Privacy Policy
Last updated: May 2026
Introduction & Data Controller
This privacy policy explains how Evora ("we", "us", "our") collects, uses, and protects your personal data when you use our website (evora.fit) and our mobile application ("Evora App").
To help you understand which information applies to you, this policy is organized into three parts: general information that applies everywhere, a section specific to our website, and a section specific to our mobile app.
The data controller responsible for processing your personal data is:
Florian Stracke
c/o COCENTER
Koppoldstr. 1
86551 Aichach
Germany
Email: florian@evora.fit
No Data Protection Officer is listed for Evora at this time. This assessment should be reviewed by qualified German/EU counsel before production launch and as the service scales.
Legal Basis (GDPR Art. 6)
We process your personal data based on the following legal grounds:
Consent (Art. 6(1)(a) GDPR) - for optional integrations, importing activity and recovery data, push notifications, and any future non-essential tracking or session replay if enabled.
Contract performance (Art. 6(1)(b) GDPR) - for account creation, authentication, subscription entitlement checks, training plan generation, AI coaching, workout export, and the core app features you request.
Legal obligation (Art. 6(1)(c) GDPR) - where we must retain limited records to satisfy accounting, tax, consumer-protection, or regulatory duties.
Legitimate interest (Art. 6(1)(f) GDPR) - for security, fraud prevention, abuse prevention, operational logs, reliability monitoring, error tracking, and product analytics that do not override your rights and freedoms.
Special category health and fitness data may also require an additional legal basis under GDPR Art. 9. Where applicable, Evora relies on your explicit consent under Art. 9(2)(a) GDPR.
International Transfers
Evora uses providers in the European Union and providers in countries outside the European Economic Area, including the United States.
Where a provider processes personal data outside the EEA, we rely on the available legal transfer mechanisms, such as an EU adequacy decision, certification under the EU-US Data Privacy Framework where applicable, or EU Standard Contractual Clauses with additional safeguards.
The provider list below states the main processing location known to us for each service. Some global providers may process support, security, or operational data in additional locations according to their own privacy terms.
Automated Decisions
Evora uses algorithms and AI systems to generate training plans, evaluate completed workouts, and suggest training adjustments.
These outputs are coaching suggestions and planning aids. Evora does not use solely automated processing to make decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of GDPR Art. 22.
You remain responsible for deciding whether to follow, ignore, or adapt a training recommendation.
Your Rights
Under the GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15) — you may request a copy of the personal data we hold about you.
Right to rectification (Art. 16) — you may request correction of inaccurate personal data.
Right to erasure (Art. 17) — you may request deletion of your personal data.
Right to restriction of processing (Art. 18) — you may request that we restrict the processing of your data.
Right to data portability (Art. 20) — you may request your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21) — you may object to the processing of your personal data based on legitimate interest.
Right to withdraw consent - you may withdraw consent for optional integrations or notifications at any time by disconnecting the integration in Settings or adjusting device/app settings. Withdrawal does not affect processing that happened before withdrawal.
Right to lodge a complaint - you have the right to lodge a complaint with a supervisory authority. The competent authority is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany - https://www.lda.bayern.de
To exercise any of these rights, contact us at: florian@evora.fit
Data Retention
We retain your data for the following periods:
Account and profile data - retained for as long as your account is active or until you request deletion, unless limited data must be retained for legal obligations.
Training plans, workouts, evaluations, RPE/readiness inputs, and coach context - retained while your account is active so Evora can provide longitudinal coaching and plan adaptation.
Strava activity data - retained while your Strava account is connected. Strava-sourced data is deleted from Evora when you disconnect Strava or revoke access, subject to limited backup or legal retention where required.
Wahoo workout data - imported only after you connect Wahoo. On disconnect, Evora removes Wahoo account secrets and raw provider payloads. Normalized workout history may remain in Evora unless you request deletion or delete your account.
WHOOP recovery and sleep data - retained while your WHOOP account is connected. WHOOP-sourced data is deleted from Evora when you disconnect WHOOP, subject to limited backup or legal retention where required.
Intervals.icu credentials - retained only while the integration remains connected. Workout export payloads are sent when you initiate export and are not separately retained beyond your Evora training plan data.
