Flex — Privacy Policy
Last updated: 2026-06-10 Effective date: 2026-06-10
1. Who we are
This Privacy Policy applies to the Flex training app and website at https://www.runwithflex.com (and the iOS / Android apps, once released).
The data controller is Robert Perry, operating as Flex ("Flex", "we", "us", "our"). A dedicated legal entity is being incorporated; this document will be updated to name it upon registration. Our registered address is available on request via privacy@runwithflex.com. You can contact us at support@runwithflex.com (privacy enquiries: privacy@runwithflex.com).
For UK / EEA users, our Data Protection contact is privacy@runwithflex.com (a formal DPO is not required given our scale; we will appoint one if we cross the GDPR thresholds).
2. What this policy covers
This policy explains:
- What personal information we collect about you
- Why we collect it and how we use it
- Who we share it with
- How long we keep it
- The rights you have over it
- How to contact us with questions or to exercise those rights
Where this policy refers to "the Service" we mean the Flex web app, iOS PWA install, and (once shipped) the iOS and Android native apps.
3. Information we collect
3.1 Information you provide
- Account information: email address, password (stored hashed by Supabase Auth, never visible to us).
- Profile information: display name, experience level, current weekly running volume, longest recent run, preferred units.
- Training information: goals (race date, distance, target time), weekly availability, blocked periods, life-factor inputs (work stress, sleep quality, young children indicator), preferences (back-to-back hard days, terrain and equipment preferences).
- Workout activity: logged completions, perceived effort, feeling rating, notes.
3.2 Information we collect automatically
- Device information: device type, OS version, app version, language.
- Usage information: which pages you visit, which features you use, in-product events (e.g. "started onboarding step X", "accepted a proposal"). Collected via PostHog when product analytics are enabled. You can opt out of analytics at any time by emailing
privacy@runwithflex.com. - Diagnostic information: crash reports, error stack traces. Collected via Sentry, with user identifiers excluded.
- Push notification tokens: if you opt in, your APNs / FCM / Web Push subscription endpoint so we can deliver workout reminders.
3.3 Information we receive from third parties (only if you connect them)
- Wearable data (via Terra): if you connect a wearable, Terra sends us heart rate, sleep, HRV, completed activity sessions, and (in some cases) body composition from the source platform (Garmin / Apple Watch / Polar / Coros / etc.).
- Strava: if you connect Strava, we receive your activities and you grant us permission to write back the prescribed workout to the activity description.
- Location coordinates: ~10 m precision (neighborhood-level, not surveillance-grade), captured only after you explicitly tap "Use my location" in the Weather prompts section of Settings. Used solely to fetch a forecast and augment your workout reminder.
We do not request HealthKit access on iOS in v1; wearable data flows through Terra exclusively. We will update this policy if that changes.
4. Why we collect it (and the legal basis)
| Purpose | Legal basis under UK / EU GDPR |
|---|---|
| Create your account, authenticate you | Contract — performance of our service to you |
| Generate your training plan via Anthropic Claude | Contract |
| Adapt your plan based on completion data | Contract |
| Send workout reminders, log prompts, recovery alerts | Consent (push must be opted in) |
| Fetch weather forecast for reminder augmentation | Consent (location must be granted) |
| Send service announcements / security notices | Legitimate interest |
| Aggregate analytics for product improvement | Legitimate interest (you can opt out by emailing privacy@runwithflex.com) |
| Investigate abuse, prevent fraud | Legitimate interest |
| Comply with legal obligations (tax, lawful requests) | Legal obligation |
For California (CCPA) users, the same purposes apply; we do not "sell" your personal information.
5. Who we share it with (sub-processors)
We share data with the following third-party processors only as necessary for the purposes above. Each is bound by contract to handle your data securely:
| Processor | Purpose | Data shared | Region |
|---|---|---|---|
| Supabase (USA / EU) | Database, authentication, file storage | All account + training + workout data | US/EU |
| Anthropic | AI plan generation (Claude API) | A summary of your goal + constraints + recent training (no email, no IDs) | US |
| Terra | Wearable data aggregation | OAuth tokens to your wearable, the data it sends us | US |
| Apple Push Notification service | Push delivery (iOS) | Push subscription endpoint only | US |
| Web Push / FCM | Push delivery (web, Android) | Push subscription endpoint only | Global |
| OpenWeather | Forecast lookup | Anonymous coordinates per request | Global |
| Vercel | Hosting, CDN, edge functions | All HTTP traffic | Global edge |
| PostHog | Product analytics | Anonymized usage events, opt-outable | US/EU choice |
| Sentry | Error monitoring | Anonymized crash/exception data | US/EU choice |
We do not sell, rent, or otherwise transfer your personal data to advertisers, data brokers, or any unrelated third party for marketing.
