Privacy Policy

Effective date: 2026-06-18

Miles is an AI running coach that connects your training data (such as your Garmin Connect runs) to an AI model to give you personalised coaching. Because Miles handles information about your health and fitness, we take your privacy seriously. This policy explains what we collect, why, how we protect it, and the rights you have over it.

1. Who we are

Miles is operated by Sami Mustapha, an individual based in London, United Kingdom (the “data controller” — the person who decides how and why your data is used). For any privacy question or to exercise your rights, contact us at smustapha97@gmail.com.

2. The data we collect

Category	What it includes
Account	Your email address, and (if you sign in with Google) your basic Google profile. Passwords are handled by our authentication provider and are never seen or stored by Miles.
Profile	Your name, age, maximum heart rate, training preferences, and your city (used to fetch weather for your runs).
Health & fitness activity	Your running activities and their metrics — heart rate, pace, distance, duration, cadence, elevation, lap splits, route/location data, and weather conditions. This is “special category” health data under UK GDPR.
Coaching context	Notes about your goals, training history and any injury or health history you choose to share with the coach.
Coach conversations	The messages you exchange with the AI coach.
Connection credentials	If you connect Garmin, your Garmin login and access token — stored encrypted at rest and used only to sync your runs.
Usage	Records of AI actions you take (for fair-use limits and to keep the service running). We do not run third-party advertising trackers.

3. Why we use it, and our lawful bases

To provide the coaching service — syncing your runs, generating training plans, analysing sessions, and answering your questions. Lawful basis: performance of our contract with you (UK GDPR Art. 6(1)(b)).
To process your health & fitness data — heart rate, training load, injury history and similar. Because this is special-category data, our lawful basis is your explicit consent (UK GDPR Art. 9(2)(a)), which you give when you create your account. You can withdraw it at any time (see Your rights).
To keep the service secure and reliable — fair-use limits, abuse prevention, debugging. Lawful basis: our legitimate interests in running a safe service.

We do not sell your data, and we do not use it for advertising.

4. AI processing

To generate coaching, relevant parts of your data (for example your recent runs and your messages) are sent to our AI provider, Anthropic (the Claude API). Anthropic processes this to return a response and, under its commercial API terms, does not use it to train its models. We send only what's needed for the coaching task.

5. Who we share it with

We don't sell your data. We use a small number of trusted service providers (“processors”) who handle data on our behalf, under contract, only to run Miles:

Provider	Purpose	Location
Supabase	Database & account authentication (where your data is stored)	EU
Render	Application hosting	EU / US
Anthropic	AI coaching responses (Claude API)	US
Garmin Connect	Source of your run data (only if you connect it)	US
Google	Sign-in (only if you choose “Continue with Google”)	US
Brevo	Sending account & confirmation emails	EU

We may also disclose data if required by law, or to protect the rights, safety or security of users or the service.

6. International transfers

Your data is stored primarily in the European Economic Area (EEA). Some of our providers (such as Anthropic and, depending on region, Render) process data in the United States. Where data leaves the UK/EEA, it is protected by appropriate safeguards — typically the providers' Standard Contractual Clauses and their data-processing agreements.

7. How long we keep it

We keep your data for as long as your account is active. If you delete your account, your data is permanently erased from our database, and your login account is removed. Backups holding residual copies are rotated and expire on a rolling basis. You can export or delete your data at any time from Settings.

8. Your rights

Under UK GDPR you have the right to:

Access — get a copy of your data. Use Settings → Your data → Download my data, or email us.
Portability — receive your data in a structured, machine-readable format (the export is JSON).
Rectification — correct inaccurate data (edit it in the app, or ask us).
Erasure — delete your account and data. Use Settings → Your data → Delete my account.
Restriction / objection — limit or object to certain processing.
Withdraw consent — withdraw your consent to health-data processing at any time. Because health data is essential to coaching, withdrawing it generally means deleting your account.

You also have the right to complain to the UK's data-protection regulator, the Information Commissioner's Office (ICO).

9. How we protect your data

Connections are encrypted in transit (HTTPS/TLS). Your Garmin credentials and login token are encrypted at rest. Access to your data is scoped to your account on every request, and administrative access is limited. No system is perfectly secure, but we take reasonable technical and organisational measures to protect your information.

10. Children

Miles is not intended for anyone under 18. We do not knowingly collect data from children.

11. Changes to this policy

We may update this policy as Miles evolves. When we make material changes we'll update the effective date above and, where appropriate, ask for renewed consent.

12. A note on this beta

Miles is currently in a private beta. Features and providers may change. We'll keep this policy current as that happens.

Contact

Questions or requests: smustapha97@gmail.com.

Read the Terms of Service →