Data & Privacy

What we collect,
and why.

No jargon. A plain-English explanation of what data Velora collects, how it's used, and how you stay in control.

What we collect

StravaLive

Activity metadata: name, date, sport type, duration, distance
Effort data: average pace, average heart rate, max heart rate
Lap splits when available
Perceived effort / RPE if logged in Strava
GPS route stored as polyline for display — not individually analyzed

We request only the activity:read scope from Strava. No access to segments, social features, or athlete profile beyond what coaching requires.

GarminIn development

Activity data: same fields as Strava, plus detailed HR streams
Daily health metrics: resting HR, HRV, sleep summary, body battery
Training readiness score if available via API

Pending Garmin Developer Program approval. Data scope will be finalized at integration time. Users will see explicit scope descriptions during OAuth.

Account data

Email address (via authentication)
Display name / first name
Timezone preference

What we don't collect

×Payment data — no payment system exists currently
×Social or contact data from connected accounts
×Location data beyond what's included in activities you explicitly sync
×Any data from accounts you haven't connected
×Third-party tracking pixels or browser fingerprinting data

Storage and retention

WhereSupabase (PostgreSQL), hosted in the US on AWS infrastructure.

EncryptionData encrypted at rest (AES-256) and in transit (TLS 1.2+).

RetentionData is retained for the duration of your account. When you delete your account, all personal data is purged within 30 days.

BackupsSupabase maintains automated backups subject to the same deletion timeline on account termination.

Your controls

Disconnect Strava

Revokes our access token immediately. We stop ingesting new activities. Existing synced data remains in your account unless you delete it.

Disconnect Garmin

Same as Strava — immediate token revocation, no new data ingestion. Available when Garmin integration launches.

Delete account

Purges all personal data within 30 days: synced activities, computed baselines, prescriptions, and account info.

Data export

Email contact@veloralabs.io to request a copy of your data in JSON format.

Cookies

Velora uses a single session cookie to maintain authentication state. We use no advertising cookies, analytics pixels, or third-party tracking. There is no cookie banner because there is nothing to consent to beyond functional session management.

Questions?

If you have questions about how your data is handled, email us or use the contact form.