Privacy Policy

2.1 Account Information

• Email address (for login and communication)
• Password (encrypted with bcrypt, never stored in plain text)
• Full name (optional, for personalization)
• Profile photo/avatar (optional, stored securely)

2.2 Athlete Profile Data

• Date of birth (for age-based recommendations)
• Weight and height (for power-to-weight calculations)
• Resting heart rate and maximum heart rate
• Functional Threshold Power (FTP)
• Sport type and experience level
• Training goals and preferences

2.3 Training & Activity Data

• Activity records from connected devices and services
• GPS data, routes, and location information
• Power output, heart rate, cadence, and speed data
• Activity duration, distance, and elevation gain
• Lap times and split data
• Training load and stress calculations (TSS, CTL, ATL)

2.4 Health & Recovery Data

When you connect health tracking services (like Whoop):

• Sleep duration and quality metrics
• Recovery scores and readiness indicators
• Heart rate variability (HRV)
• Strain and exertion metrics

2.5 AI Coach Interactions

• Chat conversation messages with the AI coach
• Training questions and coaching responses
• Uploaded images (e.g., power files, bike fit photos, training screenshots)
• Training plan requests and generated proposals

3.1 Contract Performance (Art. 6(1)(b))

Processing necessary to provide our AI coaching service:

• Managing your account and authentication
• Synchronizing data from connected devices
• Generating personalized training plans and recommendations
• Calculating training load and performance metrics

3.2 Consent (Art. 6(1)(a))

Processing based on your explicit consent:

• Connecting third-party integrations (Strava, Whoop, Wahoo)
• Using analytics cookies to improve our service
• Sending newsletter and marketing communications
• Processing sensitive health data (GDPR Art. 9(2)(a))

You can withdraw your consent at any time through your account settings.

3.3 Legitimate Interests (Art. 6(1)(f))

Processing necessary for our legitimate business interests:

• Preventing fraud, abuse, and security threats
• Improving service quality and user experience
• Technical troubleshooting and customer support
• Business analytics and strategic planning

4.1 Providing Core Services

• Authenticating your access to the platform
• Synchronizing activities from connected devices and services
• Calculating training load, readiness scores, and performance metrics
• Generating personalized AI coaching responses
• Creating and adapting training plans based on your goals and fitness
• Displaying performance analytics, trends, and progress charts

4.2 AI Coaching with OpenAI

• Your profile data, training history, and chat messages are sent to OpenAI's GPT-4 API for processing
• OpenAI processes this data to generate personalized coaching responses
• Under our enterprise agreement, your data is NOT used to train OpenAI's models
• OpenAI's data processing terms: https://openai.com/enterprise-privacy
• We do NOT send: passwords, payment information, or authentication tokens

4.3 Service Improvements

• Analyzing usage patterns to identify popular and underused features
• Identifying and fixing technical issues and bugs
• Understanding which features provide the most value to users
• Planning new features and integrations based on user needs
• Optimizing performance and loading times

5.1 Essential Service Providers

We use trusted third-party service providers to operate our platform. All providers have Data Processing Agreements (DPAs) in place:

5.2 Integration Services (With Your Consent)

When you connect third-party fitness services, we access only the data you authorize via OAuth:

• Strava: Activities, athlete profile, activity streams (power, heart rate, GPS)
• Whoop: Recovery scores, sleep data, workout data
• Wahoo: Activities and workout data

We store access tokens securely and only access data necessary for providing coaching services. You can disconnect integrations at any time via Settings > Integrations.

5.3 Payment Processing (When Implemented)

When subscription features are launched, we will use Stripe for payment processing:

• Stripe processes all subscription payments
• We do NOT store your credit card information on our servers
• Stripe maintains PCI-DSS Level 1 compliance (highest security standard)
• We receive only payment confirmation and subscription status

5.4 Analytics

Vercel Analytics: We use privacy-friendly analytics that:

• Do not use cookies or track personal identifiers
• Collect only aggregated, anonymized usage statistics
• Help us understand which features are most valuable
• Comply with GDPR without requiring consent

7.1 Active Account

• Profile data: Retained while your account is active
• Training sessions:
  • Free tier: 90 days of detailed activity history
  • Pro tier: 2 years of detailed history (when implemented)
  • Elite tier: Unlimited retention (when implemented)
• Chat conversations: Retained while account is active
• Activity logs: Server logs retained for 90 days for security purposes

7.2 After Account Deletion

• All personal data permanently deleted within 30 days of account deletion request
• Aggregated, anonymized statistics may be retained for business analytics
• Legally required records (e.g., tax, accounting): Retained for 7 years as required by German law
• Backup systems purged within 90 days

8.1 Right of Access (Art. 15)

You have the right to request a copy of all personal data we hold about you, including:

• Profile information and account details
• Training sessions and activity data
• Chat conversations with the AI coach
• Integration connections and sync history
• Goals, training plans, and readiness scores

How to exercise: Go to Settings > Privacy > Export Data. Your data will be provided in JSON format for easy portability.

