Privacy Policy

What we collect

We collect the information you provide when creating an account, such as your name, email address, password hash, profile information, training goal, and email preferences.

If you connect Strava, we import the activity data needed to power your dashboard and coaching features, including activity summaries, timestamps, distance, pace, heart rate, cadence, elevation, and other training metrics made available to us through the scopes you approve.

How data is collected

Account data is collected directly from you through our signup and settings forms. Strava data is collected only after you explicitly authorize VELOXthrough Strava's OAuth flow.

We also receive limited operational events from Strava webhooks so we can detect deauthorizations, deletions, and activity updates and keep our records aligned with your current Strava data.

How we use your data

We use your data to operate the service, show your training dashboard, generate coaching insights, send the coaching emails you opt into, manage billing, secure the app, and support you when you contact us.

We do not sell Strava data. We do not use Strava data to target advertising. We do not use Strava data to train machine-learning models.

Service providers

We use third-party processors to run VELOX. Based on the current implementation, these include:

• Supabase for application data storage.
• Stripe for subscription billing.
• Resend for transactional email delivery.
• OpenRouter for generating coaching report content from the activity context we send.
• Vercel for hosting and scheduled jobs.

How to withdraw consent or disconnect Strava

You can disconnect Strava from the Settings page. When you use the disconnect flow, VELOX attempts to revoke access on Strava and deletes the imported Strava-derived data stored by the app.

You can also revoke VELOX's access directly in your Strava account settings. If Strava sends us a deauthorization event, we purge the imported Strava data that we control.

How to request deletion

To delete imported Strava data immediately, use the disconnect and delete flow in Settings. If you want us to delete your full VELOX account or you need help with a deletion request, email hello@velox.run.

For support, you can also visit the Support page.

Retention and security

We use HTTPS in transit and restrict sensitive operations to server-side code. Access tokens and refresh tokens are stored on the server and are never exposed to the browser.

We retain personal data only as long as needed to operate the service, comply with law, resolve disputes, and enforce our agreements. Imported Strava data is deleted when you disconnect Strava using the provided deletion flow or when we receive a deauthorization event that requires us to purge it.