Privacy Policy
How PRYSM collects, uses, discloses, stores, and protects personal data when you use the website, app, and related services.
Publication status
Last updated: 2026-04-29
This page is part of PRYSM's public legal documentation and should be read together with the related legal pages linked in the footer.
Data controller
PRYSM is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you use prysm-running.com, the PRYSM web application, any future mobile application, and related services (together, the “Services”).
The data controller responsible for your personal data is Zian Collombier EI.
Privacy enquiries: privacy@prysm-running.com
Support: support@prysm-running.com
Full publisher and legal contact details are available in the PRYSM Legal Notice.
PRYSM has not appointed a Data Protection Officer (DPO) as it is not required under GDPR Article 37 in the current scope of processing. Privacy enquiries are handled directly by the data controller at privacy@prysm-running.com.
Scope of this policy
This Privacy Policy applies to:
- visitors to the PRYSM website
- users who create a PRYSM account and use the Services
- users who complete onboarding questionnaires or training profile forms
- users who view, manage, or follow training plans in PRYSM
- users who subscribe to paid features
- users who contact support or communicate with us
- users who choose to connect optional third-party fitness platforms, wearable ecosystems, or similar connected services
Personal data we collect
We may collect the following categories of personal data, depending on how you interact with the Services.
Account data
Name, email address, login credentials, authentication identifiers, account security information, language preferences, and account creation date.
Training profile and onboarding data
Athletic goals, current fitness level, training history, schedule availability, target races or events, performance benchmarks, and preferences communicated during onboarding or profile setup. Some of this data may constitute health-related or fitness-related data subject to heightened protections under applicable law.
Training and activity data
Planned and completed training sessions, duration, pace, distance, heart rate zones, perceived effort, session notes, ratings, adherence records, and similar performance data generated through use of the Services or imported from connected third-party fitness platforms, wearable ecosystems, or similar connected services.
Location data
When you import activities from connected fitness platforms (Strava, Polar, Garmin, COROS), we receive and store geolocation data associated with those activities, including GPS coordinates, route polylines, elevation profiles, and start and end locations. This data is used to display activity routes on in-app maps and to compute distance and elevation metrics.
We do not collect real-time location from your device. The PRYSM mobile application does not run background location tracking. Location data only enters PRYSM through your authorized third-party platform connections.
You can disconnect a fitness platform connection at any time to stop further location data imports. Existing imported route data remains in your training history unless you request deletion or delete your account.
Connected fitness platform data
If you choose to enable an available connection with a third-party fitness platform, wearable ecosystem, or similar connected service, PRYSM may receive from and send to that service selected data reasonably necessary to support the connected feature.
Depending on the connection, data we may receive can include:
- activity summaries and workout completion data
- session history and performance metrics
- training load indicators or readiness scores, where exposed by the platform
- sync metadata and account linkage identifiers required to maintain the connection
Data we may send to a connected platform may include:
- structured workout definitions, such as targets, intervals, zones, and duration
- planned session schedules, workout metadata, and plan details
- sync identifiers required to complete the connection
Connected fitness features are optional. PRYSM is designed to request only the permissions and data reasonably needed for the feature you choose to use. You can disconnect a connection at any time through PRYSM or, where available, through the third-party platform's own settings. Disconnecting stops future data exchange, but does not automatically delete historical data already stored in your PRYSM account unless you request deletion or delete your account.
Subscription and billing data
Subscription plan type, billing status, invoice records, and limited payment metadata, such as the last four digits of a payment method and billing country.
Depending on the platform you subscribe through, your payment is processed by a different provider:
- Web subscriptions are processed by Stripe. Full payment card data is held by Stripe and is not stored by PRYSM.
- iOS subscriptions are processed by Apple via the App Store In-App Purchase system. Apple is the data controller for the payment transaction. PRYSM receives only the transaction identifier, the product identifier, and the renewal status from Apple via App Store Server Notifications. PRYSM does not have access to your payment card data, billing address, or Apple ID.
In both cases, PRYSM stores your subscription tier and billing status to deliver the paid features you subscribed to.
Technical and device data
IP address, browser type and version, operating system, application version, device identifiers, session logs, authentication events, error reports, crash reports, and performance traces.
Crash reports and performance traces are collected via Sentry, our error monitoring sub-processor. To help us correlate issues with the affected user, we send a truncated form of your account identifier (the first 8 characters only) to Sentry along with each crash or performance event. Tokens, passwords, email addresses, and full names are never sent to Sentry; URL parameters containing tokens are redacted before transmission.
Push notification tokens
If you enable push notifications on the PRYSM mobile application, we generate and store a push notification token for your device. This token allows us to send you session reminders and coach feedback notifications. Push notifications are delivered through the Expo Push Notification Service, which routes the notification to Apple's APNs (iOS) or Google's FCM (Android). The token does not identify you personally to Expo, Apple, or Google beyond what is needed to deliver the notification.
