Last updated: 26 April 2026
Version: 2.1
This Privacy Policy explains how Loomreach Limited (“we”, “us”, “our”), trading as Mavinty, collects, uses, stores, and protects your personal data when you use our website mavinty.com, our application at app.mavinty.com, and any related services (together, “Mavinty” or the “Service”).
We take your privacy seriously. This policy is written in plain English where possible, and tells you what we collect, why, who we share it with, and what rights you have.
1. Who we are
Data Controller:
Loomreach Limited
411 Oxford Street, Office 1.01, London, England, W1C 2PE, United Kingdom
Company number 16839451
Registered with the Information Commissioner’s Office (ICO), registration number C1918840
Trading as Mavinty
Contact for privacy matters: info@mavinty.com
We do not have a designated Data Protection Officer (DPO) as we are not legally required to appoint one. Privacy enquiries are handled directly by the company.
1.1 EU/EEA Representative
Under Article 27 of the EU GDPR, controllers based outside the EU/EEA who offer services to EU/EEA residents must appoint a representative within the EU/EEA. We have appointed:
[EU REPRESENTATIVE – to be confirmed before public launch]
Likely candidates: DataRep (offices in all 27 EU member states + Norway, Iceland) or DPR Group (Germany, UK, Switzerland). Final appointment will be made before public launch and this section updated.
If you are an EU/EEA resident, you may contact our representative directly to raise privacy questions or exercise your rights:
- Email: [to be confirmed]
- Postal address: [to be confirmed]
- Web form: [to be confirmed]
You may also contact us directly at info@mavinty.com.
2. What personal data we collect
We collect different categories of data depending on how you interact with Mavinty.
2.1 If you join the waitlist
- Email address – to send you waitlist confirmation, launch notifications, and (if you are a founding member) information about your locked rate
- Language preference – detected from the page you signed up on, used to send you communications in your language
- Signup timestamp and position – to track founding member eligibility (first 500 spots)
- IP address (transient, in server logs only) – for security and abuse prevention
2.2 If you create an account (after launch)
- Account data: email, password (hashed, never stored in plain text), display name, language preference
- Profile data: age, sex, height, weight, training history, race goals, injury history (if you choose to share), age group
- Subscription data: plan tier (founding/standard), billing status, payment method (handled by Stripe – see Section 5)
2.3 Training and health data (after launch)
If you connect Mavinty to wearables and training platforms, or log data manually, we process:
- Training data: workout files (FIT, GPX, TCX), session metrics (duration, distance, pace, power, heart rate, cadence), training load, performance metrics
- Wellness data: heart rate variability (HRV), resting heart rate, sleep duration and stages, body battery / readiness scores, recovery scores
- Body composition data: weight, body fat percentage, muscle mass, asymmetry data (from Tanita and similar smart scales)
- Health check-ins: self-reported data on injury, pain levels, recovery, mood, energy
- Photo meal logs: images of meals you upload, AI-generated estimates of portion size, calories, macros
- Coach interactions: messages between you and the AI coach, plan adjustments, your reasoning when you override plans
Most of this data falls under special category data (“sensitive data”) under UK GDPR Article 9 – specifically health-related data. We process this only with your explicit consent, given when you connect a wearable or share health information with the platform. See Section 3.2 below.
2.4 Technical data
- Device and browser information: device type, browser, operating system, screen size
- Usage data: pages visited, features used, time spent in app, error logs
- IP address (in server logs)
We do not currently use third-party analytics tools (Google Analytics, Plausible, Fathom, etc.) on the marketing website or in the app. If we add analytics in future, we will update this policy and ask for your consent where required.
3. Why we process your data (legal basis)
Under UK GDPR Article 6 (and Article 9 for special category data), every processing activity needs a legal basis. The table below sets out our lawful bases per processing activity.
