Privacy Policy
Last updated: 24 March 2026 | Version 1.2
The Short Version
Pelaris is an AI-powered fitness coaching app. Here’s what you need to know:
- We collect your profile, training data, and body measurements to generate personalised programs and coaching.
- Your photos vanish. Body analysis photos are processed in memory and immediately discarded — never stored, never seen by a human.
- Your identity is hidden from AI. We strip personal identifiers before AI processing. The AI never knows who you are.
- Your data is stored in Sydney, Australia (australia-southeast1) during normal operation.
- Your data is never sold or shared with third parties.
- AI never trains on you. Your data is never used to train or improve any AI model — ours or Google’s.
- You own the delete button. Delete your account and everything goes — profile, programs, measurements, conversations.
- No ads. No data selling. We make money from subscriptions, not your data.
For the full details, read on.
1. Who We Are
Pelaris (“we”, “us”, “our”) is an AI-powered adaptive fitness coaching platform. We are the data controller responsible for your personal information.
Privacy Contact: Email: privacy@pelaris.io
If you have any questions about this policy or how we handle your data, please contact us at the email above.
2. Data We Collect
2.1 Information You Provide
| Data | Examples | Why We Collect It |
|---|---|---|
| Account information | Email address, display name | To create and manage your account |
| Fitness profile | Goals, experience level, available equipment, training preferences, injuries | To personalise your training programs |
| Training data | Workout sessions, exercise logs, sets, reps, weights, RPE ratings, completion status | To track your progress and adapt your programs |
| Body measurements | Shoulder, waist, hip circumferences, height, weight (from manual entry or AI analysis) | To assess body composition and personalise training |
| Body photos | Photos you upload for AI body analysis | To estimate body measurements — photos are processed in memory and immediately discarded, never stored |
| Coach conversations | Messages you send to the AI Coach, preferences and health notes you share | To provide personalised coaching responses |
| Feedback | Session feedback, RPE ratings, check-in responses, injury reports | To adapt your programs based on how you feel |
| Strava activity data | Sport type, date, duration, distance, heart rate, pace/speed, cadence, power, elevation gain | To understand training load and adapt your coaching program |
| Polar exercise data | Sport type, duration, heart rate, pace, cadence, calories | To understand training load and adapt your coaching program |
| Wahoo workout data | Sport type, duration, power, heart rate, cadence, distance | To understand training load and adapt your coaching program |
2.2 Information We Derive
| Data | How It’s Created |
|---|---|
| AI-generated training programs | Generated by AI based on your profile, goals, methodology, and training history |
| Body composition estimates | Derived from your photos or manual measurements using AI analysis |
| Coach memory | Preferences, health notes, and context the AI Coach retains from your conversations |
| Training metrics and trends | Calculated from your workout logs (e.g., volume trends, RPE trajectory, streak data) |
| Completion analysis | AI analysis of actual vs. target performance after each training week |
2.3 Information Collected Automatically
| Data | Purpose |
|---|---|
| Device and browser information | To optimise the app experience for your device |
| Usage analytics | Screen views, feature usage, funnel events (only if you consent) |
| Error and crash reports | To identify and fix bugs (only if you consent) |
3. How We Use Your Data
We use your data for these purposes only:
| Purpose | Legal Basis (GDPR) | APP Reference |
|---|---|---|
| Provide the service (programs, coaching, tracking) | Performance of contract | APP 3, 6 |
| Personalise training based on your goals and feedback | Performance of contract | APP 3, 6 |
| AI processing of your data to generate recommendations | Legitimate interest + consent for health data | APP 3, 6 (sensitive: explicit consent) |
| Body photo analysis | Explicit consent | APP 3 (sensitive information) |
| Usage analytics to improve the app | Legitimate interest (only if consented) | APP 3, 6 |
| Error reporting and crash diagnostics | Legitimate interest (only if consented) | APP 3 |
| Communicate with you about your account | Performance of contract | APP 3 |
| Comply with legal obligations | Legal obligation | APP 3, 6 |
We never use your data to:
- Train or improve AI models
- Sell to third parties
- Serve advertising
- Profile you for marketing purposes
- Make automated decisions with legal or similarly significant effects without your ability to contest
4. How Our AI Works
Pelaris uses artificial intelligence (Google Gemini via Vertex AI) to power three core features:
4.1 Training Program Generation
The AI considers your goals, training history, fitness level, available equipment, chosen methodology, body measurements, and feedback to generate personalised, periodized training programs.
If you connect your Strava account, Pelaris imports a summary of your completed activities including sport type, date, duration, distance, and available performance metrics (heart rate, pace, cadence, power, elevation). GPS coordinates and route data are not imported. This data helps the AI understand your recent training load and adapt your programs accordingly.
