Privacy Policy

Last updated

The short version

  • 01 Loonstep is a coaching tool. To make it work we collect your account info, your training profile (age, sex, height, weight, injuries), the workouts you log, and the chat conversations you have with the coach.
  • 02 We host in Germany. Authentication and the database run in Frankfurt. Some processing (chat completions, marketing-site delivery, transactional email) transits the United States under standard contractual clauses.
  • 03 We don't sell your data. We don't use your training data or chat content for advertising. We don't train AI models on your conversations.
  • 04 You can ask for a copy of your data, correct it, or delete your account at any time. Email privacy@loonstep.com. We'll act within 30 days.
  • 05 You must be 16 or older to use Loonstep.

1. Who we are

Loonstep ("we", "us", "our") is a personal-coaching service for athletes who train with both weights and running. Loonstep is operated by Juan Mugica, an individual data controller established in Spain. For the purposes of the EU General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), Juan Mugica is the data controller for the personal data described in this policy.

You can reach us at privacy@loonstep.com for any privacy or data-protection question.

2. What we collect

We collect only what we need to run the coaching service.

Account

  • Email address (used as your login identifier and for transactional email).
  • Display name and locale preference, where you provide them.
  • An authentication identifier issued by our auth provider (Supabase). Your password is held by Supabase and is never stored on our servers.

Training profile

  • Age, sex, height, body weight history.
  • Training experience, available equipment, schedule constraints.
  • Injuries, medical considerations, or movement restrictions you choose to share.
  • Goals and dietary preferences, where you provide them.

Some of this information (body weight, injury history, and any health context you volunteer) may qualify as a special category of personal data under Article 9 GDPR (data concerning health). We process this category only with your explicit consent, given when you create your account and complete onboarding, and only to provide the coaching service. You can withdraw consent at any time by deleting your account or by editing or removing the relevant fields.

Workout and nutrition data

  • Lifting sessions: exercises, sets, repetitions, weights, RPE/RIR ratings, free-text notes.
  • Running sessions: distance, duration, pace, perceived effort, surface, footwear, free-text notes.
  • Body weight logs.
  • Nutrition logs (calories, protein, free-text notes), if you choose to record them.
  • Programmes, mesocycle plans, exercise preferences, and progression history we generate from your inputs.

Coach conversations

  • The text of messages you exchange with the coach.
  • Any images you upload in the chat (for example, photos of your gym setup or form checks).
  • Tool calls the coach issues against your training data while answering you, and the resulting outputs.

Coach conversations may include health-related content you choose to share (symptoms, fatigue, recovery, mood, dietary intake). Treat the chat as you would a notebook, not a clinical record. See the AI and chat content section below for how this data is processed.

Technical data

  • IP address and request metadata, as part of standard server logging by our CDN (Cloudflare) and reverse proxy (Caddy).
  • Aggregated, cookie-free analytics about marketing-site visits via Cloudflare Web Analytics.

3. How we use your data

  • To operate the service: build and adapt your training programme, log your sessions, run the conversational coach, and surface progress.
  • To send transactional email: sign-up confirmation, password resets, account-related notices. We do not send marketing email.
  • To secure the service: rate limiting, abuse detection, error diagnosis.
  • To understand how features are used and improve the service, only where you have consented to product analytics via the cookie banner in the application.
  • To comply with legal obligations.

The lawful bases on which we rely are: performance of a contract with you (Article 6(1)(b) GDPR) for the core service; explicit consent (Article 9(2)(a)) for processing of health-related data; and our legitimate interests (Article 6(1)(f)) for security, fraud prevention, and service-integrity logging. We do not use your data for advertising, profiling for third parties, or any form of automated decision-making producing legal effects.

4. Sub-processors

We use a small number of carefully selected third parties to operate Loonstep. Each is bound by a written data-processing agreement and processes your data only on our instructions.

  • Supabase
    Purpose: Authentication and database hosting (passwords, JWT issuance, application data).
    Region: Frankfurt, Germany (EU).
    Transfer basis: EU/EEA (no transfer).
  • Hetzner Online GmbH
    Purpose: Server hosting for the API, database, and file storage.
    Region: Falkenstein/Nuremberg, Germany (EU).
    Transfer basis: EU/EEA (no transfer).
  • Cloudflare
    Purpose: CDN, DDoS protection, TLS termination at the edge; cookie-free aggregate analytics on the marketing site.
    Region: Global edge network; corporate in the United States.
    Transfer basis: EU SCCs (Commission Decision 2021/914); EU-U.S. Data Privacy Framework.
  • PostHog
    Purpose: Product analytics (funnel and retention) and session replay with masked form inputs, only on the application at app.loonstep.com and only after you accept the cookie banner.
    Region: Frankfurt, Germany (EU).
    Transfer basis: EU/EEA (no transfer).
  • Resend (via Supabase SMTP relay)
    Purpose: Delivery of transactional email (sign-up, password reset, account notices).
    Region: United States.
    Transfer basis: EU SCCs.
  • OpenRouter
    Purpose: API gateway for the language model that powers the coach chat.
    Region: United States.
    Transfer basis: EU SCCs.
  • Upstream model provider (currently Google, via OpenRouter)
    Purpose: Generates coach replies. The specific provider may change as models improve.
    Region: United States or other Google data-processing regions.
    Transfer basis: EU SCCs (back-to-back via OpenRouter).

