Privacy Policy
Etapa — AI-Powered Cycling Companion
Effective Date: June 25, 2026
1. Introduction
Etapa ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Etapa mobile application ("App").
This policy applies to all users of the App regardless of location, and has been drafted with reference to the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA).
2. Data Controller
The data controller responsible for your personal data is:
Etapa Ltd, a company registered in England and Wales (company number 17130882), registered office 306b Cavendish Road, London SW12 0PJ.
Registered with the UK Information Commissioner's Office (ICO), registration number ZC179799.
Email: helloetapa@gmail.com
Website: https://getetapa.com
If a Data Protection Officer is appointed, their contact details will be published on our website.
3. Data We Collect
3.1 Data You Provide
- Account information: email address, name, and authentication credentials
- Cycling goals: target events, distances, dates, and experience level
- Training preferences: weekly availability, preferred training days, intensity preferences
- Companion selection: your chosen AI companion persona
- Chat messages: text you send to the AI companion, weekly check-in, and roadside-assistance features
- Photos and short videos: images of you and your bike that you choose to upload for the AI bike-fit, posture-check, or roadside-assistance features
- Self-reported training and fitness details: optional figures you enter such as body weight, maximum heart rate, and functional threshold power (FTP), and any free-text notes you write about injuries, pain, or physical constraints (for example in your athlete profile or weekly check-ins)
- Location you set: an approximate town/city or region you enter to find nearby events, shops, or physios, or a one-time approximate device location if you tap "detect my location"
- Connected Strava data (optional): if you choose to connect your Strava account, we sync your recent cycling activities — including distance, duration, elevation, speed, heart rate where available, and route maps (GPS data) — to inform your training. You can disconnect Strava at any time in Settings.
- Connected Whoop data (optional): if you choose to connect your Whoop account, we retrieve your daily recovery, strain, and sleep metrics through Whoop's API — including your recovery score, heart-rate variability (HRV), resting heart rate, day strain, and sleep performance and duration — so your guide can adjust training around how recovered you are. This is health-related data (see the note below and section 5). You can disconnect Whoop at any time in Settings, which stops further syncing and deletes the Whoop data we have cached.
- Feedback: any ratings, reviews, or feedback you provide through the App
Some of the information above — in particular notes about injuries, pain, or health conditions, the photos/videos you upload, and the recovery, heart-rate, and sleep metrics from a connected Whoop account — may constitute health-related personal data. We process it only to provide the coaching, bike-fit, and safety features you have asked for, and you are never required to provide it. See section 5 for the legal basis.
3.2 Data We Collect Automatically
- Device information: device type, operating system, unique device identifiers, app version
- Usage and product analytics: features used, session duration, screens viewed, and interaction patterns, including session-replay recordings in which text you type is masked before it leaves your device
- Crash and performance data: error logs and diagnostic information, which may include your user ID
- IP address and approximate location (country/region level only)
3.3 Data We Do Not Collect
- Continuous or background location tracking. We do not track your location while you are not using a feature that needs it. We do not collect GPS route data directly from your phone — route data only reaches us if you choose to connect Strava (see 3.1).
- Health and fitness data from Apple HealthKit or Google Health Connect. We do not read from these sources. We also do not read any data directly from a wearable device on your phone. The only wearable data we receive is what you explicitly authorise us to retrieve from Whoop's own API by connecting your Whoop account (see 3.1); apart from that, any fitness figures we hold are self-reported by you.
- Payment-card or other financial information (payments are processed entirely by Apple and Google — see section 6)
4. How We Use Your Data
4.1 Providing the Service
- Generating personalised AI training guides based on your goals and preferences
- Powering the AI companion chat, weekly check-in, ride-tip, and session-guidance features with contextual, personalised responses
- Analysing the photos and videos you upload to provide AI bike-fit feedback, posture checks, and roadside-assistance triage
- Searching for cycling events that match your goal and location through our "find a goal" feature
- Syncing your training data (and, if connected, your Strava activities and Whoop recovery data) across devices
- Adjusting your training plan and check-in guidance around your recovery, strain, and sleep, if you connect Whoop
- Managing your account and subscription
4.2 Improving the Service
- Analysing usage patterns to improve features and user experience
- Monitoring App performance and diagnosing technical issues
- Developing new features based on aggregated, anonymised usage trends
4.3 Communications
- Sending transactional emails (account verification, password resets, subscription confirmations)
- Sending product updates and feature announcements (with your consent, where required)
4.4 Human Review (Opt-In)
To refine the AI companion personas and the quality of their advice, members of Etapa's review team — human staff under contract with us — may review a sample of your AI companion conversations. This processing is strictly opt-in:
- Off by default. Human review only happens after you have turned on Help improve your companion in Settings → Companion & health → Privacy.