3.1 Lawful Bases – General Processing (Article 6)
| # | Processing Activity | Lawful Basis | Notes |
|---|---|---|---|
| 1 | Send waitlist confirmation and launch email | Consent (Art. 6(1)(a)) | You opted in by submitting your email |
| 2 | Operate your subscription (account creation, login, billing) | Contract (Art. 6(1)(b)) | Necessary to provide the Service you signed up for |
| 3 | Provide AI coaching, training plans, daily session adjustments | Contract (Art. 6(1)(b)) | Core Service performance |
| 4 | Send transactional emails (password resets, billing, important service updates) | Contract (Art. 6(1)(b)) + Legitimate Interest (Art. 6(1)(f)) | Keeping you informed about your account |
| 5 | Send optional product update emails (new features, blog posts) | Consent (Art. 6(1)(a)) | Opt-in only, easy unsubscribe |
| 6 | Photo meal logging (image upload + AI analysis) | Contract (Art. 6(1)(b)) | Optional feature you activate |
| 7 | Improve the product, fix bugs, monitor system health | Legitimate Interest (Art. 6(1)(f)) | Operating a working service. Balanced against your privacy. |
| 8 | Detect and prevent fraud, abuse, security incidents | Legitimate Interest (Art. 6(1)(f)) | Protecting users and the business |
| 9 | Comply with legal obligations (tax, accounting, regulatory) | Legal Obligation (Art. 6(1)(c)) | UK tax law requires 6-year financial record retention |
| 10 | Defend against legal claims, respond to court orders | Legitimate Interest (Art. 6(1)(f)) | Protecting the business |
| 11 | Process payment via Stripe / cryptocurrency processor | Contract (Art. 6(1)(b)) | Necessary to fulfil paid subscription |
| 12 | Connect to wearable platforms via intervals.icu and direct integrations | Contract (Art. 6(1)(b)) + Explicit Consent (Art. 9(2)(a)) for health data | See Section 3.2 and 5.5 |
3.2 Lawful Bases – Special Category Data (Article 9)
Most data Mavinty processes for coaching purposes is health data, which is special category data under UK GDPR Article 9. We process this category of data only on the basis of your explicit consent (Article 9(2)(a)).
When you:
- Connect intervals.icu (the primary wearable hub) – you give explicit consent for Mavinty to receive and process the training and wellness data that intervals.icu provides
- Connect a wearable directly (Garmin, Wahoo, Coros, Polar, Oura, Whoop, Apple Health, etc.) – you give explicit consent for Mavinty to receive and process the health data that wearable provides
- Upload a meal photo – you give explicit consent for Mavinty to process that image and any inferences about your nutrition or health
- Submit a wellness check-in (energy, mood, pain, injury status) – you give explicit consent for that data to be processed
This consent is given through clear, separate consent flows – typically a checkbox or button labelled with what you are consenting to, before any data flows. You can withdraw consent at any time from your account settings. Once withdrawn:
- New data will not be collected through that integration
- Historical data already collected can be deleted on request (see Section 7)
- Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal
We do not rely on legitimate interest, vital interest, or any other basis to process special category data without your explicit consent.
3.3 What we do NOT do
We do not process your data for:
- Targeted or behavioural advertising
- Profiling for marketing purposes
- Selling to third parties
- Training or improving AI models – see Section 5.2 for details
4. How long we keep your data
| Data | Retention period |
|---|---|
| Waitlist email (not converted to account) | Until launch + 6 months, then deleted unless you opt in to further updates |
| Active account data | While your account is open + period required by law |
| Training and health data | While your account is open. You can delete individual records at any time. |
| Closed account data | 30 days after closure (for accidental closure recovery), then deleted, except where retention is legally required (e.g. accounting records – 6 years under UK tax law) |
| Payment transaction records | 6 years (UK accounting requirement) |
| Server logs | 90 days |
| Cookie consent logs | 24 months (audit trail required by ICO) |
| Email communications you send to us | 24 months unless ongoing matter |
You can request deletion at any time – see Section 7 (Your Rights).
