Home > Privacy Policy
Privacy Policy
Last updated: April 21, 2026
1. Who We Are
Endoryx is an AI-powered endurance training coaching platform for athletes (triathlon, running, cycling, swimming, duathlon).
Controller of personal information:
Name: Keven Forgues
Email: privacy@endoryx.ca
Quebec, Canada
In accordance with Quebec's Law 25 on the protection of personal information in the private sector, we have designated a person responsible for the protection of personal information whom you can contact at the above address.
2. Information We Collect
2.1 Registration and profile data
First and last name, email address, gender, age, weight, preferences (language, unit system, theme).
2.2 Sports and performance data
Experience level, physiological thresholds (FTP, running pace, CSS), primary sport, goals, available training time, session history, generated plans.
2.3 Health and wellness data (sensitive data)
Recovery metrics, life metrics (stress, sleep, energy), Balance Score, menstrual cycle information (if activated).
2.4 Financial data
Stripe customer ID (we do not store credit card information directly), subscription status, trial dates.
2.5 Third-party connection data
Strava access tokens (encrypted), sync history, hidden activities.
2.6 Usage data
Navigation history, usage events, technical error logs, AI API usage logs.
2.7 Personal context data (optional)
Family members, travel and unavailability periods, unavailable days.
2.8 Communication data
Support tickets and messages, marketing communication consent (date and time).
3. How We Use Your Data
3.1 Service provision
Generate and adjust personalized training plans, analyze performance, sync with Strava, calculate Balance Score.
3.2 Advanced personalization
Adapt session intensity to your menstrual cycle (with explicit consent), account for family context and travel.
3.3 Communication
Transactional emails (billing, trial, support) — always sent. Marketing emails — only with your explicit consent.
3.4 Service improvement
Analyze overall usage (aggregated data), diagnose and fix technical issues.
4. Special Commitment on Sensitive Data
4.1 Menstrual Cycle
Your menstrual cycle data is stored only within our secure infrastructure. It is NEVER transmitted to our AI partners (Anthropic/Claude, OpenAI/GPT). You can delete only this data or disable this feature at any time in your settings.
4.2 Health data
Used exclusively to personalize your training. Not sold, not shared for marketing.
5. Who We Share Your Data With
Each provider accesses only the data necessary for their role.
| Provider | Role | Data transmitted | Jurisdiction |
|---|---|---|---|
| Supabase | Database and authentication | User data | United States |
| Vercel | Web hosting | Traffic and requests | United States |
| Anthropic (Claude) | AI plan generation | Sports data (excl. cycle) | United States |
| OpenAI (GPT) | AI generation (consensus) | Sports data (excl. cycle) | United States |
| Stripe | Payment processing | Customer ID, amounts | United States |
| Strava | Activity import | OAuth tokens | United States |
| Resend | Email sending | Email address, content | United States |
We do not sell your personal data.
6. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Active account data | As long as account is active |
| Data after deletion | Deleted within 30 days |
| Technical logs | 90 days |
| Billing data | 7 years (tax obligation) |
| Marketing consents | Account duration + 3 years after withdrawal |
7. Your Rights
In accordance with Quebec's Law 25 and GDPR (if you reside in Europe):
- Access — copy of your personal data
- Rectification — correct in settings or on request
- Erasure — complete deletion via /data-deletion
- Portability — export in JSON format
- Restriction — limit certain processing
- Withdraw consent — marketing via /settings/notifications
- Complaint — to the Commission d'accès à l'information du Québec
8. How to Exercise Your Rights
Send an email to privacy@endoryx.ca with your request and account email address. We will respond within 30 days.
9. Security
Communication encryption (HTTPS), password and OAuth token encryption, strict access controls, audit logs, regular security updates.
In case of a security incident, we will notify you within a timeframe compliant with legal obligations.
10. Cookies
Endoryx uses only strictly necessary cookies (session, preferences, security). We do not use advertising or third-party tracking cookies.
11. Minor Users
Endoryx is not intended for persons under 16 years of age. We do not knowingly collect data from minors.
12. Changes to This Policy
We may update this policy. Major changes will be communicated by email and/or in-app notification.
13. Contact
Endoryx
Person responsible: Keven Forgues
Email: privacy@endoryx.ca
Quebec, Canada