Last updated: March 2026
VéloPeak ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and what rights you have.
Who we are
VéloPeak is a cycling coaching platform powered by artificial intelligence. VéloPeak is a brand of VÉLO TECHNOLOGY, UNIPESSOAL LDA, the data controller responsible for your personal data. For any inquiries, contact us at support@velo-peak.com.
Data we collect
Account data
When you create an account, we collect your name, email address, and a hashed password (if you register with email). If you sign in with a third-party provider (Google), we receive your name and email from that provider.
Profile data
To personalise your training, we collect and store information you provide: date of birth, biological sex, body weight, FTP (Functional Threshold Power), preferred language, and your coach profile text.
Strava integration
If you connect Strava, we receive and store your Strava athlete ID, access and refresh tokens, and your activity data (distance, duration, elevation, power, heart rate, cadence, GPS streams, and other metrics). We may also post comments on your Strava activities on your behalf, if you enable that feature.
Training platform integration
If you connect a third-party training platform, we store your API credentials and athlete ID to read your fitness metrics (CTL, ATL, TSB) and push workouts to your calendar.
Device integrations
If you connect a supported training device or platform, we store the OAuth tokens required to push workouts to your device. We do not read activity data from these integrations.
Payment data
Payments are processed by a certified payment processor. We store your customer ID and subscription status. We never store card numbers or payment details — those remain with the payment processor.
Usage data
We collect standard server logs including IP address, browser type, pages visited, and timestamps, for security and performance purposes.
Error monitoring
To maintain service stability and quality, we use an active error monitoring service that automatically captures technical data when failures or unexpected behaviour occur. This may include error messages, stack traces, page URLs, browser type and version, operating system, and IP addresses. This data is used exclusively to detect, diagnose, and resolve technical issues — it is not linked to your identity and is never used for marketing or profiling purposes. The legal basis for this processing is our legitimate interest in providing a reliable and secure service (Article 6(1)(f) GDPR).
AI interactions
When you use the VéloPeak coach chat, your messages and activity context are sent to a third-party AI provider to generate responses. We do not use your data to train AI models.
How we use your data
| Purpose | Basis |
|---|---|
| Providing the service (training plans, analysis, coaching) | Contract |
| Syncing with Strava and connected platforms | Contract + Consent |
| Processing payments | Contract |
| Sending transactional emails (welcome, analysis, weekly summary) | Contract |
| Security, fraud prevention, debugging | Legitimate interest |
| Improving the platform | Legitimate interest |
We do not use your data for advertising. We do not sell your data to third parties.
Third-party services
We use third-party sub-processors to operate the platform. These include providers for:
- Database hosting — EU-based infrastructure
- Application hosting and CDN — EU-based infrastructure
- AI model inference — US-based provider (data processed for response generation only; not used for model training)
- Payment processing — US-based provider (PCI-DSS compliant)
- Transactional email delivery — US-based provider
- Strava — activity data integration (US-based)
- Error and performance monitoring — third-party provider (technical error data only; retained for 90 days; used exclusively for fault detection and resolution)
Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or equivalent).
You may request the full list of sub-processors by contacting us at support@velo-peak.com.
Data retention
- Account data: retained for as long as your account is active, and up to 30 days after deletion
- Activity data: retained for as long as your account is active
- Payment records: retained for 7 years for legal and tax compliance
- Server logs: retained for 90 days
- Error monitoring data: retained for 90 days
Your rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and associated data
- Export your data in a portable format
- Restrict or object to certain processing
- Withdraw consent at any time (for consent-based processing)
To exercise any of these rights, contact us at support@velo-peak.com. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
Cookies
We use essential session cookies for authentication — these are strictly necessary and cannot be disabled.
We also use, or plan to use, analytics cookies to understand how users interact with the platform (pages visited, features used, session duration). These cookies do not identify you personally and are used solely to improve the product.
When analytics cookies are active, we will present a cookie consent banner on your first visit. You can accept or decline non-essential cookies at any time via the cookie settings in your account or browser. Declining analytics cookies will not affect your access to the platform.
Children
VéloPeak is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with data, contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify you by email. The date at the top of this page reflects the most recent update.
Contact
For any privacy questions or requests, contact us at support@velo-peak.com.