Privacy Policy

Last updated: March 3, 2026
Effective date: March 3, 2026
Version: 2.2 (GDPR Compliant)

1. Data Controller
2. Data We Collect
3. Legal Basis for Processing
4. How We Use Your Data
5. Data Sharing
6. Data Retention
7. Your Rights
8. International Data Transfers
9. Connected Services & Third Parties
9.5 AI Services
10. Cookies & Tracking
11. Data Security
12. Children's Privacy
13. Contact & Complaints
14. Policy Changes

            Important: This privacy policy complies with the EU General Data Protection Regulation (GDPR), 
            California Consumer Privacy Act (CCPA), and other applicable privacy laws. By using EnduCloud, you consent to 
            the practices described in this policy.
        

1. Data Controller

EnduCloud Ltd.
9 Halimon St.
Raanana, 4365209, Israel
CEO & Data Controller: Tomer Geminder
Email: privacy@enducloud.com
DPO Contact: dpo@enducloud.com
EU Representative: Available upon request for EU residents

2. Data We Collect

2.1 Registration Data (Required)

Data Type	Purpose	Legal Basis	Retention
Email address	Account creation, authentication, communication	Contract performance (Art. 6(1)(b))	Account lifetime + 2 years
Username	Account identification, platform functionality	Contract performance (Art. 6(1)(b))	Account lifetime + 2 years
Year of birth	Age verification, personalized training	Contract performance (Art. 6(1)(b))	Account lifetime + 2 years
Gender	Personalized training recommendations	Contract performance (Art. 6(1)(b))	Account lifetime + 2 years

2.2 Optional Profile Data

Data Type	Purpose	Legal Basis	Retention
First and last name	Personalization, social features	Consent (Art. 6(1)(a))	Until withdrawn or account deletion
Address	Local weather, training recommendations	Consent (Art. 6(1)(a))	Until withdrawn or account deletion
Profile photo	Account personalization	Consent (Art. 6(1)(a))	Until withdrawn or account deletion

2.3 Health & Fitness Data

Data Type	Purpose	Legal Basis	Retention
Body metrics (weight, height, BMI)	Training calculations, progress tracking	Consent (Art. 6(1)(a)) + Health data (Art. 9(2)(a))	Account lifetime + 1 year
Heart rate data	Training zones, health monitoring	Explicit consent (Art. 9(2)(a))	Account lifetime + 1 year
Sleep data	Recovery analysis, training optimization	Explicit consent (Art. 9(2)(a))	Account lifetime + 1 year
Activity data (GPS, duration, intensity)	Training analysis, route tracking	Consent (Art. 6(1)(a))	Account lifetime + 3 years

2.4 Technical Data

IP address: Security, analytics (legitimate interests) - 7 days
Browser information: Compatibility, security - 30 days
Device identifiers: Session management - Session duration
Usage analytics: Service improvement - 26 months
Log files: Security, debugging - 90 days

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

Contract performance (Art. 6(1)(b)): Essential account data needed to provide our services
Consent (Art. 6(1)(a)): Optional features, marketing communications, cookies
Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, service improvement
Legal obligation (Art. 6(1)(c)): Tax records, legal compliance

            Special Category Data (Health Data): We process health-related data only with your explicit consent 
            under GDPR Article 9(2)(a). You can withdraw this consent at any time.
        

4. How We Use Your Data

Service delivery: Account management, training recommendations, progress tracking
Communication: Service updates, support responses, security notifications
Improvement: Analytics, bug fixes, new feature development
Marketing: Newsletter, promotional content (with consent only)
Legal compliance: Fraud prevention, legal obligations

We share your data only in the following circumstances:

5.1 Service Providers

Cloud hosting: Firebase (Google) - Server infrastructure
Email services: MailChimp - Newsletter delivery
Analytics: Google Analytics - Usage statistics
Maps: Google Maps, OpenStreetMap, MapBox - Location services
Weather: OpenWeatherMap, Visual Crossing - Weather data

5.2 Legal Requirements

We may disclose data when required by law, court order, or to protect our rights and users' safety.

5.3 Business Transfers

In case of merger, acquisition, or sale, your data may be transferred with proper notice and protection.

