← Back home

Legal

Privacy Policy

Last updated: April 29, 2026

Who we are

WorkoutPost is an indie service that turns your Strava activities into AI-generated training descriptions. This policy describes what we collect, why, and what control you have over it.

What we collect

  • Account data. Email address you sign up with, authentication tokens. Stored in Supabase.
  • Strava activity data. When you connect Strava, we store activities you sync — distance, time, GPS, heart rate, splits, laps, and the full Strava activity payload — so we can generate descriptions and let you review them later.
  • Strava OAuth tokens. Access and refresh tokens, encrypted at rest by Supabase, used to talk to Strava on your behalf.
  • Per-activity context (survey). Anything you voluntarily type — workout type, intent, feelings, fueling, weather, free-text notes — sent to the AI as context.
  • Generated descriptions. Output from the AI plus a snapshot of the input we used, kept so you can re-read or copy them later.
  • Heart-rate zone configuration. The values you set in Settings.
  • Payment data. If you subscribe, Stripe stores your customer record and payment method; we only keep the Stripe customer ID, plan tier, status, and renewal date. We never see or store your card details.
  • Cookies. A session cookie (Supabase) to keep you logged in. Short-lived state cookies during Strava OAuth redirects. No third-party tracking or analytics.

Who we share data with

  • Strava — read activities, post descriptions (only when you click Post to Strava).
  • Anthropic (Claude API) — receives the activity summary, your survey, and recent activity stats when generating a description. Anthropic does not train on API data by default.
  • Supabase — hosting the database, auth, and file storage.
  • Stripe — processes payments. Visit Stripe's privacy policy for details.
  • Vercel — runs the web app. Server logs may contain IP addresses and request paths.

We don't sell, rent, or trade your data. We don't share it with advertisers.

How long we keep it

Account, activities, surveys, descriptions, and payment metadata stay until you delete your account. Stripe and Strava retain data under their own policies even after you disconnect from us.

Your rights

Under GDPR you can ask us to access, correct, export, or delete your data. To delete your account, email us — we run a hard delete on our database (which cascades to remove activities, surveys, descriptions, HR zones, and the Stripe customer link). Disconnecting Strava also revokes our access to your Strava data and removes our local copy of your tokens.

Where the data lives

Supabase project is hosted in EU Central (Frankfurt). Vercel edge nodes are global. Anthropic, Stripe, and Strava operate from the US.

Children

WorkoutPost is not directed at users under 16. If you are under 16, please don't use the service.

Changes

We'll update this page when something material changes. Continued use after an update means you accept the new version. Material changes get an email.

Contact

Questions, deletion requests, or just want to say hi — kazzper791@gmail.com.