Last updated 23 April 2026

Privacy Policy

This policy explains what data pacechat ("we", "us") collects when you connect your Strava account, how we store and process it, who it is shared with, and how you can export or delete it. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR) and the UK GDPR. We are the data controller for the personal data described below.

Contact: privacy@pacechat.com

1. What we collect

When you sign up and connect Strava we store:

  • Account data: email address, a password hash (if you use email/password login), locale, and a server-generated user id.
  • Strava OAuth tokens: encrypted access token, refresh token, and expiry. Needed to fetch your data on your behalf.
  • Strava athlete profile: your Strava user id, display name, and avatar URL.
  • Activities: title, description, activity type, start time, duration, distance, elevation, speed, heart rate, power, cadence, and — if available — device name. Both summary metrics and time-series streams (heart rate, power, cadence, etc.).
  • Athlete metrics you provide:weight, FTP, LTHR, resting/max heart rate, preferred units, etc.
  • Operational logs: which endpoints you called via our MCP server, durations, error messages, and access-token identifiers. Used to operate and debug the service.

We do not collect location or device-sensor data beyond what is embedded in the activity you uploaded to Strava. We do not run analytics tracking pixels.

2. How we collect it

All data is collected through official APIs with your explicit consent:

  • Strava OAuth 2.0. You authorize pacechat to read your activities and profile (read,activity:read_all,profile:read_all). You can revoke this at any time from your Strava settings or from the pacechat settings page; see section 7.
  • Strava webhooks. Strava notifies us when you create, update, or delete an activity, and when you revoke access. We act on these events immediately.
  • Direct input. Some fields (weight, FTP, etc.) are entered by you in the settings UI.

3. How we use it

  • To display your training data and analytics back to you.
  • To compute derived metrics (training stress score, intensity factor, heart-rate zones, etc.) — this happens on our servers using your own data only.
  • To answer your questions in the in-app chat. Relevant activity summaries are included in the prompt sent to the LLM provider (Anthropic, OpenAI). We do not send your raw time-series streams to the LLM and we do not use your data to train any AI model. See section 5.
  • To operate the MCP server so you can use pacechat inside Claude, ChatGPT, or Claude Code.
  • To keep your cached data fresh. We re-fetch your activities from Strava at least every 7 days while your connection is active, as required by the Strava API Agreement.

We do not use your data for targeted advertising, customer profiling, or benchmarking across users. Strava's API Agreement prohibits these uses and we enforce that limit in our own processing.

4. Legal basis (GDPR Art. 6)

  • Consent (Art. 6(1)(a)): for connecting Strava and processing the activity data we fetch.
  • Contract (Art. 6(1)(b)): for operating the account you create with us.
  • Legitimate interest (Art. 6(1)(f)): for operational logs used to secure and debug the service. You can object by contacting us.

5. Sub-processors and cross-border transfer

We use the following sub-processors. All of them are contractually bound to process data only on our instructions.

  • Strava, Inc. (USA) — source of the activity and profile data. Governed by Strava's own privacy policy.
  • Our hosting provider — runs the pacechat web application and Postgres database in the EU.
  • LLM providers — Anthropic (USA) and/or OpenAI (USA) receive activity summaries only when you actively send a chat message. Both providers contractually do not train their models on API traffic by default; we do not opt in to training.

Transfers to the United States rely on the EU-US Data Privacy Framework and the applicable Standard Contractual Clauses. You can request the current list of sub-processors at any time.

6. Security (GDPR Art. 32(1))

  • Transport encryption: TLS 1.2+ for every request between you, pacechat, Strava, and our LLM providers.
  • Encryption at rest: Strava access and refresh tokens are encrypted with AES-256-GCM before they are written to the database; the encryption key is held separately from the database.
  • Access control: application traffic is authenticated via NextAuth sessions or short-lived OAuth bearer tokens. MCP personal access tokens are stored as SHA-256 hashes and shown only once at creation time.
  • Minimisation: only the device-name string is surfaced to the client from Strava's raw payload; the rest stays server-side.
  • Backups: database backups are encrypted and retained for a rolling 30-day window.

If we become aware of a security incident affecting your data, we will notify you and, where required, the competent supervisory authority within 72 hours.

7. Your rights

You have the right to access, rectify, port, restrict, object to, and erase the personal data we hold about you (GDPR Arts. 15–21). To exercise any of these rights, either use the self-service controls in Settings → Privacy & data or email us at privacy@pacechat.com.

  • Disconnect Strava: revokes our OAuth tokens with Strava, deletes every activity and stream we fetched through that connection, and blanks the stored tokens.
  • Delete all synced data: drops every cached activity, stream, and derived metric while keeping your pacechat account so you can reconnect later.
  • Export my data: produces a JSON download of your profile, connections, activities, streams, metrics, and zones.
  • Delete my account: deauthorizes every provider, deletes every row tied to your user id, and removes your pacechat account. This is not reversible.

All deletion requests, whether made in-app or by email, are honoured within 48 hours of receipt — the maximum permitted by the Strava API Agreement. You also have the right to lodge a complaint with your local data protection authority.

8. Retention

We keep your data for as long as your account is active. If you disconnect Strava or delete your account, the data is removed on the schedule described above. Operational logs are retained for up to 90 days, after which they are deleted automatically.

9. Strava-specific notices

  • Strava may monitor and collect usage data related to our use of the Strava API for business purposes. This applies to us, the application developer, and not to you directly, but we disclose it here as required by the Strava API Agreement.
  • Activities recorded on a Garmin device retain Garmin attribution where we display them. See the "Data from Garmin" tag next to affected activities.
  • We never display one user's activities to another user. Data is partitioned per account.

10. Changes to this policy

We will update this page when our processing changes. The "Last updated" date at the top reflects the most recent version. Material changes will be announced in-app before they take effect.