Privacy Policy

Last updated: March 1, 2026

1. Introduction

Performance Analyzer ("PA", "the Service") is a web-based performance analysis platform for coaches and athletes. This Privacy Policy describes how we collect, use, store, and protect your information when you use Performance Analyzer and any associated integrations, including the Velodrome Timer ("Timer").

2. Data We Collect

Account data: Email address and password (securely hashed). Used for authentication only.

Athlete profiles: Name, email (optional), FTP value, weight, height. Created by coaches for their athletes.

Activity data: FIT and SRM files uploaded by coaches or athletes. These may contain: power, heart rate, cadence, speed, GPS coordinates, altitude, temperature, device information.

Session metadata: Date, duration, power statistics, computed training metrics (TSS, IF, NP), wind conditions.

Notes & markers: Coach-created annotations on activity data.

Timer sessions: Lap times, session codes, session names from timing integrations.

Location data: GPS coordinates contained in activity files are used for map visualization and wind data lookups. GPS data is processed in the browser and is not shared with third parties beyond anonymous weather API requests.

Device fingerprints: Hash of device serial numbers for device management. Not personally identifiable.

3. How We Use Your Data

Your data is used exclusively for providing the Performance Analyzer service to you. We analyze activity files to compute power curves, training load, and performance metrics. Coach accounts can view data for their athletes only. We do not sell, share, or monetize your data in any way. We do not use your data for advertising or marketing purposes.

4. Data Storage & Security

Infrastructure: All data is stored on enterprise-grade cloud infrastructure with encryption at rest, DDoS protection, and global distribution for low-latency access.

Encryption in transit: All connections use TLS 1.3 (HTTPS). No unencrypted connections are accepted.

Encryption at rest: Activity files are encrypted at rest on the server. Passwords are securely hashed.

Secure+ (optional): Coaches can enable end-to-end encryption via Secure+. With Secure+ enabled, activity files are encrypted before storage — the server never sees plaintext data. Recovery requires a seed phrase known only to the coach.

Access control: Token-based authentication. Coaches can only access their own athletes' data. Admin role required for platform-level operations.

5. Data Sharing

We do not share your data with any third parties. Activity data is only accessible to the coach who uploaded it. We do not integrate with analytics services, advertising networks, or data brokers. Email notifications (account registration, session uploads) are sent via a transactional email provider — only recipient email addresses are shared with this provider, not activity data. Weather data (wind speed/direction) is fetched from Open-Meteo using anonymized GPS coordinates — no personal or account data is included in these requests.

6. Data Retention & Deletion

Your data is retained as long as your account and license are active. Coaches can delete individual sessions, athletes, or their entire account at any time. Deleting a coach account removes all associated athletes, sessions, and activity files. Deleted data is permanently removed from both the database and file storage. Upon license expiration, data is retained for a grace period of 30 days, after which it may be permanently deleted if the license is not renewed.

7. Cookies & Local Storage

PA uses browser local storage for authentication tokens and local session caching. Timing integrations use local storage for session codes and display preferences. We do not use tracking cookies, analytics cookies, or any third-party cookies.

8. Third-Party Integrations

PA may integrate with Garmin Connect to automatically sync activity data. When connected, PA accesses only activity files (FIT data) from your Garmin account — no other Garmin data is accessed. You can disconnect the Garmin integration at any time. Map tiles are provided by OpenStreetMap (no user data is sent to tile servers beyond standard HTTP requests for map imagery). Historical weather data is provided by Open-Meteo (open-meteo.com), a free and open-source weather API — only latitude, longitude, and date range are sent in requests.

9. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR). We process your personal data on the legal basis of contract performance (providing the Service) and legitimate interest (improving the Service). You have the right to:

Access: Request a copy of all personal data we hold about you.

Rectification: Correct inaccurate or incomplete personal data at any time via the application.

Erasure: Request deletion of your account and all associated data. Coaches can also delete individual sessions and athletes.

Data portability: Export your data in CSV or JSON format from the Dashboard.

Restriction: Request that we restrict processing of your data in certain circumstances.

Objection: Object to processing based on legitimate interest.

Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at the address below or use the account management features in the application. We will respond to GDPR requests within 30 days. If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in your EU member state.

10. Data Processing Location

Data is processed and stored on Cloudflare's global infrastructure. Cloudflare operates under standard contractual clauses (SCCs) and is committed to GDPR compliance. Activity files may be stored in data centers within the EEA or in other regions served by Cloudflare's network, subject to Cloudflare's data processing agreement.

11. Trademarks & Third-Party Attribution

Garmin and FIT are registered trademarks of Garmin Ltd. or its subsidiaries. SRM is a registered trademark of Schoberer Rad Messtechnik GmbH. PowerControl is a trademark of SRM GmbH. Performance Analyzer is not affiliated with, endorsed by, or sponsored by Garmin, SRM, or any device manufacturer. FIT and SRM file formats are used for interoperability with training devices. All other trademarks are the property of their respective owners.

12. Contact

For privacy-related inquiries or GDPR requests, contact: [email protected]