Privacy Policy

Effective date: January 31, 2026

1. Introduction

Spethial Coach is a fitness tracking web application that helps you log workouts, track training progress, and analyse your fitness data. We take your privacy seriously, especially when it comes to sensitive health and fitness information.

This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information. By using Spethial Coach, you agree to the practices described in this policy.

2. Information We Collect

Account Data

Email address, name, and profile image (provided via Google OAuth or account registration). Passwords are stored as bcrypt hashes and are never stored in plain text.

Fitness & Workout Data

Workout logs including exercises, sets, reps, weight, distance, duration, heart rate, pace, cadence, power, elevation, and GPS route data.

Health & Biometric Data

When imported from Apple Health at your explicit request: daily steps, active calories, exercise minutes, resting heart rate, heart rate variability (HRV), VO2 max, respiratory rate, oxygen saturation, sleep data (total, deep, core, and REM), nutrition logs, body weight, and body fat percentage.

Third-Party Fitness Platform Data

When imported from Strava or Garmin at your explicit request: activity data, workout details, and GPS routes.

File Imports

GPX, FIT, and CSV files you upload. Device and app information contained in these files is preserved for data provenance.

Usage Data

Google Analytics collects anonymised page views. User IDs are replaced with a :id placeholder before being sent to Google, so your identity is never shared with analytics services.

3. How We Use Your Information

  • Provide and maintain the service — logging workouts, displaying analytics dashboards, and managing training plans.
  • Display your workout history, progress charts, and training programmes.
  • Import and synchronise data from connected platforms (Strava, Garmin, Apple Health) at your request.
  • Improve the service based on aggregated, anonymised usage patterns.

Apple HealthKit Disclosure

We do not use health data for advertising or use-based data mining. Health data is used solely to improve your health management experience within the app.

Strava API Disclosure

We do not use Strava data for AI/ML training, analytics products, customer insights, or combining with data from other sources.

4. Third-Party Services & Platform-Specific Disclosures

Strava Integration

  • Data is accessed only with your explicit consent via OAuth.
  • Strava data is used solely to display your activities within your own account.
  • We do not display your Strava data to other users.
  • We do not use Strava data for AI/ML, analytics, or product improvements.
  • Cached Strava data is not retained longer than 7 days unless saved to your account.
  • You can disconnect Strava at any time via Settings; upon disconnection, Strava API data is deleted.
  • User-deleted activities on Strava are removed from our system within 48 hours.

Strava privacy policy: strava.com/legal/privacy

Garmin Integration

  • Data submitted to Spethial Coach is submitted to us, not to Garmin. Garmin has no responsibility for data within our system.
  • Data is accessed only with your explicit consent via OAuth.
  • We retain Garmin data only as long as needed for service operation, unless you give express consent for longer retention.
  • You can disconnect Garmin and request deletion of all Garmin-sourced data at any time.

Garmin privacy policy: garmin.com/en-US/privacy/connect/policy

Apple Health Data

  • Health data is imported only at your explicit request.
  • We do not use health data for advertising or use-based data mining.
  • Health data is used solely to improve your health management experience within the app.
  • We do not share health data with third parties except as necessary to provide the service.
  • We do not store health data in iCloud.
  • We do not write false or inaccurate data back to Apple Health.

Other Services

  • Google OAuth — Used for authentication. We receive your name, email address, and profile picture.
  • Google Analytics — Anonymised page view tracking. User IDs are never sent to Google.
  • Supabase — Database hosting provider. Data is stored in PostgreSQL with encrypted connections.

5. Data Sharing

We do not sell your personal data. We do not share your data with third parties for their marketing purposes.

Data is only shared with:

  • Infrastructure providers (Supabase for database hosting, Vercel for deployment) as necessary to operate the service.
  • Law enforcement if required by law.

Public training programmes: If you choose to publish a programme as public, its content (not your personal data) is visible to other users.

6. Cookies & Local Storage

  • Session cookie (NextAuth.js) — Required for authentication. Expires when your session ends.
  • Theme preference (localStorage) — Stores your light/dark mode choice. Contains no personal data.
  • Google Analytics cookies — If enabled, standard GA cookies for anonymised usage tracking.

We do not use third-party advertising cookies.

7. Data Storage & Security

  • Data stored in PostgreSQL via Supabase with encrypted connections (TLS).
  • Passwords hashed with bcrypt.
  • JWT-based session tokens.
  • Security headers enforced: HSTS, X-Content-Type-Options, X-Frame-Options, and strict Referrer-Policy.
  • Permissions-Policy blocks camera, microphone, and geolocation access.
  • OAuth tokens for Strava and Garmin are stored encrypted and refreshed automatically.

8. Data Retention

  • Account data — Retained while your account is active.
  • Workout and health data — Retained while your account is active.
  • Strava API cached data — Maximum 7 days (per Strava requirements).
  • Garmin data — Retained only as needed for service operation.
  • Account deletion — All personal data, workout data, and third-party tokens are permanently deleted.
  • Google Analytics data — Subject to Google's retention policies (anonymised).

9. Your Rights

  • Access — View all your data within the app (dashboard, workout logs, settings).
  • Export — Export your workout data using the export feature in Settings.
  • Deletion — Request deletion of your account and all associated data.
  • Disconnect — Revoke access to Strava, Garmin, or Apple Health at any time via Settings.
  • Withdraw consent — You can withdraw consent for data processing at any time by deleting your account.

EU/EEA users (GDPR): You have the rights of access, rectification, erasure, data portability, restriction of processing, and objection.

California users (CCPA): You have the right to know, to delete, and to opt out of the sale of personal data. We do not sell personal data.

10. Children's Privacy

Spethial Coach is not intended for users under the age of 13 (or 16 in the EU). We do not knowingly collect data from children. If we discover that a child's data has been collected, we will delete it promptly.

11. Changes to This Policy

Material changes to this policy will be communicated via email or in-app notification. The updated effective date will be posted at the top of this page. Continued use of Spethial Coach after changes constitutes acceptance of the revised policy.

12. Contact

For privacy inquiries, data deletion requests, or questions about this policy, contact us at: privacy@spethialcoach.com