Privacy Policy
Effective 23 April 2026. This Policy describes how AnvilPlan (“we”, “us”) collects, uses, and shares personal data when you use the Service.
We aim to be clear and fair. This Policy is not legal advice for you or your company. Where laws like the UK GDPR or EU GDPR apply, you may have additional rights described below.
Who is responsible?
The data controller for AnvilPlan is the person or organisation operating the Service (the publisher of this website). Contact: [email protected].
Data protection contact
For questions about this Policy or how we process personal data (including requests you may have under the UK GDPR or EU GDPR), contact us at [email protected] from your account email where possible.
We do not currently list a separate Data Protection Officer on this page; use the address above for supervisory enquiries as well as day-to-day support.
Data we process
Depending on how you use the Service, we may process:
- Account and authentication: Strava identifier, email address or profile fields we receive via Strava sign-in, and session data needed to keep you logged in.
- Training data: activities, streams, or summaries we fetch or derive from Strava (according to the scopes you approve) and data you enter in the app (goals, preferences, feedback, notes).
- Product telemetry and support: technical logs (for example IP address, user agent, timestamps, error reports) to operate and secure the Service.
- Billing (optional): if you subscribe to paid features, Stripe processes payment data on their side; we receive limited billing metadata (such as subscription status and customer references) as needed to provide access.
- AI-assisted features (optional): if enabled, prompts or structured training context you send to coaching features may be transmitted to our model provider to generate a response. We design flows to minimise what is sent; do not paste sensitive information you do not want processed.
Why we use data
We use data to:
- provide, personalise, and improve the Service (including plans and insights);
- authenticate you and prevent abuse;
- communicate about the Service, security, or policy changes;
- process payments where offered;
- meet legal obligations and resolve disputes.
Where required by law, we rely on appropriate bases such as performing our contract with you, legitimate interests (for example securing the Service, limited analytics, and product improvement balanced against your rights), or consent where we ask for it separately.
Sharing and processors
We use carefully selected service providers (“processors” or sub-processors) to host and operate the Service. They process personal data on our instructions and for the purposes described in this Policy. The table below lists the main providers you are likely to interact with through the product; we may add or change providers over time and will update this page for material changes where appropriate.
| Provider | Typical role | Further information |
|---|---|---|
| Strava | Sign-in and, when you authorise it, activity and profile data via Strava’s API. | Strava privacy policy |
| OpenAI | Optional AI-assisted coaching and related features: prompts or structured training context you submit may be sent to OpenAI to generate a response. | OpenAI privacy policy |
| Stripe | Payment processing and subscription management when billing is enabled. | Stripe privacy policy |
| Garmin | Optional wellness connection: if you link Garmin, we may receive wellness-related data under Garmin’s terms and your consent in their flow. | Garmin privacy policy |
| MyFitnessPal | Optional nutrition or wellness sync if you connect your account. | MyFitnessPal privacy policy |
| Cloudflare | Edge network, security, and DNS in front of our production site (traffic may pass through Cloudflare before it reaches our servers). | Cloudflare privacy policy |
| Sentry | Error and performance monitoring: technical diagnostics when something fails in the app. | Sentry privacy policy |
| Hosting and infrastructure | Application servers, databases, backups, queues, and related tooling operated by us or by infrastructure vendors we contract with. | Contact us if you need the current hosting stack for due diligence. |
We do not sell your personal data. We may disclose information if required by law or to protect the rights, safety, and integrity of users and the Service.
Retention
We keep data only as long as needed for the purposes above, including legal, accounting, and dispute-resolution needs. When you disconnect Strava or delete your account (where available), we stop new syncing and delete or anonymise data on a reasonable schedule unless we must retain specific records by law.
Security
We use industry-standard measures appropriate to the risk (for example encryption in transit, access controls, and separation of environments). No method of transmission or storage is perfectly secure; please use a strong, unique password where applicable and protect your devices.
Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or object to certain processing, and to data portability. You may also have the right to lodge a complaint with a supervisory authority. To exercise rights, contact us at the email above from your account email where possible.
International transfers
Our providers may process data in countries other than your own. Where required, we use appropriate safeguards (such as standard contractual clauses) offered by providers or supplementary measures.
Children
The Service is not intended for children. If you believe a child has provided personal data, contact us and we will take appropriate steps.
Changes
We may update this Policy from time to time. We will post the new version on this page and update the effective date. Where changes are material, we will provide additional notice if required by law.
Strava
Strava processes data under its own privacy policy when you use its services. Revoking AnvilPlan in Strava stops our access to new Strava data; see also our Cookie Policy.