Privacy Policy

Effective date: March 13, 2026 | stridevox.com

1. Controller

The controller responsible for the processing of your personal data is:

    StrideVox

    Sole proprietorship

    Email: info@stridevox.com

If you have any questions about this Privacy Policy or your data, you may contact us at the address above.

2. Scope and Applicable Law

This Privacy Policy applies to all personal data processed through the website stridevox.com and the StrideVox application (the "Service").

We process personal data in compliance with the Swiss Federal Act on Data Protection (nFADP/DSG) and, where applicable to users residing in the European Economic Area (EEA), the EU General Data Protection Regulation (GDPR). Where the GDPR applies, it takes precedence to the extent that it offers a higher level of protection.

3. Personal Data We Collect

3.1 Account Data

When you create an account, we collect:

Username (required)
Email address (optional, recommended for password recovery)
Password (stored in hashed form; we never store or have access to your plaintext password)
MFA configuration (if you enable multi-factor authentication via an OTP application such as Microsoft Authenticator or similar; we store only the shared secret needed to verify codes, not the app itself)

3.2 Fitness and Health Data (Sensitive Data)

When you connect your Garmin account, we import and store the following categories of data:

Category	Examples
Training activities	GPS routes, pace, distance, duration, cadence, elevation, activity type (running, cycling, swimming, etc.)
Heart rate & HRV	Resting heart rate, active heart rate zones, heart rate variability
Sleep data	Sleep duration, sleep stages, sleep quality scores
Computed metrics	Fatigue level, fitness level, estimated VO2 max — calculated by StrideVox based on data received from Garmin

    Important: Fitness and health data is classified as sensitive personal data (data concerning health) under Art. 5(c) nFADP and, where applicable, as a special category of data under Art. 9 GDPR. We process this data only with your explicit consent (see Section 4).

3.3 LLM Interaction Data

When you use the AI assistant feature (via the web app or WhatsApp), we process:

Your text queries (questions about training, sleep, performance, etc.).
A relevant subset of your fitness data, selected automatically to provide context for your query. We do not send your entire data set — only the data points relevant to the specific question.
The AI-generated responses you receive.

3.4 WhatsApp Interaction Data

If you choose to interact with the AI assistant via WhatsApp, we additionally process:

Your phone number, used to identify your account and route messages.
Message content (your questions and the AI-generated replies) transmitted through Twilio's messaging infrastructure.

WhatsApp messages are routed through Twilio (Twilio Inc., USA), which acts as a data processor. Twilio processes your phone number and message content solely to deliver messages between you and StrideVox. WhatsApp (Meta Platforms, Inc.) also processes data in accordance with its own privacy policy, over which StrideVox has no control.

3.5 User-Provided API Keys

If you provide your own LLM API key, we transmit it to the corresponding LLM provider solely to process your requests. We do not store your API key beyond what is technically necessary for the session.

3.6 Technical Data

When you use the Service, we may automatically collect:

IP address (may be logged temporarily for security and abuse prevention).
Browser type and version, operating system.
Pages visited, timestamps, referring URLs.

We do not currently use third-party analytics or tracking tools. Should this change in the future, we will update this Privacy Policy and, where required, obtain your consent.

4. Legal Bases for Processing

Processing Activity	Legal Basis (nFADP)	Legal Basis (GDPR, where applicable)
Account creation and management	Performance of the contract (use of the Service)	Art. 6(1)(b) GDPR — contractual necessity
Importing and storing fitness/health data	Explicit consent (Art. 6(6) and 6(7) nFADP)	Art. 9(2)(a) GDPR — explicit consent for sensitive data
Sending data to LLM provider for AI insights	Explicit consent	Art. 9(2)(a) GDPR — explicit consent
Password recovery emails	Performance of the contract	Art. 6(1)(b) GDPR — contractual necessity
WhatsApp messaging via Twilio (phone number, message content)	Explicit consent	Art. 6(1)(a) GDPR — consent; Art. 9(2)(a) GDPR for health data in messages
Security logging (IP, access logs)	Legitimate interest (security, abuse prevention)	Art. 6(1)(f) GDPR — legitimate interest

