Privacy Policy

Loria is an AI-powered sports training platform personalised to female physiology. We are a UK-based data controller. For the purposes of UK GDPR and EU GDPR, the data controller is Loria.

Email: hello@getloria.com

We collect the following categories of personal data:

Account Data

• Email address
• Password (stored as a secure hash via Supabase Auth — we never store your plain-text password)

Profile & Onboarding Data

• Life stage (e.g. reproductive years, perimenopause, post-menopause)
• Training context (goals, current weekly volume, session types, scheduled commitments)
• Menstrual cycle inputs (e.g. cycle length, current phase)
• Perimenopause-related inputs (e.g. symptom patterns, hormonal context)

Daily Check-in Data

• Energy levels
• Sleep quality and duration
• Symptoms (physical and emotional)
• Free-text notes

Strava Data (via OAuth)

If you connect your Strava account, we access the following data under the scopes you authorise:

• Activity type, name, date, and duration
• Distance and elevation
• Heart rate data (where recorded)
• Power data (where available)
• Pace and speed

We do not access private messages, payment information, or any Strava data outside the scopes explicitly listed above.

Device & Usage Data

• Basic session logs (feature usage, navigation)
• Error and diagnostic reports
• Device type and operating system (for debugging purposes)

We use your personal data to:

• Generate and dynamically adapt your training plan based on your physiology, check-in data, and Strava activity
• Personalise insights, explanations, and recommendations within the app
• Operate, maintain, and improve the Loria service
• Ensure the security of your account and our platform
• Communicate important service updates with you

Loria uses the Lovable AI Gateway to power training plan generation and in-app chat features.

• When you interact with AI features, relevant context — including your profile data and recent check-ins — is sent to the AI model to generate a personalised response. This context relates solely to you.
• We do not sell your personal data.
• We do not use your personal data to train third-party foundation models. Data submitted to AI features is used only to generate your response in that session.

AI-generated content is provided for training guidance purposes only and does not constitute medical advice. See Section 9 of our Terms of Service.

Connecting your Strava account is optional. When you connect, you will be asked to authorise specific OAuth scopes. Loria will only request the minimum scopes necessary to read your activity data (as listed in Section 2).

• You can disconnect your Strava account from within the Loria app at any time via Settings → Integrations.
• To revoke Loria's access directly from Strava: log in to strava.com → Settings → My Apps, then click 'Revoke Access' next to Loria.
• Revoking access will stop any future data sync. Data already imported will be retained in accordance with Section 9 (Retention) unless you request deletion.

We process your personal data under the following legal bases (UK GDPR / EU GDPR):

Contract (Article 6(1)(b))

Processing necessary to provide the Loria service you have signed up for, including account creation, training plan generation, and check-in logging.

Consent (Article 6(1)(a) and Article 9(2)(a))

Where we process special-category health data — including menstrual cycle data, perimenopause inputs, symptoms, and heart rate — we rely on your explicit consent. You may withdraw consent at any time by deleting your data or contacting us (see Section 10).

Legitimate Interests (Article 6(1)(f))

For basic usage analytics, error logging, and service security, where these interests are not overridden by your rights and interests.

We do not sell your personal data. We share data only with the following processors, under appropriate data processing agreements:

• Supabase — database hosting, authentication, and row-level security. Data stored in the EU (Ireland).
• Lovable Cloud — application hosting and AI gateway for plan generation and chat.
• Strava — activity data provider (only where you have connected your account).
• AI model providers via Lovable AI Gateway — for AI-powered features. Data is not used for model training.
• Email delivery provider — for transactional emails such as account verification, operated via our authentication provider.
• PostHog — product analytics and session replay (EU region). Used to understand how the product is used and to fix bugs. No data is sold or used for advertising.

Some of our processors are based outside the UK and EU, including in the United States. Where data is transferred internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreements (IDTAs) where applicable

You can request details of the specific safeguards in place by contacting us at hello@getloria.com.

• We retain your personal data for as long as your account is active.
• Upon account deletion, your data will be deleted within 30 days of your request.
• Encrypted backups may retain your data for a limited period (typically up to 30 days) after deletion, after which it is permanently removed.
• Aggregated, anonymised analytics data may be retained indefinitely as it cannot identify you.

Under UK GDPR and EU GDPR, you have the following rights:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — ask us to correct inaccurate or incomplete data
• Right to erasure — ask us to delete your personal data ('right to be forgotten')
• Right to restriction — ask us to restrict how we process your data in certain circumstances
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — for any processing based on consent, including special-category health data
• Right to complain to the ICO — you may lodge a complaint with the Information Commissioner's Office at ico.org.uk

To exercise any of these rights, including account deletion or a data export, contact us at hello@getloria.com. We will respond within one calendar month.

Loria is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with their data, please contact us and we will delete it promptly.

We take the security of your personal data seriously. Our measures include:

• Encryption in transit (TLS/HTTPS) for all data transmitted to and from the app
• Encryption at rest for data stored in our database
• Row-Level Security (RLS) policies in Supabase, ensuring you can only access your own data
• Access controls limiting staff access to personal data on a need-to-know basis

No system is entirely secure. If you suspect a security incident, please contact us immediately at hello@getloria.com.

In version 1 of Loria:

• We use essential session cookies to keep you logged in
• We use local storage for UI preferences (e.g. light/dark mode)
• We do not use advertising trackers, third-party analytics cookies, or marketing pixels

If we introduce any non-essential cookies in future versions, we will update this policy and obtain your consent where required.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via an in-app notification, and update the 'Last updated' date at the top of this document. We encourage you to review this policy periodically.

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

Email: hello@getloria.com