We may disclose data to law enforcement only on a valid legal request (warrant, court order) and only the specific data required.
6. International data transfers
You may be in the UK, EU, or US. Our processors are mostly US-based. For transfers from the UK / EU to the US:
- We rely on the UK-US Data Bridge (extension of the EU-US Data Privacy Framework, in force from October 2023) where the processor is DPF-certified (Vercel, Supabase, Anthropic, PostHog, Sentry).
- Where DPF certification does not apply, we use the Standard Contractual Clauses (UK IDTA + EU SCCs as appropriate) plus additional safeguards.
You can request a copy of these transfer mechanisms from privacy@runwithflex.com.
7. How long we keep it
| Data | Retention |
|---|---|
| Account information (email, profile) | While your account is active. Deleted 30 days after you delete the account. |
| Training plans + workouts | While your account is active. Deleted with the account. |
| Push subscription tokens | Until you disable notifications or uninstall the app. |
| Wearable data | While your wearable connection is active. Disconnect → we stop receiving new data; existing data is retained until account deletion. |
| Logs (web access, error reports) | 90 days. |
| Aggregated, de-identified analytics | Indefinitely (no longer personal data). |
After account deletion: a 30-day soft-delete window lets you reverse an accidental deletion. After 30 days, your data is permanently removed from our active systems. Backup tapes / snapshots cycle out within an additional 30 days.
8. Your rights
Wherever you are, you have these rights over your personal data:
- Access: email
privacy@runwithflex.comand we will provide a machine-readable JSON export of your data within 30 days. - Correction: edit profile, training inputs, and preferences directly in the app.
- Deletion: Settings → Delete account. Permanent within 30 days.
- Portability: the export we provide is structured JSON, machine-readable.
- Object to processing: opt out of analytics by emailing
privacy@runwithflex.com. - Withdraw consent: disable push notifications, location, or wearable sync at any time in Settings.
- Complain: to us first (
privacy@runwithflex.com). If unresolved:- UK: Information Commissioner's Office, ico.org.uk
- EU: your local Data Protection Authority
- US (California): California Privacy Protection Agency, cppa.ca.gov
We respond to verified rights requests within 30 days (UK / EU) or 45 days (US California), and we will not charge you for routine requests.
9. Children
Flex is intended for users 13 years or older (US, COPPA) and 16 years or older (UK / EU, GDPR). We do not knowingly collect personal information from children under those ages. If you believe a child has provided us with information, contact us immediately at privacy@runwithflex.com and we will delete it.
10. Cookies and similar technologies
We use:
- Strictly necessary cookies: authentication session (Supabase Auth). Cannot be disabled without breaking the service.
- Analytics cookies (PostHog): event tracking, when product analytics are enabled. You can opt out by emailing
privacy@runwithflex.com. We will surface a cookie consent banner before enabling analytics for new EU / UK users in a future release. - No advertising cookies, no third-party tracking pixels, no cross-site behavioral profiling.
11. Security
We protect your data with:
- TLS in transit for every request.
- Row-Level Security policies in Supabase that scope every read/write to your user ID.
- Sub-processor agreements requiring SOC 2 / ISO 27001 controls.
- Annual security review.
- Incident response: notification within 72 hours of confirmed personal data breach.
No system is perfectly secure. Use a strong, unique password. If you suspect your account has been compromised, contact support@runwithflex.com immediately.
12. Changes to this policy
We will tell you about material changes at least 30 days before they take effect, via email and an in-app notice. Non-material changes (typo fixes, processor name updates) take effect when posted.
The "Last updated" date at the top reflects the most recent change.
13. Contact
- General support:
support@runwithflex.com - Privacy enquiries / rights requests:
privacy@runwithflex.com
Our postal address is available on request via privacy@runwithflex.com.
Document hash for version control: v1.1 — first public publication.