Privacy Notice
Last updated: 2026-06-13.
Operator: baseline, operated from Belgium. Contact: privacy@trybaseline.coach.
1. The short version
baseline is a running coach app. It reads your activity data from Strava, looks for patterns in how you train, and gives you one piece of advice per day.
- We don't sell your data.
- We don't use your data to train AI models.
- Your data lives on EU servers.
- You can delete your account from Settings; everything goes within 30 days.
2. What we collect
From you: your email address, and optionally the heart-rate landmarks (max HR, lactate-threshold HR, resting HR) and training zones you choose to enter. We also store a few preferences — your time zone (region-level, used to time the morning digest) and your morning-digest settings. We do not collect a display name, body weight, height, or gender.
From Strava (with your explicit consent): your activity summaries, and per-second data (heart rate, pace, cadence, and — when your device records them — power and elevation) for activities in the last 60 days. Your runs carry GPS location: we use it once, at import, to look up the weather for that run, and then we discard the coordinates — we keep no route map and no GPS track (see §5). We store our access to Strava as encrypted tokens.
Derived by baseline: from your runs we compute and store training analysis — run classifications, the trends, patterns and insights baseline surfaces, your training plan, and per-run debriefs. This is data about your training, derived from the data above.
Automatic: a session cookie so we know you're signed in, and the browser/device string of your session (used to show you your active sessions and for a basic security audit trail, not for analytics). We do not store your IP address.
We don't use third-party analytics, advertising trackers, or fingerprinting libraries.
3. Why we collect each piece
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email | Sign you in via magic link; send the morning digest (if on) | Performance of contract |
| Athlete profile | Compute your training zones | Performance of contract |
| Time zone | Send the morning digest at your local time | Performance of contract |
| Morning-digest settings | Remember whether/when you want the daily email | Legitimate interest (coaching engagement), opt-out anytime |
| Strava activity data | Generate insights and today's call | Performance of contract |
| Run coordinates (transient) | Look up each run's weather at import, then discarded | Performance of contract |
| Session cookie | Keep you signed in | Performance of contract |
| Browser/device on auth + session | Active-sessions view, security audit trail | Legitimate interest (security) |
| Error logs | Diagnose bugs | Legitimate interest (service quality) |
The only emails we send are your magic-link sign-in and — if you leave it on — a once-a-day morning digest of your Today's Call (the session, the "why", and your goal). It carries no GPS and no heart-rate numbers. Every digest has a one-tap unsubscribe, and you can turn it off anytime in your profile. We don't run advertising or third-party marketing.
4. Who sees your data
Only the operator has access to the database, and only when investigating a bug or a runner-flagged issue. There is no internal "support team" with default read access.
We use the following processors:
| Processor | What they see | Where |
|---|---|---|
| Neon | The encrypted database | EU |
| Fly.io | The backend process | EU (Amsterdam) |
| Vercel | Frontend assets, render logs | EU edge |
| Resend | Your email address, your magic-link sign-in URL, and — if you keep the morning digest on — your daily Today's Call content (session, "why", goal; no GPS, no heart-rate numbers) | EU |
| Anthropic | Single-value summary metrics for the run you're viewing — average heart rate, pace, drift, distance, duration, and our classification of the run. Never your second-by-second HR / GPS track, your location, or any other runner's data | US |
| Strava (if connected) | Your Strava data | US |
| Open-Meteo | A run's coordinates, sent once at import to look up that run's weather, then discarded | EU |
| Sentry | Error stack traces (no HR / GPS / credentials) | EU |
| BetterStack | Backend logs (no HR / GPS / credentials) | EU |
The Anthropic boundary is the most sensitive, and we've deliberately scoped what crosses it tightly. We send single-value summary numbers for the run you're looking at — your second-by-second heart-rate and GPS track, your location, directly identifying information, and any other runner's data never reach the model. Under Anthropic's commercial API terms, your data is not used to train models.
We don't share data with any party not on this list.
5. How long we keep it
- Account + activity data — as long as your account is active.
- GPS coordinates — not stored at all. We use a run's location once, at import, to look up that run's weather, then immediately discard the latitude/longitude. We keep no route map and no GPS track, so there's no record of where you run for us to retain.
- Magic-link tokens — 15 minutes (single-use).
- Session cookies — 90 days from last use, sliding.
- Error logs — 30 days.
- Emails we've already sent you (sign-in links, morning digests) live in your own inbox and in our email provider's sending logs for their retention window. Like any email, we can't recall one once it's delivered — deleting your account stops new sends but doesn't reach into your mailbox.
When you delete your account, everything goes within 30 days, including any backups taken before the deletion. Your time zone and morning-digest settings are part of your account and go with it.
6. Your rights
Under the GDPR you can:
- See your data. Email us; we'll send a JSON dump within 30 days.
- Correct your data. Most fields are editable in your profile. For the rest, email us.
- Delete your account. Settings → Delete Account. Wipes every row keyed to you within 30 days. No tombstones.
- Take your data with you. Same as the access request.
- Withdraw consent for Strava. Disconnect from Settings → Integrations.
If you think we're handling your data wrong, you can complain to the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) at gegevensbeschermingsautoriteit.be, or to the supervisory authority in your own country of residence (your right under GDPR Art. 77).
7. Children
baseline isn't for users under 16. We don't knowingly collect data from anyone under that age. Email us if you believe a child has signed up.
8. Security
- Email is the only identifier; no passwords stored.
- Sign-in tokens and session IDs are stored as one-way hashes, never in cleartext.
- OAuth tokens (Strava) are encrypted at rest with industry-standard authenticated encryption.
- Backend logs are scrubbed of heart rate, GPS, and credentials.
- Production traffic is HTTPS only; cookies are secure-flagged.
We don't claim baseline is unbreachable. We claim that the attack surface is small and the things stored are the things needed.
9. Changes
We'll email you if we materially change how data is processed. Cosmetic edits to this page (typos, clarifying examples) don't trigger a notice. Material changes do.
10. Contact
Privacy questions: privacy@trybaseline.coach.
We aim to respond within 14 days, max 30.