1. Personal Data Protection
2A CONSULTING is committed to protecting the personal data of its users in accordance with the General Data Protection Regulation (GDPR โ EU Regulation 2016/679) and, where applicable, the UK Data Protection Act 2018 and UK GDPR.
Data controller:
2A CONSULTING
Email: contact@athleteside.com
Data Protection Officer (DPO):
Contact by email at contact@athleteside.com
For any questions regarding the protection of your personal data, you can contact us at the above address.
2. Data Collected
We collect different categories of data depending on your use of the platform:
Identification data: surname, first name, email address, password (hashed), profile picture, date of birth.
Connection data: IP address, browser type, operating system, pages consulted, date and time of connection, referral URL.
Payment data: credit card information is processed exclusively by our payment provider Stripe. We never store your credit card numbers on our servers. We keep transaction references, amounts and billing dates.
Sports data: activity history (via Strava, Garmin Connect or manual entry), performance, heart rate, GPS route data, sports goals, fitness level.
Coaching data: messages exchanged between coach and athlete, assigned training plans, reviews and ratings.
AI interaction data: conversation history with the Smart Coaching, questions asked, sports profile transmitted to the AI.
Geolocation data: geolocated IP address (MaxMind GeoIP), location of events and clubs.
Navigation data: cookies, session identifiers, display preferences, audience data (see Cookies section).
Communication data: email address for newsletter, notification preferences.
3. Legal Basis for Processing
Each processing of personal data is based on a legal basis in accordance with Article 6 of the GDPR:
Performance of contract (Art. 6.1.b):
- Creation and management of your user account
- Processing of your orders and payments (Prime subscriptions, training plans, coaching)
- Provision of coaching service (messaging, plans, monitoring)
- Connection via the marketplace
- Access to Smart Coaching (for Prime subscribers)
- Export of sessions to Strava / Garmin Connect
- Sending newsletter and commercial communications
- Connection of your Strava or Garmin account (access to your sports activity data)
- Connection via a third-party service (Google, Facebook, Apple)
- Placement of non-essential cookies (analytics, advertising)
- Platform improvement and audience analysis
- Fraud prevention and site security (reCAPTCHA, rate limiting)
- Conversion tracking and feature performance
- Retention of invoices and transaction data (tax and accounting obligations)
- Response to legal requests
4. Processing Purposes
Your personal data is processed for the following purposes:
- Account management: registration, authentication, user profile management.
- Paid services: payment processing, subscription management (Prime, coaching), invoice issuance, commission payment to coaches.
- Coaching: coach/athlete connection, messaging, session monitoring, evaluations.
- Artificial intelligence: provision of Smart Coaching, personalization of training recommendations.
- Sports data: synchronization with Strava and Garmin, session export, performance calculations.
- Marketplace: publication and management of ads, messaging between seller and buyer.
- Communication: sending newsletter, transactional notifications (order confirmation, payment reminders, card expiry), service emails.
- Referral: tracking referrals, attribution of rewards.
- Analysis and improvement: audience measurement, user journey analysis, site optimization.
- Security: fraud detection, abuse protection (reCAPTCHA), access logging.
5. Artificial Intelligence
AthleteSide uses artificial intelligence services provided by OpenAI (OpenAI, L.L.C., San Francisco, United States) for the following features:
- Smart Coaching: Conversational training, nutrition and race strategy assistant. Messages you send to the Smart Coaching are transmitted to the OpenAI API to generate responses.
- Content generation: Some articles and descriptions may be generated or enhanced by AI.
- Translation: Assistance with translation of content into the different languages of the site.
No automated decision-making: AI provides recommendations for informational purposes. No decision producing legal effects or significantly affecting the user is made automatically on the sole basis of algorithmic processing.
Data transmitted to OpenAI is subject to transfer outside the EU (see "Transfers outside the EU" section).
6. Payment Data
Payments on AthleteSide are processed by Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland).