4.2 AI Coaching
The AI Coach responds to your questions and requests, suggests exercise alternatives, logs health notes, and adapts your training. Coach conversations are processed in real time.
4.3 Coach Memory
The AI Coach remembers certain things you tell it across conversations to provide continuity:
- What it remembers: Training preferences, health notes (e.g., “I have a shoulder injury”), equipment availability, and general coaching context you share.
- Where it’s stored: Coach memory is stored in your account data in Firestore (australia-southeast1), the same way your training data is stored.
- How long it remembers: Coach memory persists as long as your account is active.
- Your control: You can ask the Coach to forget specific information at any time (say “forget my shoulder injury” or similar). You can also delete all coach memory by deleting your account.
Coach memory is subject to the same privacy protections as all your other data — it is never shared, never used for model training, and is permanently deleted when you delete your account.
4.4 Body Composition Analysis
When you upload a photo, AI estimates body measurements (shoulder, waist, hip circumferences) and classifies your body type. The photo is processed in memory only and immediately discarded.
What the AI Receives
Before your data reaches any AI model, we run it through our privacy scrubber. This strips out your name, email address, and other personal identifiers. The AI processes your fitness data without knowing who you are.
What the AI Does NOT Do
- Does not store your photos. Photos exist in temporary server memory during processing only.
- Does not train on your data. Pelaris uses Google’s pre-trained Gemini models via Vertex AI under enterprise terms. Google does not use your data to train or improve its AI models. Your prompts and responses are not retained by Google beyond the processing duration.
- Does not diagnose medical conditions. AI outputs are fitness guidance, not medical advice.
- Does not make decisions you can’t override. You can modify or reject any AI recommendation.
AI Transparency
All AI-generated content in Pelaris is clearly identified as AI-generated. Training programs, coaching responses, and body estimates are automated recommendations — no human reviews them before they reach you. If you believe an AI output is inaccurate or unsafe, you can contact us.
5. Body Analysis & Photo Processing
This section covers our highest-sensitivity data handling.
How Photos Are Handled
- You select a photo
- Photo is compressed (< 1MB) on your device
- Transmitted securely (HTTPS/TLS) to our processing server in Australia
- Server decodes photo in temporary memory (RAM only)
- AI extracts approximate body measurements
- Photo buffer is immediately released and garbage collected
- Only numerical measurements are returned and stored
Your photo is:
- Held in temporary server memory for seconds only
- Never written to any storage system, database, log file, or backup
- Never viewed by any Pelaris employee, contractor, or third party
- Never transmitted to any party other than the secure AI processing endpoint
- Never used to train or improve any AI model
What IS stored: Numerical measurements only — shoulder circumference, waist circumference, hip circumference, weight estimate, height, body type classification, and training recommendations. These are stored as health information in your account.
Consent
Before your first body analysis, we will ask for your explicit consent. You can use Pelaris without ever using the body analysis feature. You can withdraw consent and delete all stored measurements at any time.
6. Data Sharing
Third-Party Services
| Service | Provider | Purpose | Data Shared | Model Training |
|---|---|---|---|---|
| Firebase Authentication | Google | User login and identity | Email, auth tokens | No |
| Cloud Firestore | Google | Data storage | All account data (encrypted) | No |
| Vertex AI (Gemini) | Google | AI processing | Scrubbed fitness data (no PII) | No |
| Firebase Analytics | Google | Usage analytics (if consented) | Anonymised events | No |
| Firebase Hosting | Google | App delivery | None (static hosting) | No |
| Strava API | Strava, Inc. | Training activity import | Sport type, date, duration, distance, heart rate, pace, cadence, power, elevation — no GPS or route data | No |
| Polar AccessLink API | Polar Electro | Training activity import | Exercise data — sport, duration, heart rate, pace, cadence, calories | No |
| Wahoo Cloud API | Wahoo Fitness | Training activity import | Workout summaries — power, heart rate, cadence, distance, duration | No |
All Google services are used under Google Cloud Platform enterprise terms, which explicitly state: “Google will not use Customer Data to train or improve Google’s generalized AI/ML models.”
Pelaris uses the Strava API to import activity data for connected athletes. By using the Strava integration, you acknowledge that Strava may monitor and collect certain usage data related to how Pelaris accesses the Strava API, in accordance with Strava’s own privacy policy and API Agreement.
Pelaris uses the Polar AccessLink API and Wahoo Cloud API for the same purpose. Wahoo may use data sent to the Wahoo Platform for its own business purposes per the Wahoo API Agreement.
