Privacy Policy
Last updated: 2026-05-19 — placeholder, will be expanded before public launch.
Information we collect
- Email address — required at signup; account identifier.
- Display name — optional.
- Training data — sessions, sets, cardio activities, body weight, recorded limitations.
- Strava data (if connected) — cardio activities; pulled with your consent, revocable.
- Usage analytics (PostHog) — only with your consent.
- Error reports (Sentry) — only with your consent.
Where it lives
- Primary storage: Supabase Postgres in the EU (eu-west-1, AWS).
- Web hosting: Vercel (edge network; origin in EU).
- All transit is HTTPS/TLS.
Your rights (GDPR)
- Right to access: export all your data as JSON (Phase 1 feature).
- Right to erasure (Article 17): delete your account at any time from Settings. Hard-deletes immediately and cascades to all your data. Live now.
- Right to rectification: edit your profile and any logged data freely.
- Right to data portability: JSON export covers this.
- Right to complain: to your local data protection authority. For Finland: Tietosuojavaltuutettu.
Cookies
Only cookies strictly necessary for authentication (Supabase Auth session). No advertising cookies. Analytics cookies require your consent.
Contact
Personal-project deployment. For data-subject requests, contact via GitHub at drrowdev/hybrid-training-app or the email associated with your account.
This is a placeholder. Before public launch this policy will be expanded to cover the full GDPR Article 13 disclosures, retention periods, sub-processors list, and contact details for the Data Protection Officer if applicable.