keysessions.ai
privacy

Last updated: 14 June 2026

This notice describes how keysessions.ai processes the personal data of users who access and use the web app available through the site and related services.

1. Data Controller

The Data Controller is:

Ivan Sergheevich Potapov
Via dei Malatesta 7
20146 Milan (MI), Italy

Email: founders@keysessions.ai

For any request relating to the processing of personal data or the exercise of GDPR rights, you may contact the Data Controller at the email address indicated above.

2. Scope of application

This Privacy Policy applies to the processing of personal data carried out through keysessions.ai, including:

  • browsing on the site and the web app;
  • creation and management of the user account;
  • authentication via magic link;
  • use of the service;
  • management of payments and subscriptions, where applicable;
  • security, prevention of abuse, spam, bots, and fraud;
  • operational communications and support;
  • compliance with legal obligations and protection of the Data Controller's rights.

This Privacy Policy does not apply to third-party sites, services, or platforms accessible through external links or integrations, whose processing is governed by their respective privacy notices.

3. Categories of personal data processed

Depending on the use of the service, keysessions.ai may process the following categories of personal data.

3.1 Identification and account data

  • email address;
  • first and last name, where required;
  • account identifier;
  • account status;
  • information relating to registration, access, and closure of the account.

3.2 Authentication data

Access to the service takes place via a magic link sent to the user's email address.

The Data Controller may process:

  • email address;
  • temporary tokens or technical identifiers;
  • date and time of request and use of the magic link;
  • technical logs relating to authentication.

keysessions.ai does not require a password, unless otherwise indicated within the service.

3.3 Billing and payment data

In the case of paid services, the following may be processed:

  • first and last name or business name;
  • billing address;
  • city, postal code, province, state, and country;
  • any tax data required by applicable law;
  • payment, customer, transaction, plan, or subscription identifiers;
  • payment status.

Complete payment card information is not processed directly by the Data Controller, but by the external payment service provider.

3.4 Technical and usage data

During use of the service, the following may be collected automatically:

  • IP address;
  • date and time of requests;
  • URLs or paths visited;
  • request method;
  • response status code;
  • information on browser, operating system, and device;
  • technical data relating to sessions, errors, security, and performance;
  • system and maintenance logs.

3.5 Data contained in communications

When you contact the Data Controller, the following may be processed:

  • email address;
  • content of the communication;
  • any attachments or information provided voluntarily by the user;
  • technical metadata of the communication.

3.6 Training and athletic profile data

The service allows you to enter, generate, and save data relating to your athletic profile and training activity. In particular, the Data Controller may process:

  • the athlete's age, weight, and height;
  • FTP (Functional Threshold Power) and the date of the last FTP test;
  • the athlete's level and weekly training hours available;
  • bicycle configuration (discipline, setup);
  • training mesocycles generated by the platform (season phase, physiological focus, load trajectory, progression curve);
  • daily training sessions (power, cadence, duration, intensity-zone targets);
  • session execution data (actual power, duration, TSS, RPE, athlete notes and feedback);
  • readiness status and recovery parameters;
  • gym strength sessions and their systemic impact;
  • interactions with the AI coach (briefings, session analyses, questions and answers);
  • the athlete's location data, used exclusively for weather integration to contextualise training.

This data may include information relating to the health, physical condition, or physiological parameters of the user. Processing is carried out on the basis of the performance of the contract for the provision of the requested service pursuant to Art. 6(1)(b) GDPR and, where the data falls within special categories of data, on the basis of the user's explicit consent pursuant to Art. 9(2)(a) GDPR.

Failure to provide, or withdrawal of, explicit consent for the processing of such data may prevent the Data Controller from providing the core features of the service, including the generation of training plans, plan adaptation, and AI coach analyses.