AI coaching context - sent to OpenAI and LangSmith when AI coaching, transcription, or monitoring runs. OpenAI API inputs and outputs are not used for model training by default unless explicitly opted in; default abuse-monitoring logs may be retained by OpenAI for up to 30 days unless different retention controls apply.
Voice message audio - uploaded to the backend and forwarded to OpenAI for transcription. Evora processes raw audio transiently for transcription and uses the resulting transcript as the coach-chat message.
Push notification tokens - retained while your device is registered for notifications. Tokens are removed when you disable notifications, unregister the device, or delete your account.
Analytics data - retained according to PostHog project retention settings. PostHog processes data in the EU (eu.i.posthog.com).
Error tracking data - crash reports and error logs are retained for 90 days by Sentry unless project settings are changed.
Backend log data - structured logs are retained according to PostHog Logs and Google Cloud logging configuration.
Website technical data - IP addresses and browser information processed by Vercel are retained according to Vercel's standard hosting logs and security practices.
If you request deletion of your data, we will process your request within 30 days.
Changes to This Policy
We may update this privacy policy from time to time. We will notify users of significant changes via email or in-app notification. The date of the last update is shown at the top of this page.
Contact
If you have questions about this privacy policy or your personal data, contact us at:
Florian Stracke
c/o COCENTER
Koppoldstr. 1
86551 Aichach
Germany
Email: florian@evora.fit
Website Data Collection
When you visit evora.fit, our hosting provider Vercel automatically collects technical data necessary to deliver the website, including your IP address, browser type and version, device type, operating system, and referring URL. This data is processed by Vercel and is not stored by us beyond Vercel's standard retention period.
Waitlist
If you sign up for our waitlist, we collect your email address, signup source (for example hero or footer form), and - if present - UTM parameters (utm_source, utm_medium, utm_campaign) and your referrer URL. We also derive approximate geolocation (country and city) from Vercel headers for analytics purposes. This data is stored in our Supabase database and is used to notify you when Evora becomes available and to understand where interest comes from.
We apply IP-based rate limiting (3 requests per 10 minutes) to prevent abuse. Your IP address is not stored permanently for this purpose.
Cookies, Local Storage & TDDDG
Our website does not currently use third-party analytics scripts or advertising cookies.
Where the website stores or reads information on your device, such as technical state needed to submit a form or preserve URL tracking parameters for the waitlist form, this is done only where technically necessary for the requested service or with consent where required by § 25 TDDDG.
If we introduce non-essential cookies, tracking technologies, or website session replay in the future, this policy will be updated and consent will be requested where required.
Account & Profile Data
When you create an account in the Evora App, we collect your email address and authentication credentials. These are processed and stored by Supabase (our database and authentication provider) within the European Union.
If you sign in with Apple or Google, the respective identity provider and Supabase Auth process the authentication data needed to create or access your Evora account.
You may provide additional profile information including your training goals, FTP (Functional Threshold Power), maximum heart rate, weekly training availability, training preferences, perceived exertion (RPE), and readiness inputs. This data is used to generate and personalize your training plan.
Strava Integration
Evora integrates with the Strava platform to import your training activities. When you connect your Strava account, you explicitly authorize Evora to access your data through Strava's OAuth 2.0 authorization flow.
Data collected from Strava: activity metadata (activity name, sport type, distance, duration, moving time, average speed, average heart rate, maximum heart rate where available, average and max power, elevation gain, calories, suffer score or relative effort, route summary polyline), activity streams/timeseries where available, zones, and athlete profile data (display name, FTP, city, country). Supported sports include running, cycling, swimming, and strength training.
How we use Strava data: to build and personalize your training plan, track completed activities against planned workouts, and provide AI-powered coaching feedback based on your actual performance.
Evora requests read-only access to your Strava data. We never post to your Strava profile or modify your Strava data in any way.
Data retention: your Strava data is stored for as long as your Strava account remains connected to Evora. When you disconnect your Strava account via Settings > Integrations, or revoke access via Strava settings, Evora revokes tokens on a best-effort basis and deletes Strava-sourced activity data from our systems.