5. Who we share your data with
We do not sell your data. We share it only with service providers who help us run Mavinty, and only to the extent necessary. Each provider is bound by a Data Processing Agreement (DPA) requiring them to protect your data and use it only for our specified purposes.
5.1 Hosting and infrastructure
- Hetzner Online GmbH (Germany) – hosts our application server and database
- Data location: Germany (EU)
- Safeguard: EU-based provider, UK GDPR / EU GDPR fully applicable
- DPA in place
5.2 AI processing
- Anthropic, PBC (USA) – provides the AI models that power Mavinty’s coaching, plan generation, photo meal recognition, and chat
- Data location: USA
- Data sent: training data, wellness check-ins, meal photos, chat messages – only what is necessary to generate a response
- Safeguard: UK International Data Transfer Agreement (IDTA) and/or Standard Contractual Clauses (SCCs) Module 2 (Controller-to-Processor) approved by the European Commission
- AI Training: Under Anthropic’s commercial API terms, your data is NOT used to train Anthropic’s models. We have selected Anthropic in part for this guarantee.
Mavinty AI Training Policy: We do not use your personal data – including training data, health data, photos, or chat messages – to train, fine-tune, or improve AI models. The Service uses pre-trained models from Anthropic; your data is processed to generate responses for you, then released. Aggregated, fully anonymised statistics may inform our product roadmap (e.g., “average plan compliance rate”) but cannot be linked back to any individual.
5.3 Email delivery
- Google LLC (Google Workspace, Gmail API) (USA / EU) – delivers transactional emails (waitlist confirmation, password resets, account notifications)
- Data sent: your email address and email content
- Safeguard: SCCs Module 2; Google is also certified under the EU-US Data Privacy Framework (DPF), the UK Extension to the DPF, and the Swiss-US DPF
- DPA: Google Workspace Data Processing Amendment
5.4 Payments (after launch)
- Stripe Payments Europe Ltd (Ireland) and Stripe, Inc. (USA) – processes subscription payments
- Data sent: name, email, billing address, payment method (card details handled by Stripe directly – we never see or store your card number)
- Safeguard: SCCs for any non-EU transfer; Stripe is PCI-DSS Level 1 certified
- Crypto payment processor (TBD – to be confirmed before launch) – handles cryptocurrency payments (BTC, USDC)
- Data sent: payment confirmation only; we do not collect wallet addresses or hold crypto
5.5 intervals.icu – primary wearable integration hub
We rely on intervals.icu (operated by Intervals.icu Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom) as our primary integration hub for training and wellness data from wearable devices. Most of your training data reaches Mavinty through intervals.icu.
How the integration works:
- You create an intervals.icu account (free) and connect your wearables to it (Garmin, Wahoo, Coros, Polar, Suunto, Oura, Whoop, Apple Health, and others)
- You generate a personal API key in your intervals.icu Settings → Developer Settings
- You enter that API key into Mavinty’s settings page
- Mavinty uses the API key (basic authentication) to read your training, wellness, and planned workout data from intervals.icu
- You can revoke Mavinty’s access at any time by regenerating or clearing the API key in intervals.icu settings – data flow stops immediately
Data we receive via intervals.icu:
- Activity data (rides, runs, swims, other workouts) – duration, distance, pace, power, heart rate, cadence, GPS data
- Wellness metrics – HRV, resting heart rate, sleep stages, sleep score, weight, readiness, mood, soreness, fatigue, hydration, blood pressure, SpO2, menstrual cycle data
- Training load metrics – fitness, fatigue, form, ramp rate
- Planned workouts you have scheduled in intervals.icu
- Power curve, FTP estimates, performance metrics
- Device metadata (device name and type – see Garmin attribution below)
Legal basis under intervals.icu API Terms:
Intervals.icu Ltd grants commercial API users a “non-exclusive, worldwide, royalty-free, perpetual license to access and use the API for any lawful purpose, including commercial use” (intervals.icu API Terms and Conditions, Effective Date: 23 October 2025). Mavinty operates under this license.
