Legal

Privacy Policy

What we collect, how we use it, and the rights you have. Plain English, no doublespeak.

Effective 2026-05-27 · Last updated 2026-05-27

Neverchill is a training platform built on athlete data. The smarter the platform gets, the better it is for everyone who uses it. This page lays out what we collect, what we do with it, and the controls you have.

1. What we collect

When you use Neverchill, we collect:

  • Account information - email, name, password hash, OAuth identifiers (Google, Apple), timezone, preferred units.
  • Activity data - uploaded FIT/GPX/TCX files, GPS traces, power, heart rate, cadence, elevation, splits, lap data, attached photos and captions, comments.
  • Baseline data - FTP, LTHR, max HR, resting HR, weight, CP/W′ values you log over time.
  • Planning and coaching data - planned workouts, training plans, coach-athlete relationships, threaded discussions.
  • Device and session metadata - IP address (for security and abuse), browser / device info, session cookies.
  • Payment metadata - Stripe customer IDs and subscription state (the card-number side lives with Stripe, not us).

2. How we use it

In short: We use your data to run the product for you, to build community features, and to train the models that power Domestique and our analytics.

  • Running the Service - rendering activities, computing metrics (power curves, TSS, training load), syncing across devices.
  • Communicating with you - transactional email (signup, password resets, billing receipts), product updates, occasional announcements you can unsubscribe from.
  • Building community features - climb leaderboards, segment times, course records, popular-route discovery, peer comparisons. See section 4.
  • Training our models - Domestique, route classifiers, climb categorizers, fitness predictors, recommendation systems. See section 3.
  • Aggregate analytics and research - understanding what works in training, identifying product issues, publishing anonymized insights ("athletes on this plan typically improve FTP by X% in Y weeks").
  • Safety and fraud - preventing account takeover, detecting abuse, complying with legal requests where required.

We don't run ads on Neverchill. We don't sell your contact information to data brokers. We don't share identifying activity data with advertisers.

3. AI and model training

In short: We train AI models on athlete data. You can turn AI features off; data already in training corpora stays.

Two things happen when AI features are involved:

  1. Real-time AI requests - when you trigger a Domestique chat, summary, or suggestion, the relevant slice of your activity and baseline data is sent to Anthropic's Claude API for processing. Under their commercial terms, that data isn't used to train Anthropic's models and isn't retained beyond what's needed to return a response.
  2. Our own model training - we train internal models on Neverchill data. These include Domestique fine-tunes, route-quality scoring, climb categorization, and personalized recommendation systems. We use individually-tied data during training; model outputs are not tagged to a specific athlete's identity when surfaced to other athletes without a separate consent path.

You can turn AI features off in /settings/privacy. Disabling them removes your access to Domestique and AI summaries from that point forward. Data already incorporated into training corpora cannot be retroactively removed from models that have learned from it, though no individual athlete is identifiable in the resulting weights.

4. Community features

Neverchill's community features depend on aggregating athlete data. Examples:

  • Segment leaderboards - when multiple athletes ride or run the same stretch, we surface times and rankings.
  • Climb records - fastest known times on a categorized climb, broken down by age, sex, and bike type where you've supplied that data.
  • Popular routes - heatmap-style discovery of where athletes ride, built from anonymized aggregate GPS density.
  • Peer comparisons - "athletes like you" suggestions in plans, baselines, and recovery prompts.

Each activity has a visibility setting (private, followers, public) that controls whether your activity is shown by name in the social feed and on leaderboards. Private activities still contribute to aggregate, anonymized metrics - they don't appear with your name attached.

5. Third-party processors

We use a small set of third parties to run the Service. Their privacy practices are linked below.

Processor | Role | Policy
Stripe | Payment processing | Policy ↗
Mapbox | Maps and geocoding | Policy ↗
Anthropic | AI activity summaries and Domestique chat | Policy ↗
Google | OAuth sign-in (optional) | Policy ↗
Apple | OAuth sign-in (optional) | Policy ↗
AWS | Hosting and file storage | Policy ↗

6. Where your data lives

Primary storage is in the United States. If you're outside that region, this means an international transfer when you use the Service. For EU/UK users we rely on standard contractual clauses with our processors where required.

7. Your rights

You have the following rights over data we hold about you:

  • Access - see what we have. The export at /settings/account gives you original FIT files plus a JSON bundle of everything else.
  • Correction - edit your profile, activities, and baselines directly in the product.
  • Deletion - delete your account and we'll purge primary data within 30 days. Backups rotate out within 90 days. Aggregate / anonymized data and audit logs required for fraud, abuse, or tax may persist.
  • Portability - your full export is in standard formats (FIT for activities, JSON for everything else).
  • Restriction and objection - you can object to specific uses (such as AI training) via /settings/privacy or by emailing us.
  • Withdraw consent - for any consent-based processing, you can withdraw consent at any time.

For rights you can't exercise in-product, email privacy@neverchill.com and we'll handle it.

8. Cookies and sessions

We use functional cookies only: a session cookie to keep you signed in, and preference cookies (theme, timezone, units). No advertising cookies, no third-party tracking pixels. There's no cookie banner because there's no advertising surveillance to consent to.

9. Children

Neverchill is for athletes aged 16+. We don't knowingly collect data from anyone younger. If we learn we have such data, we delete it.

10. Security

We encrypt data in transit (TLS) and at rest (AES-256). Passwords are stored as bcrypt hashes. OAuth identifiers are tokens, not passwords. We audit our processor list annually. SOC 2 certification is on the roadmap; we'll update this section when it lands.

11. Retention

  • Active accounts - data kept for as long as the account is active.
  • Deleted accounts - primary stores purged within 30 days; backups rotate out within 90 days.
  • Aggregate / anonymized data - may persist indefinitely as part of community features, training corpora, or research.
  • Audit logs - kept as required for fraud, abuse, and tax records (typically 7 years).

12. Changes

We'll email you at least 30 days before any material change to this policy. Minor changes (clarifications, processor additions with no scope change, typos) update the Last Updated date and don't spam your inbox.

13. GDPR / CCPA / UK-GDPR - quick reference

Right | How to exercise it
Right of access | Export from /settings/account
Right to correction | Edit in-product
Right to deletion | Delete account from /settings/account
Right to portability | Export bundle (FIT + JSON)
Right to object | AI off-switch in /settings/privacy; email for other uses
CCPA: do not sell my data | Already covered - we don't sell personal data. Email us if you want a written confirmation.
Right to complain | EU/UK users may file with their supervisory authority. We'd prefer you talk to us first at privacy@neverchill.com.

14. Contact

Privacy and data requests: privacy@neverchill.com.

General contact: hello@neverchill.com.

Web: neverchill.com.