Privacy Policy

Last updated: March 2026

1. Overview

Running Coach App ("the App", "we", "us") is a training plan management platform for running groups. This Privacy Policy describes how we collect, use, store, and protect personal information — including data obtained from Garmin Connect — when you use our service.

By using the App you agree to the practices described in this policy.

2. Data We Collect

2.1 Account Information

  • Name and email address (used for authentication and notifications)
  • Role within the App (runner, coach, or admin)
  • Heart-rate training zones and personal pace configuration

2.2 Garmin Connect Fitness Data

With your explicit authorization, we access the following data from Garmin Connect:

  • Activity summaries (date, distance, duration, activity type)
  • Pace data (average pace, lap splits)
  • Heart-rate data (average HR, HR zones, max HR)
  • Elevation and GPS route data associated with running activities
  • VO2 Max estimate (where available from the device)

We do not access Garmin health data unrelated to running activities (sleep, stress, body composition, menstrual tracking, etc.).

2.3 Training Plan Data

  • Scheduled workouts assigned by your coach
  • Workout completion status and effectiveness evaluations
  • Weekly training summaries

2.4 Usage Data

  • Login timestamps and session information
  • Actions taken within the App (for debugging and improvement)

3. How We Use Your Data

  • Training evaluation: Garmin activity data is compared against your scheduled workout targets to calculate Pace Score and Distance Score (0–100 effectiveness rating).
  • Coach visibility: Your coach can view your completed activities, effectiveness scores, and weekly summaries to guide your training.
  • Plan generation: Aggregate pace and HR data may be used to suggest personalized training plans.
  • Notifications: We send email notifications about workout schedules and plan updates.
  • Service improvement: Anonymized, aggregated statistics are used to improve the App. No individual data is sold or shared for advertising purposes.

4. Garmin Connect Integration

Our App integrates with the Garmin Connect platform under the Garmin Health API / Developer Program. We comply with Garmin's API Terms of Service and data usage guidelines.

  • Authorization: Access to your Garmin data requires your explicit consent through the Garmin OAuth flow. You may revoke access at any time from your Garmin Connect account settings or within the App.
  • Token storage: OAuth access and refresh tokens are encrypted with AES-256-GCM before being stored in our database. Tokens are never logged or exposed in plaintext.
  • Scope limitation: We request only the minimum permissions necessary to sync running activity data and push structured workouts to your Garmin device.
  • Data retention: Garmin activity data is retained as long as your account is active. You may request deletion at any time (see Section 7).
  • No re-sharing: Garmin data is not shared with any third party other than your designated coach within the App and our infrastructure provider (Supabase — see Section 5).

5. Third-Party Services

We use the following sub-processors to operate the App:

  • Supabase (supabase.com) — Database, authentication, and file storage. Data is stored in an encrypted PostgreSQL database with row-level security policies.
  • Garmin Connect (connect.garmin.com) — Fitness data source. Subject to Garmin's own Privacy Policy.
  • Resend (resend.com) — Transactional email delivery.
  • Vercel — Application hosting and serverless functions.

We do not sell, rent, or trade personal data to any third party for marketing or advertising purposes.

6. Data Security

  • All data in transit is protected by TLS 1.2+.
  • Garmin OAuth tokens are encrypted at rest using AES-256-GCM with a secret key that is never stored alongside the data.
  • Database access is protected by row-level security (RLS) — users can only read their own data; coaches can read data for runners in their groups.
  • Admin access is restricted to a separately provisioned role that is set via the database console.

7. Your Rights

You have the right to:

  • Access: Request a copy of all personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your account and all associated data, including Garmin activity records synced to the App.
  • Garmin disconnect: Revoke the App's access to your Garmin account at any time from within the App (Settings → Garmin → Disconnect) or directly from your Garmin Connect account.
  • Data portability: Request an export of your training data in a machine-readable format (JSON or CSV).

To exercise any of these rights, contact us at the address in Section 9. We will respond within 30 days.

8. Data Retention

  • Active account data is retained for the duration of your account.
  • Upon account deletion, all personal data is permanently removed within 30 days, except where retention is required by law.
  • Anonymized, aggregated statistics may be retained indefinitely.

9. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact:

Running Coach App
Email: minh.levu@goldsunfood.vn

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice at least 14 days before they take effect. Continued use of the App after the effective date constitutes acceptance of the updated policy.

© 2026 Running Coach App