To disconnect Strava and delete imported Strava data, go to Settings > Integrations in the Evora app and tap "Disconnect", or revoke access directly in your Strava settings at https://www.strava.com/settings/apps.
Strava may collect usage data about your use of the Strava API through our application. For details, see Strava's privacy policy: https://www.strava.com/legal/privacy
WHOOP Integration
Evora can integrate with WHOOP to import your recovery and readiness data. When you connect your WHOOP account, you authorize Evora to access your data through WHOOP's OAuth 2.0 authorization flow.
Data collected from WHOOP: recovery score, heart rate variability (HRV as RMSSD), resting heart rate, SpO2, skin temperature, sleep data (duration, stages including light sleep, slow-wave sleep, and REM, sleep performance, efficiency, and consistency), and respiratory rate.
How we use WHOOP data: to assess your daily readiness and adapt your training plan accordingly — for example, suggesting easier sessions when recovery is low, or flagging when you may be at risk of overtraining.
Data retention: your WHOOP data is stored for as long as your WHOOP account remains connected. When you disconnect WHOOP via Settings > Integrations, Evora revokes tokens on a best-effort basis and deletes WHOOP-sourced recovery and sleep data from our systems.
For details on how WHOOP handles your data, see WHOOP's privacy policy: https://www.whoop.com/privacy/
Wahoo Integration
Evora can integrate with Wahoo to import your completed workouts and power data. When you connect your Wahoo account, you explicitly authorize Evora to access your data through Wahoo's OAuth 2.0 authorization flow.
Data collected from Wahoo: completed workout metadata, workout summaries, sport type, start time, duration, distance, elevation, speed, heart rate, power, calories, load/TSS values where available, FIT file URLs where provided, and parsed FIT-derived activity streams when available.
How we use Wahoo data: to sync, display, and analyze your completed workouts inside Evora. Wahoo data is not sent to AI coaching, LLM prompts, or advertising systems in this import MVP.
Some activities created by third-party apps may not be available through Wahoo's API.
Data retention: when you disconnect Wahoo via Settings > Integrations, Evora makes a best-effort token revocation call and removes stored Wahoo tokens, account identifiers, and raw Wahoo import payloads. Normalized imported workouts and parsed workout streams may remain in Evora unless you request deletion or delete your account.
For support or deletion requests, contact florian@evora.fit. For details on how Wahoo handles your data, see Wahoo's privacy policy: https://www.wahoofitness.com/privacy-policy
AI-Powered Coaching
Evora uses artificial intelligence to generate training plans, provide coaching feedback, and adapt your workouts based on your performance and readiness. This is powered by OpenAI's language models.
When generating coaching responses, we send relevant training context to OpenAI's API. This context may include your recent activities, profile data (goals, FTP, availability), recovery data, and current training plan. We do not send your email address, authentication credentials, or payment information to OpenAI.
OpenAI API inputs and outputs are not used to train OpenAI models by default unless the API customer explicitly opts in. Default abuse-monitoring logs may be retained by OpenAI for up to 30 days unless different retention controls apply to Evora's account.
We use LangSmith (by LangChain) for monitoring and debugging our AI coaching workflows. LangSmith may receive the inputs and outputs of AI calls for quality assurance and troubleshooting. Evora is configured to use LangSmith's EU endpoint where available.
Important: AI-generated training plans and coaching feedback are suggestions, not medical advice. Always consult a healthcare professional before starting or significantly changing a training program.
Voice Coach Messages
If you use voice messaging in the coach chat, the Evora App records audio from your microphone only after you start recording and grant device permission.
Voice messages are uploaded to the backend as audio files and are limited to 60 seconds and 5 MB. The backend sends the audio to OpenAI's transcription API (Whisper or the configured transcription model), then processes the resulting transcript through the same AI coach flow as a text message.
Evora processes raw audio transiently for transcription. The transcript may be returned to the app, included in AI coaching context, and monitored through LangSmith for debugging and quality assurance.
Backend Hosting & Operations
Evora's backend runs on Google Cloud Platform, including Cloud Run, scheduled jobs, Secret Manager, and operational Cloud Logging in the europe-west3 region. Technical request metadata and operational logs are processed to operate, secure, monitor, and debug the service.