You may withdraw your consent at any time by disconnecting your Garmin account or deleting your StrideVox account. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

5. Data Sharing and Third-Party Recipients

We share personal data only with the following categories of recipients, and only to the extent necessary to provide the Service:

Recipient	Data Shared	Purpose	Location
Garmin (Garmin Ltd.)	OAuth tokens for data synchronisation	Importing your fitness and health data	USA / International
LLM provider (e.g., OpenAI, Anthropic)	Your query + relevant fitness data subset; or your API key if user-provided	Generating AI-powered insights	USA / varies by provider
Resend (Resend, Inc.)	Email address only	Sending password recovery emails	USA
Twilio (Twilio Inc.)	Phone number, message content	Routing WhatsApp messages between you and the AI assistant	USA
WhatsApp (Meta Platforms, Inc.)	Phone number, message content (end-to-end encrypted in transit)	Messaging platform used to communicate with the AI assistant	USA / International
Paddle (Paddle.com Market Limited)	Payment details, billing address, email address	Payment processing, invoicing, VAT/tax handling, and refunds (Paddle acts as Merchant of Record)	UK / International

We do not sell your personal data. We do not share data with advertisers.

6. International Data Transfers

Your data is stored on servers located in Switzerland, which is recognised by the European Commission as providing an adequate level of data protection.

However, certain third-party services (Garmin, LLM providers, Twilio, WhatsApp, email service) may process data outside of Switzerland and the EEA, including in the United States. Where this occurs, we ensure appropriate safeguards are in place, such as:

EU-US Data Privacy Framework (where applicable).
Standard Contractual Clauses (SCCs) approved by the European Commission.
Adequacy decisions recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC).

7. Data Retention

Account data and fitness data: Retained for as long as your account is active. Upon account deletion, all personal data is deleted immediately.
LLM interaction logs: Queries and responses are deleted upon account deletion. Note that the LLM provider may retain data according to its own policies, which are outside our control.
Security logs (IP addresses, access logs): Retained for a maximum of 90 days, then automatically deleted.
User-provided API keys: Not stored beyond the active session.

8. Your Rights

Under the nFADP and, where applicable, the GDPR, you have the following rights:

Right of access: You may request confirmation of whether we process your personal data and receive a copy of it.
Right to rectification: You may request correction of inaccurate or incomplete data.
Right to erasure: You may request deletion of your personal data. You can also delete your account at any time through the Service, which triggers immediate deletion.
Right to data portability: You may request your data in a structured, commonly used, machine-readable format (where technically feasible).
Right to withdraw consent: You may withdraw consent for the processing of your health data at any time by disconnecting your Garmin account or deleting your StrideVox account.
Right to restriction of processing: You may request that we limit the processing of your data in certain circumstances.
Right to object: Where we process data based on legitimate interest, you may object to such processing.

To exercise any of these rights, please contact us at the email address provided in Section 1. We will respond within 30 days.

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with:

The Swiss Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch
Your local data protection supervisory authority (if you reside in the EU/EEA).

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit (TLS/HTTPS) and at rest.
Secure password hashing (your password is never stored in plaintext).
Support for multi-factor authentication (MFA/OTP).
Regular security reviews and updates.
Access controls limiting data access to what is strictly necessary.

Despite these measures, no system is completely secure. If we become aware of a data breach that is likely to result in a risk to your rights, we will notify you and the relevant authorities in accordance with applicable law.

10. Cookies and Tracking

StrideVox currently uses only essential cookies required for the Service to function (e.g., session cookies for authentication). These cookies do not require consent under Swiss or EU law.

We do not currently use analytics cookies, advertising cookies, or third-party tracking tools. If this changes, we will update this Privacy Policy and implement a cookie consent mechanism where required.

11. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email (if you have provided one) or through the Service at least 30 days before they take effect. The "Effective date" at the top of this page indicates when the policy was last revised.

13. Contact

For any privacy-related questions, data access requests, or concerns, please contact:

    StrideVox

    Email: info@stridevox.com