Privacy Policy
How PRYSM collects, uses, discloses, stores, and protects personal data when you use the website, app, and related services.
Publication status
Last updated: March 24, 2026
This page is part of PRYSM's public legal documentation and should be read together with the related legal pages linked in the footer.
Data controller
PRYSM is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you use prysm.digital, the PRYSM web application, any future mobile application, and related services (together, the “Services”).
The data controller responsible for your personal data is Zian Collombier EI.
Privacy enquiries: privacy@prysm.digital
Support: support@prysm.digital
Full publisher and legal contact details are available in the PRYSM Legal Notice.
Scope of this policy
This Privacy Policy applies to:
- visitors to the PRYSM website
- users who create a PRYSM account and use the Services
- users who complete onboarding questionnaires or training profile forms
- users who view, manage, or follow training plans in PRYSM
- users who subscribe to paid features
- users who contact support or communicate with us
- users who choose to connect optional third-party fitness platforms, wearable ecosystems, or similar connected services
Personal data we collect
We may collect the following categories of personal data, depending on how you interact with the Services.
Account data
Name, email address, login credentials, authentication identifiers, account security information, language preferences, and account creation date.
Training profile and onboarding data
Athletic goals, current fitness level, training history, schedule availability, target races or events, performance benchmarks, and preferences communicated during onboarding or profile setup. Some of this data may constitute health-related or fitness-related data subject to heightened protections under applicable law.
Training and activity data
Planned and completed training sessions, duration, pace, distance, heart rate zones, perceived effort, session notes, ratings, adherence records, and similar performance data generated through use of the Services or imported from connected third-party fitness platforms, wearable ecosystems, or similar connected services.
Connected fitness platform data
If you choose to enable an available connection with a third-party fitness platform, wearable ecosystem, or similar connected service, PRYSM may receive from and send to that service selected data reasonably necessary to support the connected feature.
Depending on the connection, data we may receive can include:
- activity summaries and workout completion data
- session history and performance metrics
- training load indicators or readiness scores, where exposed by the platform
- sync metadata and account linkage identifiers required to maintain the connection
Data we may send to a connected platform may include:
- structured workout definitions, such as targets, intervals, zones, and duration
- planned session schedules, workout metadata, and plan details
- sync identifiers required to complete the connection
Connected fitness features are optional. PRYSM is designed to request only the permissions and data reasonably needed for the feature you choose to use. You can disconnect a connection at any time through PRYSM or, where available, through the third-party platform's own settings. Disconnecting stops future data exchange, but does not automatically delete historical data already stored in your PRYSM account unless you request deletion or delete your account.
Subscription and billing data
Subscription plan type, billing status, invoice records, and limited payment metadata, such as the last four digits of a payment method and billing country. Full payment card data is processed exclusively by our third-party payment processor and is not stored by PRYSM.
Technical and device data
IP address, browser type and version, operating system, application version, device identifiers, session logs, authentication events, and error reports.
Support and communications data
The content of messages you send to us, including support requests, feedback, and any attachments or context you provide.
Analytics data
Where permitted or consented to, aggregated, pseudonymized, or otherwise privacy-protective usage data about how users interact with the Services, such as features used and session frequency, used to improve the platform.
How we collect personal data
We collect personal data through the following means:
- directly from you, when you create an account, complete onboarding, configure your training profile, log workouts, subscribe to a paid plan, contact support, or communicate with us
- automatically, when you use the Services, including technical and device data
- from optional connected fitness platforms, if and when you choose to authorize an available connection
Purposes and legal bases for processing
We process personal data for the following purposes and on the following legal bases under the GDPR and, where applicable, other data protection laws.
Providing and managing the Services
Purpose: creating and managing your account, generating and delivering training plans, tracking progress, operating subscriptions, enabling connected fitness features, and providing technical support.
Legal basis: performance of a contract under Article 6(1)(b) GDPR, where this processing is necessary to deliver the Services you request or subscribe to.
Health and fitness data — special category data (GDPR Art. 9)
Purpose: processing training profile data, performance metrics, and fitness-related data to personalize your training plans and coaching experience. This includes: training metrics (pace, heart rate, distance, duration, elevation); physiological indicators (VDOT aerobic capacity estimate, training load ACWR, fatigue indicators, perceived effort RPE); training history (completed sessions, compliance scores, progression trends); and coach interactions (messages exchanged with the AI coach, training preferences, injury flags).
This data constitutes special category data (health data) under GDPR Article 9. We process this data based on your explicit consent (Art. 9(2)(a) GDPR), which you provide when creating your account. You can withdraw your consent at any time by deleting your account or by contacting privacy@prysm.digital. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, but will prevent us from providing personalized training features.
