Privacy Policy

About Aria & this Policy

Aria is an AI-powered training companion for sprint athletes — the 100m, 200m, and 400m crowd. We build mobile apps for iOS and Android, plus a companion web app called Stadiora that athletes and coaches use on the web.

Aria is operated by Stadiora Labs. Throughout this Policy, "Aria", "we", "us", and "our" refer to Stadiora Labs; "you" and "your" refer to the person whose data we process.

This Policy applies whenever you use the Aria mobile app, the Stadiora web app, or any of the APIs and services behind them (collectively, the "Services"). Your data is processed on infrastructure we run on Microsoft Azure in the United States (West US region).

Why we process your personal data

We collect and process personal data only for specific, defined purposes. Here's the full list.

To provide AI coaching Services

This is the core of what Aria does. We process the profile, training, nutrition, chat, and video data you give us so we can generate personalized training plans, nutrition plans, sprint analytics, answers from your AI coach, and feedback on video of your sprint technique. Without this processing there is no product.

To operate Coach Mode

Coach Mode lets you accept an invitation from a coach and, once you accept, makes a defined subset of your data visible to that coach in the Stadiora web app. We process your account identifiers, the invitation itself, and the data you've agreed to share in order to deliver this feature. See Coach Mode sharing below for the full mechanics.

To provide customer support

When you email us or file a support request, we use the information you send (and, where relevant, information already in your account) to answer your question and resolve the issue.

To protect your privacy and our Services

We process data to detect abuse, prevent fraud, enforce rate limits, and keep accounts secure. Where we can, we work with aggregated or pseudonymised data rather than identifiable records.

To improve our Services

We look at how the app and web app are used — which features are used, where errors happen, how plans perform — so we can make the product better. Where feasible we do this using data that has been aggregated or stripped of direct identifiers.

To perform analysis

We run analysis to improve the insights and recommendations Aria generates. Some of this analysis uses third-party AI services (see Third-party processors). We do not use your data to train Aria's own models, and the AI providers we use contractually do not train their foundation models on your prompts or outputs either.

To market our Services

If you opt in, we may send you email marketing or in-app messages about new features and offers. You can opt out at any time from the unsubscribe link in the email or from Settings in the app. Transactional messages (password resets, receipts, security alerts) are not marketing and can't be opted out of while you have an account.

To enable third-party integrations

If you choose to connect Apple HealthKit, Google Health Connect, Apple Sign In, Google Sign In, or similar, we process the data needed to make that integration work. We only process data from those integrations after you grant the relevant permission, and only for the purposes described in this Policy.

To comply with legal obligations

Sometimes the law requires us to keep or disclose certain data — for tax, accounting, legal-claim, or safety reasons. We will oppose any request to provide authorities with user data for surveillance or prosecution where we can, and we will notify you of such a request whenever we are legally permitted to.

Legal basis for processing

If you live in the European Economic Area, the United Kingdom, or another jurisdiction that requires a specific legal basis to process personal data, here are the bases we rely on:

Contract

Most of what we do — delivering training plans, running your AI coach, providing the app — is necessary to perform the contract you enter into when you create an account and accept this Policy and our Terms of Service.

Consent

We rely on your consent for anything that needs it: health data from HealthKit or Health Connect, direct marketing emails, Coach Mode sharing, and any processing of sensitive data. You can withdraw consent at any time — withdrawing it doesn't affect processing we already did lawfully, but it does stop processing going forward.

Legitimate interest

For things like product improvement, aggregated analytics, customer support, and keeping Aria secure, we rely on our legitimate interest in running and improving the Services. We balance that interest against your privacy rights, and we don't rely on legitimate interest where your rights override ours.

Legal obligation

Some processing (for tax, consumer-protection, or similar legal requirements) is mandatory under applicable law.

What data we process

These are the categories of personal data we process when you use Aria. Most of it comes directly from you.

Contact information — your email address, and (if you provide it) a display name.
Profile information you provide — name, gender, date of birth, height, weight, sport and event (e.g. 100m, 200m, 400m), training goals, training history, and anything else you add to your athlete profile.
Device information — IP address, approximate location derived from your IP, device model, operating system version, app version, and push notification token.
Content you create — chat messages with your AI coach, workout notes, meal photos, video uploads for sprint analysis, and any tags or annotations you add.
Health and fitness data (with your consent) — data from Apple HealthKit or Google Health Connect such as workouts, heart rate, steps, sleep, and body metrics. See Health data below for the details.
Generated data — training plans, nutrition plans, analytics, benchmarks, and AI-generated insights derived from the inputs above.
Guardian consent data — if you are a minor, we collect your guardian's email address and the timestamp of their consent. See Children's data.

