Privacy Policy
THALOS AI FITNESS COACH
App, Website, Wearables, AI Coaching and Performance Data
DATA PROTECTION / PRIVACY
1. Controller
The controller within the meaning of the General Data Protection Regulation ("GDPR") is Thalos AI Fitness Coach GmbH, Kohlmarkt 4/6, 1010 Vienna, Austria, Commercial Register No. FN 658737 g, Commercial Register Court Commercial Court of Vienna, VAT ID ATU82506012.
For data protection matters, please contact: privacy@thalos.at. For general contact, support, complaints and legally relevant notices, please contact: notifications@thalos.at.
This Privacy Policy applies to the Thalos app, website, ordering processes, customer account, support, device and app integrations, and related consumer services.
2. Principles
Transparency and control. We provide information about the purposes of processing, legal bases, recipients, retention periods and your rights. Where processing is based on consent, you may withdraw your consent at any time with effect for the future.
Data minimisation and security. We process data only to the extent necessary for fitness personalisation, contract performance, security, product improvement and legal obligations. We apply technical and organisational measures and restrict internal access on a need-to-know basis.
Non-medical purpose. Thalos processes data exclusively for fitness, wellness, lifestyle, performance, app-related and contractual purposes. Thalos does not provide medical diagnosis, therapy, prevention, disease monitoring or emergency care.
No sale of personal health data. We do not sell personal fitness or health data to advertisers, employers, gyms or other third parties.
Use of anonymised data. We may use, share, license and commercially exploit anonymised or aggregated data, and models, benchmarks, reports, data products and insights derived from such data, provided that individuals can no longer be identified after reasonable assessment.
3. Data We Process
Depending on how you use Thalos, your subscription, your consent choices and the integrations you activate, we may process the following categories of data:
| Data category | Examples |
|---|---|
| Account, identity and contact data | Name, email address, telephone number, login data, language, country, customer number, app/account status, consent history. |
| Contract, payment and device data | Plan, prices, invoices, payment status, billing period, cancellation, withdrawal, device shipment, returns, outstanding pro-rated device value. |
| Onboarding and profile data | Sex/gender, date of birth/age, height, weight, dominant hand, training background, typical daily structure, goals, sleep goal, performance level, VO2 max, resting heart rate, maximum heart rate. |
| Wearables and sensor data | Heart rate, HRV/RR/PPI, PPG quality, movement/accelerometer data, steps, activity, sleep times, sleep phases, sleep score, skin temperature, contact status, device ID, battery status, app and device metadata. |
| Training data | Training plans, workouts, exercises, sets, repetitions, weights, duration, RPE/RIR, breaks, performance data, training logs, photos/videos, CrossFit board photos, free-text notes. |
| Nutrition data | Meal photos, text entries, timestamps, recognised foods, portions, calories, macros, nutrients, alcohol content, fasting/skipping information, corrections and acceptance status. |
| Supplements, medication and notes | Supplement/product names, dosage form, ingredients, dosages, photos, information on over-the-counter or prescription medication, free-text notes about stress, recovery, muscle condition, cycle or daily life. |
| Glucose, lactate and body metrics | Glucose values from CGM/HealthKit, body weight, lactate measurement images, recognised and confirmed lactate values, body composition, performance tests, where used. |
| Advanced diagnostics | Blood values, hormone values, microbiome data, genetic data, lactate and performance diagnostics, bioimpedance, spiroergometry or similar values, where you participate in relevant features, studies or add-on services. |
| Support and communication data | Chat, WhatsApp, email and support messages, screenshots, log files, bug reports, feedback, satisfaction and complaint information. |
| Technical, security and usage data | IP address, device type, operating system, app version, log data, session data, push token, cookie/tracking IDs, usage events, error and performance data. |
Free text, photos and videos
Please do not upload data relating to third parties. Photos and videos should not contain faces, names, addresses, licence plates, third-party medical documents or other personal data of other people. In particular, when uploading blackboard, whiteboard or workout photos, third-party names and faces should be removed or made unrecognisable before upload.
