Legal

Privacy
Policy

Last updated: March 2026 · Effective: March 2026

Short version: We collect only what we need to run your dashboard. We never sell your data. Your health and training data stays yours. You can delete everything at any time.

1. Who We Are

Decode Strength ("we", "us", "our") is a personal athletic dashboard product operated by Decode Strength, Bengaluru, India. You can reach us at [email protected].

This Privacy Policy covers the Decode Strength website (decodestrength.com), the web app (app.decodestrength.com), your public dashboard (username.decodestrength.com), and the Decode Strength Android app.

2. What Data We Collect

2.1 Account Data

When you sign up, we collect:

Your name and display name
Email address
Password (stored as a bcrypt hash — we never store your plaintext password)
Your chosen handle (username)
City and Instagram handle (optional)

Decode Strength integrates with multiple training platforms. You connect the platforms you already use — we read only what is needed to compute your Decode Score and populate your public page. Each integration is described below; all are activated by you and can be disconnected at any time.

2.2 Strava Data

If you connect Strava, we access (with your permission):

Your activities: distance, time, pace, heart rate, elevation, splits
Your athlete profile: name, city, profile photo
Your all-time and yearly training statistics
Activity photos you have uploaded to Strava

We access only what you authorise via Strava's OAuth flow. We do not access private activities unless you explicitly set them to public. We do not access your Strava followers, payment information, or email address.

2.3 Health Data (Android App Only)

If you install the Decode Strength Android app and grant permission, we read the following from Android Health Connect on your device:

Resting heart rate
Heart rate variability (HRV)
Sleep duration and sleep stages (deep, light, REM, awake)
Blood oxygen saturation (SpO₂)
Body weight
Body fat percentage
Blood pressure

This data is read from your device and sent to our servers only to power your dashboard. It is never sold, shared with advertisers, or used for any purpose other than displaying your personal health metrics.

You can revoke Health Connect permissions at any time through your Android device settings. Revoking permissions stops future data collection. Previously collected data can be deleted on request.

2.4 Intervals.icu Data

If you connect Intervals.icu, we access your data using either:

OAuth 2.0 authorisation (recommended) — you grant access via Intervals.icu's authorisation page; or
an API key you generate in your Intervals.icu settings.

We access:

Your activities: sport type, date, distance, duration, heart rate (avg and max), pace, elevation, power (cycling/rowing), stroke rate (rowing), Training Stress Score (TSS)
Your daily wellness data: HRV (rMSSD), resting heart rate, weight, sleep duration, sleep score, step count, blood oxygen (SpO₂)
Your athlete profile: name and athlete ID

Intervals.icu aggregates data from connected devices and platforms (such as Garmin, Wahoo, Polar, Suunto, Concept2, Oura, and Whoop). We receive this data as presented by Intervals.icu; we do not connect directly to those third-party platforms on your behalf.

OAuth access tokens are stored securely and refreshed automatically. API keys are stored encrypted. You can disconnect Intervals.icu at any time from app Settings, which revokes our access and stops all future syncing.

2.5 Payment Data

Payments are processed by Razorpay. We do not store your card number, CVV, UPI PIN, or any full payment credentials. We store only your Razorpay customer ID and subscription ID for managing your subscription status.

2.6 Usage Data

We collect basic usage information to keep the service running:

When you log in and which features you use
Error logs (to fix bugs)
API request counts (for capacity planning)

We do not use third-party analytics tracking. We do not install advertising cookies.

3. How We Use Your Data

Data	Why we use it
Account data	To create and manage your account, send you emails about your subscription, and identify you when you log in.
Strava activity data	To populate your public dashboard: heatmap, recent activities, personal bests, statistics. To calculate your Decode Score, Consistency Score, and Runner Archetype.
Health data	To show your health metrics on your dashboard (Recovery, HRV, Resting HR, Sleep, SpO₂, Weight, Body Fat). To calculate Race Readiness. Never for any other purpose.
Intervals.icu activity & wellness data	To populate your public dashboard (activities, heatmap, personal bests), calculate your Decode Score, display health trends (HRV, sleep, weight), and compute Race Readiness.
Payment data	To manage your subscription status (trial, active, archived) and send receipts.
Usage data	To keep the service running, fix bugs, and understand which features are used.

We do not use any of your data for advertising. We do not sell your data. We do not share your data with third parties except as described in Section 5.