5.4 Academic Research

EnduCloud may make aggregated, anonymised data available to academic researchers studying topics directly relevant to endurance sports and human health — such as activity habits, sleep patterns, training load, and physiological adaptation. Any such access is subject to all of the following conditions:

The research is conducted under a formal ethics approval issued by a recognised institution in accordance with the Declaration of Helsinki (or an equivalent national research ethics framework);
The data provided cannot be re-linked to any individual user — it is irreversibly anonymised before disclosure;
The research is non-commercial and its findings are intended for public benefit.

The legal basis for this processing is our legitimate interest in contributing to scientific knowledge that underpins endurance sport and human performance research (GDPR Art. 6(1)(f)), combined with appropriate safeguards (irreversible anonymisation) that eliminate any material risk to your privacy. Because the data shared is anonymised and cannot be traced back to you, GDPR obligations that apply to personal data do not arise in respect of this specific disclosure.

6. Data Retention

Data Category	Retention Period	Reason
Account data	Account lifetime + 2 years	Legal obligations, dispute resolution
Health/fitness data	Account lifetime + 1 year	Historical analysis, export requests
Activity logs	3 years	Training history, progress tracking
Marketing data	Until consent withdrawn	Consent-based processing
Technical logs	90 days	Security, debugging

7. Your Rights

Under GDPR, you have the following rights:

Right to access (Art. 15): Request a copy of your personal data
Right to rectification (Art. 16): Correct inaccurate or incomplete data
Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
Right to restrict processing (Art. 18): Limit how we use your data
Right to data portability (Art. 20): Receive your data in a machine-readable format
Right to object (Art. 21): Object to processing based on legitimate interests
Right to withdraw consent: For consent-based processing
Right to lodge a complaint: With your data protection authority

How to exercise your rights:

Email us at privacy@enducloud.com
Use your account settings for some data management
We will respond within 30 days (or 90 days for complex requests)

8. International Data Transfers

Your data may be processed outside the EU/EEA by our service providers:

United States: Google (Firebase, Analytics) - Adequacy decision + SCCs
United States: MailChimp - Standard Contractual Clauses (SCCs)
Israel: Our servers - Adequacy decision (EU Commission)

All transfers are protected by appropriate safeguards under GDPR Chapter V.

9. Connected Services & Third Parties

9.1 Mapping & Location Services

Service	Purpose	Data Shared	Privacy Policy
Google Maps	Route visualization, topography	GPS coordinates, search queries	Google Privacy Policy
OpenStreetMap	Alternative mapping, route display	GPS coordinates, map requests	OSM Privacy Policy
MapBox	Custom map styling, satellite imagery	Location data, usage analytics	MapBox Privacy Policy

9.2 Weather Services

Service	Purpose	Data Shared	Privacy Policy
OpenWeatherMap	Real-time weather, forecasts	Location coordinates, API requests	OpenWeather Privacy
Visual Crossing	Historical weather data	Location data, date ranges	Visual Crossing Privacy

9.3 Communication Services

Service	Purpose	Data Shared	Privacy Policy
MailChimp (Intuit)	Newsletter delivery, email campaigns	Email addresses, engagement metrics	Intuit Privacy Policy
Firebase Cloud Messaging	Push notifications	Device tokens, message content	Google Privacy Policy

9.4 Analytics & Infrastructure

Service	Purpose	Data Shared	Privacy Policy
Google Analytics	Usage analytics, performance monitoring	Anonymized usage data, demographics	Google Privacy Policy
Firebase (Google Cloud)	App infrastructure, authentication	Account data, app usage	Google Privacy Policy

9.5 AI Services

Service	Purpose	Data Shared	Privacy Policy
OpenAI (GPT models)	AI coaching assistant, training analysis, and training plan generation	Training questions, anonymized activity context, anonymized physiological summaries	OpenAI Privacy Policy
Anthropic (Claude models)	AI coaching assistant, library plan generation, and workout design	Training questions, anonymized activity context, anonymized physiological summaries	Anthropic Privacy Policy
Google AI (Gemini models)	AI coaching assistance and supplementary analysis	Training questions, anonymized activity context, anonymized physiological summaries	Google Privacy Policy

            Your privacy with AI services: We do not share personally identifiable information (PII) —
            such as your name, email address, or contact details — with any AI service provider.
            Queries are processed using anonymized training context and physiological summaries only.
            AI providers are contractually prohibited from using your data to train their models.
        

10. Cookies & Tracking

10.1 What Are Cookies

Cookies are small text files stored on your device to enhance your experience and provide functionality.