We will update this list before adding a new sub-processor. If you want to be notified of changes, write to privacy@loonstep.com.

5. AI and chat content

The coach is powered by a large language model accessed through OpenRouter. When you send a message, the following is forwarded for the model to generate a reply:

  • Your message text and any images you attached.
  • A bounded summary of recent conversation (typically the last few messages from up to a week back).
  • The training context the coach needs to answer: your profile, your active programme, your most recent sessions.

OpenRouter does not retain prompt content for training by default, and we do not opt into any training-data retention scheme. The upstream model provider operates under its own data-handling terms, which we have reviewed; we do not authorize use of your data to train models. Both relationships are governed by EU SCCs.

The coach's outputs are generated by software. They can be wrong. They are not medical advice, not a diagnosis, and not a substitute for guidance from a qualified physician, physiotherapist, or coach. See the Terms for the full health disclaimer.

6. How long we keep your data

  • Account, profile, training data, chat: retained for as long as your account exists.
  • After deletion: personal data is erased from live systems within 30 days; encrypted backups age out and are overwritten within a further 30 days. We do not restore data once deletion has been processed.
  • Server logs (CDN, reverse proxy, application): ephemeral; rotated by the container runtime within days of generation. Not used for profiling.
  • Aggregate site analytics: Cloudflare Web Analytics retains only anonymized, cookie-free aggregates; no individual visitor profile is created.
  • Records required by law: a small set of records (for example, billing records, where applicable) may be retained for the period required by Spanish or EU law (typically up to 6 years for fiscal records under Spanish commercial law). Where this applies, the data is locked to the legal-retention purpose and used for no other purpose.

7. Your rights

Under the GDPR you have the following rights with respect to your personal data:

  • Access: receive a copy of the data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: have your data deleted (see Section 8).
  • Restriction: pause processing while a question about it is resolved.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on our legitimate interests.
  • Withdraw consent: for any processing based on consent. Withdrawal does not affect lawfulness of prior processing.
  • Lodge a complaint: with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, aepd.es) or with the data-protection authority of your EU country of residence.

To exercise any of these rights, email privacy@loonstep.com from the address on your account. We respond within 30 days, extendable by up to a further 60 days for complex or numerous requests, with notice. We do not charge a fee unless requests are manifestly unfounded or excessive.

8. Account deletion

You can delete your account and all personal data we hold about you from inside the app: open the menu, go to settings, and choose Delete account. The action is immediate and irreversible. It removes your profile, programmes, training sessions, runs, chat history, exercise preferences, body-weight log, integrations, and the authentication record we hold for you.

If you cannot reach the in-app control (for example, you have lost access to the email on your account), email privacy@loonstep.com from the address on your account. We confirm receipt within two business days and complete the deletion within 30 days of confirmation. Encrypted backups containing residual data age out within a further 30 days. After that, your data is gone. We cannot retrieve it for you.

9. Cookies and tracking

The marketing site at loonstep.com uses Cloudflare Web Analytics, which is cookieless and does not create an individual visitor profile.

The application at app.loonstep.com uses a small number of strictly necessary cookies issued by our authentication provider to keep you signed in. These cookies are required for the service to work and do not require consent.

The application also offers product analytics and session replay through PostHog (EU-hosted in Frankfurt). These are off by default. The first time you open the application we show a banner asking whether you accept analytics cookies. If you accept, PostHog sets session cookies on app.loonstep.com that record which screens you visit, which actions you take inside the app (for example, completing onboarding or logging a session), and a replay of your session with all form inputs masked: text fields render as opaque dots, never as their actual content, so chat messages, body weights, free-text notes, and similar are not captured. If you decline, no PostHog cookies are set and no analytics events are sent. You can change your decision at any time from the Privacy section of your profile page in the application, which clears any analytics cookies and stops further capture.

We do not use advertising cookies, marketing pixels, social-media trackers, or cross-site tracking technologies, and we never will without revising this policy first and asking you explicitly.

10. Children

Loonstep is not intended for users under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided personal data to us, contact privacy@loonstep.com and we will delete the account.

11. International transfers

Your account, training data, and the database that holds it remain in the European Union (Frankfurt, Germany). Some processors involved in delivering the service operate from the United States, in particular our CDN (Cloudflare), the email-delivery service that carries our transactional mail (Resend, via our authentication provider's SMTP relay), and the language model that powers the coach chat (OpenRouter, with upstream providers including Google). These transfers take place under the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), supplemented where applicable by the EU-U.S. Data Privacy Framework. You can request a copy of the relevant safeguards by writing to privacy@loonstep.com.

12. Security

We use TLS in transit, encrypted storage at rest, scoped database credentials, and standard server-hardening practices on our hosting environment. No system is perfectly secure. If a personal-data breach occurs that is likely to result in risk to your rights and freedoms, we will notify the Spanish Data Protection Agency within 72 hours of becoming aware and will notify affected users without undue delay where the risk is high.

13. Changes to this policy

We update this policy when our practices change. The "Last updated" date at the top of this page reflects the current version. For material changes (for example, adding a new sub-processor that handles substantive personal data, or changing the lawful basis of processing) we will notify you by email before the change takes effect.

14. Contact

For privacy questions, data-subject requests, or concerns about how we handle your data, email privacy@loonstep.com.

See also: Terms of Service.