You can disable push notifications at any time from your device settings or from PRYSM's notification preferences.
Support and communications data
The content of messages you send to us, including support requests, feedback, and any attachments or context you provide.
Analytics data
Where permitted or consented to, aggregated, pseudonymized, or otherwise privacy-protective usage data about how users interact with the Services, such as features used and session frequency, used to improve the platform.
No cross-app or cross-site tracking
PRYSM does not track you across other apps or websites. We do not use advertising identifiers (such as Apple's IDFA), and we do not share your personal data with advertising networks or data brokers. The PRYSM iOS application does not display the App Tracking Transparency prompt because no tracking takes place.
How we collect personal data
We collect personal data through the following means:
- directly from you, when you create an account, complete onboarding, configure your training profile, log workouts, subscribe to a paid plan, contact support, or communicate with us
- automatically, when you use the Services, including technical and device data
- from optional connected fitness platforms, if and when you choose to authorize an available connection
Purposes and legal bases for processing
We process personal data for the following purposes and on the following legal bases under the GDPR and, where applicable, other data protection laws.
Providing and managing the Services
Purpose: creating and managing your account, generating and delivering training plans, tracking progress, operating subscriptions, enabling connected fitness features, and providing technical support.
Legal basis: performance of a contract under Article 6(1)(b) GDPR, where this processing is necessary to deliver the Services you request or subscribe to.
Health and fitness data — special category data (GDPR Art. 9)
Purpose: processing training profile data, performance metrics, and fitness-related data to personalize your training plans and coaching experience. This includes: training metrics (pace, heart rate, distance, duration, elevation); physiological indicators (VDOT aerobic capacity estimate, Load Ratio (a normalized training load metric), fatigue indicators, perceived effort RPE); training history (completed sessions, compliance scores, progression trends); and coach interactions (messages exchanged with the AI coach, training preferences, injury flags).
This data constitutes special category data (health data) under GDPR Article 9. We process this data based on your explicit consent (Art. 9(2)(a) GDPR), which you provide when creating your account. You can withdraw your consent at any time by deleting your account or by contacting privacy@prysm-running.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, but will prevent us from providing personalized training features.
Given the processing of health data on a structured and recurring basis, PRYSM has conducted a Data Protection Impact Assessment (DPIA) under GDPR Article 35. The DPIA is summarized at prysm-running.com/dpia.
Service improvement and analytics
Purpose: improving the reliability, performance, and quality of the Services based on usage data.
Legal basis: legitimate interests under Article 6(1)(f) GDPR. Where analytics involve cookies or tracking technologies that require consent, we rely on your consent.
Security and fraud prevention
Purpose: detecting and preventing unauthorized access, abuse, or fraud, and maintaining the security of our systems.
Legal basis: legitimate interests under Article 6(1)(f) GDPR and, where applicable, compliance with legal obligations under Article 6(1)(c) GDPR.
Legal and regulatory compliance
Purpose: complying with applicable legal obligations, including tax, accounting, and financial reporting requirements, and responding to lawful requests from public authorities.
Legal basis: compliance with legal obligations under Article 6(1)(c) GDPR.
Marketing communications
Purpose: sending you updates, newsletters, or promotional content about PRYSM, where you have opted in or where otherwise permitted by applicable law.
Legal basis: consent under Article 6(1)(a) GDPR, where required. You may withdraw consent at any time by using the unsubscribe link in any marketing email or by contacting us.
Summary: legal bases by processing purpose
| Processing purpose | Legal basis | Data categories |
|---|---|---|
| Account creation and management | Contract execution (Art. 6(1)(b)) | Name, email |
| Training plan generation | Explicit consent (Art. 9(2)(a)) | Health / fitness data |
| AI coaching and personalization | Explicit consent (Art. 9(2)(a)) | Health data, coach messages |
| Connected platforms (Garmin, Strava, COROS, Polar) | Explicit consent (Art. 9(2)(a)) | Activity data |
| Activity route display | Explicit consent (Art. 9(2)(a)) | Location data (via connected platforms) |
| Payment processing | Contract execution (Art. 6(1)(b)) | Email, payment info |
| Error monitoring and security | Legitimate interest (Art. 6(1)(f)) | Technical logs |
| Marketing communications | Consent (Art. 6(1)(a)) | Email address |
Disclosure of personal data
PRYSM does not sell your personal data.
We may share personal data with carefully selected categories of recipients where this is necessary to operate, secure, support, or improve the Services, to process payments, to provide optional connected features you request, or to comply with legal obligations.