4. Purposes, legal bases, and retention

The Data Controller processes personal data for the purposes indicated in the following table.

| Purpose | Data processed | GDPR legal basis | Indicative retention |
|---|---|---|---|
| Account creation and management | email, account identifiers, profile data | performance of the contract or pre-contractual measures, Art. 6(1)(b) GDPR | until account closure; thereafter for the time necessary for backups, security, legal obligations, or the defence of rights |
| Access via magic link | email, temporary tokens, authentication logs | performance of the contract, Art. 6(1)(b) GDPR; security of the service, Art. 6(1)(f) GDPR | tokens for the technically necessary time; authentication logs for a limited period, indicatively up to 90 days, except for security needs |
| Provision of the web app and requested features | account data, technical data, training and athletic profile data | performance of the contract, Art. 6(1)(b) GDPR; for health-related data, explicit consent Art. 9(2)(a) GDPR | for the duration of the account or contractual relationship; any content according to the service settings and the user's request |
| Payments, subscriptions, and billing | billing data, payment identifiers, payment status | performance of the contract, Art. 6(1)(b) GDPR; legal obligation, Art. 6(1)(c) GDPR | for the time necessary to manage the relationship and, for accounting/tax documents, 10 years from the close of the relevant accounting year |
| Support and responses to requests | contact data, content of communications | performance of the contract or pre-contractual measures, Art. 6(1)(b) GDPR; legitimate interest, Art. 6(1)(f) GDPR | indicatively up to 24 months from the closure of the request, unless further retention is necessary |
| Security, prevention of abuse, spam, bots, fraud, and unauthorised access | IP, technical logs, device data, usage data | the Data Controller's legitimate interest, Art. 6(1)(f) GDPR | indicatively from 30 to 180 days, except for incidents, investigations, disputes, or legal obligations |
| Hosting, backend infrastructure, traffic distribution, and maintenance | technical data, account data, content necessary to deliver the service | performance of the contract, Art. 6(1)(b) GDPR; legitimate interest, Art. 6(1)(f) GDPR | for the time necessary to deliver the service and according to backup and maintenance cycles |
| Compliance with legal obligations | data necessary for compliance | legal obligation, Art. 6(1)(c) GDPR | for the periods provided by applicable law |
| Defence, establishment, or exercise of rights | account data, logs, communications, payment data | legitimate interest, Art. 6(1)(f) GDPR | for the time necessary to manage the dispute and according to the applicable limitation periods |
| Operational communications about the service | email, account data | performance of the contract, Art. 6(1)(b) GDPR; legitimate interest, Art. 6(1)(f) GDPR | for the duration of the account or for as long as the communication is necessary |
| Weather contextualisation of training | location indicated by the user or obtained via device features, where authorised; associated weather data | performance of the contract, Art. 6(1)(b) GDPR; where required by the browser/device, the user's consent to access location | for the time necessary to generate or update the plan/session; unless otherwise necessary, no longer than the duration of the account |

keysessions.ai uses, where possible, approximate location or location entered manually by the user, avoiding the collection of precise location data when not necessary.

The Data Controller does not use the data for marketing, advertising profiling, or sending promotional communications, unless this is introduced in the future with an updated notice and, where necessary, the user's consent.

4-bis. Athletic profiling, plan adaptation, and AI features

keysessions.ai uses the data provided by the user and the data generated during use of the service to create athletic profiles, generate training plans, adapt mesocycles, evaluate session execution, and provide analyses via the AI coach.

Such processing is intended solely for the provision of the service requested by the user and is not used for marketing, behavioural advertising, or commercial scoring purposes.

The service may produce automated recommendations relating to training, but such recommendations do not constitute decisions with legal effects on the user. The user remains responsible for critically evaluating the guidance received and for stopping physical activity or consulting a qualified professional in the event of doubts, symptoms, or medical conditions.

The Data Controller does not use the user's data to train general third-party AI models, except with the user's consent or another legal basis indicated in this Privacy Policy.

5. Mandatory or optional nature of providing data

Providing the data necessary for registration, authentication, delivery of the service, and management of payments is necessary in order to use keysessions.ai.

