EndureX AI ("we", "us", "our") is committed to protecting the privacy and security of your personal data. This notice explains how we collect, use, store, and protect your information in compliance with the EU General Data Protection Regulation (GDPR), the EU Artificial Intelligence Act, and the ePrivacy Directive.
1. Data Controller
Sarah Karollus & Dr. Sebastian Reinhard
Johann-Herrmann-Straße 17
97078 Würzburg, Germany
Email: 5000wracemachine@gmail.com
For all data privacy inquiries, please contact us at the address above.
2. Types of Data We Collect
2.1 Account Data
Name, email address, and password (stored in hashed form only). This data is necessary to create and maintain your account.
2.2 Health & Fitness Data (Special Category Data under GDPR Article 9)
EndureX AI processes data that qualifies as special category personal data relating to your physical health. This includes:
- Heart rate data and heart rate zone configurations
- Pace and power output data
- Training stress scores: Chronic Load (CL), Acute Load (AL), and Form
- Activity records (distance, duration, elevation, route data)
- Workout plans, exercise prescriptions, and training schedules
- Strength training records (exercises, sets, reps, loads, muscle group tracking)
Under GDPR, health data is a special category of personal data subject to heightened protection. We process this data only with your explicit consent and apply the enhanced security measures described in Section 7 below.
2.3 Third-Party Integration Data
When you connect your Strava account or another supported service or wearable device, we import activity data via OAuth-authenticated API connections. This may include activity summaries, GPS tracks, heart rate streams, power data, and related metadata. You can disconnect third-party integrations at any time through your account settings, which stops further data import; data already imported is handled as described in Section 8.
2.4 Usage Data
We collect technical data including browser type, device information, and IP address through standard server access logs. This data is used for security monitoring, abuse prevention, and troubleshooting only. We do not use Google Analytics or any other third-party web analytics service, and we do not place tracking or advertising cookies. See Section 9 for our cookie policy.
3. Legal Basis for Processing
We process your personal data on the following legal bases:
| Data Category | Legal Basis | GDPR Article |
|---|---|---|
| Health & fitness data | Explicit consent | Art. 6(1)(a) / Art. 9(2)(a) |
| Account data | Performance of contract | Art. 6(1)(b) |
| Third-party integrations | Explicit consent | Art. 9(2)(a) / Art. 6(1)(a) |
| Server access & security logs | Legitimate interest | Art. 6(1)(f) |
| Transactional email (verification, password reset) | Performance of contract | Art. 6(1)(b) |
Consent for health and fitness data processing is obtained through a dedicated consent interaction during account registration, separate from general terms of service acceptance. You may withdraw consent at any time (see Section 6).
4. Artificial Intelligence Disclosure (EU AI Act)
EndureX AI uses artificial intelligence and large language model (LLM) systems to provide the following features:
- Automated generation of training plans and workout recommendations
- Analysis of training load, recovery status, and performance trends
- Conversational AI coaching through our chat interface
In accordance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), we disclose the following:
- Transparency: All AI-generated content is clearly identified as such. When you interact with our AI coaching features, you are informed that responses are generated by an AI system, not a human coach.
- Human oversight: AI-generated training recommendations are suggestions only and do not constitute medical advice. Users retain full control over their training decisions. We recommend consulting a qualified healthcare professional before making significant changes to your training based on AI recommendations.
- Data governance: AI models used by EndureX AI are trained and validated using representative, high-quality datasets. We implement measures to identify and mitigate potential biases in training recommendations.
- Risk management: We maintain a continuous risk management process throughout the AI system lifecycle, including regular evaluation of system outputs, monitoring for errors or harmful recommendations, and periodic review of model performance.
- No automated decision-making with legal effect: Our AI systems do not make decisions that produce legal effects or similarly significantly affect you. All AI outputs are advisory in nature.
5. Third-Party Data Sharing
We share personal data with the following categories of recipients:
- Strava API: When you connect your Strava account, we exchange data via Strava's OAuth 2.0 API. Data flows are governed by Strava's API Agreement and your Strava privacy settings.
- Hosting provider: Your data is stored on servers located within the European Union / European Economic Area.
- Transactional email (Google / Gmail SMTP): We use Google's Gmail SMTP service to send transactional messages such as email verification and password reset links. Only your email address and the message content (including any one-time verification or password reset link it contains) are transmitted. Google may process this data on servers outside the EU/EEA; transfers are governed by EU Standard Contractual Clauses (SCCs). We do not use Gmail SMTP for marketing or newsletters.
We do not sell, rent, or trade your personal data to third parties. We do not transfer personal data outside the EU/EEA unless adequate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) for transactional email delivery via Gmail SMTP.
6. Your Rights (GDPR Chapter III)
As a data subject, you have the following rights under GDPR:
- Right of access (Art. 15): You may request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): You may request correction of inaccurate personal data.
- Right to erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten").
- Right to restriction of processing (Art. 18): You may request that we limit how we use your data.
- Right to data portability (Art. 20): You may request your data in a structured, machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interest.
- Right to withdraw consent: You may withdraw your consent for health data processing at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, contact us or use the account settings in the application.
To exercise any of these rights, contact us at 5000wracemachine@gmail.com. We will respond within one month of receiving your request (GDPR Art. 12(3)).
You also have the right to lodge a complaint with a supervisory authority (GDPR Art. 77), in particular in the EU member state where you live or work. The authority responsible for us as a private controller established in Bavaria is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).
7. Data Security
We implement technical and organizational measures to protect your personal data in accordance with GDPR Article 32 (security of processing) and Article 25 (data protection by design and by default):
- Encryption of data in transit (TLS/HTTPS) and at rest
- Password hashing using industry-standard algorithms
- Access controls and authentication for all system components
- Regular security reviews and updates
- Data minimization: we collect only the data necessary for the services we provide
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (GDPR Article 33) and, where the breach is likely to result in a high risk to you, inform affected individuals without undue delay (GDPR Article 34).
8. Data Retention
- Account data: Retained for the duration of your active account. Deleted within 30 days of account deletion.
- Health & fitness data: Retained while your account is active and consent is valid. Deleted upon account deletion or withdrawal of consent.
- Third-party integration data: Retained while the integration is connected. You may disconnect integrations and request deletion at any time.
- Server access logs: Retained for up to 90 days for security and abuse-prevention purposes, then automatically purged.
9. Cookies & Tracking Technologies
In accordance with the ePrivacy Directive (Directive 2002/58/EC, Art. 5(3)), we use only strictly necessary cookies — specifically, session management and JWT authentication tokens that are essential to provide the service you requested. No consent is required for these cookies under ePrivacy Art. 5(3).
We do not use advertising cookies, cross-site tracking, or third-party analytics cookies (including Google Analytics). Because we set no consent-requiring cookies, we do not display a cookie consent banner.
10. Changes to This Notice
We may update this notice to reflect changes in our data processing practices or applicable regulations. Material changes will be communicated to registered users via email. The "last updated" date at the top of this notice indicates when the most recent revision was made.
11. Contact
For any questions or concerns about this privacy notice or our data processing practices, please contact:
Sarah Karollus & Dr. Sebastian Reinhard
Johann-Herrmann-Straße 17
97078 Würzburg, Germany
Email: 5000wracemachine@gmail.com