Last updated: 6 June 2026
This Privacy Policy explains how Chirona ("Chirona", "we", "us") collects, uses, shares, retains and protects your personal data, and the rights you have under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR"), and the Data Protection Act 2018. Chirona connects your training and recovery apps to AI assistants such as Claude and ChatGPT through a secure connector (an "MCP" server).
It applies to the Chirona website, web application, and hosted MCP/API services. It does not cover the third-party apps and AI assistants you separately choose to connect, which are governed by their own privacy policies.
Chirona is currently operated by Joe Joseph, trading as Chirona, as the data controller for this service while the company entity is being formed. You can contact us about privacy or to exercise your rights at privacy@chirona.ai or via Help. We will update this section with the registered company name, number and office once incorporation is complete.
We have not appointed a statutory Data Protection Officer. If the scale of our processing of health and fitness data requires one, this section will be updated with their contact details.
We collect the following categories of personal data. Where data is needed to provide the service it is described as required; where you choose to provide it, it is optional.
Most data is provided by you directly. Your connected fitness and health data is obtained from the providers you authorise (for example Garmin, COROS, Oura, Polar, WHOOP, Suunto, Wahoo, Peloton, TrainingPeaks, Hevy or Strava), in most cases via our data-aggregation partner Terra — see section 5.
We only process your personal data where we have a lawful basis under Art. 6 UK/EU GDPR (and, for health data, an additional condition under Art. 9 — see section 4):
| Purpose | Data used | Lawful basis |
|---|---|---|
| Create and authenticate your account; operate the dashboard, connectors and MCP/AI tools you request | Account, technical, connected fitness data | Art. 6(1)(b): performance of our contract with you |
| Connect providers and sync, project and serve your training and recovery data to your AI assistant when you call our tools | Connected fitness data, account | Art. 6(1)(b): contract; Art. 9(2)(a): explicit consent for health data |
| Take and manage payments, grant or remove Chirona Pro access | Billing data | Art. 6(1)(b): contract |
| Keep records required by law (e.g. accounting/tax records) | Billing data | Art. 6(1)(c): legal obligation |
| Keep the service secure, prevent abuse and fraud, debug and ensure reliability | Technical, account, delivery records | Art. 6(1)(f): legitimate interests |
| Understand aggregate product usage to improve Chirona | Technical/usage data | Art. 6(1)(f): legitimate interests; or consent where required for non-essential cookies |
| Provide customer support | Support & communications, account | Art. 6(1)(b): contract; Art. 6(1)(f): legitimate interests |
| Send service-related and permitted similar-product messages | Account, email | Art. 6(1)(f): legitimate interests / Art. 6(1)(a): consent, in line with PECR |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You can ask us about this balancing assessment using the contact details above.
Fitness and recovery data such as sleep, HRV, resting heart rate, recovery/readiness and body-composition metrics can reveal information about your health. This is "special category" data under Art. 9(1) UK/EU GDPR and receives extra protection.
We process this data only on the basis of your explicit consent (Art. 9(2)(a)), which you give through the provider or Terra authorisation flow when you choose to connect a provider, review the permissions shown there, and authorise Chirona or Terra to receive the selected fitness and health data so Chirona can sync and surface that data to your AI assistant. You can withdraw this consent at any time by disconnecting the provider or deleting your account (section 8); withdrawal does not affect processing carried out before withdrawal. We do not use your health data for advertising, and we do not sell it.
We do not sell your personal data and we do not share identifiable fitness or health data for third-party advertising or third-party model training. We share data only with service providers ("processors") who act on our instructions under a data-processing agreement, and with recipients you direct:
| Recipient | Purpose |
|---|---|
| Supabase | Authentication and primary (Postgres) database |
| Google Cloud | Hosting, queues, logging, and storage of raw provider webhook payloads |
| Terra and the fitness providers you connect | Establishing connections and delivering your fitness/health data into Chirona |
| Stripe | Payment processing and subscription management |
| PostHog | Product analytics (EU-hosted) |
| Email delivery provider | Account, verification and support emails |
| Your chosen AI assistant (e.g. Anthropic Claude, OpenAI ChatGPT) | When you invoke Chirona tools inside that assistant, the relevant training context is returned to your session with that provider, under that provider's terms — at your direction |
We may also disclose data where required by law, to protect our rights, or in connection with a corporate transaction (e.g. merger), in each case with appropriate safeguards.