Health data (Apple HealthKit & Google Health Connect)

Health data is sensitive personal data, and we treat it that way.

We only access HealthKit or Health Connect data after you explicitly grant permission in iOS or Android.
You can revoke that permission at any time in your device settings; Aria will stop receiving new data immediately.
HealthKit data is never used for advertising, is never sold to anyone, and is never shared with any third party for their own purposes. The only third party that processes HealthKit data on our behalf is Microsoft Azure (our hosting provider) and Azure OpenAI (for generating coaching insights), both under processor agreements and both bound by Apple's HealthKit requirements.
We comply with Apple's HealthKit guidelines and with the Google Health Connect Permissions policy and Google's Limited Use requirements.

Third-party processors and integrations

We work with a small set of trusted processors to run Aria. We require each of them, by contract, to process your data only on our instructions and to protect it to at least the standard we use ourselves. Here's the full list.

Microsoft Azure (hosting)

All Aria data is stored and processed on Microsoft Azure — specifically Azure Container Apps, Azure Database for PostgreSQL, Azure Cache for Redis, and Azure Blob Storage — in the West US region of the United States. Azure is our infrastructure provider and processes data solely on our instructions.

Azure OpenAI (AI coaching)

Aria's AI coach chat, plan generation, and analytics are powered by Azure OpenAI (the GPT-5 and GPT-5-mini family of models). This is important:

Prompts and completions sent to Azure OpenAI are not used by Microsoft to train or improve any foundation models. Microsoft processes this data solely to return the response and does not retain it for training purposes.

In other words: what you type to your AI coach, and what it says back, is used to deliver the answer you asked for — and nothing else. Aria itself also does not use your data to train any of its own models.

Apple HealthKit

Used only if you grant permission. See Health data. Aria does not share HealthKit data with any third party other than Azure (for processing on your behalf), does not use it for advertising, and does not sell it.

Google Health Connect

Same model as HealthKit, for Android. Aria complies with the Google Health Connect Permissions policy and Google's Limited Use requirements — your Health Connect data is only used to deliver the features you've enabled, and is not sold or used for advertising.

Apple Sign In and Google Sign In

Used for authentication only. Apple and Google give us a stable identifier and (if you allow it) your email address so we can create and sign you into your account. We don't receive your password.

Expo and EAS (mobile app infrastructure)

Expo and Expo Application Services (EAS) are how we build and distribute the mobile app. They receive anonymous diagnostic and crash data to help us fix bugs. They do not receive your account data, training data, chats, or health data.

Coach Mode sharing

Coach Mode is Aria's athlete-to-coach data-sharing feature. Here's exactly how it works.

Sharing is always athlete-initiated consent. A coach sends you an invite; nothing is shared until you accept it. There is no default sharing, and Aria will never enrol you in Coach Mode without your action.
The invite tells you what will be shared — the data categories the coach is requesting access to, and the scope of that access. You can decline, or accept only on your terms.
Once you accept, the coach becomes a co-controller of the data you've shared. They can view it in the Stadiora web app and use it for their own coaching and programming purposes. Their handling of your data is governed by their own privacy practices — review them before you accept.
You can revoke sharing at any time from Settings → Coaches in the Aria app, or from the equivalent screen in Stadiora. Revocation stops any future data from flowing to the coach.
Revocation is not retroactive. Data that the coach has already seen, downloaded, or acted on remains in their possession after you revoke; they are responsible for deleting it under their own privacy practices and applicable law.

Aria is not responsible for a coach's use of data after it has been shared with them under Coach Mode, but we will help you exercise your rights with them where we can.

How long we keep your data

Account data is retained for the lifetime of your account, plus a 90-day grace period after you delete the account (in case you change your mind and want to restore). After 90 days, it is permanently deleted.
Backups are kept on a 30-day rolling window. When you delete data, it clears from live systems immediately and from backups within 30 days.
Chat logs with your AI coach are retained for up to 2 years for abuse prevention and quality analysis. Chats older than 12 months are anonymised — stripped of direct identifiers — before we use them for any analysis.
AI training data — we don't use your data to train Aria's own models, and the third-party AI services we use (Azure OpenAI) contractually do not use your prompts or completions to train their foundation models either.
Legally-required records (tax, accounting, legal-claim-related) are kept for the period required by applicable law, which varies by country.

