velo-x.eu · legal

Privacy Policy

This policy explains how Vēlox collects, uses, stores, and protects your personal data, including data imported from Strava. Last updated: 2 June 2026.

What we collect

We collect the information you provide when creating an account: your name, email address, password hash, date of birth, gender, country, experience level, training goal, heart rate parameters, weight, and email preferences.

If you subscribe to product updates without an account, we collect your first name and email address solely to send those updates and manage unsubscribes.

If you connect Strava, we import activity data through the scopes you approve via Strava's OAuth flow. This includes activity summaries, timestamps, distance, pace, heart rate, cadence, elevation, and other training metrics. We also store the start coordinates (latitude and longitude) of each activity solely to derive your training city and to fetch local weather context for coaching insights. Full GPS route polylines are processed transiently for city geocoding only and are never persisted. All Strava-derived data is retained on our servers for as long as your Strava account remains connected, and is automatically deleted when you disconnect Strava or when we receive a Strava deauthorization event. It is never transmitted to any external AI or LLM provider in raw form.

The dashboard includes a small weather widget. To show local conditions, your browser may ask for permission to share your device location. If you grant it, your latitude and longitude are sent to the open-source weather service Open-Meteo to retrieve the current temperature and conditions, and are not stored on our servers. If you decline, or have not granted permission yet, we fall back to the home location derived from your Strava profile. Your browser remembers your choice; you can change or revoke it at any time from your browser's site permissions.

For information about how Strava itself collects and uses your data, please review the Strava Privacy Policy. For Open-Meteo's privacy practices, see the Open-Meteo Terms.

How Strava data is used with AI

Vēloxuses AI to generate coaching insights and training plans. We are fully committed to compliance with Strava's API Agreement, which prohibits passing raw Strava activity data to external AI or machine-learning systems.

Raw Strava data is never sent to any AI provider. Before any AI request is made, our backend computes derived, anonymized training metrics from your activity history. These are mathematical summaries such as weekly mileage totals, load ratios, fatigue scores, heart rate zone distributions, and pace trend calculations. Only these derived metrics are included in AI prompts. No activity names, GPS coordinates, timestamps, or raw Strava payloads are ever transmitted externally.

This architecture is consistent with Strava's API Agreement. The AI providers we use do not receive, and cannot reconstruct, your raw Strava activity data.

In addition to derived training metrics, AI prompts may include athlete-authored content you enter directly into the app: post-run notes, training journal entries, health concern descriptions, and coaching preferences. This content helps the coach respond to your specific situation. It is transmitted under zero data retention (ZDR) — the AI provider does not store, log, or use it to train models.

Zero data retention is enforced on every AI request. All requests are routed through OpenRouter with zero data retention (ZDR) enabled at both the account level and the per-request level. This means OpenRouter and the underlying AI providers (OpenAI, Anthropic, Google) are contractually prohibited from storing, logging, or using your data to train or improve their models. No prompt or response is retained beyond the duration of the request.

How we use your data

We use your data to operate the service: showing your training dashboard, generating coaching insights from derived metrics, sending the coaching emails you opt into, managing billing, securing the app, and supporting you when you contact us.

If you subscribe to product updates, we use your first name and email to send those updates. You can unsubscribe at any time via the link in each email.

We do not sell your data. We do not use your data to target advertising. We do not use Strava data to train machine-learning models.

Strava may independently monitor and collect data related to your use of this application in accordance with the Strava API Agreement.

Sub-processors and third parties

We use the following third-party processors to operate Vēlox. Where personal data is transferred to processors outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism.

Infrastructure

  • Supabase Inc. (United States) — application database and storage. Data is processed under Supabase's Data Processing Agreement.
  • Vercel Inc. (United States) — application hosting, edge delivery, scheduled jobs, and cookieless page analytics (Vercel Web Analytics stores no cookies and no cross-site identifiers; visits are counted from anonymized request data).

Payments and email

  • Stripe Inc. (United States) — subscription billing. Stripe processes payment data under its own PCI-compliant terms. Vēlox does not store card numbers.
  • Resend Inc. (United States) — transactional email delivery (coaching reports, receipts, product updates).

AI coaching (derived metrics only)

  • OpenRouter Inc. (United States) — AI gateway routing requests to LLM providers. Zero data retention (ZDR) is enforced at the account level and on every individual request. Only derived, anonymized training metrics are transmitted. Raw Strava data is never included.
  • OpenAI, LLC (United States) — accessible via OpenRouter under ZDR terms. Inputs and outputs are not stored or used for model training.
  • Anthropic, PBC (United States) — accessible via OpenRouter under ZDR terms. Inputs and outputs are not stored or used for model training.
  • Google LLC (United States) — accessible via OpenRouter under ZDR terms. Inputs and outputs are not stored or used for model training.

Your rights under GDPR

Vēlox is subject to the EU General Data Protection Regulation (GDPR). The data controller is Vēlox (contact: louis.vuylsteke04@gmail.com). If you are located in the European Economic Area, you have the following rights:

  • Right of access (Art. 15). You may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16). You may request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17). You may request deletion of your personal data. See "How to request deletion" below.
  • Right to restriction (Art. 18). You may request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20). You may request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21). You may object to processing based on legitimate interests.
  • Right to lodge a complaint. You have the right to lodge a complaint with your national data protection authority. In Belgium: the Gegevensbeschermingsautoriteit (GBA).

Legal bases for processing. We process your data on the following legal bases: performance of a contract (operating the service you signed up for); legitimate interests (security, fraud prevention, service improvement); and consent (marketing emails, which you can withdraw at any time).

To exercise any of these rights, contact us at louis.vuylsteke04@gmail.com. We will respond within 30 days.

Disconnecting Strava

You can disconnect Strava from the Settings page at any time. When you use the disconnect flow, Vēlox attempts to revoke its access token on Strava and deletes all imported Strava-derived data stored by the app from our database.

You can also revoke access directly in your Strava account settings under "My Apps". When Strava sends us a deauthorization event, we automatically purge the imported data we hold.

How to request deletion

To delete imported Strava data immediately, use the disconnect flow in Settings. To delete your full Vēlox account and all associated data, use the delete account option in Settings or email louis.vuylsteke04@gmail.com. We will action the request within 30 days.

When your account is deleted, you will receive a confirmation email to the address on your account as a receipt of the erasure request.

You can also visit the Support page for additional help.

Retention and security

All data is transmitted over HTTPS. Sensitive operations are server-side only. Strava access tokens and refresh tokens are stored on the server and never exposed to the browser.

  • Account data (profile, goals, training logs, journal, health concerns, race results) is retained for as long as your account is active, or until you request deletion.
  • Imported Strava activity data is retained until you disconnect Strava or we receive a deauthorization event.
  • Raw activity stream data (per-second heart rate, pace, cadence arrays) is automatically and permanently purged from our servers within 7 days of import, in accordance with the Strava API Agreement. Only derived, anonymised metrics computed from this data are retained beyond that window.
  • Daily nutrition advice is retained for up to 12 months, after which it is automatically purged.
  • Security and authentication event logs are retained for up to 24 months for security and incident investigation purposes, after which they are automatically purged.
  • AI inference inputs are not stored by Vēlox or by AI providers beyond the duration of each request (zero data retention).
  • Newsletter subscriber data is retained while your subscription is active. If you unsubscribe, your details are deleted after 12 months.

Questions

For any privacy questions or to exercise your rights, contact louis.vuylsteke04@gmail.com.