Garmin data attribution:
Some training and wellness data passing through intervals.icu originates from Garmin devices (Edge, Forerunner, Fenix, Venu, etc.). Per intervals.icu’s API Terms (Section 1.1) and Garmin’s brand guidelines, when Mavinty displays such data, we provide attribution to Garmin. In practice this means:
- Activity detail views show the originating device name (e.g., “Source: Garmin Edge 530”)
- Pages displaying mixed wellness data include a footer note: “Activity and wellness data may include data from Garmin devices.”
Strava limitation:
Per Strava’s API privacy update (November 2024), activities sourced via Strava are not accessible through the intervals.icu API. If your training data flows from Strava into intervals.icu, those Strava-originated activities will not reach Mavinty. To get full coverage in Mavinty, we recommend connecting your wearable directly to intervals.icu (via Garmin Connect, Wahoo, Coros, Polar Flow, Suunto, etc.) rather than relying on Strava as the data source. You may still use Strava as a secondary log; it just won’t sync with Mavinty.
Where the data lives:
- intervals.icu stores your training and wellness data on its own infrastructure under its own Privacy Policy – Intervals.icu Ltd is an independent UK data controller for the data you submit to them
- Mavinty stores a copy of the data we receive on our Hetzner servers (Germany, EU) for the duration of your active subscription
- You can delete your Mavinty data at any time without affecting your intervals.icu account (and vice versa)
5.6 Other wearable and training platform integrations (direct)
In some cases we integrate directly with a wearable platform without going through intervals.icu. When you authorise such an integration, data flows between Mavinty and that provider based on the permissions you grant. We act as the data controller for what we receive and process.
Direct integrations may include (subject to availability and the third party’s terms): Garmin Connect, Wahoo, Coros, Polar, Suunto, Apple Health, Oura, Whoop, Withings, Tanita, Google Fit, and others. Each platform has its own privacy policy governing data they hold about you. We strongly recommend you review the privacy policy of any platform you connect.
You can revoke any third-party integration at any time, both from within Mavinty and from the third party’s own settings. Revocation stops new data flow; existing data already received by Mavinty can be deleted on request.
5.7 Telegram (admin notifications only)
- Telegram Messenger Inc. – receives signup notifications sent to the company admin (e.g., “new founding member #123”). The notification contains your email address. This is for operational awareness only.
- Reduction plan: Before public launch, we will move to anonymised IDs (e.g., “new founding member, position 123”) so that the Telegram notification no longer contains personal data.
5.8 Legal disclosures
We may disclose your data if required by law, court order, regulatory authority, or to protect our legal rights, the rights of others, or to prevent fraud, abuse, or harm.
6. International data transfers
Most of our processing happens within the UK and EU (Hetzner – Germany; intervals.icu – UK). Some service providers are based in the United States.
When we transfer your data outside the UK/EEA, we ensure a UK GDPR-compliant transfer mechanism is in place. Specifically:
| Provider | Country | Transfer Mechanism |
|---|---|---|
| Anthropic | USA | UK International Data Transfer Agreement (IDTA) / SCCs Module 2 (Controller-to-Processor) |
| Google Workspace | USA / EU | SCCs Module 2 + EU-US Data Privacy Framework certification |
| Stripe | Ireland (EU) / USA | SCCs Module 2; Stripe certified under PCI-DSS |
| intervals.icu | United Kingdom | UK-to-UK transfer; no cross-border safeguard required |
| Hetzner | Germany (EU) | EU-to-UK transfer under UK adequacy decision for EEA |
Where required, we conduct a Transfer Risk Assessment (TRA) for each non-UK/EU transfer and apply supplementary measures (encryption in transit and at rest, access controls, contractual restrictions on government access requests).
You can request a copy of the safeguards we use for any specific transfer by emailing info@mavinty.com.