AI Platform Integrations (MCP)
Pelaris can optionally connect to third-party AI assistants (such as ChatGPT, Claude, and Google Gemini) via the Model Context Protocol (MCP). When you connect Pelaris to an AI assistant:
What data is shared: When you use Pelaris through an AI assistant, that assistant may request your training context (sport, goals, current program phase, session summaries), benchmark values, body analysis trends, and coaching insights. No raw personal identifiers (email, Firebase UID, phone number) are ever shared — we use pseudonymous identifiers so the AI assistant cannot identify you.
How data is shared: Data is shared only when you explicitly connect Pelaris to an AI assistant via OAuth 2.0 authorization. You are shown a consent screen listing exactly which data categories the assistant will access, and you must approve before any data flows. Each data category requires a separate scope approval (e.g., training data, health data, coach insights).
Your control: You can disconnect from any AI assistant at any time, which immediately revokes all access tokens. No data is retained by the AI assistant after disconnection (per each platform’s data handling policies). You can reconnect at any time with fresh consent.
What Pelaris does NOT do:
- We do not store AI assistant conversation data
- We do not share your data with AI assistants without your explicit action
- We do not sell your data to AI platform operators
- We do not allow AI assistants to modify your training data without your confirmation
Platform privacy policies: Each AI assistant has its own privacy policy governing how it handles data received from tools like Pelaris. We encourage you to review:
- OpenAI Privacy Policy (ChatGPT)
- Anthropic Privacy Policy (Claude)
- Google Privacy Policy (Gemini)
We Never Share Your Data With
- Advertisers or ad networks
- Data brokers
- Social media platforms
- Insurance companies
- Employers
- Any party for marketing purposes
Law Enforcement
We will only disclose personal data to law enforcement or government authorities if:
- We are legally compelled to do so (court order, subpoena, or mandatory legal process)
- We believe in good faith that disclosure is necessary to prevent imminent harm
If legally permitted, we will notify you before any disclosure.
7. Data Storage & Security
Where Your Data Lives
All data is stored on Google Cloud Platform servers in Sydney, Australia (region: australia-southeast1). Your data does not leave Australia during normal operation.
How Your Data Is Protected
| Measure | Implementation |
|---|---|
| Encryption in transit | All data transmitted over TLS 1.2+ (HTTPS) |
| Encryption at rest | Google Cloud default encryption (AES-256) for all stored data |
| Access controls | Firestore security rules enforce per-user data isolation |
| PII scrubbing | Personal identifiers stripped before AI processing |
| No photo storage | Body photos processed in memory only, never persisted |
| Rate limiting | API rate limits prevent abuse |
| Input sanitisation | Prompt injection detection and content length limits |
| Authentication | Firebase Authentication with secure session management |
Data Breach Response
In the event of a data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the Office of the Australian Information Commissioner (OAIC) within 72 hours of becoming aware of the breach, as required by the Notifiable Data Breaches (NDB) scheme.
- We will notify affected users without undue delay, including a description of the breach, the data affected, and steps we are taking.
- For users covered by GDPR, we will also notify the relevant supervisory authority within 72 hours per GDPR Article 33.
8. Your Rights
You have the following rights regarding your personal data:
| Right | What It Means | How to Exercise It |
|---|---|---|
| Access | See what data we hold about you | Contact privacy@pelaris.io |
| Correction | Fix inaccurate data | Edit in-app or contact us |
| Deletion | Delete all your data permanently | In-app account deletion or contact us |
| Data portability | Receive your data in a machine-readable format | Contact privacy@pelaris.io (JSON export) |
| Withdraw consent | Stop optional data processing (analytics, body analysis) | In-app settings or contact us |
| Object | Object to processing based on legitimate interest | Contact privacy@pelaris.io |
| Restrict processing | Limit how we use your data while a concern is resolved | Contact privacy@pelaris.io |
| Complaint | Lodge a complaint with a supervisory authority | See “Complaints” section below |
Account Deletion
You can delete your account from within the app (Profile > Settings > Delete Account). When you delete your account:
- Your account is immediately disabled
- All personal data is permanently deleted within 30 days, including your profile, all training programs, workout history, body measurements, goals, coaching conversations, and preferences
- Firebase Authentication record is deleted
- Anonymised, aggregated analytics data that cannot identify you may be retained
Automated Decision-Making
Pelaris uses AI to generate training programs, coaching responses, and body composition estimates. These are automated recommendations. Under GDPR Article 22, you have the right to:
- Be informed that automated decision-making is used (this section serves that purpose)
- Request human review of any AI-generated recommendation
- Express your point of view and contest an AI decision
- Contact us if you believe an AI output is inaccurate or unsafe
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Retained while your account is active |
| Training data and workout history | Retained while your account is active |
| Body measurements | Retained while your account is active |
| Coach conversation history | Retained while your account is active |
| Body photos | Never retained — processed and immediately discarded |
| Analytics data (if consented) | Anonymised and retained indefinitely |
| Error/crash reports (if consented) | Retained for up to 90 days |
| Deleted accounts | All data permanently deleted within 30 days of deletion request |
10. Children’s Privacy
Pelaris is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that we have collected data from a child under 16, we will delete that data promptly.
