Privacy Policy
Last updated: March 2026
This privacy policy is provided as a starting point and should be reviewed by a qualified legal professional before being considered legally binding.
FORMA ("we", "our", "us") is committed to protecting your privacy. This policy explains how we collect, use, store, and protect your personal data when you use our platform at formalabs.es.
1. What We Collect
We collect the following categories of personal data:
Account information: Name, email address, profile picture (provided via Google, Apple, or Microsoft sign-in through Clerk).
Training data: Workout sessions (planned and actual), training metrics (heart rate, pace, power, cadence), wellness reports, competition schedules, and injury records.
Methodology data: Coaching philosophy, zone systems, periodization rules, communication style preferences, and other methodology documents you create.
Integration data: Data synced from third-party platforms (Strava, Garmin, TrainingPeaks) including activities, health metrics, and device data.
Payment information: Billing details are processed by Stripe and are not stored on our servers.
API keys: Your Anthropic API key, stored encrypted (AES-256-GCM) and used solely to make AI requests on your behalf.
Usage data: Pages visited, features used, error logs, and performance metrics.
2. How We Use Your Data
We use your data to:
Provide the core service: Generate AI-powered training plans, analyse sessions, and deliver coaching insights — all grounded in your methodology.
Process AI requests: Your training data and methodology are sent to Anthropic's Claude AI via your API key to generate plans and analysis. Data is not retained by Anthropic beyond the request.
Sync integrations: Exchange data with connected platforms (Strava, Garmin) to import and export activities.
Process payments: Handle subscription billing through Stripe.
Improve the platform: Analyse usage patterns to improve features and fix issues.
Communicate: Send transactional emails (session reports, account notifications) via Resend.
3. Data Storage & Security
Your data is stored on Neon PostgreSQL (serverless) with connections encrypted via TLS. The application runs on Azure Container Apps in European data centres.
All data in transit is encrypted via HTTPS/TLS. Sensitive data at rest (API keys) is encrypted with AES-256-GCM using per-user derived keys (HKDF).
File uploads (profile images, attachments) are stored in Azure Blob Storage with server-side encryption.
4. Third-Party Services
We use the following third-party services that may process your data:
Clerk: Authentication and user management. Processes your name, email, and sign-in provider data. Privacy policy: clerk.com/legal/privacy.
Anthropic: AI processing. Your training data and methodology are sent to generate plans and analysis via your API key. Anthropic does not retain data from API requests. Privacy policy: anthropic.com/privacy.
Stripe: Payment processing. Handles billing information. Privacy policy: stripe.com/privacy.
Resend: Transactional email delivery. Processes email addresses and message content. Privacy policy: resend.com/legal/privacy-policy.
Sentry: Error monitoring. Collects technical error data and performance metrics. Privacy policy: sentry.io/privacy.
Strava, Garmin, TrainingPeaks: Activity and health data sync (when you connect these integrations).
5. Cookies
FORMA uses essential cookies for authentication (managed by Clerk) and session management. We do not use advertising or tracking cookies.
Authentication cookies: Required for sign-in functionality. Cannot be disabled.
Preference cookies: Store your language and theme preferences. Functional only.
6. Your Rights (GDPR)
As FORMA is based in Spain, we comply with the EU General Data Protection Regulation (GDPR). You have the right to:
Access: Request a copy of all personal data we hold about you.
Rectification: Correct inaccurate personal data.
Erasure: Request deletion of your personal data ("right to be forgotten").
Portability: Receive your data in a structured, machine-readable format.
Restriction: Request that we limit how we process your data.
Objection: Object to processing based on legitimate interests.
Withdraw consent: Where processing is based on consent, you can withdraw at any time.
To exercise any of these rights, contact us at privacy@formalabs.es. We will respond within 30 days.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at aepd.es.
7. Data Retention
Active accounts: Data is retained for the duration of your subscription.
Cancelled accounts: Your data remains accessible for 30 days after cancellation to allow for re-activation. After 30 days, personal data is deleted. Anonymised, aggregated data may be retained for analytics.
API keys: Deleted immediately upon account deletion or when you remove the key.
Payment records: Retained as required by Spanish tax law (minimum 5 years).
8. Contact
For privacy-related inquiries:
Email: privacy@formalabs.es
Data Protection Officer: privacy@formalabs.es
FORMA
Spain