Data processed by Stripe: credit card number, expiry date, CVV, cardholder name. This data is collected and processed directly by Stripe in a PCI-DSS Level 1 certified environment. AthleteSide never stores your credit card data.
Data retained by AthleteSide: Stripe customer ID, last 4 digits of the card, card type, expiry date, transaction history (amounts, dates, statuses), invoices.
For coaches: commission payments are made via Stripe Connect. The coach provides their bank details (IBAN, BIC) directly to Stripe.
Stripe privacy policy: https://stripe.com/privacy
7. Login via Third-Party Services
AthleteSide allows login and registration via the following third-party services:
Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) โ Data retrieved: name, first name, email address, profile picture.
Facebook (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) โ Data retrieved: name, first name, email address, profile picture.
Apple (Apple Distribution International Ltd., Hollyhill Industrial Estate, Cork, Ireland) โ Data retrieved: name, email address (possibly relayed via "Hide My Email" service).
Strava (Strava, Inc., San Francisco, United States) โ Data retrieved: name, first name, profile picture, sports activity data (see "Sports Data" section).
The use of these login services is optional and subject to your consent. You can disconnect a third-party service at any time from your account settings. Only the data necessary to create or log into your account is retrieved.
8. Sports and Health Data
Some features of AthleteSide involve the processing of data relating to health within the meaning of Article 9 of the GDPR, in particular:
- Heart rate (data imported from Strava or Garmin Connect)
- Physical activity data: distance, duration, pace, elevation, power, cadence
- GPS data: route tracks
- Sports goals and fitness level
Strava (Strava, Inc., San Francisco, United States) โ We access your sports activities via the Strava API. You can revoke this access at any time from your Strava account settings.
Garmin Connect (Garmin Ltd., Schaffhausen, Switzerland / Garmin International, Inc., Olathe, Kansas, United States) โ We export sessions to your Garmin account. The connection can be revoked from Garmin settings.
You can delete your sports data at any time from your AthleteSide account settings.
9. Sub-processors and Data Recipients
Your personal data may be transmitted to the following sub-processors, acting on the instructions of 2A CONSULTING:
| Sub-processor | Service | Data concerned | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting | All data | EU (Ireland / France) |
| Stripe | Payments | Payment data, identity | Ireland / United States |
| SendGrid (Twilio) | Email sending | Email address, email content | United States |
| OpenAI | Artificial intelligence | AI conversations, sports profile | United States |
| reCAPTCHA, Analytics, OAuth | IP address, navigation data | Ireland / United States | |
| Plausible Analytics | Audience analysis | Anonymized navigation data | EU |
| MaxMind (GeoIP2) | IP geolocation | IP address | United States |
| Meta (Facebook) | OAuth, social sharing | Identity (if social login) | Ireland / United States |
| Apple | OAuth (Sign In with Apple) | Identity (if social login) | Ireland |
| Strava | Sports activity sync | Physical activity data | United States |
| Garmin | Session export | Training sessions | Switzerland / United States |
| Effiliation | Commercial affiliation | Navigation data (cookies) | France |
No personal data is sold to third parties.
10. Data Transfers outside the EU
Some of our sub-processors are located outside the European Union, particularly in the United States. These transfers are governed by the following safeguards, in accordance with Chapter V of the GDPR:
EU-US Data Privacy Framework: Stripe, Google, Meta and other US sub-processors are certified under the Data Privacy Framework, recognized by the European Commission as providing an adequate level of protection (adequacy decision of 10 July 2023).
Standard Contractual Clauses (SCCs): For sub-processors not covered by the Data Privacy Framework, Standard Contractual Clauses approved by the European Commission are implemented.
