Table of Contents

  1. Data Controller
  2. Data We Collect
  3. Legal Basis for Processing
  4. How We Use Your Data
  5. Sharing Your Data
  6. Data Retention
  7. Your Rights Under GDPR
  8. Security
  9. Cookies
  10. International Transfers
  11. Children's Privacy
  12. Changes to This Policy
  13. Contact Us

Summary: We collect only what we need to provide the service, we never sell your data, you can delete your account at any time, and you have full GDPR rights. Read on for the full details.

1. Data Controller

The data controller for your personal data is:

endu-bot
Email: privacy@endubot.com

When this policy refers to "endu-bot", "we", "us", or "our", it refers to the data controller above. References to "you" or "your" refer to the individual using our service.

2. Data We Collect

We collect information you provide directly to us and information generated through your use of the service.

Account information

  • Name and email address (when you register)
  • Password (stored as an irreversible hash — we never store your plaintext password)
  • Google account details, if you choose to sign in with Google (name, email, profile picture URL)

Training and fitness data

  • Athlete profile: sport(s), current fitness level, training history, target races and events
  • Training plans: macro plans, weekly schedules, and session details generated with AI assistance
  • Conversation history: messages you exchange with the AI coach
  • Subjective performance notes you provide

Usage and technical data

  • Log data: IP address, browser type and version, pages visited, timestamps
  • Device information: operating system, screen resolution
  • Cookie identifiers (see Section 9)

Payment data

We do not store your payment card details. Payments are processed by our third-party payment processor and are subject to their privacy policy.

4. How We Use Your Data

We use the data we collect to:

  • Create, authenticate, and manage your account
  • Provide AI-powered coaching features, generate training plans, and enable chat interactions
  • Process subscription payments and manage billing
  • Send you important transactional communications about your account or subscription
  • Improve the quality and accuracy of our AI models (using anonymised and aggregated data only)
  • Monitor and improve the security and performance of our platform
  • Comply with legal obligations
  • Resolve disputes and enforce our terms

We will not use your data to make fully automated decisions that have a significant legal or similarly significant effect on you without offering a meaningful human review mechanism.

5. Sharing Your Data

We do not sell your personal data. We may share your data with:

Service providers (data processors)

We use trusted third-party services to operate our platform. These processors are contractually bound to handle your data only on our instructions and in accordance with GDPR:

  • Cloud hosting — infrastructure and database hosting
  • Payment processor — for subscription billing (your card data is handled directly by the processor)
  • AI model provider — conversation data is sent to our AI provider to generate responses. We have a Data Processing Agreement in place. Data is not used to train their general models without your explicit consent.
  • Email delivery — transactional email service
  • Analytics — privacy-respecting analytics provider (no cross-site tracking)

Legal requirements

We may disclose your data if required to do so by law or in response to a valid legal request from a competent authority. Where we are legally permitted to do so, we will notify you before such a disclosure.

Business transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. You will be notified via email and/or a prominent notice on our website.

6. Data Retention

We retain your personal data only as long as necessary for the purposes set out in this policy:

  • Account data — for as long as your account is active, plus 30 days after deletion to allow recovery.
  • Training data and conversation history — for the lifetime of your account, deleted upon account deletion.
  • Billing records — up to 7 years as required by EU tax law.
  • Security logs — up to 90 days.
  • Anonymised analytics data — may be retained indefinitely as it cannot be linked to you.

You can delete your account at any time from your account settings, which will trigger the deletion of your personal data (except where retention is required by law).

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:

  • Right of access — you may request a copy of the personal data we hold about you.
  • Right to rectification — you may ask us to correct inaccurate data.
  • Right to erasure ("right to be forgotten") — you may request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing — you may ask us to limit how we use your data in certain circumstances.
  • Right to data portability — you may request your data in a structured, machine-readable format.
  • Right to object — you may object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.
  • Right to lodge a complaint — you have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, please contact us at privacy@endubot.com. We will respond within 30 days. Identity verification may be required before we process your request.

8. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest in our databases
  • Passwords stored as cryptographic hashes (bcrypt)
  • HTTP-only, SameSite session cookies to mitigate XSS and CSRF attacks
  • Access controls and least-privilege principles for staff access to data
  • Regular security reviews and dependency updates

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, affected individuals without undue delay.

9. Cookies

We use cookies and similar technologies to operate and improve the service. You can manage your cookie preferences at any time.

For full details, please see our Cookie Policy.

10. International Transfers

Your data may be processed by our service providers in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure adequate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions recognising the country's level of data protection
  • Other lawful transfer mechanisms under Chapter V of the GDPR

11. Children's Privacy

Our service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child under 16 has provided us with personal data, please contact us at privacy@endubot.com and we will delete that data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice on our website at least 30 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

Your continued use of the service after the effective date of any changes constitutes your acknowledgement of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

You also have the right to lodge a complaint with the supervisory authority in your EU Member State or, for UK residents, with the Information Commissioner's Office (ICO) at ico.org.uk.