4. Your Public Dashboard

Your public dashboard at username.decodestrength.com is visible to anyone with the link. It displays the data you have chosen to make public:

Your display name and city
Your Decode Score, Consistency Score, and Runner Archetype
Your 52-week training heatmap
Your personal bests
Your recent activities (name, distance, time, pace)
Your upcoming race calendar
Your Race Readiness (if a race is within 30 days)

Health metrics (HRV, resting HR, sleep, weight, body fat, blood pressure) are shown only in your private app view. They are not displayed on your public dashboard.

If your subscription lapses, your dashboard is archived (hidden from visitors). Your data is preserved and the dashboard is restored immediately when you renew.

5. Who We Share Data With

Third Party	Purpose	Data Shared
Intervals.icu	Activity and wellness data source	OAuth access tokens or API key — used to fetch your data on your behalf
Strava	Activity data source	OAuth tokens only — used to fetch your data on your behalf
Razorpay	Payment processing	Name, email, payment amount — governed by Razorpay's privacy policy
Resend	Transactional email	Your email address and name — for sending you subscription emails
Cloudflare	Infrastructure — hosting, database, queues	All data is processed in Cloudflare's infrastructure — governed by Cloudflare's privacy policy

We do not share your data with any other third parties. We do not share your data with advertisers, data brokers, or analytics companies.

6. Data Storage and Security

Your data is stored on Cloudflare's infrastructure, primarily in data centres in the Asia-Pacific region. Cloudflare is SOC 2 Type II certified.

We protect your data using:

HTTPS encryption for all data in transit
bcrypt hashing for passwords
Encrypted storage for API keys and OAuth tokens
JWT-based authentication for app sessions
Row-level isolation — every database query is filtered by your user ID

No system is perfectly secure. If we become aware of a security breach affecting your data, we will notify you at your registered email address within 72 hours.

7. Your Rights

You have the right to:

Access your data — request a copy of all data we hold about you
Correct your data — update your profile, name, and city from Settings at any time
Delete your data — request full deletion of your account and all associated data. We will complete deletion within 30 days and send you confirmation.
Disconnect Intervals.icu — revoke OAuth access from app Settings at any time, or revoke the API key from your Intervals.icu developer settings. This stops all future syncing immediately.
Disconnect Strava — revoke our Strava access from your Strava settings at any time. This stops future data syncing.
Disconnect Health Connect — revoke permissions from your Android device settings at any time.
Export your data — request a JSON export of your profile, races, personal bests, and health metrics.
Object to processing — contact us to discuss any concerns about how we use your data.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Account & Data Deletion

You can delete your account and all associated data at any time.

In the app: Go to Profile → Settings → Delete Account. This permanently removes your account and all associated data. Deletion cannot be undone.

If you no longer have the app installed: Email [email protected] from your registered email address and we will delete your account and all associated data on your behalf.

What is deleted: your profile and account details, connected-source credentials (Strava, Intervals.icu, Health Connect), and all activities, races, personal bests, and health metrics.

Timeline: Account deletion completes within 30 days, and we email you a confirmation. Health data is deleted immediately. Some data may persist in encrypted backups for up to 90 days, after which it is permanently erased.

9. Data Retention

Active accounts: Data is retained for as long as your account exists.
Cancelled accounts: We retain your data for 90 days after cancellation, then delete personal information and anonymise remaining aggregate statistics.
Deletion requests: Processed within 30 days. Some data may be retained in encrypted backups for up to 90 days after that.
Health data: Deleted immediately on account deletion or on request. Not included in anonymised aggregate statistics.

10. Children's Privacy

Decode Strength is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will delete it promptly.

11. Health Data — Additional Protections

Health and fitness data is sensitive. We apply additional protections:

Health data is never used for advertising or marketing profiling
Health data is never sold or shared with insurance companies, employers, or any third party not listed in Section 5
Health data is only used to display your own metrics to you on your personal dashboard
You can delete all health data independently of your account via Settings → Health Data → Delete All
Revoking Health Connect permissions immediately stops all future health data collection

12. Cookies

We use minimal cookies:

Session cookie: To keep you logged into app.decodestrength.com. This is a functional cookie — the service cannot work without it. It expires after 7 days.

We do not use advertising cookies, tracking pixels, or analytics cookies from third parties. We do not use Google Analytics.

13. Changes to This Policy

We may update this Privacy Policy as the product evolves. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Send you an email to your registered address if the changes significantly affect your rights

Continued use of Decode Strength after changes are posted constitutes acceptance of the updated policy.

14. Contact

For any privacy questions, data requests, or concerns:

Privacy requests: [email protected]
General support: [email protected]
General enquiries: [email protected]

We aim to respond to all privacy requests within 30 days.

PrivacyPolicy