- PII is redacted before review. Before any human sees a message, our server strips names, email addresses, phone numbers, postcodes, street addresses, URLs, and card-shaped numbers from the text and replaces them with neutral tokens such as
[NAME]or[EMAIL]. Redaction runs server-side and is conservative — we err on the side of removing too much. - What reviewers can access. Redacted companion-chat messages, your training guides and sessions, your weekly check-in answers, and metadata about ride-tip requests (when, on which activity, model + cost). Reviewers cannot see your email address, login credentials, payment details, or any data you have not shared with the AI companion.
- Reviewer notes. Reviewers may attach short text notes against any of the above to feed back into the AI training loop. These notes are internal to Etapa.
- Withdrawal. You can switch the toggle off at any time. From that point on, no new conversations are eligible for review. Existing redacted samples may be retained for an internal review window of up to 12 months and are then deleted; deleting your Etapa account removes them immediately as part of the standard account-deletion flow.
5. Legal Basis for Processing (GDPR)
Under the UK GDPR and EU GDPR, we process your data on the following legal bases:
- Contract: Processing necessary to provide the service you have requested (generating training guides, companion chat, account management).
- Legitimate interest: Improving the App, ensuring security, and preventing fraud.
- Consent: Sending marketing communications, setting non-essential analytics cookies on our website (Google Analytics — see section 12), processing any optional data you choose to provide, and the Human Review described in section 4.4 (which only proceeds where you have explicitly opted in).
- Explicit consent (special category data): Where the information you choose to share constitutes health-related data — for example notes about injuries, pain, or medical conditions, or the photos and videos you upload for bike-fit and posture analysis — we rely on your explicit consent, given by choosing to enter that information or upload that media. You are never required to provide it, and you can delete it (see section 7).
You may withdraw consent at any time by adjusting your preferences in the App settings or contacting us at helloetapa@gmail.com. Withdrawing consent for Human Review stops any new conversations being eligible for review.
6. Third-Party Data Processors (Sub-processors)
We share your data with the following third-party processors, solely to provide and improve the service. We maintain this list and will update it when our sub-processors change.
- Anthropic (AI — United States): Your cycling goals, training preferences, companion selection, chat and check-in messages, and the photos and videos you upload for bike-fit, posture, and roadside features are sent to Anthropic's Claude API to generate guides, responses, and analysis. If you choose to attach one of your connected Strava rides to a message in the companion chat, the details of that ride (such as distance, duration, speed, heart rate, and route) are also sent to Anthropic for that message so the companion can answer your question about it. Anthropic processes this data under its commercial terms and does not use it to train its models.
- Perplexity (AI event search — United States): When you use the "find a goal" feature, your search criteria (such as your goal type, distance, and the town/region you are looking in) are sent to Perplexity to find matching cycling events. We do not send your name, email, or account identifiers.
- Supabase (database, file storage & authentication — European Union): Your account, training data, uploaded photos/videos, and preferences are stored here, and Supabase handles secure sign-in.
- Railway (application hosting — United States): Our application server runs on Railway; your requests to the App pass through it.
- PostHog (product analytics & session replay — European Union): Captures usage events and session-replay recordings (with typed text masked) to help us understand and improve the App. Events may be linked to your user ID.
- Google Analytics (website analytics — United States): On our marketing website (not the App), Google Analytics measures aggregate visits and traffic sources so we can understand how people find and use the site. It uses cookies and may collect your approximate location and device information. We do not send it your name, email, or account identifiers.
- Sentry (crash & error diagnostics): Receives error and performance reports, which may include your user ID and technical context, to help us fix bugs.
- RevenueCat (subscription management): Manages your subscription status and purchase events across app stores. It does not receive your payment-card details.
- MailerLite (email): Sends transactional and, where you have not opted out, product emails. Receives your email address and email-engagement events.
- Strava (optional — only if you connect it): If you connect Strava, we retrieve your recent activity data through Strava's API. By default this Strava data is not sent to our AI provider; the one exception is when you explicitly attach a Strava ride to a companion-chat message, in which case the details of that ride are sent to Anthropic (see above). You can disconnect at any time.
