Legal

Back to Dashboard

Privacy Policy, Terms of Service, and Cookie Policy for Breakaway.

Last updated: March 2026

1. Data We Collect

From Strava

When you connect your Strava account, we receive and store: your Strava athlete ID, display name, email address, and profile photo URL. For each activity we sync, we store the activity name, sport type, date, distance, moving time, elapsed time, average pace, average and maximum heart rate, elevation gain, per-kilometer splits, lap data, and time-series streams (altitude, velocity, cadence). We also store the complete original Strava API response for each activity.

Generated by Breakaway

We compute and store a fitness profile based on your activity history, including weekly volume averages, pace zones, estimated race times, run frequency, consistency scores, and training trajectory. When we generate a training plan using AI, we store the plan, its workouts, the full prompt sent to the AI model, and the full AI response. Adaptation recommendations and their AI reasoning are also stored.

Analytics and Cookies

We collect usage analytics through PostHog (page views, feature interactions, session replays) and set HTTP-only authentication cookies. Coach chat conversation history is not stored server-side — it exists only in your browser session and is cleared when you close or refresh the page.

2. How We Use Your Data

Your training data is used to generate personalized training plans and to provide coaching insights. When generating plans, we send your fitness profile data (pace zones, weekly volume, run frequency, trajectory) and your stated goals to OpenAI. When using the coach chat, we send your fitness profile, the last 6 weeks of weekly training summaries, your last 30 days of individual activity data (dates, distances, paces, heart rate, elevation), estimated personal bests, and your current plan schedule. We do not send raw GPS coordinates, time-series streams, or your Strava profile information to OpenAI. Usage analytics help us understand how the product is used so we can improve it.

3. Third-Party Processors

We share data with the following third-party services as necessary to operate Breakaway:

  • Strava — source of your activity data, subject to Strava's own Privacy Policy.
  • OpenAI — receives fitness profile data (pace zones, volume trends, race estimates), recent activity summaries (distances, paces, heart rate), and your plan schedule to generate training plans and coaching responses. Does not receive raw GPS data, time-series streams, or your email address.
  • Railway — hosts our backend API and PostgreSQL database.
  • Vercel — hosts the Breakaway frontend application.
  • PostHog — provides product analytics, session replays, and page-view tracking.
  • Sentry — provides error monitoring to help us identify and fix bugs.

4. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on Railway. Strava OAuth access and refresh tokens are encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before being written to the database. Authentication uses short-lived JWT tokens (15-minute access tokens, 7-day refresh tokens) stored in HTTP-only, secure cookies. AI coaching conversation history is not stored server-side — it is maintained only in your browser for the duration of your session.

5. Cross-Border Data Transfers

Breakaway is operated from and your data may be transferred to the United States. OpenAI, Vercel, PostHog, and Sentry are US-based services. We rely on appropriate safeguards, including standard contractual clauses where required, to protect data transferred outside your country of residence.

6. Your Rights

You have the right to access, correct, export, or delete the personal data we hold about you at any time through your account settings or by reaching out to us directly.

EU / GDPR Rights

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation: the right to object to processing, the right to restrict processing, and the right to data portability. You also have the right to lodge a complaint with your local supervisory authority.

California / CCPA Rights

If you are a California resident, you have the right to know what personal information we collect, disclose, or sell; the right to delete your personal information; and the right to opt out of the sale of personal information. We do not sell personal information.

7. Data Retention

Activity data, fitness profiles, training plans (including the AI prompts and responses used to generate them), and adaptation recommendations are retained for as long as your account is active. Complete Strava API responses are stored alongside processed activity data. Deleting your account removes all personal data from our systems within 30 days. AI coaching conversation history is not stored server-side and exists only in your browser for the duration of your session.

8. Cookies

We use HTTP-only session cookies (access_token and refresh_token) for authentication. We also set PostHog analytics cookies to track page views and feature usage. See our Cookie Policy for full details.

9. Children

Breakaway is not intended for anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes become effective upon posting to this page. Continued use of the service after changes are posted constitutes acceptance of the updated policy. We encourage you to review this page periodically.

11. Contact

For privacy-related questions or requests, please reach out through the support channels listed on our website.