- hosting and cloud infrastructure providers
- authentication and account security providers
- payment processors and billing service providers
- email, communications, and customer support providers
- analytics and performance providers, where permitted or consented to under applicable law
- third-party fitness platforms and connected services that you choose to link to your account
- professional advisers, auditors, insurers, and legal or regulatory authorities where reasonably necessary
Where service providers process personal data on our behalf, we seek to ensure that they handle it under appropriate confidentiality, security, and data protection obligations and only for the purposes relevant to the service they provide to us.
Sub-processors
PRYSM uses the following sub-processors (data processors acting on our behalf). We have entered into Data Processing Agreements (DPAs) with each of them as required by GDPR Article 28.
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase (AWS eu-central-1) | Database hosting | EU (Frankfurt) | ✅ Signed |
| OpenAI | AI coaching and personalization | US | ✅ Signed (with SCCs) |
| Vercel | Application hosting and CDN | EU + US (Edge) | ✅ Signed |
| Sentry | Crash reporting and performance monitoring | EU or US (per project configuration) | ✅ Signed |
| Expo | Push notification delivery | US | ✅ Signed (Expo DPA) |
| Stripe | Payment processing (web subscriptions) | US | ✅ Signed (built-in) |
| Apple | Payment processing (iOS in-app purchases) | Global | Per Apple Developer Program terms |
| Garmin / COROS / Polar / Strava | Fitness data sync (optional, user-initiated) | US / EU | Per provider DPA |
AI processing and international data transfers
AI coach and personalization (OpenAI)
PRYSM uses OpenAI's API to power the AI training coach and session personalization. When you interact with the coach or when your training plan is personalized, the following data may be sent to OpenAI's servers:
- Your training profile (fitness level, goal, training phase)
- Session context (type, duration, intensity targets)
- Coach conversation messages
- Aggregated training metrics (Load Ratio, compliance, trends)
Data Processing Agreement: We have entered into a Data Processing Agreement (DPA) with OpenAI that includes Standard Contractual Clauses (SCCs) for international data transfers in accordance with GDPR Articles 28 and 46(2)(c).
Data retention by OpenAI: Under our API agreement, OpenAI does not use your data to train their models. API inputs and outputs are retained for up to 30 days for abuse monitoring purposes only, then permanently deleted.
Data minimization: We minimize the data sent to OpenAI by:
- Sending only aggregated metrics, not raw GPS data
- Truncating conversation history to the most recent exchanges
- Using anonymized identifiers — no email address or full name is sent to OpenAI
Other international transfers
PRYSM is based in France, within the European Union. Our database infrastructure is hosted in the EU (Frankfurt region). Other service providers, including our payment processor (Stripe) and application hosting provider (Vercel), may process data outside the EEA. Where such transfers occur, we use appropriate safeguards including Standard Contractual Clauses or adequacy decisions as required by GDPR Article 46.
You may request more information about relevant transfer safeguards by contacting privacy@prysm-running.com.
International transfers, data retention, and security
International data transfers
PRYSM is based in France, within the European Union. Some of our service providers and connected service partners may process personal data in countries other than your own, including outside the European Economic Area.
Where international transfers occur, we seek to use an appropriate legal basis and safeguard for the transfer, such as an adequacy decision, Standard Contractual Clauses, or another recognised transfer mechanism where required by applicable law. You may request more information about relevant safeguards by contacting privacy@prysm-running.com.
Data retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, or as required or permitted by applicable law.
- Account and training profile data: retained for the duration of your account, then deleted within 30 days of account closure (subject to limited backups for up to 90 days for disaster recovery)
- Training history and activity data: retained while your account is active and as needed to provide your training history and continuity of service
- Connected fitness platform data: retained while the connection is active and as needed to support the relevant feature; upon disconnection, no further data is imported, though historical data already received may be retained as part of your training history
- Subscription and billing data: retained as required by French and EU accounting and tax regulations, generally up to 10 years where applicable
- Support communications: retained for 3 years from the last contact, in line with French commercial dispute limitation periods
- Technical and security logs: retained for the period necessary for security monitoring and incident response, typically up to 12 months
- Analytics data: aggregated or anonymized data may be retained for longer where it no longer constitutes personal data
When personal data is no longer required, we aim to securely delete or anonymize it.
Security
PRYSM implements technical and organizational measures designed to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures are calibrated to the nature of the data and the associated risks, and include access controls, encryption in transit using TLS 1.2+, encryption at rest using AES-256 on our database (Supabase), authentication mechanisms, and continuous monitoring.
No method of transmission or storage is completely secure. If you become aware of any potential security issue relating to your PRYSM account, please contact us immediately at support@prysm-running.com.
Data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, PRYSM will notify the CNIL within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk, PRYSM will also inform affected users without undue delay, in accordance with GDPR Article 34.
