Privacy Policy

1. Who We Are

TheAthleteHub (“we”, “us”, or “our”) operates the website theathletehub.com (the “Service”). This policy explains what personal data we collect, why we collect it, and how you can exercise your rights over it.

Questions? Contact us at baz.chodor@gmail.com.

2. Data We Collect

Account data

When you register, we collect your email address and create a username. This is stored securely via Supabase and used solely to authenticate you and operate your account.

Profile data you provide

Display name, bio, avatar image, and social links you enter in your dashboard. You control this data and can update or delete it at any time.

Strava data

If you connect Strava, we receive and store an OAuth access token, refresh token, and your Strava athlete ID. We use these to fetch and sync your activity data (activity name, sport type, distance, moving time, elapsed time, elevation, speed, and heart rate where available) and to display it on your public profile. We do not access Strava segments, personal records stored on Strava, or any data beyond what is needed to power your profile.

Subscription and payment data

If you upgrade to Pro, payments are processed by Stripe. We never see or store your full card details. We receive a Stripe customer ID and subscription status from Stripe to manage your plan.

Usage data

Standard server logs (IP address, browser type, pages visited, timestamps). We use these only for debugging and service reliability. We do not sell or share these logs.

3. How We Use Your Data

• To create and operate your athlete profile
• To sync and display your Strava activity data on your public profile page
• To calculate personal records and training stats shown on your profile
• To process and manage your Pro subscription via Stripe
• To send transactional emails (e.g. password reset) — no marketing without consent
• To maintain security and prevent abuse

We do not use your Strava data to train AI or machine learning models, sell it to third parties, or use it for targeted advertising.

4. Strava Data & the Strava API

TheAthleteHub is built on the Strava API. Our use of Strava data complies with the Strava API Agreement. In particular:

• Your Strava activity data is displayed only to you on your own profile and to visitors you share your public link with — it is never sold or shared beyond your own profile page.
• Strava activity data is cached for a maximum of 7 days and refreshed via webhook or manual sync.
• You can disconnect Strava at any time from your dashboard, which deletes your stored tokens immediately.
• Each activity on your profile includes a “View on Strava” link back to the original activity.

5. Data Sharing

We share your data only with the following sub-processors, strictly to operate the Service:

• Supabase — database and authentication (data stored in the EU or US depending on your region)
• Stripe — payment processing (see Stripe’s Privacy Policy)
• Strava — OAuth and activity data source (see Strava’s Privacy Policy)

We do not sell personal data and we do not share it with advertisers.

6. Your Rights (GDPR & UK GDPR)

If you are in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:

• Access — request a copy of the data we hold about you
• Rectification — correct inaccurate data via your dashboard settings
• Erasure — request deletion of your account and all associated data
• Restriction — ask us to pause processing your data
• Portability — receive your data in a portable format
• Objection — object to certain types of processing

To exercise any of these rights, email us at baz.chodor@gmail.com. We will respond within 30 days. Account deletion requests are fulfilled within 48 hours; your Strava activity data is deleted as part of that process.

7. Data Retention

We retain your account data for as long as your account is active. If you delete your account, all personal data (profile info, synced activities, tokens) is deleted within 48 hours. Stripe retains payment records as required by financial regulations.

8. Security

We use industry-standard security measures including HTTPS for all data transmission, encrypted storage of OAuth tokens, and access controls on our database. We will notify affected users and, where required, supervisory authorities within 72 hours of becoming aware of a data breach.

9. Cookies

We use only essential session cookies required to keep you logged in (provided by Supabase Auth). We do not use advertising or tracking cookies.

10. Changes to This Policy

We may update this policy as the Service evolves. Material changes will be communicated by email to registered users at least 14 days before they take effect. The “last updated” date at the top of this page reflects the most recent version.

11. Contact

For any privacy questions or requests, contact us at baz.chodor@gmail.com.