8.2 Right to Rectification (Art. 16)

You have the right to correct inaccurate or incomplete personal data.

How to exercise: Update your information directly via Settings > Profile, or contact support for assistance.

8.3 Right to Erasure / "Right to be Forgotten" (Art. 17)

You have the right to request deletion of your personal data. We will permanently delete your data within 30 days, except where:

• We are legally required to retain certain records (e.g., tax records for 7 years)
• Data is needed to complete an ongoing transaction
• Data is needed to comply with legal obligations

How to exercise: Go to Settings > Privacy > Delete Account. This action is permanent and cannot be undone.

8.4 Right to Restriction of Processing (Art. 18)

You have the right to request that we limit processing of your data in certain circumstances:

• When you contest the accuracy of the data
• When processing is unlawful but you don't want data deleted
• When we no longer need the data but you need it for legal claims
• While we verify legitimate grounds following your objection

How to exercise: Contact us at hi@nplusone.app

8.5 Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON) and transfer it to another service.

How to exercise: Use the Export Data feature in Settings > Privacy to download your complete data archive.

8.6 Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes:

• Object to direct marketing at any time (unsubscribe links in all marketing emails)
• Object to processing based on legitimate interests
• Object to automated decision-making and profiling

We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

8.7 Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, you have the right to withdraw it at any time:

• Disconnect integrations via Settings > Integrations
• Manage cookie preferences via Cookie Settings
• Unsubscribe from newsletters using links in emails

Withdrawal does not affect the lawfulness of processing before withdrawal.

8.8 Right to Lodge a Complaint

If you believe we are not complying with GDPR, you have the right to file a complaint with your local Data Protection Authority:

We encourage you to contact us first so we can address your concerns directly.

9.1 Technical Measures

• Encryption in transit: TLS/SSL encryption (HTTPS) for all data transmission
• Encryption at rest: Database encryption for stored data
• Password security: Passwords hashed using bcrypt (never stored in plain text)
• Encrypted database connections: All database queries use encrypted connections
• OAuth 2.0: Secure authorization for third-party integrations
• Token management: Access tokens encrypted at rest, expire automatically
• Regular security updates: Dependencies and systems kept up to date

9.2 Organizational Measures

• Access controls: Least privilege principle for system access
• Security training: Regular security awareness and best practices
• Incident response: Procedures for detecting and responding to security incidents
• Secure development: Security-first development practices and code reviews
• Third-party assessments: Regular security audits of service providers

9.3 Infrastructure Security

• Databases hosted in secure, ISO-certified data centers
• Automated encrypted backups
• DDoS protection and rate limiting
• Intrusion detection and prevention systems
• Regular security monitoring and logging

10.1 Essential Cookies (Always Active)

These cookies are necessary for the website to function and cannot be disabled:

• Authentication cookies (Supabase): Manage your login session
• Preference cookies: Remember your settings and preferences
• Security cookies: CSRF protection and security features

Legal basis: Necessary for contract performance (GDPR Art. 6(1)(b))

10.2 Analytics Cookies (Opt-in Required)

With your consent, we use analytics to understand how our service is used:

• Vercel Analytics: Privacy-friendly, aggregated usage statistics
• No personal identifiers or tracking across websites
• Helps us understand which features provide the most value

Legal basis: Consent (GDPR Art. 6(1)(a))

12.1 AI Coaching Recommendations

• Our AI coach provides training suggestions based on your profile and activity data
• These are recommendations only, not binding decisions
• You maintain full control over your training choices
• No decisions with legal or similarly significant effects are made automatically
• You can always override or ignore AI suggestions

12.2 Training Load Calculations

• Automated algorithms calculate training stress (TSS), fitness (CTL), and fatigue (ATL)
• Based on established sports science principles
• Calculations are transparent and use standard formulas
• You can view, question, and ignore these metrics at any time

13.1 Your Responsibility

• Review the privacy policies of Strava, Whoop, and Wahoo
• Understand what data you're authorizing us to access through OAuth permissions
• You can revoke access at any time via Settings > Integrations
• Disconnecting removes our access but doesn't delete data from the third-party platform

13.2 Our Responsibility

• Access only the data scopes you explicitly authorize
• Store access tokens securely with encryption
• Respect your data deletion requests
• Delete integration data when you disconnect a service
• Use accessed data only for providing coaching services