Your rights
Depending on your location and applicable data protection law, you may have the following rights in relation to your personal data:
- Right of access, to obtain confirmation of whether we process your personal data and to receive a copy of it
- Right to rectification, to request correction of inaccurate or incomplete personal data
- Right to erasure, to request deletion of your personal data, subject to applicable legal exceptions
- Right to restriction of processing, to request that we limit how we use your personal data in certain circumstances
- Right to object, to object to processing based on legitimate interests or direct marketing
- Right to data portability, to receive your personal data in a structured, commonly used, and machine-readable format and, where technically feasible, to have it transmitted to another controller
- Right to withdraw consent, where processing is based on your consent, to withdraw that consent at any time without affecting the lawfulness of prior processing
- Right to lodge a complaint, to lodge a complaint with the CNIL or the competent supervisory authority in your country of residence
To exercise any of these rights, please contact privacy@prysm-running.com.
We will respond within the timeframes required by applicable law, generally within one month. We may need to verify your identity before processing your request.
Right to erasure — account deletion (Art. 17)
You can permanently delete your account and all associated data at any time from your Profile settings in the PRYSM dashboard. This action:
- Immediately cancels your active subscription
- Permanently deletes all your data from our database (training plans, sessions, coach conversations, connected integration data)
- Revokes access tokens for connected platforms (Garmin, Strava, COROS, Polar)
- Cannot be undone
Data already transmitted to third-party processors (OpenAI, Stripe) is subject to their respective retention policies as described in this Privacy Policy. To request deletion without accessing your account, email privacy@prysm-running.com.
iOS application specifics
This section covers data flows specific to the PRYSM iOS application available on the Apple App Store.
App Store Server Notifications
When you subscribe to PRYSM on iOS, Apple sends server-to-server notifications to PRYSM about your subscription lifecycle: initial purchase, renewal, cancellation, refund, billing retry, and revocation. These notifications contain the transaction identifier, product identifier, and the new subscription status — they do not contain your payment card data, Apple ID, or billing address. PRYSM uses these notifications to keep your subscription tier in sync with the actual state of your subscription.
App Privacy declaration
PRYSM provides a privacy nutrition label on the App Store that summarizes the categories of data the app collects and the purposes for that collection. This label is consistent with the present Privacy Policy. If you find any discrepancy, the present Privacy Policy is the authoritative document.
Apple HealthKit
The PRYSM iOS application integrates with Apple HealthKit on an opt-in basis. HealthKit is one of several optional sources for training and recovery data, alongside Strava, Polar, Garmin, and COROS.
When you enable Apple HealthKit from your Profile, PRYSM requests read-only access to the following data categories:
- Workouts
- Heart rate
- Resting heart rate
- Heart rate variability
- Sleep analysis
- Steps
- Body mass
PRYSM uses this data to enrich your training history and to inform the AI coach's personalized recommendations. PRYSM does not write any data back to Apple Health.
Apple HealthKit is optional. The application is fully functional without it. You can revoke HealthKit access at any time from iOS Settings → Privacy & Security → Health → PRYSM, or by disconnecting the integration from your PRYSM Profile.
Health data accessed through HealthKit is processed under your explicit consent (GDPR Article 9(2)(a)) as special category health data, consistent with the rest of this Privacy Policy.
Children, automated decision-making, updates, and contact
Children's privacy
The Services are not directed at children under the age of 16. During account creation, users confirm that they are at least 16 years old. PRYSM does not actively verify age but will delete the account and associated data of any user we identify as being under 16.
If you believe that a child under 16 has provided personal data to PRYSM without appropriate authorization, please contact us at privacy@prysm-running.com and we will take appropriate steps to address the issue, including data deletion.
Automated decision-making
PRYSM uses algorithmic and AI-assisted processes to generate personalized training plans and recommendations. These processes combine:
- a deterministic calculation engine (based on VDOT, training load, recovery metrics, and structured rules), which is the source of truth for plan structure, intensity, and progression;
- a large language model (currently OpenAI), which formulates the coach's natural-language output and contextualizes deterministic decisions, but does not make decisions on your behalf.
These outputs are intended to support your training decisions and coaching experience. They do not produce legal effects or similarly significant effects on you. You retain full control over whether to follow, modify, postpone, or ignore any recommendation, and the application does not act on your behalf based on these outputs.
You have the right to obtain human intervention regarding any recommendation generated by the Services, to express your point of view, and to contest the recommendation. To exercise this right, contact privacy@prysm-running.com.
Updates to this policy
PRYSM may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or data practices. When we make material changes, we may notify you by email or through a prominent notice within the Services before the changes take effect. The “Last updated” date at the top of this page indicates when this Privacy Policy was most recently revised.
We encourage you to review this Privacy Policy periodically.
Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy: privacy@prysm-running.com
- Support: support@prysm-running.com
Full publisher and legal contact details are available in the PRYSM Legal Notice.
For complaints relating to the processing of your personal data, you may also have the right to contact the CNIL or the competent supervisory authority in your country of residence.