PRIVACY POLICY.
The short version
STRIDD is free to use. You can build a plan without signing in (data stays in your browser), or create an optional account to save plans, sync watch data, and pick up where you left off across devices. The clauses below cover both flows. We do not sell your data. We do not run advertising. We do not share your training data with anyone you have not connected.
Account creation and password storage
When you create a STRIDD account, we collect your email address and a password (stored as a salted bcrypt hash via our authentication provider — never in plaintext). You can delete your account at any time from /athlete/settings/, which removes your profile, plans, watch-sync tokens, and run logs from our servers within 30 days.
Browser-only flow (no account)
If you build a plan without signing in, your training plan, race goal, schedule, fitness level, and any logged sessions are stored only in your browser's localStorage. They never leave your device. Clearing your browser data clears your plan. No personal data is submitted to a server in this flow.
Strava integration
If you connect Strava, we use Strava's OAuth 2.0 to request access to your activity data (read scope) and, optionally, to upload planned workouts (write scope). We store your activities, splits, heart rate, and route data on STRIDD servers for as long as your account is active. Disconnecting Strava in /athlete/settings/ revokes the OAuth token and deletes the cached activity data within 7 days.
Garmin Connect integration
If you connect Garmin, we use Garmin's Health and Activity APIs to receive workout summaries, heart rate, splits, and route data. The same retention model as Strava applies: data is stored while your account is active and is deleted within 7 days of disconnecting Garmin.
Coros, Polar, and other watch providers
Where supported, additional watch providers follow the same model: OAuth-based authorisation, data limited to workouts and physiological metrics relevant to training, retention tied to your account lifetime, and deletion within 7 days of disconnecting the provider.
Apple Health integration (future)
When Apple Health support ships, we will use Apple's HealthKit framework on the iOS app to read workout data. Apple Health data is processed on-device and only the workout summary (date, distance, time, average heart rate) is uploaded to STRIDD servers — raw heart rate streams and routes stay on your iPhone unless you opt in to upload them.
Watch data — what we store
Per workout: date, distance, duration, average and peak heart rate, cadence, splits, perceived effort, route polyline (where available), elevation gain, and any device-reported metrics relevant to training (e.g. ground contact time, vertical oscillation). We do not sell or share this data with third parties.
Cookies and sessions
When you sign in, STRIDD sets a session cookie (HttpOnly, Secure, SameSite=Lax) to keep you logged in for 30 days. You can clear this from your browser at any time. We continue to use no marketing or tracking cookies. Plausible analytics remains cookie-free. Mixpanel uses localStorage for an anonymous distinct_id, not cookies.
Email
If you create an account, we may send you transactional email — account confirmation, password reset, and important service updates. We will not send marketing email unless you opt in via /athlete/settings/. You can unsubscribe from any non-transactional email at any time using the link in the footer of every email.
Anonymous analytics
We use Plausible (cookieless, EU-hosted) for aggregate page-view analytics — what pages people visit, where they came from, and which features get used. No personal identifier is sent to Plausible. Mixpanel runs anonymous event analytics with 10 percent session-replay sampling and masked text input. You can opt out of all non-essential analytics from the footer link on any page.
Third-party processors
We use these processors to operate STRIDD: Clerk Inc. (authentication; Delaware, USA), our managed PostgreSQL provider (database; region depends on your account), Resend (transactional email; USA), Plausible (page analytics; EU), Mixpanel (event analytics; USA, optional). Each processor receives only the data necessary for its function. Strava, Garmin, Coros, and Polar are upstream data sources, not processors of your STRIDD account data.
Your rights
You can export all of your STRIDD data from /athlete/export/ at any time. You can delete your account from /athlete/settings/ and we will purge your data from our active database within 30 days (and from backups within 60 days). For questions about your data or to exercise GDPR / DPDPA rights, write to hello@stridd.run.
Third-party content
We load fonts from Google Fonts, JavaScript libraries from public CDNs, and images from Unsplash. These providers may receive your IP address as a normal part of serving content. We do not share any data with them beyond what your browser sends in a normal HTTP request.
Lawyer review note
This policy is a working draft pending review by counsel. Sub-processor list and data residency details may be updated to reflect the final production deployment. Material changes will be summarised at the top of this page when they take effect.