Sub-processors concerned by transfer outside the EU:
- Stripe (United States) โ Data Privacy Framework
- SendGrid / Twilio (United States) โ SCCs
- OpenAI (United States) โ SCCs + Data Processing Agreement
- Google (United States) โ Data Privacy Framework
- MaxMind (United States) โ SCCs
- Strava (United States) โ SCCs
11. Cookies and Trackers
The website https://www.athleteside.com uses cookies and trackers. For detailed information, please consult our dedicated cookie page.
Summary of cookie categories used:
- Strictly necessary cookies: User session, authentication, basket, CSRF, language preference. These cookies do not require your consent.
- Analytical cookies: Google Analytics, Plausible Analytics โ audience measurement and site improvement.
- Functional cookies: Remembering your preferences (product comparator, filters).
- Third-party cookies: reCAPTCHA (Google), social sharing buttons, embedded content (videos).
12. Retention Periods
Your data is retained for the following periods:
| Data type | Retention period |
|---|---|
| User account | Duration of account + 3 years after deletion |
| Payment data and invoices | 10 years (accounting obligation) |
| Coaching data (messages, plans) | Duration of subscription + 1 year |
| Smart Coaching conversations | Duration of account (deletable by user) |
| Sports activity data | Duration of account (deletable by user) |
| Newsletter | Until unsubscription |
| Connection logs | 12 months (legal obligation) |
| Audience data (analytics) | 26 months maximum |
| Cookies | 13 months maximum |
| Marketplace ads | Duration of publication + 6 months |
| Referral data | Duration of referrer account |
At the end of these periods, data is deleted or irreversibly anonymized.
13. Your Rights
In accordance with the GDPR and, where applicable, the UK Data Protection Act 2018, you have the following rights over your personal data:
- Right of access (Art. 15 GDPR): Obtain confirmation that data concerning you is being processed and obtain a copy.
- Right to rectification (Art. 16 GDPR): Have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17 GDPR): Request deletion of your data, subject to legal retention obligations.
- Right to data portability (Art. 20 GDPR): Receive your data in a structured, commonly used and machine-readable format.
- Right to object (Art. 21 GDPR): Object to the processing of your data on legitimate grounds, or object to commercial prospecting.
- Right to restriction (Art. 18 GDPR): Request suspension of processing of your data in certain cases.
- Right to withdraw consent: Withdraw your consent at any time (newsletter, cookies, social login, sports data), without affecting the lawfulness of prior processing.
14. Exercising Your Rights
To exercise your rights, you can:
- Send an email to contact@athleteside.com specifying your request and attaching proof of identity.
- Use your account features: modify your information, delete your account, manage your subscriptions, disconnect third-party services (Strava, Google, etc.).
If you experience difficulties exercising your rights, you may lodge a complaint with the relevant supervisory authority:
For UK users: Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: www.ico.org.uk
For EU users: Your local Data Protection Authority, or the French supervisory authority (CNIL)
CNIL โ 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Website: www.cnil.fr
15. Data Security
2A CONSULTING implements appropriate technical and organizational measures to protect your personal data:
- Encryption in transit: All communications are secured via HTTPS/TLS.
- Encryption at rest: Sensitive data is encrypted in the database.
- Password hashing: Passwords are hashed with a secure algorithm (bcrypt) and never stored in plain text.
- Access control: Role-based access restriction (RBAC), enhanced authentication for administrators.
- Secure payments: PCI-DSS processing via Stripe โ no credit card data passes through our servers.
- Abuse protection: Rate limiting, reCAPTCHA, CSRF protection, intrusion detection.
- Backups: Regular and encrypted data backups.
- Updates: Regular application of security patches.
16. Minors
The website AthleteSide is not intended for children under 16 years (EU default age of digital consent under GDPR, Article 8). In the UK, the age of digital consent is 13 years under the UK GDPR.
Users aged between 13/16 and 18 years (depending on jurisdiction) should obtain authorization from their legal guardian to create an account and use the services, particularly paid services.
If we learn that data has been collected concerning a child under the age of consent without parental consent, we will take the necessary steps to delete this data as soon as possible.