10.2 Cookie Categories

Category	Purpose	Duration	Consent Required
Essential	Authentication, security, basic functionality	Session / 1 year	No (legitimate interest)
Functional	User preferences, language settings	1 year	Yes
Analytics	Usage statistics, performance monitoring	26 months	Yes
Marketing	Newsletter tracking, campaign analytics	13 months	Yes

10.3 Managing Cookies

You can manage cookie preferences through:

Our cookie consent banner (first visit)
Account settings (logged-in users)
Browser settings (all users)
Third-party opt-out links provided above

Google Analytics Opt-Out: You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

11. Data Security

11.1 Technical Measures

Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
Authentication: Multi-factor authentication available
Access controls: Role-based access, principle of least privilege
Infrastructure: SOC 2 Type II certified cloud providers
Monitoring: 24/7 security monitoring and incident response

11.2 Organizational Measures

Regular security training for employees
Data Protection Impact Assessments (DPIAs)
Incident response procedures
Regular security audits and penetration testing

11.3 Data Breach Notification

In case of a data breach affecting your personal data:

We will notify relevant authorities within 72 hours
We will notify affected users without undue delay
We will provide clear information about the incident and remedial actions

12. Children's Privacy

Age Requirement: EnduCloud is not intended for children under 16 years old. We do not knowingly collect personal data from children under 16.

If we discover that we have collected personal data from a child under 16:

We will delete the data immediately
We will notify the child's guardian if possible
We will implement additional safeguards to prevent recurrence

Parents/guardians can contact us at privacy@enducloud.com regarding children's data.

13. Contact & Complaints

Data Protection Contacts

Privacy inquiries: privacy@enducloud.com

Data Protection Officer: dpo@enducloud.com

EU Representative: Available upon request

Postal Address

EnduCloud Ltd.
Attn: Privacy Office
9 Halimon St.
Raanana, 4365209
Israel

Filing Complaints

You have the right to lodge a complaint with a supervisory authority:

EU residents: Contact your national data protection authority
Israeli residents: Privacy Protection Authority
Other jurisdictions: Contact your local privacy regulator

14. Policy Changes

14.1 Notification of Changes

We will notify you of material changes to this privacy policy:

Email notification: For significant changes affecting your rights
In-app notification: For all policy updates
Website banner: For 30 days after changes

14.2 Change History

Version	Date	Changes
2.2	March 3, 2026	Updated AI Services section: accurate per-provider descriptions; added explicit statement that no PII is shared with AI providers and that providers are prohibited from model training on user data
2.1	December 20, 2025	Added AI Services section (OpenAI, Anthropic, Google AI) for Coach Endy feature
2.0	September 20, 2025	Complete GDPR compliance update, enhanced cookie management, detailed third-party services
1.0	June 1, 2025	Initial privacy policy

Continued Use: Your continued use of EnduCloud after policy changes constitutes acceptance of the updated terms. You can always access the current version at enducloud.com/legal/privacy.html.

Quick Reference

Data Controller: EnduCloud Ltd., Israel

Privacy Contact: privacy@enducloud.com

Your Rights: Access, rectification, erasure, portability, objection

Complaints: Contact your data protection authority

Last Updated: March 3, 2026

Privacy Policy

Table of Contents

1. Data Controller

2. Data We Collect

2.1 Registration Data (Required)

2.2 Optional Profile Data

2.3 Health & Fitness Data

2.4 Technical Data

3. Legal Basis for Processing

4. How We Use Your Data

5. Data Sharing

5.1 Service Providers

5.2 Legal Requirements

5.3 Business Transfers

5.4 Academic Research

6. Data Retention

7. Your Rights

Under GDPR, you have the following rights:

8. International Data Transfers

9. Connected Services & Third Parties

9.1 Mapping & Location Services

9.2 Weather Services

9.3 Communication Services

9.4 Analytics & Infrastructure

9.5 AI Services

10. Cookies & Tracking

10.1 What Are Cookies

10.2 Cookie Categories

10.3 Managing Cookies

11. Data Security

11.1 Technical Measures

11.2 Organizational Measures

11.3 Data Breach Notification

12. Children's Privacy

13. Contact & Complaints

Data Protection Contacts

Postal Address

Filing Complaints

14. Policy Changes

14.1 Notification of Changes

14.2 Change History

Quick Reference