Privacy Policy
Last updated: July 07, 2025
1. Introduction
At ShadowFit we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our premium fitness platform and when you connect your Strava account.
By using ShadowFit, you consent to the data practices described in this policy. If you do not agree, please do not use the service and disconnect your Strava account.
2. Information We Collect
2.1 Personal Information
We collect information you provide directly to us, including:
- Account information (email, password — hashed with a strong one‑way algorithm; we never store plaintext passwords).
- Profile information (name, location).
- Payment information (processed securely by Stripe; we never store full card numbers).
- Preferences (units, notification settings).
2.2 Strava Integration Data
When you connect your Strava account via OAuth, we may access (with your explicit consent and minimal scopes):
- Your Strava athlete ID and basic profile.
- Activity data strictly necessary to create/synchronize activities you request.
- OAuth access and refresh tokens (stored encrypted; rotated and revocable at any time in Strava settings).
We do not request your Strava password and we do not use Strava data to train AI/ML models.
2.3 Special Categories
We do not intentionally collect special categories of data (e.g., health data beyond what Strava exposes for activities). You should avoid sharing sensitive free‑text information in forms or support tickets.
3. Legal Bases for Processing (GDPR)
- Contract performance (Art. 6(1)(b)) for account management, processing orders, and synchronizing activities to your Strava account.
- Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, service improvement, and aggregated analytics (balanced against your rights).
- Consent (Art. 6(1)(a)) for Strava connection, marketing communications, and optional cookies. You can withdraw consent at any time (disconnect Strava; unsubscribe; adjust cookie settings).
- Legal obligation (Art. 6(1)(c)) for tax, accounting, and compliance.
4. How We Use Your Information
We use the collected information for the following purposes:
Service Provision
- Create and manage your account.
- Process payments and transactions.
- Deliver premium activities and routes.
- Sync with your Strava account per your requests.
Improvement
- Analyze usage patterns.
- Improve our services and features.
- Develop new premium content.
- Optimize user experience.
Communication
- Send service notifications.
- Provide customer support.
- Share important updates.
- Send promotional content (with consent).
Security
- Protect against fraud and abuse.
- Ensure platform security and integrity.
- Comply with legal obligations.
- Enforce our terms of service.
5. Strava API Compliance & Restrictions
- We use Strava’s official OAuth flow and minimal scopes necessary. We never ask for or store your Strava password.
- We access and display Strava data only to the authenticated user it belongs to. We do not share users’ Strava data with other users or third‑party apps without explicit consent.
- We do not use Strava data to train AI/ML models. Data is used solely to fulfill the service features you request.
- You may revoke ShadowFit’s access at any time from your Strava account settings. Revocation immediately invalidates our tokens.
- We respect Strava rate limits and developer policies, and we promptly remove data if required by Strava or by you.
6. Token Management & Security Controls
- Token storage: OAuth access/refresh tokens are stored server‑side, encrypted at rest (e.g., AES‑256) and never exposed to the client.
- Transport security: All data in transit is protected using TLS (HTTPS).
- Rotation & revocation: Tokens are refreshed automatically and can be revoked by you at any time via Strava; we also support manual disconnection in your ShadowFit settings.
- Secrets management: API keys and credentials are stored in a secure secrets manager; access is restricted by role‑based access controls (RBAC) and audit logging.
- Least privilege: Internal access to production data is limited to authorized personnel for defined purposes.
7. Information Sharing and Disclosure
We do not sell, trade, or otherwise transfer your personal information to third parties, except in the following circumstances:
Service Providers
- Stripe: For secure payment processing (we do not store full card details).
- Cloud hosting & databases: For application hosting and storage (with encryption at rest).
- Analytics: For service improvement (aggregated or anonymized where possible).
Legal Requirements
We may disclose your information when required by law or to:
- Comply with legal processes or government requests.
- Protect our rights, property, or safety, or that of our users.
- Investigate potential violations of our terms.
8. Data Security
We implement layered security measures to protect your personal information:
Encryption
Data encrypted in transit (TLS) and at rest.
Secure Infrastructure
Hardened environments, backups, and monitoring.
Access Control
RBAC, least‑privilege, and audit logs.
- Passwords are hashed using industry‑standard algorithms (e.g., Argon2/BCrypt) with per‑user salts.
- Regular security updates, dependency management, and vulnerability scanning.
- Incident response plan; in case of a data breach impacting your rights, we will notify you and the relevant authority (e.g., CNIL) in accordance with the GDPR.
9. Privacy Risks & User Controls (Strava)
Publishing GPS activities may reveal sensitive locations (e.g., home/work). We recommend you configure Strava privacy settings (privacy zones, activity visibility) to limit exposure. You can also choose private uploads by default.
10. Your Rights and Choices
Under the GDPR and French law, you have the following rights:
Access
Request a copy of the personal information we hold about you.
Correction
Update or correct inaccurate personal information.
Deletion
Request deletion of your personal information (subject to legal requirements).
Portability
Request your data in a portable format.
- Right to object and restrict processing in certain cases.
- Right to withdraw consent at any time (e.g., disconnect Strava).
To exercise these rights, contact us at privacy@shadowfit.com. We may verify your identity. We respond within one month, extendable in complex cases.
11. Cookies and Tracking
ShadowFit uses cookies and similar technologies to enhance your experience:
- Essential Cookies: Required for basic functionality.
- Performance/Analytics: Aggregated usage analytics; IPs anonymized where supported.
- Functional: Remember your preferences.
12. Data Retention
We retain personal information only as long as necessary for the purposes described above:
- Account/profile data: retained while your account is active; deleted or anonymized within 30 days after account deletion (unless longer is required by law).
- Strava tokens: deleted immediately upon disconnection or revocation; otherwise rotated per Strava policy.
- Activity records & order history: retained for contract/accounting obligations (typically 6–10 years for invoices per local law); activity metadata may be anonymized earlier.
- Logs & security records: retained for a limited period necessary for security and auditing (typically 90–180 days), unless required for investigations.
13. International Data Transfers
Your information may be processed in and transferred to countries outside your country of residence, including outside the EEA/UK. Where such transfers occur, we implement appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and additional technical measures (encryption, access controls).
14. Children’s Privacy
ShadowFit is not intended for children under 15 years old in France. If you are between 15 and 18, you should seek parental guidance to understand your rights. We do not knowingly collect personal information from children under 15; if we learn that we have, we will delete it promptly.
15. Sub‑processors
We use trusted sub‑processors under data processing agreements:
- Stripe, Inc. — payments processing.
- (Hosting provider, e.g., AWS/OVH) — infrastructure and storage.
- (Email provider) — transactional email delivery.
- (Analytics provider) — usage analytics (with IP anonymization where available).
An up‑to‑date list of sub‑processors is available on request.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, by email or in‑app notice. The effective date appears at the top of this page.