Failure to provide such data may make it impossible to create an account, access the web app, or use specific features.

Providing further data, where requested as optional, is free and does not affect the use of the service, unless such data is necessary for a specific feature requested by the user.

6. Methods of processing

Processing is carried out using IT and electronic tools, according to logic consistent with the purposes indicated in this notice.

The Data Controller adopts technical and organisational measures appropriate to protect personal data from unauthorised access, disclosure, modification, loss, or destruction, taking into account the nature of the data, the context, the purposes of the processing, and the risks to data subjects.

Access to the data is limited to parties authorised by the Data Controller and to providers that process personal data on behalf of the Data Controller or as independent controllers, according to their respective role.

7. Providers, recipients, and processors

To provide the service, keysessions.ai uses technical and commercial providers. Such parties may act, as the case may be, as data processors, sub-processors, independent controllers, or separate controllers.

| Provider | Service | Data potentially processed | Privacy role | Country / processing area |
|---|---|---|---|---|
| Vercel Inc. | frontend/backend hosting and infrastructure | technical data, IP, logs, data necessary to deliver the service | data processor under the Vercel DPA | United States / global infrastructure; certified under the EU-US Data Privacy Framework |
| Neon | managed PostgreSQL database | account data, application data, training and athletic profile data | data processor under the Neon DPA | EU region: Frankfurt, Germany (aws-eu-central-1) |
| Cloudflare, Inc. | CDN, security, traffic optimisation, bot protection | IP, technical logs, device data, security data | data processor for CDN and security; independent controller for bot and abuse protection activities as indicated in the Cloudflare DPA | United States / global infrastructure; certified under the EU-US Data Privacy Framework |
| Stripe | payments, subscriptions, transaction management | payment data, billing data, transaction identifiers | independent controller for payment processing activities; data processor for delegated activities as indicated in the Stripe DPA | United States / global infrastructure; certified under the EU-US Data Privacy Framework |
| Resend | sending transactional emails and magic links | email, sending metadata, transactional email content | data processor under the Resend DPA | United States / certified under the EU-US Data Privacy Framework |

The Data Controller may also disclose personal data to:

  • legal, tax, accounting, or technical advisors;
  • public, judicial, or administrative authorities, when required by law;
  • parties involved in corporate or organisational transactions, within the limits permitted by law;
  • providers of security, maintenance, technical support, and infrastructure.

The Data Controller maintains, where necessary, data processing agreements pursuant to Art. 28 GDPR or other applicable privacy agreements.

8. Data transfers outside the European Economic Area

Some providers used by keysessions.ai are based or have infrastructure outside the European Economic Area, in particular in the United States.

When this entails a transfer of personal data to third countries, the Data Controller adopts one of the tools provided by the GDPR, including, where applicable:

  • adequacy decisions of the European Commission;
  • valid certification of the provider under the EU-US Data Privacy Framework (DPF), where available — Vercel, Cloudflare, Stripe, and Resend are certified under the EU-US Data Privacy Framework at the time this notice was drafted;
  • Standard Contractual Clauses (SCC) approved by the European Commission, included in the providers' DPAs;
  • supplementary technical, contractual, and organisational measures, when necessary;
  • other safeguards or derogations provided by Chapter V GDPR, in the permitted cases.

As regards the database (Neon), the main database is configured in a region located within the European Economic Area, currently Frankfurt, Germany (aws-eu-central-1), in order to limit non-EEA transfers of the main application data.

You may request further information on transfers by writing to the Data Controller.

9. Cookies and similar technologies

keysessions.ai uses exclusively cookies and similar technologies strictly necessary for the operation of the service.

In particular, the following are used:

  • session cookies (Auth.js), necessary to maintain the session and enable user authentication;
  • language preference cookie (ksn-locale), necessary to store the user's language choice among the available languages (English, Italian, Spanish, French);
  • Cloudflare technical cookies (for example __cf_bm), necessary for the operation of the protection service against bots and malicious traffic.