Service improvement and analytics
Purpose: improving the reliability, performance, and quality of the Services based on usage data.
Legal basis: legitimate interests under Article 6(1)(f) GDPR. Where analytics involve cookies or tracking technologies that require consent, we rely on your consent.
Security and fraud prevention
Purpose: detecting and preventing unauthorized access, abuse, or fraud, and maintaining the security of our systems.
Legal basis: legitimate interests under Article 6(1)(f) GDPR and, where applicable, compliance with legal obligations under Article 6(1)(c) GDPR.
Legal and regulatory compliance
Purpose: complying with applicable legal obligations, including tax, accounting, and financial reporting requirements, and responding to lawful requests from public authorities.
Legal basis: compliance with legal obligations under Article 6(1)(c) GDPR.
Marketing communications
Purpose: sending you updates, newsletters, or promotional content about PRYSM, where you have opted in or where otherwise permitted by applicable law.
Legal basis: consent under Article 6(1)(a) GDPR, where required. You may withdraw consent at any time by using the unsubscribe link in any marketing email or by contacting us.
Summary: legal bases by processing purpose
| Processing purpose | Legal basis | Data categories |
|---|---|---|
| Account creation and management | Contract execution (Art. 6(1)(b)) | Name, email |
| Training plan generation | Explicit consent (Art. 9(2)(a)) | Health / fitness data |
| AI coaching and personalization | Explicit consent (Art. 9(2)(a)) | Health data, coach messages |
| Connected platforms (Garmin, Strava, COROS, Polar) | Explicit consent (Art. 9(2)(a)) | Activity data |
| Payment processing | Contract execution (Art. 6(1)(b)) | Email, payment info |
| Error monitoring and security | Legitimate interest (Art. 6(1)(f)) | Technical logs |
| Marketing communications | Consent (Art. 6(1)(a)) | Email address |
Disclosure of personal data
PRYSM does not sell your personal data.
We may share personal data with carefully selected categories of recipients where this is necessary to operate, secure, support, or improve the Services, to process payments, to provide optional connected features you request, or to comply with legal obligations.
- hosting and cloud infrastructure providers
- authentication and account security providers
- payment processors and billing service providers
- email, communications, and customer support providers
- analytics and performance providers, where permitted or consented to under applicable law
- third-party fitness platforms and connected services that you choose to link to your account
- professional advisers, auditors, insurers, and legal or regulatory authorities where reasonably necessary
Where service providers process personal data on our behalf, we seek to ensure that they handle it under appropriate confidentiality, security, and data protection obligations and only for the purposes relevant to the service they provide to us.
Sub-processors
PRYSM uses the following sub-processors (data processors acting on our behalf). We have entered into Data Processing Agreements (DPAs) with each of them as required by GDPR Article 28.
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase (AWS eu-central-1) | Database hosting | EU (Frankfurt) | ✅ Signed |
| OpenAI | AI coaching and personalization | US | ✅ Signed (with SCCs) |
| Vercel | Application hosting and CDN | EU + US (Edge) | ✅ Signed |
| Stripe | Payment processing | US | ✅ Signed (built-in) |
| Garmin / COROS / Polar / Strava | Fitness data sync (optional, user-initiated) | US / EU | Per provider DPA |
AI processing and international data transfers
AI coach and personalization (OpenAI)
PRYSM uses OpenAI's API to power the AI training coach and session personalization. When you interact with the coach or when your training plan is personalized, the following data may be sent to OpenAI's servers:
- Your training profile (fitness level, goal, training phase)
- Session context (type, duration, intensity targets)
- Coach conversation messages
- Aggregated training metrics (ACWR, compliance, trends)
Data Processing Agreement: We have entered into a Data Processing Agreement (DPA) with OpenAI that includes Standard Contractual Clauses (SCCs) for international data transfers in accordance with GDPR Articles 28 and 46(2)(c).
Data retention by OpenAI: Under our API agreement, OpenAI does not use your data to train their models. API inputs and outputs are retained for up to 30 days for abuse monitoring purposes only, then permanently deleted.
Data minimization: We minimize the data sent to OpenAI by:
- Sending only aggregated metrics, not raw GPS data
- Truncating conversation history to the most recent exchanges
- Using anonymized identifiers — no email address or full name is sent to OpenAI
Other international transfers
PRYSM is based in France, within the European Union. Our database infrastructure is hosted in the EU (Frankfurt region). Other service providers, including our payment processor (Stripe) and application hosting provider (Vercel), may process data outside the EEA. Where such transfers occur, we use appropriate safeguards including Standard Contractual Clauses or adequacy decisions as required by GDPR Article 46.
