Privacy Policy

Last Updated: April 10, 2026

1. Introduction

Cortex Athletics ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

The data controller responsible for your personal data is:
Taskero UG (haftungsbeschränkt)
Graben 2, 55116 Mainz, Germany
Email: contact@taskero.de

2. Information We Collect

2.1 Information You Provide

We collect personal information that you voluntarily provide when using our Service:

  • Account data: Email address, first name, and last name (required for registration)
  • Profile data: Date of birth, gender, weight (kg), and height (cm) (optional — used to personalize training plans)
  • Health data: Information about active injuries including title, description, and start date (voluntary — this constitutes special category data under GDPR Article 9)
  • Training data: Sport preferences, experience levels, training configurations (splits, schedules, goals), available equipment, and workout logs (exercises, sets, reps, weights, running pace, distances)
  • Account credentials: Your password is hashed using PBKDF2 and is never stored in plaintext

2.2 Automatically Collected Information

We do not use analytics, tracking, or advertising technologies. We do not collect your IP address, browser type, device information, or usage patterns. The only data automatically handled is through essential cookies required for the website to function (see our Cookie Policy).

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To create and manage your user account
  • To generate personalized AI-powered training plans using your profile data, sport preferences, injuries, and workout history
  • To send email verification codes during registration
  • To send password reset emails when requested
  • To display your training history, workout logs, and progress
  • To improve the quality of our AI-generated training plans
  • To comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b) GDPR): Account creation, training plan generation, workout logging, and providing the core Service functionality
  • Consent (Art. 6(1)(a) GDPR): Processing of health data (injuries, biometric measurements such as weight and height) under Art. 9(2)(a) GDPR. You voluntarily provide this data and can withdraw consent at any time
  • Legal obligation (Art. 6(1)(c) GDPR): Compliance with applicable laws and regulations
  • Legitimate interests (Art. 6(1)(f) GDPR): Service security, abuse prevention, and service improvement

4.1 Special Categories of Data (Art. 9 GDPR)

We process the following special categories of personal data based on your explicit consent:

  • Health data: Information about your active injuries (title, description, start date)
  • Health-related data: Weight and height measurements provided in the context of fitness training

This data is used exclusively to generate safe and appropriate training plans that account for your physical condition. You may choose not to provide this data, though it may reduce the quality of your training plans. You can update or delete this data at any time through your account settings.

5. Data Sharing and Disclosure

5.1 Google Gemini API (AI Training Plan Generation)

When you request an AI-generated training plan, we transmit the following data to Google via the Gemini API:

  • Your profile data: age (calculated from date of birth), gender, weight, height
  • Your sport preferences and training configuration
  • Your active injuries (health data)
  • Your workout history from the last 30 days
  • Your daily schedule preferences and time limits

Google processes this data to generate your training plan. Google's privacy policy applies to their processing of this data: https://policies.google.com/privacy. We send this data based on your explicit consent, which you provide when requesting a training plan. The data is transmitted to Google's servers, which may be located outside the European Economic Area (see Section 10).

5.2 Email Service Provider

We use an SMTP email provider to send transactional emails (account verification and password resets). Only your email address and name are shared with this provider for the purpose of delivering these emails.

5.3 No Other Sharing

We do not sell, rent, or share your personal data with any other third parties. We do not use analytics services, advertising networks, or social media plugins. In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction, and we will notify you before your data becomes subject to a different privacy policy. We may also disclose your data when required by law or to protect our rights.

6. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

  • HTTPS encryption enforced site-wide with HSTS (HTTP Strict Transport Security)
  • Passwords hashed using the PBKDF2 algorithm — never stored in plaintext
  • Session cookies configured as Secure, HttpOnly, and SameSite=Lax
  • CSRF (Cross-Site Request Forgery) protection on all forms
  • Clickjacking protection via X-Frame-Options

However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

We retain your personal data as follows:

  • Account and profile data: Retained for the duration of your account
  • Training data and workout logs: Retained for the duration of your account
  • AI generation logs: Prompts sent to and responses received from the AI service are retained for service improvement and debugging purposes
  • Email verification codes: Automatically expire after 15 minutes

Upon account deletion, all associated data is permanently removed from our database. To request deletion of your account and all associated data, please contact us at contact@taskero.de.

8. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Access (Art. 15): Request access to your personal data and information about how it is processed
  • Rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Erasure (Art. 17): Request deletion of your personal data
  • Restriction (Art. 18): Request restriction of processing in certain circumstances
  • Portability (Art. 20): Request transfer of your data in a structured, machine-readable format
  • Objection (Art. 21): Object to processing based on legitimate interests
  • Withdraw Consent (Art. 7(3)): Withdraw consent for processing of health data at any time, without affecting the lawfulness of processing based on consent before its withdrawal

To exercise any of these rights, contact us at contact@taskero.de. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority. Our competent authority is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Hintere Bleiche 34, 55116 Mainz
Email: poststelle@datenschutz.rlp.de

9. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately at contact@taskero.de, and we will take steps to delete such information.

10. International Data Transfers

Your data may be transferred to servers outside the European Economic Area (EEA) when you use the AI training plan feature. Specifically, data is sent to Google's Gemini API servers, which may be located in the United States or other countries. These transfers are safeguarded by Standard Contractual Clauses (SCCs) and/or EU adequacy decisions, in accordance with GDPR Article 46.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Email: contact@taskero.de
Address: Taskero UG (haftungsbeschränkt), Graben 2, 55116 Mainz, Germany

Taskero UG is not required to appoint a Data Protection Officer under GDPR Article 37. For all privacy-related inquiries, please contact us at the email address above.