Push Notifications
If you enable push notifications, we collect your device's push notification token via Expo Push Notifications. This token is stored securely and used to send you workout reminders, activity notifications, and important service updates.
Notification payloads may include activity data such as route map images (generated via Google Static Maps API from your activity polylines). These images are generated on-demand and are not persistently stored.
You can disable push notifications at any time through your device's settings or within the Evora app.
Route Map Rendering
The Evora App can display activity routes using native map providers. On iOS, route maps use Apple Maps. On Android, route maps use the Google Maps SDK when the app build is configured with a Google Maps key. GPS polylines are used to draw the route on the map.
Analytics
The Evora App uses PostHog for product analytics. PostHog processes data in the European Union (eu.i.posthog.com).
We track explicit app usage events, device/app context, primary data source, connected-integration status, onboarding status, and your premium/subscription status. Analytics events are identified with your internal athlete ID; your email address and detailed training profile are not intentionally sent to PostHog.
Autocapture is disabled. Session replay is disabled unless Evora implements and enables an explicit opt-in/consent flow. If enabled later, text inputs and images must remain masked and this policy must be updated.
For details, see PostHog's privacy policy: https://posthog.com/privacy
Error Tracking & Logging
We use Sentry for crash reporting and error tracking in both our backend and the mobile app. Sentry receives crash reports, stack traces, and device metadata when errors occur.
Backend Sentry is configured with send_default_pii disabled, but protected backend routes may attach the internal athlete ID to error context for debugging. Mobile crash reports may include app version, device metadata, stack traces, and runtime diagnostics.
We use PostHog Logs and Google Cloud Logging for structured operational logs. These logs may contain request metadata, endpoint names, status codes, internal athlete IDs, provider names, and training-system event metadata where needed for reliability, abuse prevention, and debugging. We avoid logging secrets and access tokens.
Sentry error data is retained for 90 days unless project settings are changed. PostHog Logs and Google Cloud logs follow their configured retention periods.
For details, see Sentry's privacy policy: https://sentry.io/privacy/
Intervals.icu Integration & Workout Export
You can optionally connect Intervals.icu and export planned workouts to it. Evora stores the credentials or API key needed to perform exports while the integration remains connected.
Workout export is user-initiated and sends workout structure data such as power targets, interval durations, workout descriptions, and related workout metadata to Intervals.icu's API.
Evora does not store a separate copy of exported payloads beyond what is already part of your training plan and operational logs. You can disconnect Intervals.icu from Settings > Integrations. For details, see Intervals.icu's privacy policy: https://intervals.icu/privacy
Local Data Storage (Mobile App)
The Evora App stores data locally on your device for offline access and performance:
Authentication tokens are stored securely using the platform's secure storage (iOS Keychain / Android Keystore).
Activity data, workouts, and app state may be cached locally using expo-sqlite or other app storage for offline access and fast loading. This cache is synchronized with our backend.
The app receives over-the-air updates via Expo Updates to deliver bug fixes and improvements without requiring an app store update. Your device information is shared with Expo for update delivery. For details, see Expo's privacy policy: https://expo.dev/privacy
Polyline decoding for route visualization is performed locally on the device by client-side code and does not send route data to a separate polyline decoding provider.
Health & Fitness Data (Special Category Data)
Evora processes health and fitness data that may qualify as special category data under GDPR Article 9. We process this data based on your explicit consent (Art. 9(2)(a) GDPR), which you provide when connecting your Strava, Wahoo, or WHOOP account.
Health data collected from Strava: heart rate (average and maximum), power output, calories burned, suffer score / relative effort, and GPS route data (summary polylines). Supported sports: running, cycling, swimming, and strength training.
Health and fitness data collected from Wahoo: completed workout summaries, duration, distance, elevation, speed, heart rate, power, calories, load/TSS values, FIT file URLs where available, and parsed FIT-derived workout streams where available.
Health data collected from WHOOP: recovery score (0–100), heart rate variability (HRV, measured as RMSSD in milliseconds), resting heart rate, blood oxygen saturation (SpO2), skin temperature, and sleep stage data (light sleep, slow-wave sleep, REM, sleep duration, efficiency, consistency, and respiratory rate).