4. Purposes and Legal Bases
| Purpose | Description | Legal basis |
|---|---|---|
| Contract performance | Account, ordering, membership, billing, cancellation, device provision, support and core app functions. | Art. 6(1)(b) GDPR; for health data, additionally Art. 9(2)(a) GDPR where required. |
| Personalised fitness and wellness recommendations | Analysis of profile, training, nutrition, recovery, wearable and sensor data to create plans, scores, insights and coaching responses. | Explicit consent under Art. 6(1)(a) and Art. 9(2)(a) GDPR. Consent may be withdrawn at any time; core functions may then no longer be available. |
| Device and integration operation | Connection with Polar, Apple Health/HealthKit, CGM, lactate measurement devices, push services and app stores. | Art. 6(1)(b) GDPR; consent where legally or platform-required; for health data, Art. 9(2)(a) GDPR. |
| Product improvement and AI training | Error analysis, quality assurance, model improvement, OCR/recognition improvement, development of new fitness and performance features, and training/validation of AI models. | Legitimate interests under Art. 6(1)(f) GDPR for non-sensitive technical data; explicit consent for health/special category data; anonymised data falls outside the GDPR. |
| Anonymised performance science | Creation of anonymised/aggregated benchmarks, models, datasets, reports and data products; use, licensing and commercial exploitation by Thalos, affiliated companies and partners. | Prior processing of personal special category data based on explicit consent or another suitable legal basis; effectively anonymised data is not personal data. |
| Security and abuse prevention | Log data, access controls, fraud prevention, protection against unauthorised use, incident response. | Art. 6(1)(f) GDPR; where applicable, Art. 6(1)(c) GDPR for legal obligations. |
| Legal obligations | Accounting, taxes, warranties, consumer rights, official requests, statutory retention obligations. | Art. 6(1)(c) GDPR; where applicable, Art. 6(1)(f) GDPR for legal defence. |
| Marketing | Newsletters, offers, product information, satisfaction surveys, campaign measurement. | Consent under Art. 6(1)(a) GDPR where required; otherwise legitimate interests for existing customer marketing where legally permitted. You may object at any time. |
5. Special Categories of Personal Data and Consent
Many types of data processed by Thalos may qualify as health data, even though Thalos does not use them for medical purposes. This may include heart rate, HRV, sleep, glucose, weight, training, recovery, medication/supplements, blood values, microbiome data and free-text notes with health-related content.
We process such data for personalised fitness and wellness functions only where an appropriate legal basis exists. In the consumer product, this will usually be your explicit consent under Art. 9(2)(a) GDPR in conjunction with Art. 6(1)(a) or Art. 6(1)(b) GDPR.
You may withdraw consent at any time in the app, in your customer account or by email to privacy@thalos.at. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. After withdrawal, certain functions may be limited or unavailable if they cannot be provided without the relevant data.
For advanced diagnostics, such as blood values or microbiome analysis, additional specific information and consent terms may apply. These will be provided separately where relevant. Such data is not used by Thalos for medical diagnosis or treatment.
6. Anonymised, Aggregated and De-identified Data
We may process data from the app to create anonymised or aggregated datasets, AI models, benchmarks, statistical insights, research reports, product features, data products and performance insights. In doing so, personal identifiers are removed, aggregated or protected through technical and organisational measures so that individual users can no longer reasonably be identified.
Once data has been effectively anonymised, it is no longer personal data within the meaning of the GDPR. Such anonymised or aggregated results may be used, shared, licensed, published, integrated into products or monetised by Thalos, affiliated companies within the Thalos/Trace/BioTrace group and selected research, technology or business partners, without identifying individual users.
We do not sell personal fitness or health data. If a use of data could still allow conclusions to be drawn about you, we treat the data as personal data and rely on an appropriate legal basis and safeguards.
Anonymised results, models, benchmarks, reports, data products and other derived insights that were lawfully created before a withdrawal of consent or deletion request, and that no longer allow identification, may continue to be used permanently.
7. Recipients and Processors
We share personal data only where necessary for the purposes described in this Privacy Policy, where a legal basis exists and where appropriate data protection agreements or safeguards are in place. Categories of recipients may include:
- hosting, cloud, database, storage, security, monitoring and backup providers;
- payment providers, invoicing, tax and accounting service providers;
- app stores, push notification providers, email, messaging, support and CRM providers;
- AI, LLM, image/OCR, speech, analytics and data processing providers;
- wearable, sensor and integration providers such as Polar, Apple Health/HealthKit, CGM or lactate device providers, where you use the relevant integration;
- laboratories, diagnostics and study partners, where you expressly use relevant add-on services or studies;
- affiliated companies, in particular for technical support, product development, research or anonymised/aggregated performance science;
- lawyers, tax advisers, auditors, insurers, authorities or courts, where required.
Gyms, coaches, influencers, employers, insurers or corporate wellness partners receive personal data only if you expressly authorise this or if another clear legal basis exists. Otherwise, only aggregated or anonymised information will be shared with such partners.
8. International Data Transfers
We aim to process data within the EU/EEA wherever possible. Where service providers or affiliated companies outside the EU/EEA are involved, transfers take place only in accordance with the GDPR, for example on the basis of an adequacy decision, EU Standard Contractual Clauses, additional safeguards or other legally permitted mechanisms.
