Athlea Legal

Privacy Policy

Back

Athlea Ltd

Effective Date: 15 May 2026

Version: 1.0

At a glance

Who we are
Athlea Ltd, 86-90 Paul Street, London EC2A 4NE. Company No. 15171507.
What we collect
Account information, usage data, content you upload, API credentials, and analytics data.
Why we collect it
To provide the Services, improve AI features, process payments, and meet legal obligations.
Who we share it with
Cloud infrastructure providers, analytics providers, payment processors, and where required by law.
International transfers
Data may be transferred to the United States using UK GDPR-compliant safeguards, including UK SCCs.
How long we keep it
While your account is active, plus applicable legal retention periods described below.
Your rights
Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where applicable.
Cookies
Strictly necessary cookies and Google Analytics / GA4. See Section 10 for details.

This Privacy Policy explains how Athlea Ltd processes personal data when you use the Athlea web application, mobile applications, API, developer tools, and related AI-powered services.

1. Who We Are and How to Contact Us

Athlea Ltd is the data controller for personal data processed in connection with the Services.

ItemDetails
Company nameAthlea Ltd
Registered address86-90 Paul Street, London, EC2A 4NE, United Kingdom
Company number15171507 (England & Wales)
D-U-N-S number231045098
Incorporated28 September 2023
Privacy contactprivacy@athlea.ai
General enquirieshello@athlea.ai

You have the right to lodge a complaint with the UK Information Commissioner's Office if you are not satisfied with how we handle your data.

Website: www.ico.org.uk

2. Scope of This Policy

This Privacy Policy applies to all personal data we collect and process when you use:

  • the Athlea web application at www.athlea.ai;
  • the Athlea mobile applications on iOS and Android;
  • the Athlea API and developer tools; and
  • any AI-powered features within the above.

This Policy applies to Consumers, Business Users, and Developers. Where Athlea acts as a data processor on behalf of a Business User, that relationship is governed by a separate Data Processing Agreement. To request a DPA, contact legal@athlea.ai.

3. Personal Data We Collect

3.1 Data You Provide Directly

  • Account information: name, email address, password hash, organisation name for Business Users, and any profile details you choose to add.
  • Billing information: billing address and payment card details processed by our payment provider. We do not store raw card data.
  • Content: any data, text, files, or other material you upload, create, or share.
  • Communications: emails, support tickets, and in-app feedback.
  • API credentials: API keys and related developer account information.

3.2 Data We Collect Automatically

  • Usage data such as pages viewed, features used, actions taken, and session duration.
  • Device and browser data including IP address, browser type and version, operating system, device identifiers, and time zone.
  • Log data, error reports, and diagnostic information.
  • API usage data including request timestamps, endpoints called, response times, and error rates associated with your account.

3.3 Data from Third Parties

  • Authentication providers such as Google or Apple, which may supply basic profile information like your name and email.
  • Pseudonymised behavioural analytics data via Google Analytics / GA4.
  • Payment processors that confirm successful or failed payment transactions.

3.4 Special Categories

We do not intentionally collect special category data such as health, biometric, or religious data. Please do not upload such data to the Services. If your use case requires this, contact privacy@athlea.ai before uploading it so appropriate safeguards can be discussed.

4. How We Use Your Personal Data

The table below sets out our purposes for processing and the legal basis under the UK GDPR for each.

PurposeExamplesLegal Basis
Providing the ServicesAccount management, web and mobile delivery, AI features, API accessArticle 6(1)(b) - performance of contract
Processing paymentsSubscription billing, invoicing, fraud preventionArticle 6(1)(b) contract; Article 6(1)(c) legal obligation
Improving the ServicesUsage analysis, debugging, AI model improvementArticle 6(1)(f) legitimate interests
AI model trainingTraining and evaluating AI models using content, subject to your settingsArticle 6(1)(f) legitimate interests or Article 6(1)(a) consent
SecuritySuspicious activity monitoring and breach investigationArticle 6(1)(f) legitimate interests
Legal complianceTax, accounting, regulatory obligations, lawful requestsArticle 6(1)(c) legal obligation
Support and communicationsSupport responses, service updates, terms change notificationsArticle 6(1)(b) contract; Article 6(1)(f) legitimate interests
MarketingProduct news, feature updates, relevant offersArticle 6(1)(a) consent

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests at any time.

5. Artificial Intelligence and Your Data

5.1 AI-Generated Outputs

When you use AI Features, your prompts, content, and queries are processed to generate outputs. Inputs may be retained for a limited period to enable debugging, safety monitoring, and service improvement.

5.2 Training Data

By default, Athlea may use anonymised or pseudonymised content and interaction data to train, evaluate, and improve its AI models. We take reasonable steps to remove or obscure personal identifiers before using data for training purposes.

Business Users and individual users who do not want their data used for AI training may opt out via account settings or by emailing privacy@athlea.ai. Opting out does not affect our ability to use your data for other purposes described in this Policy.

5.3 Third-Party AI Infrastructure

Some AI Features are delivered using third-party AI infrastructure and model providers. Where this involves transferring personal data outside the UK or EEA, appropriate safeguards are used. We do not pass identifiable personal data to third-party AI providers beyond what is necessary to fulfil your specific request.