Health and readiness data you enter manually, such as RPE, perceived fatigue, or training availability, may also be used for coaching and plan adaptation.
AI processing of health data: Strava, WHOOP, and manually entered health data may be included as context when our AI coaching system (powered by OpenAI) generates training plans, coaching feedback, or workout adaptations. Wahoo data is not sent to AI coaching or LLM prompts in this Wahoo import MVP. OpenAI API inputs and outputs are not used for model training by default unless explicitly opted in; default abuse-monitoring logs may be retained by OpenAI for up to 30 days unless different retention controls apply.
You can withdraw consent and delete imported health data at any time by disconnecting the respective integration in Settings > Integrations. You can also delete your account to remove your Evora profile and associated training data.
The following table provides a complete overview of the data we collect, organized by feature.
| Feature | Data Collected | Purpose | Legal Basis | Recipients | Retention |
|---|---|---|---|---|---|
| Account Creation | Email address, authentication credentials | User authentication and account management | Contract (Art. 6(1)(b)) | Supabase (EU) | While account is active |
| Social Sign-In | Apple or Google identity data and authentication tokens | Account sign-in and session creation | Contract (Art. 6(1)(b)) | Apple, Google, Supabase Auth | Per provider retention policy |
| Athlete Profile | FTP, max HR, goals, weekly availability, preferences, RPE/readiness inputs | Training plan personalization | Contract (Art. 6(1)(b)) | Supabase (EU) | While account is active |
| Strava Integration | Activities, streams/timeseries, HR, power, routes, zones, athlete profile | Activity tracking, plan adaptation, coaching feedback | Consent (Art. 6(1)(a)); explicit consent for health data (Art. 9(2)(a)) | Supabase (EU), OpenAI (US), LangSmith (EU endpoint) | While Strava is connected |
| WHOOP Integration | Recovery score, HRV, resting HR, SpO2, skin temp, sleep data | Readiness assessment, training adaptation | Consent (Art. 6(1)(a)); explicit consent for health data (Art. 9(2)(a)) | Supabase (EU), OpenAI (US), LangSmith (EU endpoint) | While WHOOP is connected |
| Wahoo Integration | Completed workout summaries, FIT-derived streams, HR, power, routes where available | Workout sync, display, and analysis inside Evora | Consent (Art. 6(1)(a)); explicit consent for health data (Art. 9(2)(a)) | Supabase (EU) | Account secrets and raw payloads removed on disconnect; normalized workouts retained unless deleted |
| AI Coaching | Training context, coach messages, plans, activity/recovery context | Training plan generation, coaching feedback | Contract (Art. 6(1)(b)) | OpenAI (US), LangSmith (EU endpoint) | Per provider retention controls; OpenAI default abuse logs up to 30 days |
| Voice Coach Messages | Microphone audio files, transcripts, transcription metadata | Transcribe voice input and process coach-chat requests | Contract (Art. 6(1)(b)); consent for microphone permission | OpenAI (US), LangSmith (EU endpoint) | Raw audio processed transiently; transcript follows coach context retention |
| Push Notifications | Device push tokens | Workout reminders, activity notifications | Consent (Art. 6(1)(a)) | Expo Push (US) | While device is registered |
| Analytics | Explicit app events, internal athlete ID, device/app context, premium status | Product improvement and usage insights | Legitimate interest (Art. 6(1)(f)) | PostHog (EU) | Per PostHog retention policy |
| Error Tracking | Crash reports, stack traces, device metadata, internal athlete ID where available | Application stability and bug fixing | Legitimate interest (Art. 6(1)(f)) | Sentry | 90 days |
| Intervals.icu | Integration credentials/API key and workout structure data | Connect Intervals.icu and export planned workouts | Contract (Art. 6(1)(b)) | Intervals.icu (user-initiated) | Credentials retained while connected; exports not separately retained |
| Route Map Images | GPS polylines from activities | Map images in push notifications | Legitimate interest (Art. 6(1)(f)) | Google Static Maps API | Transient (not stored) |
| Route Map Rendering | GPS polylines from activities | Display activity routes in the app | Legitimate interest (Art. 6(1)(f)) | Apple Maps or Google Maps SDK | Not stored by Evora |
| Subscriptions | Purchase receipts, subscription status, entitlements | Premium access management | Contract (Art. 6(1)(b)) | RevenueCat, Apple/Google | Per RevenueCat retention policy |
