal obligation (Article 6(1)(c)): We may process your data where required to comply with applicable law.

5. THIRD-PARTY INTEGRATIONS AND SHARING

5.1 Fitness platform integrations

When you connect Garmin, Strava, Wahoo, or WHOOP, you authorise us to receive activity and health data from those platforms. We request only the minimum permissions required to sync your workouts. You can disconnect any integration at any time from Settings, which will stop future data collection from that platform. Historical data already synced will remain unless you delete your account.

5.2 Service providers (sub-processors)

We share your data with the following categories of service providers who process it on our behalf:

  • Supabase, Inc. (USA): database hosting and authentication.
  • Vercel, Inc. (USA): application hosting and infrastructure.
  • Anthropic, PBC (USA): AI model powering the coaching chat. Your training context is sent to Anthropic to generate responses.
  • Stripe, Inc. (USA): payment processing.
  • Resend, Inc. (USA): transactional email delivery.

All service providers are contractually bound to process your data only on our instructions and in accordance with applicable privacy laws.

5.3 International data transfers

We are based in Canada. Canada has received an adequacy decision from the European Commission with respect to organisations covered by PIPEDA. Our service providers are primarily located in the United States. Transfers of personal data from the EEA to our US-based service providers are made under Standard Contractual Clauses (SCCs) adopted by the European Commission, or other appropriate safeguards.

5.4 Legal disclosures

We may disclose your information if required by law, court order, or governmental authority, or where we believe disclosure is necessary to protect the rights, property, or safety of Velox, our users, or the public.

5.5 Business transfers

If Velox is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.

6. DATA RETENTION

We retain your personal data for as long as your account is active and for a reasonable period thereafter in case you choose to reactivate. Specific retention periods:

  • Account and training data: retained until account deletion.
  • AI chat messages: retained until account deletion.
  • Billing records: retained for 7 years as required by Canadian tax law.
  • Security and fraud logs: retained for up to 12 months.

When you delete your account, we permanently erase all training plans, sessions, activity data, chat history, onboarding data, and profile information. Billing records are retained only as required by law. Deletion is processed within 30 days of your request.

7. YOUR RIGHTS

Depending on your location, you have the following rights regarding your personal data:

7.1 All users

  • Access: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request deletion of your account and all associated data via Settings → Delete Account, or by emailing us.
  • Opt-out of marketing emails: unsubscribe via the link in any email or by updating your notification preferences in Settings.

7.2 EEA, UK, and Switzerland (GDPR)

In addition to the above, you have the right to:

  • Portability: receive your data in a structured, machine-readable format.
  • Restriction: request that we restrict processing of your data in certain circumstances.
  • Object: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Supervisory authority: lodge a complaint with your local data protection authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the ICO at ico.org.uk.

7.3 California residents (CCPA/CPRA)

California residents have the right to know what personal information is collected, to delete it, to opt out of its sale (we do not sell personal information), and to non-discrimination for exercising these rights. To submit a verifiable consumer request, email hello@velox.training.

7.4 Canadian residents (PIPEDA / Quebec Law 25)

Canadian residents have rights of access and correction under PIPEDA and provincial privacy legislation. Quebec residents have additional rights under Law 25, including the right to data portability and the right to be informed of automated decision-making. Contact us at hello@velox.training to exercise these rights.

We will respond to all rights requests within 30 days. We may need to verify your identity before processing your request.

8. SECURITY

We implement industry-standard security measures to protect your personal information, including:

  • Encrypted connections (TLS 1.2+) for all data in transit.
  • Encryption at rest for database storage.
  • Row-level security policies on our database.
  • Access controls limiting which systems and personnel can access your data.
  • HMAC-signed webhook verification for all third-party integrations.

No method of electronic transmission or storage is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.

9. COOKIES AND TRACKING

We use the following types of cookies and local storage:

  • Essential cookies: authentication session tokens required for the Service to function. These cannot be disabled.
  • Preference cookies: store your theme and display preferences.

We do not currently use advertising cookies or third-party tracking pixels. If this changes, we will update this policy and, where required, obtain your consent.

10. CHILDREN

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the address associated with your account) and by updating the "Last updated" date at the top of this page at least 14 days before the change takes effect. Your continued use of the Service after that date constitutes acceptance of the updated policy. If you do not accept the changes, you may delete your account before the effective date.

12. CONTACT

For any privacy-related questions, rights requests, or concerns, contact us at:

Ryan Park, operating as Velox
Ontario, Canada
hello@velox.training

We aim to respond to all inquiries within 5 business days.