
Privacy Policy

Last updated: 2026-05-06

This is the privacy policy for Endura, a small project that uses AI to generate endurance-training plans. The short version: we collect what we need to build your plan and nothing else, we don't sell your data, and you can delete your account at any time from inside the app.

What we collect

  • Account: email address (required for sign-in) and a display name.
  • Profile (optional): birth year, sex, weight, current training context, doctor-clearance status, current injuries, and personalisation inputs (recent race time, threshold heart rate, FTP, swim CSS).
  • Plans: the inputs you provide when creating a plan (race date, distance, weekly hours, etc.) and the AI output we generate. Adjustments and completion records you add over time.
  • Strava data (only if you connect Strava): see the dedicated section below.
  • Technical: IP address (for abuse prevention and rate-limiting), browser user-agent, request timestamps, and basic device/locale data sent by your browser.
  • Operational: server logs needed to keep the service running (errors, AI request/response payloads for debugging, anonymised token-cost metrics).

We do not currently use third-party analytics or advertising cookies. We do not sell your data.

Strava integration

Connecting Strava is optional. If you do connect, we receive the following from Strava on each completed activity you upload:

  • Activity metadata: type (run / ride / swim / etc.), start time, duration, distance.
  • Performance data when present: average heart rate, average power, calories.
  • Approximate location: the start coordinates of the activity (Strava's default precision; we don't pull route polylines).
  • OAuth access + refresh tokens. Stored encrypted at rest; never returned to the browser.

We use this data only to auto-mark planned sessions as completed when an upload matches, and to surface unplanned activities on your dashboard. We don't sell, share, or use it for any other purpose.

Disconnecting: you can disconnect Strava from your profile at any time. On disconnect, we revoke the OAuth token with Strava and delete the stored tokens within 24 hours. Activity data already received and matched against your plan stays on your sessions (it's your training history). If you want it removed, delete the account or contact us — see below.

Where your data lives

  • Supabase — authentication and database. EU region (Frankfurt).
  • Anthropic (USA): AI provider. Plan-generation and adjustment prompts (which include your profile fields) are sent to Anthropic's API to generate or modify your plan. Your data is transferred to Anthropic's US infrastructure for processing under their standard contractual clauses (SCCs) for international data transfers. Anthropic's data-handling terms apply to that call.
  • Vercel — hosting and serverless runtime. Edge servers may be EU or US depending on your geography.
  • Inngest — background-job runner used for plan generation and adjustments.
  • Strava (USA) — only if you connect it. Activity data is transferred from Strava's US infrastructure to ours.

Legal basis

Under UK GDPR / EU GDPR we process your data on the following legal bases:

  • Contractual necessity — to deliver the training-plan service you signed up for (account, plan generation, adjustments, dashboard).
  • Your consent — for the Strava integration. You opt in by connecting; you can withdraw consent at any time by disconnecting.
  • Legitimate interests — service security, abuse prevention, and product improvement (debugging logs, anonymised cost metrics). We balance these against your privacy rights and minimise what we collect.

Retention

  • We keep your data while your account is active.
  • When you delete your account (in-app or by request), account data is removed from our active systems within 30 days.
  • Backups containing your data are purged within 90 days of deletion. Operational logs that may incidentally reference your account ID are pruned on the same schedule.
  • Anonymised token-cost metrics and aggregate usage statistics may be retained indefinitely for capacity planning; these cannot be tied back to you.

Your rights

  • Access: view all your data inside the app (profile in Settings, plans on the dashboard).
  • Correction: edit your profile in Settings any time.
  • Deletion: “Delete account” is available from the Profile page. Deletion is immediate in our active systems and propagates to backups within 90 days (see Retention above).
  • Portability: export your active plan as PDF or .ics calendar from the plan view; export individual sessions from the session-detail menu.
  • Objection / restriction: contact us if you want to object to or restrict any specific processing activity. UK / EU users may also lodge a complaint with their local data-protection authority (e.g. the ICO in the UK).

Children

Endura is not intended for users under 16. Don't create an account if you're under 16.

Contact

Use the contact form for any privacy questions, data-subject requests, or to follow up on a deletion. We aim to respond within 7 days.

This policy may be updated as the product evolves. Material changes will be flagged in-app.