| Backend Logging | Request metadata, internal IDs, structured training events | Debugging, system observability | Legitimate interest (Art. 6(1)(f)) | PostHog, Google Cloud Platform | Configurable |
| Account Deletion | Account, profile, integrations, plans, activities, cache-related records | Fulfil deletion requests and revoke provider tokens where possible | Legal obligation (Art. 6(1)(c)); contract termination | Supabase, connected providers | Deleted within 30 days unless legal retention applies |
We use the following third-party services to process your data:
| Provider | Purpose | Data processed |
|---|---|---|
| Supabase | Database hosting and user authentication | Account data, authentication data, athlete profiles, activity data, recovery data, subscriptions |
| Vercel | Website hosting and delivery | IP addresses, browser information, geolocation headers |
| RevenueCat | In-app subscription and payment management | Purchase receipts, subscription status, entitlements |
| Apple | iOS in-app purchase processing, Apple Sign-In, and Apple Maps route rendering | Purchase information, subscription status, Apple account authentication data, and map display metadata |
| Google | Android in-app purchase processing, Google Sign-In, Google Maps SDK route rendering, Google Static Maps, and backend infrastructure | Purchase information, subscription status, Google account authentication data, map usage data, and GPS polylines for map rendering or images |
| Google Cloud Platform | Backend hosting, scheduled jobs, secret management, and operational logging | Technical request metadata, operational logs, and service configuration data |
| Sentry | Error tracking and crash reporting | Crash reports, stack traces, device metadata (no PII) |
| Strava | Training activity data source | Activity metadata, athlete profile, GPS routes |
| WHOOP | Recovery, sleep, and readiness data source | Recovery scores, HRV, sleep data, strain metrics |
| Wahoo | Completed workout data source | Workout summaries, activity metrics, FIT file URLs where available |
| OpenAI | AI model provider for coaching, training plan generation, and voice transcription | Training context, coach messages, health/fitness context, audio files for transcription, transcripts |
| LangSmith (LangChain) | AI workflow monitoring and debugging | AI call inputs/outputs, traces, metadata, and debugging context |
| PostHog | Mobile app product analytics and backend log correlation | Explicit app usage events, backend log events, internal athlete ID, request metadata, device/app context, premium status |
| Google Static Maps API | Route map image generation for push notifications | GPS polylines from activities when a notification map image is generated |
| Expo (Push Notifications & Updates) | Push notification delivery and over-the-air app updates | Device push tokens, notification payloads, device info for updates |
| Intervals.icu | Connected training platform and workout export destination | Integration credentials/API key and workout structure data sent on user request |
App Store Privacy Disclosures
The following information summarizes how the Evora App collects and uses data, consistent with Apple App Store Privacy Labels and Google Play Data Safety requirements:
Contact Information (email address) — collected for app functionality; linked to your identity; not used for tracking.
Health & Fitness data (heart rate, HRV, recovery scores, sleep data) — collected for app functionality (training adaptation); linked to your identity; not used for tracking.
Fitness data (activities, routes, performance metrics) — collected for app functionality (training plan personalization); linked to your identity; not used for tracking.
Audio data (voice messages) — collected only when you use voice coach input; used for transcription and app functionality; linked to your identity during processing; not used for tracking.
Usage data (explicit app events and feature usage) — collected for analytics; linked to your identity through internal ID only; not used for tracking. Session replay remains disabled unless an explicit opt-in flow is implemented.
Diagnostics (crash reports, performance data) — collected for app functionality (stability); not linked to your identity; not used for tracking.
Purchases (subscription status) — collected for app functionality (premium access); linked to your identity; not used for tracking.
Identifiers (device push token) — collected for app functionality (notifications); linked to your identity; not used for tracking.
Evora does not use any data for third-party advertising or cross-app tracking.