No profiling, advertising tracking, or marketing cookies are used.

For strictly necessary technical cookies, prior consent is not required, but the user can manage them through the browser settings. Disabling technical cookies may prevent the correct operation of the web app.

10. Third-party data entered by the user

You must not enter, upload, or share third-party personal data through keysessions.ai unless you have a suitable legal basis and have provided the information required by applicable law.

You remain responsible for the third-party personal data you decide to enter or process through the service.

11. Special data and data of minors

keysessions.ai processes data relating to the physical condition and athletic performance of the user, including weight, power, physiological parameters, training data, readiness, recovery, athlete notes, and feedback. Such data may fall within health-related data pursuant to Art. 9 GDPR.

For such data, processing is based on the performance of the contract pursuant to Art. 6(1)(b) GDPR, as necessary to provide the service requested by the user, and on the user's explicit consent pursuant to Art. 9(2)(a) GDPR, where the processed data falls within special categories of data.

You may withdraw explicit consent at any time by contacting the Data Controller or, where available, through the account settings.

The service is not intended for persons under 18 years of age. If the Data Controller becomes aware of personal data processed in violation of this limit, it will take reasonable measures to delete it or limit its processing.

12. User rights

Within the limits and under the conditions provided by the GDPR, you have the right to:

  • obtain confirmation as to whether or not personal data concerning you is being processed;
  • access your personal data;
  • obtain the rectification of inaccurate data or the completion of incomplete data;
  • obtain the erasure of personal data;
  • obtain the restriction of processing;
  • object to processing based on legitimate interest;
  • receive the data in a structured, commonly used, and machine-readable format, where applicable;
  • request the transmission of the data to another controller, where technically feasible and applicable;
  • withdraw consent, where processing is based on consent;
  • lodge a complaint with a competent supervisory authority.

In Italy, the competent supervisory authority is the Garante per la protezione dei dati personali.

13. How to exercise your rights

Requests relating to privacy rights may be sent to:

founders@keysessions.ai

The Data Controller will respond without undue delay and, in any case, within one month of receiving the request, subject to extension in the cases provided by the GDPR.

The Data Controller may request additional information to verify the user's identity, in compliance with the minimisation principle.

The exercise of rights is free of charge, except for manifestly unfounded, excessive, or repetitive requests, in the cases provided by applicable law.

14. Data security

The Data Controller adopts appropriate technical and organisational measures, including, where applicable:

  • access control;
  • authentication via temporary links;
  • use of infrastructure providers with documented security measures;
  • protection against bots, spam, and malicious traffic;
  • technical logging and security monitoring;
  • backups and maintenance procedures;
  • limiting access to the data to authorised parties only.

No IT system can be considered absolutely secure. You must adopt appropriate measures to protect your device, email address, and account access.

15. Personal data breaches

In the event of a personal data breach, the Data Controller will assess the event and, where necessary, make the notifications to the supervisory authority and to data subjects in accordance with Articles 33 and 34 GDPR.

16. Changes to the Privacy Policy

The Data Controller may modify this Privacy Policy to reflect regulatory, technical, organisational, or service changes.

Changes will be published on this page with an indication of the last modification date. When changes significantly affect users' rights or consent-based processing, the Data Controller will provide adequate communication and, where necessary, collect new consent.

17. Essential definitions

Personal data: any information relating to an identified or identifiable natural person.

Data subject: the natural person to whom the personal data relates.

Processing: any operation performed on personal data, such as collection, recording, storage, consultation, use, disclosure, erasure, or destruction.

Data Controller: the party that determines the purposes and means of the processing.

Data processor: the party that processes personal data on behalf of the controller.

Service: the web app and features offered through keysessions.ai.

GDPR: Regulation (EU) 2016/679.

© 2026 keysessions.ai. All rights reserved.