Where required, we provide further information about key service providers and transfer mechanisms in this Privacy Policy, in a linked sub-processor list or upon appropriate request.
9. Retention Periods
| Type of data | Retention criterion |
|---|---|
| Account and contract data | For the duration of the membership and thereafter for as long as legal claims, warranty, tax or statutory retention periods apply. |
| Invoice and accounting data | In accordance with statutory retention obligations, generally up to seven years, unless longer obligations or legal claims apply. |
| Fitness, wellness and health data | As long as the membership exists, consent remains valid and the data is required for functions, history, support or legitimate purposes; thereafter deletion or effective anonymisation, unless retention grounds apply. |
| Support and communication data | As long as required for handling the request, quality assurance, abuse prevention or legal defence. |
| Security and technical logs | Usually for a short to medium period, depending on the security purpose; longer storage only in the event of incidents, abuse or legal reasons. |
| Anonymised/aggregated data | Permanently, since it no longer relates to an identifiable person. We review anonymisation and aggregation standards as appropriate. |
We define and implement retention and deletion periods in line with the actual system architecture, applicable providers and legal retention obligations.
10. AI, Profiling and Automated Recommendations
Thalos uses AI and profiling within the meaning of the GDPR to personalise training, nutrition, recovery and performance recommendations. Your data may be evaluated statistically and rule-based, and compared with models, historical progressions and benchmarks.
These recommendations do not have legal effect and are not intended to significantly affect you in a comparable way within the meaning of Art. 22 GDPR. They are not medical, they are not binding, and they may be inaccurate. You can review results, correct inputs, withdraw consent and contact support.
If Thalos introduces functions in the future that could have legal or similarly significant effects, Thalos will provide separate information in advance, assess the appropriate legal basis and implement the required safeguards.
11. HealthKit, Wearables and Third-Party Sources
If you connect Apple Health/HealthKit, Polar or other third-party sources, you decide in the relevant settings which data is shared. You can change or withdraw permissions there or in the app at any time.
Data from third-party sources may be incomplete or inaccurate. Thalos does not medically validate such data and is not responsible for manufacturer statements, measurement accuracy or third-party terms.
HealthKit data is not used for advertising and is not sold to advertising networks. It is used to provide the selected functions and, where you separately consent, for product improvement and anonymised performance science.
12. Cookies, App Analytics and Marketing
The website and app may use cookies, SDKs, pixels or similar technologies. Technically necessary technologies are used for operation, security, contract performance and login. Analytics, marketing or tracking technologies are used only where an appropriate legal basis exists, in particular consent.
Non-essential cookies and SDKs are not activated before consent has been given. App store privacy notices must be consistent with this Privacy Policy.
13. Security
We protect personal data through appropriate technical and organisational measures. Depending on the system, these may include encryption in transit and at rest, role-based access controls, the need-to-know principle, access logging, backups, secure development processes, monitoring, incident response, confidentiality obligations and regular review of service providers.
Despite security measures, no absolute security can be guaranteed. Users should use strong passwords, secure their devices and report suspicious activity to notifications@thalos.at.
14. Your Rights
Subject to the requirements of the GDPR, you have in particular the following rights:
- right of access;
- right to rectification;
- right to erasure;
- right to restriction of processing;
- right to data portability;
- right to object to processing based on legitimate interests;
- right to withdraw consent;
- right to lodge a complaint with a supervisory authority.
In Austria, the competent supervisory authority is: Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna, Austria, Email: dsb@dsb.gv.at, Website: www.dsb.gv.at.
If you request deletion and the legal requirements are met, we will delete personal data or remove the personal reference so that identification by Thalos or third parties is no longer possible or would require disproportionate effort. We choose the specific technical implementation in compliance with the GDPR, data security, accountability requirements and statutory retention obligations.
Where data is still required for legal reasons, contract performance, billing, legal defence or security, it may continue to be processed on a restricted basis. There is no right to deletion in relation to effectively anonymised or aggregated data, results, models, benchmarks or products that no longer identify you.
Please send requests to privacy@thalos.at. We may require appropriate identity verification before processing a request.
15. Minors
Regular Thalos membership is intended for persons aged 18 or over.
For users aged 16 or 17, Thalos may offer a separate minor-specific process. In such cases, Thalos documents the consent of legal guardians, provides understandable privacy information, ensures clear contract and payment handling through an adult or with the consent of legal guardians, and implements additional safeguards.
The regular app is not intended for persons under the age of 16.
16. Changes to This Privacy Policy
We may update this Privacy Policy, for example due to new features, service providers, legal changes or changes in data processing. We will communicate material changes in an appropriate manner. Where new purposes require consent, we will obtain separate consent.