7. Your rights
Under UK GDPR, you have the following rights:
- Right of access (Art. 15) – request a copy of the personal data we hold about you
- Right to rectification (Art. 16) – correct inaccurate or incomplete data
- Right to erasure (Art. 17, “right to be forgotten”) – request deletion of your data, subject to legal retention requirements
- Right to restriction (Art. 18) – ask us to limit processing in certain circumstances
- Right to data portability (Art. 20) – receive your data in a structured, commonly used format (we provide standard FIT and CSV exports)
- Right to object (Art. 21) – object to processing based on legitimate interest
- Right to withdraw consent (Art. 7) – at any time, where processing is based on consent
- Right not to be subject to automated decision-making (Art. 22) – see Section 8 below
- Right to lodge a complaint – with the UK Information Commissioner’s Office (ICO) at ico.org.uk or +44 0303 123 1113. We would appreciate the chance to address your concerns first by emailing info@mavinty.com.
To exercise any of these rights, email info@mavinty.com. We will respond within one month. We may need to verify your identity before fulfilling certain requests. If your request is complex, we may extend the response window by a further two months and will inform you of the extension and reason within the first month.
EU/EEA residents may also contact our EU Representative (see Section 1.1).
8. Automated decision-making and AI coaching
Mavinty uses artificial intelligence to generate training plans, daily session adjustments, nutrition suggestions, and chat responses. Under UK GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or significantly affects you.
Mavinty’s AI does not make decisions with legal or similarly significant effects. AI outputs are recommendations: training sessions, nutrition prompts, recovery suggestions. You are always the final decision-maker:
- Every recommendation is explained. Mavinty shows the reasoning behind each plan adjustment, so you understand why something is suggested.
- You can override any recommendation at any time – change a session, skip a day, modify intensity, ignore advice.
- You can request human review. If you disagree with a Mavinty recommendation or want to discuss it, contact info@mavinty.com or message us in the founder Slack (Founding Members). A human will review and respond.
- AI outputs do not determine your account status, billing, or access. Decisions affecting your subscription, refunds, or account closure are made by humans, not the AI.
If you would prefer not to use AI-generated recommendations at all, Mavinty is not the right product for you, as AI coaching is the core of the Service. In that case, we recommend cancelling your subscription and using your statutory cooling-off rights (see Refund Policy).
9. Security
We take reasonable technical and organisational measures to protect your data:
- All connections to Mavinty are encrypted in transit (HTTPS / TLS 1.2+)
- Database access is restricted to authenticated services on a private network
- Passwords are hashed using industry-standard algorithms (bcrypt or equivalent – never stored in plain text)
- API keys (intervals.icu, third-party integrations) are encrypted at rest and accessible only by the authenticated user’s session
- Service account credentials and API keys are stored separately from the application database, with restricted file permissions
- Health data and other special category data are processed only with explicit consent
- We log access to administrative interfaces
- Backups are encrypted at rest
No system is 100% secure. If we ever experience a data breach affecting your personal data, we will notify the ICO within 72 hours where required by law (UK GDPR Art. 33), and notify you directly without undue delay if the breach poses a high risk to your rights and freedoms (Art. 34).
10. Cookies
See our Cookie Policy for details on what cookies we use and how to manage them.
11. Children
Mavinty is not intended for use by individuals under the age of 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact info@mavinty.com and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date and “Version” at the top reflect the most recent revision. If we make material changes (for example, adding a new category of processing or a new third-party processor), we will notify active users by email at least 14 days before the change takes effect.
Previous versions of this policy are available on request.
13. Contact
For any privacy-related question, request, or complaint:
Email: info@mavinty.com
Postal address:
Loomreach Limited
411 Oxford Street, Office 1.01
London, W1C 2PE
United Kingdom
EU/EEA residents: see Section 1.1 for our EU Representative contact details.
For complaints about how we handle your data, you can also contact the UK Information Commissioner’s Office:
ico.org.uk · +44 0303 123 1113
Loomreach Limited · Company number 16839451 · ICO registration C1918840 · Trading as Mavinty