- Whoop (optional — only if you connect it): If you connect Whoop, we retrieve your recovery, strain, and sleep metrics through Whoop's API to personalise your training. Whoop acts as the source of this data under its own privacy policy; we receive it only after you authorise the connection. By default this Whoop data is not sent to our AI provider. You can disconnect at any time in Settings, which stops further syncing and deletes the Whoop data we have cached.
- Expo (push notifications): Delivers push notifications using a device push token. Notification content is routed via Apple and Google push services.
- Maps & geocoding (Mapbox and OpenStreetMap / Nominatim): Used to display maps and turn a place name into coordinates. These services receive map and location-lookup requests but not your account identifiers.
- Apple & Google: Handle sign-in (where you use Apple/Google sign-in) and all subscription billing and payment processing. We do not receive or store your payment details.
We do not sell your personal data to any third party.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the service. Specifically:
- Account data, training guides, chat and check-in history, and uploaded photos/videos: Retained for the duration of your account. You can delete individual guides at any time.
- Connected Strava activity data: Retained while your account is active. Disconnecting Strava stops new syncs; previously synced data is removed when you delete your account.
- Connected Whoop recovery data: We keep a rolling cache of your recent daily metrics while the connection is active. Disconnecting Whoop in Settings deletes this cached data; it is also removed when you delete your account.
- Usage, analytics, and diagnostic data: Retained by our analytics and error-monitoring providers in pseudonymised form, in line with their retention settings (up to 24 months).
- When you delete your account: We delete your account, its associated database records, and your uploaded photos and videos. This is carried out promptly and in any case within 30 days, except where limited records must be retained to meet a legal, tax, or fraud-prevention obligation.
You can delete your account at any time from Settings → Delete account.
8. Your Rights
8.1 Under UK/EU GDPR
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interest or for direct marketing.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
8.2 Under CCPA (California Residents)
- Right to know: Request details about the categories and specific pieces of personal information we have collected.
- Right to delete: Request deletion of personal information we have collected.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
We do not sell personal information as defined by the CCPA.
To exercise any of these rights, contact us at helloetapa@gmail.com. We will respond within 30 days (or as required by applicable law).
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Row-level security on database records to ensure users can only access their own data
- Secure authentication with hashed credentials
- Regular security reviews and dependency updates
While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
10. International Data Transfers
Some of our processors are located outside the UK and EU, including in the United States (for example Anthropic, Perplexity, and Railway — see section 6). This means your data may be transferred to and processed in those countries.
For these transfers we rely on appropriate safeguards recognised under UK and EU data protection law — such as the UK–US Data Bridge / EU–US Data Privacy Framework where the recipient is certified, the UK International Data Transfer Agreement (IDTA), or Standard Contractual Clauses (SCCs). You can contact us at helloetapa@gmail.com for more detail on the safeguard relied on for a particular processor.
11. Children's Privacy
The App is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly.
12. Cookies and Tracking
The App does not use advertising cookies or cross-app tracking identifiers, and we do not track you across other companies' apps or websites. The App does use first-party analytics and session replay (see sections 3.2 and 6), which rely on device and installation identifiers to understand how the App is used and to diagnose problems. We do not use this data for advertising. We respect Apple's App Tracking Transparency framework and will request permission before any activity that would require it.
Our website (getetapa.com):
- Strictly necessary: We store a small record of your cookie choice (in your browser's local storage) so we don't ask you again. This is required to make the site work and to honour your preference, so it does not need your consent.
- Analytics (optional — consent required): With your consent, we load PostHog and Google Analytics. PostHog sets first-party analytics cookies and captures usage events and session-replay recordings (with typed text masked); Google Analytics sets non-essential analytics cookies (for example _ga and _ga_<id>) to measure aggregate visits and traffic sources. We use these to understand how the site is used and improve it. We do not load either tool, and no analytics cookies are set, until you accept the cookie banner shown on your first visit. If you decline, these cookies are not used.
You can change or withdraw your choice at any time using the "Cookie settings" link in the website footer, which reopens the banner. Withdrawing consent stops any further analytics collection in your browser. We do not use advertising cookies or cross-site tracking on the website.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App and, where appropriate, by email. The "Effective Date" at the top of this policy indicates when it was last revised.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
Email: helloetapa@gmail.com
Website: https://getetapa.com
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at https://ico.org.uk.