You may request more information about relevant transfer safeguards by contacting privacy@prysm.digital.
International transfers, data retention, and security
International data transfers
PRYSM is based in France, within the European Union. Some of our service providers and connected service partners may process personal data in countries other than your own, including outside the European Economic Area.
Where international transfers occur, we seek to use an appropriate legal basis and safeguard for the transfer, such as an adequacy decision, Standard Contractual Clauses, or another recognised transfer mechanism where required by applicable law. You may request more information about relevant safeguards by contacting privacy@prysm.digital.
Data retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, or as required or permitted by applicable law.
- Account and training profile data: retained for the duration of your account, plus a reasonable period after account closure to allow for reactivation requests or to fulfil remaining obligations
- Training history and activity data: retained while your account is active and as needed to provide your training history and continuity of service
- Connected fitness platform data: retained while the connection is active and as needed to support the relevant feature; upon disconnection, no further data is imported, though historical data already received may be retained as part of your training history
- Subscription and billing data: retained as required by French and EU accounting and tax regulations, generally up to 10 years where applicable
- Support communications: retained for a reasonable period to provide continuity and to handle potential disputes
- Technical and security logs: retained for the period necessary for security monitoring and incident response, typically up to 12 months
- Analytics data: aggregated or anonymized data may be retained for longer where it no longer constitutes personal data
When personal data is no longer required, we aim to securely delete or anonymize it.
Security
PRYSM implements technical and organizational measures designed to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures are calibrated to the nature of the data and the associated risks, and may include access controls, encryption in transit using TLS, authentication mechanisms, and monitoring.
No method of transmission or storage is completely secure. If you become aware of any potential security issue relating to your PRYSM account, please contact us immediately at support@prysm.digital.
Your rights
Depending on your location and applicable data protection law, you may have the following rights in relation to your personal data:
- Right of access, to obtain confirmation of whether we process your personal data and to receive a copy of it
- Right to rectification, to request correction of inaccurate or incomplete personal data
- Right to erasure, to request deletion of your personal data, subject to applicable legal exceptions
- Right to restriction of processing, to request that we limit how we use your personal data in certain circumstances
- Right to object, to object to processing based on legitimate interests or direct marketing
- Right to data portability, to receive your personal data in a structured, commonly used, and machine-readable format and, where technically feasible, to have it transmitted to another controller
- Right to withdraw consent, where processing is based on your consent, to withdraw that consent at any time without affecting the lawfulness of prior processing
- Right to lodge a complaint, to lodge a complaint with the CNIL or the competent supervisory authority in your country of residence
To exercise any of these rights, please contact privacy@prysm.digital.
We will respond within the timeframes required by applicable law, generally within one month. We may need to verify your identity before processing your request.
Right to erasure — account deletion (Art. 17)
You can permanently delete your account and all associated data at any time from your Profile settings in the PRYSM dashboard. This action:
- Immediately cancels your active subscription
- Permanently deletes all your data from our database (training plans, sessions, coach conversations, connected integration data)
- Revokes access tokens for connected platforms (Garmin, Strava, COROS, Polar)
- Cannot be undone
Data already transmitted to third-party processors (OpenAI, Stripe) is subject to their respective retention policies as described in this Privacy Policy. To request deletion without accessing your account, email privacy@prysm.digital.
Children, automated decision-making, updates, and contact
Children's privacy
The Services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided personal data to PRYSM without appropriate authorization, please contact us at privacy@prysm.digital and we will take appropriate steps to address the issue.
Automated decision-making
PRYSM uses algorithmic and AI-assisted processes to help generate personalized training plans and recommendations based on data you provide. These outputs are intended to support your training decisions and coaching experience.
They are not designed to produce legal or similarly significant effects without your involvement. You retain full control over whether to follow, modify, postpone, or ignore any recommendation generated by the Services.
Updates to this policy
PRYSM may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or data practices. When we make material changes, we may notify you by email or through a prominent notice within the Services before the changes take effect. The “Last updated” date at the top of this page indicates when this Privacy Policy was most recently revised.
We encourage you to review this Privacy Policy periodically.
Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy: privacy@prysm.digital
- Support: support@prysm.digital
Full publisher and legal contact details are available in the PRYSM Legal Notice.
For complaints relating to the processing of your personal data, you may also have the right to contact the CNIL or the competent supervisory authority in your country of residence.