LEGAL

PRIVACY POLICY

Last updated: 17 March 2026

Shobu (“we”, “our”, “us”) operates shobu.fit — a CrossFit performance intelligence platform. This policy explains what data we collect, how we use it, and the rights you have over it. We take data privacy seriously. We do not sell your data, ever.

By using Shobu you agree to this policy. If you do not agree, please do not use the service.

1. What we collect

We collect the following categories of data:

Account & profile

  • Email address (via Clerk authentication)
  • Display name and optional username
  • Athlete profile: age group, gender, estimated max heart rate
  • CrossFit box / gym affiliation (optional)

Activity & performance data

  • Strava activity metadata: activity name, type, date, duration, distance
  • Heart rate streams from connected devices (Garmin, Polar, Wahoo, etc.) — imported via Strava
  • HR zone distribution and aerobic decoupling calculations derived from your streams
  • WOD scores, round splits, and notes you enter manually
  • Personal records and benchmark history
  • Programme tags and RX/Scaled classifications you add to sessions

AI-generated data

  • AI intensity scores (0–10) generated per session using Anthropic Claude
  • AI coaching feedback text generated per session
  • Fit Level profile scores derived from your session history

Technical data

  • Strava OAuth tokens (stored encrypted, used only to sync your activities)
  • Standard server logs: IP address, browser type, request timestamps

We do not collect payment card details (handled entirely by Stripe), passwords (handled by Clerk), or any biometric data beyond heart rate.

2. How we use your data

  • Performance analytics — to calculate HR zones, aerobic decoupling, zone distribution, and pacing breakdowns for each session.
  • AI intensity scoring — your session data (WOD name, score, HR stats) is sent to Anthropic’s API to generate a 0–10 intensity score and coaching feedback. Anthropic processes this under their own privacy policy and does not train on your data under our API agreement.
  • Leaderboards — your scores and rank are shown on public leaderboards. Your email and full name are never shown; only your display name and score.
  • Benchmark comparisons & percentiles — to place your scores in context against anonymised aggregate data.
  • Service communications — to send account-related emails (welcome, data export, deletion confirmation). We do not send marketing emails without your explicit consent.
  • Product improvement — aggregate, anonymised usage patterns (not individual session data) help us improve the platform.

3. How we store your data

  • All data is stored in Supabase (PostgreSQL), hosted on AWS infrastructure in the EU (eu-west-2 region).
  • Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Every database table uses Row Level Security (RLS) — your rows are only accessible to your authenticated session. No user can read another user’s private data.
  • Strava OAuth tokens are stored in the database and used only to fetch your activity data. They are never exposed to the client or logged.
  • Server infrastructure runs on Vercel (edge network, EU region preferred). Authentication is handled by Clerk, which is SOC 2 Type II certified.
  • We retain your data for as long as your account is active. On account deletion, all personal data is permanently removed within 30 days.

4. Third-party services

We use a small number of third-party services to operate Shobu. Each receives only the minimum data required for its function:

  • Strava — activity sync. We request activity:read_all scope only.
  • Anthropic — AI scoring. Session context (WOD name, score, HR stats) only — no PII.
  • Clerk — authentication. Manages your email and login credentials.
  • Stripe — payments. We never see or store your card details.
  • Vercel — hosting and edge delivery.
  • Resend — transactional email (waitlist confirmation, data requests).

We do not sell, rent, or share your personal data with any third party for advertising, marketing, or commercial purposes. Ever.

5. Your rights (GDPR)

If you are in the UK or European Economic Area, you have the following rights under GDPR and UK GDPR:

  • Right of access — request a copy of all personal data we hold about you.
  • Right to rectification — correct inaccurate data. Most profile data can be updated directly in Settings.
  • Right to erasure (“right to be forgotten”) — request permanent deletion of your account and all associated data.
  • Right to data portability — receive your session history, scores, and HR data in a machine-readable format (JSON / CSV).
  • Right to object — object to processing for legitimate interest purposes (e.g. aggregate analytics).
  • Right to restriction — request we restrict processing of your data while a complaint is investigated.

To exercise any of these rights, email us at privacy@shobu.fit. We will respond within 30 days. We may ask you to verify your identity before processing the request.

You also have the right to lodge a complaint with your national data protection authority. In the UK this is the ICO. In Ireland and the rest of the EU, it is your local supervisory authority.

6. Cookies & local storage

  • Authentication session cookie — set by Clerk to keep you logged in. Essential; cannot be disabled.
  • Preference storage — we use localStorage for lightweight UI preferences (e.g. dismissed banners). No tracking.

We do not use advertising cookies, cross-site trackers, or third-party analytics cookies.

7. Data retention

  • Active accounts: data retained indefinitely while your account is active.
  • Deleted accounts: all personal data purged within 30 days of deletion request.
  • Server logs: retained for 90 days then automatically deleted.
  • Strava tokens: revoked and deleted immediately on Strava disconnect or account deletion.

8. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated by email to registered users at least 14 days before taking effect. The “last updated” date at the top of this page always reflects the current version.

9. Contact

For any privacy questions, data requests, or complaints:

DATA CONTROLLER

Shobu · shobu.fit

privacy@shobu.fit
© 2026 SHOBU · shobu.fit