Some of our processors and the AI assistants you connect are located outside the UK/EEA (for example in the United States). Where personal data is transferred outside the UK/EEA, we rely on an appropriate safeguard under Chapter V UK/EU GDPR — an adequacy decision (including the UK Extension to the EU–US Data Privacy Framework where the recipient is certified), the UK International Data Transfer Agreement / IDTA Addendum, or the EU Standard Contractual Clauses, together with any additional measures required following a transfer risk assessment. You can request details of the safeguard for a specific transfer using the contact details above.
| Data | Retention |
|---|---|
| Account and connected training/health data | While your account is active and you keep the provider connected |
| Data for a disconnected provider or removed access | Query/sync access is disabled immediately. We are moving disconnected-provider data to a 30-day recovery window, after which connected-app data is deleted; until that migration is complete, some disconnect flows may delete provider data immediately. |
| Account deletion requests | Sessions, MCP tokens, pending authorisations and provider tokens are revoked immediately; the account is then hard-erased — including canonical training records and raw webhook deliveries linked to your account — after a 30-day grace window |
| Raw provider webhook payloads | Held only for a short operational period for replay/debugging, then archived or removed by automated retention jobs |
| Billing and accounting records | Retained as required by law (typically up to 6 years) for tax, accounting and dispute purposes |
| Security logs and backups | Retained for a limited period necessary for security, fraud prevention and infrastructure recovery, then deleted or overwritten on a rolling basis |
Subject to conditions and exemptions in the legislation, you have the right to:
To exercise any right, contact privacy@chirona.ai or use Help. We may need to verify your identity using the email on your Chirona account. We will respond within one month (extendable by two months for complex requests), free of charge unless a request is manifestly unfounded or excessive. You can also disconnect providers, revoke MCP access, manage or cancel Stripe-managed billing, or request deletion directly in the app. Complimentary, manually granted or migrated access does not create a Stripe subscription to cancel.
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data that is based on our legitimate interests (Art. 21(1)). You also have an absolute right to object to processing for direct marketing at any time (Art. 21(2)); if you object to direct marketing we will stop. To object, contact privacy@chirona.ai.
We use strictly necessary cookies and similar technologies to authenticate you and operate the service. We use PostHog for product analytics to understand aggregate usage. Where analytics or other non-essential technologies require consent under the Privacy and Electronic Communications Regulations (PECR) / ePrivacy rules, we will obtain it and you can withdraw it at any time.
Chirona's purpose is to make your training and recovery data available to AI assistants you choose, such as Claude or ChatGPT. When you ask your assistant a question that calls a Chirona tool, we process that request and return the relevant context to your assistant's session. Those assistants are operated by third parties under their own terms and privacy policies.
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing (Art. 22). We do not use your personal data to train third-party AI models. In line with the EU AI Act transparency principles, we tell you here that AI assistants are involved in delivering the service. If this ever changes, we will update this notice and provide the additional information required by Art. 22.
Chirona is not directed at children and is intended for users aged 16 and over (or the higher minimum age that applies where you live). We do not knowingly collect data from children below the applicable age. If you believe a child has provided us data, contact us and we will delete it.
We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls, secret management, isolated processing lanes, and retention/erasure routines. No system is perfectly secure, but we work to protect your data and to detect and respond to incidents.
We may update this policy from time to time. We will change the "Last updated" date above and, for material changes, take additional steps to notify you where appropriate.
Questions, requests and complaints can be sent to privacy@chirona.ai or via Help. If you are unhappy with how we have handled your data, you have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office (ICO), ico.org.uk; in the EU/EEA, your local data protection authority. We would, however, appreciate the chance to address your concerns first.