Legal

Privacy
Policy

Last updated: March 2026 · Effective: March 2026

Short version: We collect only what we need to run your dashboard. We never sell your data. Your health and training data stays yours. You can delete everything at any time.

1. Who We Are

Decode Strength ("we", "us", "our") is a personal athletic dashboard product operated by Decode Strength, Bengaluru, India. You can reach us at privacy@decodestrength.com.

This Privacy Policy covers the Decode Strength website (decodestrength.com), the web app (app.decodestrength.com), your public dashboard (username.decodestrength.com), and the Decode Strength Android app.

2. What Data We Collect

2.1 Account Data

When you sign up, we collect:

Your name and display name
Email address
Password (stored as a bcrypt hash — we never store your plaintext password)
Your chosen handle (username)
City and Instagram handle (optional)

2.2 Strava Data

When you connect Strava, we access (with your permission):

Your activities: distance, time, pace, heart rate, elevation, splits
Your athlete profile: name, city, profile photo
Your all-time and yearly training statistics
Activity photos you have uploaded to Strava

We access only what you authorise via Strava's OAuth flow. We do not access private activities unless you explicitly set them to public. We do not access your Strava followers, payment information, or email address.

2.3 Health Data (Android App Only)

If you install the Decode Strength Android app and grant permission, we read the following from Android Health Connect on your device:

Resting heart rate
Heart rate variability (HRV)
Sleep duration and sleep stages (deep, light, REM, awake)
Blood oxygen saturation (SpO₂)
Body weight
Body fat percentage
Blood pressure

This data is read from your device and sent to our servers only to power your dashboard. It is never sold, shared with advertisers, or used for any purpose other than displaying your personal health metrics.

You can revoke Health Connect permissions at any time through your Android device settings. Revoking permissions stops future data collection. Previously collected data can be deleted on request.

2.4 Intervals.icu Data (Optional)

If you connect Intervals.icu by providing your athlete ID and API key, we use these credentials to fetch your training load data (CTL, ATL, TSB, VO₂max estimate) from Intervals.icu. Your API key is stored encrypted. You can disconnect Intervals.icu at any time from Settings.

2.5 Payment Data

Payments are processed by Razorpay. We do not store your card number, CVV, UPI PIN, or any full payment credentials. We store only your Razorpay customer ID and subscription ID for managing your subscription status.

2.6 Usage Data

We collect basic usage information to keep the service running:

When you log in and which features you use
Error logs (to fix bugs)
API request counts (for capacity planning)

We do not use third-party analytics tracking. We do not install advertising cookies.

3. How We Use Your Data

Data	Why we use it
Account data	To create and manage your account, send you emails about your subscription, and identify you when you log in.
Strava activity data	To populate your public dashboard: heatmap, recent activities, personal bests, statistics. To calculate your Decode Score, Consistency Score, and Runner Archetype.
Health data	To show your health metrics on your dashboard (Recovery, HRV, Resting HR, Sleep, SpO₂, Weight, Body Fat). To calculate Race Readiness. Never for any other purpose.
Intervals.icu data	To show training load charts (CTL/ATL/TSB) and enhance Race Readiness calculation.
Payment data	To manage your subscription status (trial, active, archived) and send receipts.
Usage data	To keep the service running, fix bugs, and understand which features are used.

We do not use any of your data for advertising. We do not sell your data. We do not share your data with third parties except as described in Section 5.

4. Your Public Dashboard

Your public dashboard at username.decodestrength.com is visible to anyone with the link. It displays the data you have chosen to make public:

Your display name and city
Your Decode Score, Consistency Score, and Runner Archetype
Your 52-week training heatmap
Your personal bests
Your recent Strava activities (name, distance, time, pace)
Your upcoming race calendar
Your Race Readiness (if a race is within 30 days)

Health metrics (HRV, resting HR, sleep, weight, body fat, blood pressure) are shown only in your private app view. They are not displayed on your public dashboard.

If your subscription lapses, your dashboard is archived (hidden from visitors). Your data is preserved and the dashboard is restored immediately when you renew.

5. Who We Share Data With

Third Party	Purpose	Data Shared
Strava	Activity data source	OAuth tokens only — used to fetch your data on your behalf
Razorpay	Payment processing	Name, email, payment amount — governed by Razorpay's privacy policy
Resend	Transactional email	Your email address and name — for sending you subscription emails
Cloudflare	Infrastructure (hosting, database)	All data passes through Cloudflare's infrastructure — governed by Cloudflare's privacy policy
Cloudflare	Infrastructure — Workers, database, queues, email automation	Account data and activity data processed in Workers runtime; no third-party data sharing

We do not share your data with any other third parties. We do not share your data with advertisers, data brokers, or analytics companies.

6. Data Storage and Security

Your data is stored on Cloudflare's infrastructure, primarily in data centres in the Asia-Pacific region. Cloudflare is SOC 2 Type II certified.

We protect your data using:

HTTPS encryption for all data in transit
bcrypt hashing for passwords
Encrypted storage for API keys and OAuth tokens
JWT-based authentication for app sessions
Row-level isolation — every database query is filtered by your user ID

No system is perfectly secure. If we become aware of a security breach affecting your data, we will notify you at your registered email address within 72 hours.

7. Your Rights

You have the right to:

Access your data — request a copy of all data we hold about you
Correct your data — update your profile, name, and city from Settings at any time
Delete your data — request full deletion of your account and all associated data. We will complete deletion within 30 days and send you confirmation.
Disconnect Strava — revoke our Strava access from your Strava settings at any time. This stops future data syncing.
Disconnect Health Connect — revoke permissions from your Android device settings at any time.
Export your data — request a JSON export of your profile, races, personal bests, and health metrics.
Object to processing — contact us to discuss any concerns about how we use your data.

To exercise any of these rights, email privacy@decodestrength.com. We will respond within 30 days.

8. Data Retention

Active accounts: Data is retained for as long as your account exists.
Cancelled accounts: We retain your data for 90 days after cancellation, then delete personal information and anonymise remaining aggregate statistics.
Deletion requests: Processed within 30 days. Some data may be retained in encrypted backups for up to 90 days after that.
Health data: Deleted immediately on account deletion or on request. Not included in anonymised aggregate statistics.

9. Children's Privacy

Decode Strength is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@decodestrength.com and we will delete it promptly.

10. Health Data — Additional Protections

Health and fitness data is sensitive. We apply additional protections:

Health data is never used for advertising or marketing profiling
Health data is never sold or shared with insurance companies, employers, or any third party not listed in Section 5
Health data is only used to display your own metrics to you on your personal dashboard
You can delete all health data independently of your account via Settings → Health Data → Delete All
Revoking Health Connect permissions immediately stops all future health data collection

11. Cookies

We use minimal cookies:

Session cookie: To keep you logged into app.decodestrength.com. This is a functional cookie — the service cannot work without it. It expires after 7 days.

We do not use advertising cookies, tracking pixels, or analytics cookies from third parties. We do not use Google Analytics.

12. Changes to This Policy

We may update this Privacy Policy as the product evolves. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Send you an email to your registered address if the changes significantly affect your rights

Continued use of Decode Strength after changes are posted constitutes acceptance of the updated policy.

13. Contact

For any privacy questions, data requests, or concerns:

Privacy requests: privacy@decodestrength.com
General support: support@decodestrength.com
General enquiries: info@decodestrength.com

We aim to respond to all privacy requests within 30 days.

PrivacyPolicy