If you are a parent or guardian and believe your child has provided personal data to Pelaris, please contact us at privacy@pelaris.io.
11. Cookies & Tracking
Pelaris is a web application. We use the following technologies:
| Technology | Type | Consent Required? | Purpose |
|---|---|---|---|
| Firebase Auth tokens | Strictly necessary | No | Login and session management |
| Firestore local persistence | Strictly necessary | No | Offline functionality |
| Session cookies | Strictly necessary | No | App functionality |
| Firebase Analytics | Optional (analytics) | Yes | Understanding feature usage |
Your Choices
- Essential technologies are required for the app to function and cannot be disabled.
- Analytics are only enabled if you consent. You can withdraw consent at any time through your account settings.
- We do not use any third-party advertising cookies or tracking pixels.
12. International Data Transfers
Your data is primarily stored and processed in Australia (Sydney, australia-southeast1). Google Cloud processes AI requests within its infrastructure under enterprise data processing terms.
For users in the European Economic Area (EEA) or United Kingdom:
- Data transfers to Google Cloud are covered by Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Google Cloud’s Data Processing Addendum addresses GDPR transfer requirements.
13. Changes to This Policy
We may update this privacy policy from time to time. When we make changes:
- Minor changes (clarifications, formatting): Updated on this page with a new “Last updated” date.
- Material changes (new data collection, new third parties, changes to your rights): We will notify you via email and/or an in-app notice at least 14 days before the changes take effect.
If a material change requires your renewed consent, we will ask for it explicitly. Continued use of Pelaris after being notified of changes constitutes acceptance of the updated policy.
We maintain a version history of this policy. Previous versions are available on request.
Consent Versioning
When you create your account or accept an updated policy, we record which version of this privacy policy you consented to (e.g., “v1.0”) on your account profile. This allows us to:
- Track which users have accepted which policy version
- Identify users who need to re-consent after a material change
- Maintain an audit trail for legal compliance
If you have not accepted the current policy version, we may prompt you to review and accept it before continuing to use certain features.
14. Contact & Complaints
Privacy Inquiries
For any questions about this privacy policy or your personal data:
Email: privacy@pelaris.io
We aim to respond to all privacy inquiries within 14 days.
Complaints
Australia: If you believe we have breached the Australian Privacy Principles, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: https://www.oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
European Union / United Kingdom: If you are in the EEA or UK and believe we have breached GDPR, you can lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
15. Legal Basis Summary (GDPR)
For users covered by GDPR, here is a summary of our legal bases for processing:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b)) |
| AI training program generation | Performance of contract (Art. 6(1)(b)) |
| AI coaching responses | Performance of contract (Art. 6(1)(b)) |
| Processing health/fitness data | Explicit consent (Art. 9(2)(a)) |
| Body photo analysis | Explicit consent (Art. 9(2)(a)) |
| Usage analytics | Consent (Art. 6(1)(a)) |
| Error reporting | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
16. Australian Privacy Principles Compliance
Pelaris complies with the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988:
| APP | Principle | How We Comply |
|---|---|---|
| 1 | Open and transparent management | This privacy policy; privacy contact available |
| 2 | Anonymity and pseudonymity | Users can use a display name; PII scrubbed for AI processing |
| 3 | Collection of solicited personal information | We only collect data necessary for the service; sensitive data (health, body) requires explicit consent |
| 4 | Dealing with unsolicited personal information | We do not seek or retain unsolicited personal information |
| 5 | Notification of collection | This policy and in-app notices inform you of collection |
| 6 | Use or disclosure | Data used only for stated purposes; not disclosed without consent |
| 7 | Direct marketing | We do not use personal data for direct marketing without consent |
| 8 | Cross-border disclosure | Data stored in Australia; AI processing under Google Cloud enterprise terms with appropriate safeguards |
| 9 | Adoption, use, or disclosure of government-related identifiers | Not applicable — we do not collect government identifiers |
| 10 | Quality of personal information | You can correct your data in-app or by contacting us |
| 11 | Security of personal information | Encryption, access controls, PII scrubbing, secure infrastructure (see Section 7) |
| 12 | Access to personal information | You can request access to all data we hold about you |
| 13 | Correction of personal information | You can correct inaccurate data in-app or by contacting us |
This privacy policy is effective as of 21 March 2026.
Pelaris is committed to protecting your privacy. If anything in this policy is unclear, please contact us at privacy@pelaris.io — we’d rather explain than confuse.