Privacy Policy

Last updated: May 3, 2026 · Stride (“we”, “us”) · Melbourne, Victoria, Australia · privacy@runstri.de

This policy describes how we collect, use, store, and share personal information when you use Stride (the “Service”) at runstri.de. By using the Service, you agree to this policy.

1. Who we are

Stride is operated from Melbourne, Victoria, Australia. For privacy enquiries, contact privacy@runstri.de.

2. Data we collect

We may process the following categories of information:

• Account and identity: email address, name, and profile identifiers from Clerk (authentication). We use this to create and secure your account.
• Strava activity data: when you connect Strava, we sync activities you authorize, including sport type, start time, distance, duration, pace, elevation gain, heart rate metrics where available, cadence, training-load proxies we derive, and route approximations via encoded polylines (location represented as a simplified path, not continuous GPS tracking by Stride).
• Whoop physiological data: if you connect Whoop, we sync the metrics Whoop provides via their API, including daily recovery score, sleep duration and stages, heart rate variability (HRV), resting heart rate, respiratory rate, SpO2, skin temperature, and strain. We use this alongside Strava data to make training recommendations recovery-aware.
• Google Calendar (write-only): if you connect Google Calendar, we hold an OAuth token that lets us write planned workouts to a calendar you specify. We do not read your existing calendar entries.
• Anthropic API key (optional): if you supply your own Anthropic API key in Settings, we store it AES-256-GCM encrypted at rest and use it only to make AI requests on your behalf. AI requests made with your key are billed to you under your direct contract with Anthropic.
• Usage and product analytics: anonymous or pseudonymous events via PostHog, Statsig, Vercel Analytics, and Vercel Speed Insights (feature usage, performance metrics, experimentation), in line with your cookie and tracking preferences where applicable.
• Session replay and error data: Sentry and Statsig may capture anonymised replays of your session and unhandled errors so we can debug issues and improve usability. Sensitive inputs such as password fields are masked by default. You can opt out via your browser's tracking preferences or by contacting us.
• Communications: if you email us or receive product email, metadata and message content handled through our email provider (Resend).
• Technical data: IP address, device and browser type, and logs needed for security and reliability, stored in infrastructure providers supporting the Service.

3. How we use your data

We use personal data to:

• Provide the Service: sync Strava activities, sync Whoop recovery (where connected), show analytics, and power features you request.
• Generate AI-assisted outputs (training plans, chat responses, insights) using your activity context and, where configured, your own API credentials.
• Make recovery-aware training recommendations when Whoop is connected, including flagging sessions on low-recovery days and proposing plan adjustments when your training drifts.
• Push planned workouts to your Google Calendar (where you have connected and authorized it).
• Maintain security, prevent abuse, and debug issues.
• Improve the product using aggregated or de-identified analytics via PostHog, Statsig, and Vercel Analytics.
• Comply with law and respond to valid legal requests.

4. Third parties

We rely on subprocessors that process data on our behalf, including:

Data sources you choose to connect

• Strava: source of your activity data. You control connection scope in Strava and can revoke access there at any time.
• Whoop: source of your recovery, sleep, and physiological data when you connect Whoop. You control connection scope in Whoop and can revoke access there at any time.
• Google: Google Calendar API for writing planned workouts to a calendar you specify. We never read your existing calendar entries.

AI

• Anthropic: AI inference for plan generation, adaptive coaching, and chat. When you supply your own API key in Settings, requests go to Anthropic under your direct contract; otherwise we use our key.

Application infrastructure

• Clerk: authentication and session management.
• Neon: hosted PostgreSQL for application data.
• Vercel: application hosting and edge networking. Vercel Analytics and Vercel Speed Insights process anonymised performance metrics for the same domain.
• Inngest: durable background job execution (Strava and Whoop sync, plan generation, calendar push, weekly emails).
• Resend: transactional and weekly summary email delivery.

Observability and analytics

• Sentry: client-side error capture and optional session replay (with sensitive-input masking on by default).
• PostHog: product analytics for understanding feature usage.
• Statsig: feature gates, experimentation, optional session replay, and product analytics auto-capture.

Each provider has its own terms and privacy policy. We only share what is needed for the Service. A current list of subprocessors is maintained on this page; we will update it when we add or remove a provider that processes personal data.

5. Retention

We retain Strava-derived activities and derived metrics while your account is active so the Service can function. If you close your account or request deletion, we aim to delete associated personal data within 30 days, subject to backup cycles and legal obligations. Some records may be retained longer where required for security, disputes, or compliance.

6. International transfers

Our infrastructure and subprocessors may be located outside Australia. Where we transfer personal information overseas, we take steps appropriate to the circumstances (including contractual safeguards where available).

7. Your rights

Depending on applicable law, you may have the right to:

• Access or correct your personal information.
• Request deletion of your account and associated data.
• Disconnect Strava, Whoop, or Google Calendar at any time (stopping new syncs and revoking our access tokens; contact us to remove historical copies of synced data if needed).
• Export or port data where technically feasible. Contact us with specifics.
• Lodge a complaint with a regulator (in Australia, the Office of the Australian Information Commissioner).

To exercise these rights, email privacy@runstri.de.

8. Security

We implement reasonable administrative, technical, and organisational measures to protect personal information. OAuth access and refresh tokens for Strava, Whoop, and Google, along with any user-supplied Anthropic API keys, are stored encrypted at rest using AES-256-GCM. Traffic is served over TLS. No method of transmission or storage is completely secure.

9. Children

The Service is not directed at children under 13. If you believe we have collected a child's data in error, contact us for removal.

10. Changes

We may update this policy from time to time. Material changes will be reflected by updating the date above and, where appropriate, notice in the app or by email.