Privacy Policy
Effective 1 May 2026. This Policy describes how AnvilPlan (“we”, “us”) collects, uses, and shares personal data when you use the Service.
We aim to be clear and fair. This Policy is not legal advice for you or your company. Where laws like the UK GDPR or EU GDPR apply, you may have additional rights described below.
Who is responsible?
The data controller for AnvilPlan is the person or organisation operating the Service (the publisher of this website). Contact: [email protected].
Data protection contact
For questions about this Policy or how we process personal data (including requests you may have under the UK GDPR or EU GDPR), contact us at [email protected] from your account email where possible.
We do not currently list a separate Data Protection Officer on this page; use the address above for supervisory enquiries as well as day-to-day support.
Data we process
Depending on how you use the Service, we may process:
- Account and authentication: Strava identifier, email address or profile fields we receive via Strava sign-in, and session data needed to keep you logged in.
- Training data: activities, streams, or summaries we fetch or derive from Strava (according to the scopes you approve) and data you enter in the app (goals, preferences, feedback, notes).
- Product telemetry and support: technical logs (for example IP address, user agent, timestamps, error reports) to operate and secure the Service.
- Strava API: when we call Strava’s API on your behalf, Strava may collect and use information about that usage (for example to enforce limits, improve their platform, support developers, and verify compliance), as described in the Strava API Agreement.
- Billing (optional): if you subscribe to paid features, Stripe processes payment data on their side; we receive limited billing metadata (such as subscription status and customer references) as needed to provide access.
- AI-assisted features (optional): if enabled, prompts or structured training context you send to coaching features may be transmitted to our model provider to generate a response. We design flows to minimise what is sent; do not paste sensitive information you do not want processed.
Why we use data
We use data to:
- provide, personalise, and improve the Service (including plans and insights);
- authenticate you and prevent abuse;
- communicate about the Service, security, or policy changes;
- process payments where offered;
- meet legal obligations and resolve disputes.
Where required by law, we rely on appropriate bases such as performing our contract with you, legitimate interests (for example securing the Service and improving non-Strava product features in ways that do not conflict with Strava’s API terms), or consent where we ask for it separately.
Sharing and processors
We use carefully selected service providers (“processors” or sub-processors) to host and operate the Service. They process personal data on our instructions and for the purposes described in this Policy. The table below lists the main providers you are likely to interact with through the product; we may add or change providers over time and will update this page for material changes where appropriate.
| Provider | Typical role | Further information |
|---|---|---|
| Strava | OAuth sign-in; activity, profile, and optional stream data via Strava’s API; optional push webhooks to your account only. | Strava privacy policy · Strava API Agreement |
| OpenAI | Optional AI-assisted coaching and related features: prompts or structured training context you submit may be sent to OpenAI to generate a response. | OpenAI privacy policy |
| Stripe | Payment processing and subscription management when billing is enabled. | Stripe privacy policy |
| Garmin | Optional wellness connection: if you link Garmin, we may receive wellness-related data under Garmin’s terms and your consent in their flow. | Garmin privacy policy |
| MyFitnessPal | Optional nutrition or wellness sync if you connect your account. | MyFitnessPal privacy policy |
| Cloudflare | Edge network, security, and DNS in front of our production site (traffic may pass through Cloudflare before it reaches our servers). | Cloudflare privacy policy |
| Sentry | Error and performance monitoring: technical diagnostics when something fails in the app. | Sentry privacy policy |
| Hosting and infrastructure | Application servers, databases, backups, queues, and related tooling operated by us or by infrastructure vendors we contract with. | Contact us if you need the current hosting stack for due diligence. |
We do not sell your personal data. We may disclose information if required by law or to protect rights, safety, and integrity of users and the Service.
Retention and deletion
We keep data only as long as needed for the purposes above, including legal, accounting, and dispute-resolution needs. When you disconnect Strava or delete your account (where available), we stop new syncing and delete or anonymise data on a reasonable schedule unless we must retain specific records by law.
Strava activities you remove on Strava. When an activity is deleted or hidden from our Strava view in line with Strava’s rules, we remove that activity from the copy we hold for your account and detach it from your plan in the product. We reconcile our store on each sync against Strava’s activity list, and we may also process near-real-time Strava push events (webhooks) so removals are reflected promptly — consistent with Strava’s expectation that data you delete on Strava is not kept visible in connected apps beyond a short window.
Security
We use industry-standard measures appropriate to the risk (for example encryption in transit, access controls, and separation of environments). No method of transmission or storage is perfectly secure; please use a strong, unique password where applicable and protect your devices.
Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or object to certain processing, and to data portability. You may also have the right to lodge a complaint with a supervisory authority. To exercise rights, contact us at the email above from your account email where possible.
International transfers
Our providers may process data in countries other than your own. Where required, we use appropriate safeguards (such as standard contractual clauses) offered by providers or supplementary measures.
Children
The Service is not intended for children. If you believe a child has provided personal data, contact us and we will take appropriate steps.
Changes
We may update this Policy from time to time. We will post the new version on this page and update the effective date. Where changes are material, we will provide additional notice if required by law.
Strava API integration
This section is written for athletes using AnvilPlan and for Strava API application review: it summarises how we access, use, and respect Strava data in line with the Strava API Agreement and Strava API Brand Guidelines. If anything here conflicts with Strava’s published terms, Strava’s terms control for Strava data and services.
Authorisation and access
We only access Strava data after you sign in with Strava and grant the OAuth scopes presented in Strava’s consent screen for this application. We do not access another athlete’s Strava account or show another person’s Strava activity data inside AnvilPlan — the product is built for your data, for you. You can withdraw access at any time by revoking the app under Strava → Settings → My Apps; we stop receiving new data from Strava once revoked.
What we use Strava data for
We use Strava-sourced activities and related summaries (and optional power streams where you enable them) solely to operate AnvilPlan for you: training history, planning, matching rides to prescribed sessions, fitness-style charts, and in-product explanations. We do not sell Strava personal data, licence it to advertisers, or combine Strava activity data with other customers’ data for analytics or “insights” products. We do not use Strava data to train machine-learning models; optional AI features operate on compact, user-scoped context for inference only where you enable them, in line with our Terms of Service and the Strava API Agreement.
How we keep Strava data accurate and secure
- Sync and reconcile: background jobs call Strava’s official APIs with rate limits; after each sync we compare our stored activity list to Strava’s so activities you deleted on Strava drop out of our store.
- Webhooks (optional): where configured, Strava may POST signed events to our /webhooks/strava endpoint; we verify the X-Strava-Signature header in production and process deletes asynchronously so we can respond within Strava’s time limits.
- Transport and storage: we use HTTPS in transit; access tokens are protected in the database (encryption at rest where configured); only your account can see your Strava-derived content in the app.
Strava usage and branding
Strava may collect and use information about API usage when we call their platform (for example rate limits, compliance, and product integrity), as described in the Strava API Agreement — we reference this above under “Data we process”. We display Strava’s required Connect with Strava control for sign-in and Powered by Strava attribution where we show Strava-derived information, and we link activities with the prescribed View on Strava treatment from the Brand Guidelines.
Cookies and Strava’s own sites
When you authenticate, cookies on our domain are described in our Cookie Policy. Strava’s own websites and cookies are governed by Strava’s privacy policy.
Questions for Strava or for us
Platform questions for Strava belong with Strava ([email protected]). Questions about AnvilPlan, this Policy, or a data request: [email protected] from your account email where possible.