6. Who We Share Your Data With

We do not sell your personal data. We share it only in the following circumstances.

6.1 Service Providers (Data Processors)

  • Cloud infrastructure: Microsoft Azure for hosting, storage, and compute. Data may be hosted in UK, EU, and US regions.
  • Analytics: Google LLC for Google Analytics / GA4. Data is pseudonymised.
  • Payment processing: PCI DSS-compliant third-party payment processors for subscription billing.
  • Email and communications providers for transactional and service email delivery.
  • Security and monitoring tools for uptime, error tracking, and incident detection.

6.2 Business Transfers

If Athlea is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before any such transfer takes effect.

6.3 Legal Requirements

We may disclose personal data where required by law, court order, or regulatory authority, or where reasonably necessary to protect the rights, property, or safety of Athlea, our users, or the public.

6.4 With Your Consent

We may share your data with third parties where you have given us explicit consent.

7. International Transfers of Personal Data

Athlea is based in the United Kingdom. Some service providers, including Microsoft Azure and other technology partners, process personal data in the United States or other countries outside the UK and EEA.

Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including UK Standard Contractual Clauses, UK adequacy regulations where applicable, and technical and organisational measures such as transport encryption, encryption at rest, pseudonymisation, and access controls.

You may request a copy of the relevant transfer safeguards by contacting privacy@athlea.ai.

8. Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes in this Policy, or as required by law.

Data typeRetention period
Account dataRetained while your account is active. Deleted within 30 days of account deletion, subject to legal holds.
Billing recordsRetained for 7 years following the transaction date to comply with UK tax and accounting obligations.
Content and AI inputsRetained while your account is active. Deleted within 90 days of account deletion, subject to rolling backup cycles.
Usage and analytics dataPseudonymised analytics retained for up to 26 months. Raw logs retained for up to 12 months.
Support communicationsRetained for 3 years after the issue is resolved.
API logsRetained for up to 12 months for security monitoring and debugging.
Legal and regulatory holdsRetained for longer where required by law. We will notify you where practicable.

9. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access (Article 15).
  • Right to rectification (Article 16).
  • Right to erasure (Article 17).
  • Right to restriction (Article 18).
  • Right to data portability (Article 20).
  • Right to object (Article 21).
  • Rights relating to solely automated decisions with significant effects (Article 22).
  • Right to withdraw consent where processing is based on consent.

To exercise any of these rights, contact privacy@athlea.ai. We will respond within one calendar month and may ask you to verify your identity. There is no charge for most requests.

If you are dissatisfied with our response, you may complain to the ICO:

  • Website: www.ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

10. Cookies and Tracking Technologies

10.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website or use our apps. We use cookies and similar technologies to operate the Services and understand usage patterns.

10.2 Cookies We Use

CategoryExamplesPurpose
Strictly necessarySession token, authentication cookieRequired for the Services to function. Cannot be disabled.
Performance / analyticsGoogle Analytics / GA4 (_ga, _gid, _gat)Measures how users interact with the Services. Data is pseudonymised and aggregated.
FunctionalUser preferences, language settingsRemembers your choices to improve your experience.
MarketingNot currently usedWe do not currently use advertising or targeting cookies.

10.3 Google Analytics / GA4

We use Google Analytics 4 to analyse how the Services are used. GA4 collects pseudonymised data including pages visited, session duration, and general device and location information. IP addresses are anonymised by default.

You can opt out of Google Analytics using the browser add-on provided by Google: https://tools.google.com/dlpage/gaoptout

10.4 Your Cookie Choices

When you first visit the Services, a cookie banner will allow you to accept or reject non-essential cookies. You can also manage cookies through your browser settings. For browser guidance, see www.allaboutcookies.org.

11. Security

  • Encryption of data in transit using TLS 1.2+ and at rest using AES-256.
  • Role-based access controls limiting access to authorised personnel only.
  • Regular security assessments and penetration testing.
  • Multi-factor authentication for internal systems.
  • Incident response procedures aligned with ICO breach notification requirements.

No method of transmission or storage is completely secure. If you suspect a security incident involving your account or personal data, contact admin@athlea.ai immediately.

12. Children's Privacy

The Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without appropriate consent, contact privacy@athlea.ai and we will delete it promptly.

13. Third-Party Links and Services

The Services may link to or integrate with third-party websites and services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you use in connection with Athlea.

14. Business Users and Data Processing Agreements

Where Athlea processes personal data on behalf of a Business User, Athlea acts as a data processor. In those cases:

  • a Data Processing Agreement must be in place between Athlea and the Business User;
  • the Business User is responsible for ensuring a valid legal basis for processing;
  • Athlea will process data only on the Business User's documented instructions; and
  • Athlea will assist the Business User in meeting its obligations under applicable data protection law.

To request a DPA, contact admin@athlea.ai.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or via in-app notice at least 14 days before they take effect. The effective date at the top of this Policy shows when it was last updated.

16. Contact and Complaints

Contact purposeDetails
Privacy enquiries and rights requestsadmin@athlea.ai
Registered addressAthlea Ltd, 86-90 Paul Street, London, EC2A 4NE, United Kingdom
ICO (UK supervisory authority)www.ico.org.uk | 0303 123 1113