Your rights

You have the following rights over the personal data we hold about you. Most of them are available directly in the app under Settings → Privacy, but you can also email us and we'll handle the request manually.

Access — ask what data we hold about you.
Rectification — correct inaccurate data. Most profile fields you can edit yourself in the app.
Erasure ("delete my account") — Settings → Delete Account in the app. We delete your account and all associated personal data within 30 days; backup copies are purged within the following 30 days.
Data portability — export your data as a JSON archive.
Restriction — ask us to stop processing your data while we investigate a concern.
Objection — object to processing we do on the basis of legitimate interest.
Withdraw consent — for anything we do on the basis of consent (health data, marketing, Coach Mode).
Lodge a complaint — if you are in the EEA or UK, you can complain to your local data protection authority. We'd appreciate the chance to resolve it with you first.

To exercise any of these rights, email hello@runwitharia.com from the address on your Aria account, or use the in-app tools in Settings → Privacy. We'll respond within 30 days (or within whatever shorter period your local law requires).

California residents (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act.

Right to know what personal information we've collected, used, disclosed, and for what purposes, over the last 12 months.
Right to delete personal information we hold about you, subject to narrow legal exceptions.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing — Aria does not sell personal information, and does not share it for cross-context behavioural advertising. There is nothing to opt out of, because the thing is not happening.
Right to non-discrimination — we will not charge you more, give you worse service, or deny you the app for exercising any of these rights.

To exercise a CCPA right, use the same channels as in the Your rights section above. We may need to verify your identity (usually just by confirming you control the email on the account) before we act on the request.

International data transfers

Aria stores and processes personal data on Microsoft Azure in the United States (West US region). If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with data-export restrictions, your data is transferred to the United States when you use the Services.

We rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) as the legal mechanism for those transfers. Microsoft is bound by those same clauses when processing your data for us.

Children's data

Aria is intended for users aged 13 and over (or 16 and over in jurisdictions that require it — e.g. parts of the EU). We do not knowingly collect personal data from children below that threshold; if we learn we have, we will delete it.

For users who are minors (under 18 in most jurisdictions), Aria requires guardian consent before processing personal data. Our signup flow asks minors for their guardian's email, sends the guardian a consent request, and records the consent (or lack of it) against the account. A minor's account is not fully activated until guardian consent is given.

Parents or guardians of minor users can review, correct, or delete their minor's data by emailing hello@runwitharia.com from the guardian email address on file, or by logging into the minor's account and using the in-app controls in Settings → Privacy.

How we protect your data

Encryption in transit — all connections between your device and Aria are encrypted with TLS 1.2 or higher.
Encryption at rest — data in Azure Postgres, Redis, and Blob Storage is encrypted at rest using Azure-managed keys.
Authentication — JWT-based sessions with short-lived access tokens (20 minutes) and longer refresh tokens. Passwords are hashed with bcrypt; we never store them in plain text.
Server-to-AI authentication — our servers authenticate to Azure OpenAI using Microsoft managed identity, not shared API keys. There is no single API key that, if leaked, gives broad access.
Access control — only a small number of Aria staff have access to production systems, and that access is logged.
Security reviews — we perform regular security reviews of the code, infrastructure, and third-party dependencies, and we patch on a defined cadence.

No system is perfectly secure. If you believe your account has been compromised, email hello@runwitharia.com immediately.

Changes to this policy

We'll update this Policy from time to time. The version number and effective date at the top of the page always tell you which version you're looking at.

Material changes (new categories of data, new processors, new sharing, expanded purposes, or anything that changes what we do with your data in a meaningful way) trigger an in-app re-acceptance screen. You'll be asked to read and accept the new Policy before continuing to use the app.
Non-material changes (clarifications, typo fixes, reorganisation) are announced by a version-number bump on this page, with no forced re-acceptance.

Continued use of the Services after an update takes effect means you accept the updated Policy.

Contact

For any question about this Policy, to exercise a privacy right, or to report something that looks wrong, email us at hello@runwitharia.com. We read every message and reply within 30 days — usually much sooner.

Version 1 — Effective April 22, 2026. This is the first published version of the Aria Privacy Policy.