Privacy Policy

Last updated: March 26, 2026

1. Introduction

The Daily Athlete ("we," "us," or "our") is a workout tracking platform operated by Ryan Sareen, based in India. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website and services at thedailyathlete.in (the "Service").

This policy is designed to comply with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 ("DPDP Act") as applicable. For users in the European Union, this policy also addresses rights under the General Data Protection Regulation (GDPR).

By using the Service, you consent to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address, display name, and username. If you sign in with Google, we receive your name, email, and profile photo from Google.

2.2 Profile Information

You may optionally provide additional profile data such as age range, experience level, height, weight, sport preferences, training goals, bio, and profile photo.

2.3 Workout & Health-Related Data

We store workout data you create manually, import via CSV/XLSX, or sync from third-party services. This includes workout type, date, duration, distance, pace, heart rate, elevation, calories, laps/splits, and any notes or descriptions you add.

Note on health data: Some workout data (heart rate, calories, body metrics) may be classified as health-related or sensitive personal data in certain jurisdictions. We treat all such data with the same level of protection as described in this policy. This data is used solely for providing you with training analytics and insights within the Service.

2.4 Third-Party Service Data

When you connect third-party fitness services, we access and store data from those platforms:

  • Strava: Activity summaries, detailed activity data (distance, duration, pace, heart rate, elevation, laps, splits, photos), and activity metadata. We access this data via the Strava API using OAuth 2.0 authorization that you explicitly grant.

You can disconnect any third-party service at any time from your Settings page, which revokes our access to new data from that service.

2.5 Usage Data

We collect anonymized product analytics via PostHog to understand how the Service is used and to improve it. This may include pages visited, features used, and general interaction patterns. We do not sell or share this data with third parties for advertising purposes.

2.6 Push Notification Tokens

If you opt in to push notifications, we store your device's push subscription endpoint to send you workout reminders, sync completion alerts, and weekly summaries. You can opt out at any time.

3. How We Use Your Information

We use your data to:

  • Provide, maintain, and improve the Service
  • Display your workout history, stats, progress, and training insights
  • Generate AI-powered workout suggestions, reports, and coaching insights
  • Sync and merge workout data from connected third-party services (Strava)
  • Send you email summaries, weekly wraps, and push notifications (with your consent)
  • Detect and prevent abuse, fraud, or unauthorized access
  • Generate anonymized aggregate statistics about platform usage

4. Data Storage and Security

Your data is stored in Google Cloud Firestore (Firebase) and Vercel infrastructure. We use industry-standard security measures including:

  • Firebase Authentication with secure session management
  • HTTPS encryption for all data in transit
  • Firestore Security Rules restricting data access to authenticated users
  • OAuth 2.0 for all third-party service connections (no passwords stored)
  • Regular automated backups with integrity verification
  • HttpOnly, SameSite cookies for admin session management

While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

5. Third-Party Services

The Service integrates with the following third-party services. Each has its own privacy policy:

When you use AI features (workout suggestions, reports, coaching), your workout data may be sent to Groq for processing. We do not send personally identifiable information (name, email) to AI providers — only anonymized workout metrics.

6. Data Sharing

We do not sell, rent, or trade your personal data. We may share data only in these limited cases:

  • Public profiles: If you enable your public profile, your display name, username, bio, workout stats, and profile photo are visible to anyone with your profile link.
  • Service providers: We use third-party services (listed above) to operate the platform. They process data on our behalf under their respective privacy policies.
  • Legal requirements: We may disclose data if required by law, legal process, or government request.

7. Your Rights

Under the DPDP Act, IT Act, and GDPR (where applicable), you have the following rights as a Data Principal:

  • Right to Access: View all data we hold about you through your profile and settings pages
  • Right to Export / Portability: Request a full export of your data in JSON format
  • Right to Correction: Update your profile information at any time through Settings
  • Right to Erasure: Request deletion of your account and all associated data by contacting us
  • Right to Disconnect: Revoke access to any connected third-party service at any time
  • Right to Withdraw Consent: Withdraw consent for data processing at any time (this may affect Service functionality)
  • Right to Opt Out: Disable push notifications, email summaries, and analytics tracking
  • Right to Nominate: Under the DPDP Act, you may nominate another person to exercise your rights in case of your death or incapacity

To exercise any of these rights, contact our Grievance Officer (see Section 13 below) at ryanssareen@gmail.com. We will respond to requests within 30 days.

8. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Data Protection Board of India (once constituted under the DPDP Act) without unreasonable delay, and in any case within 72 hours of becoming aware of the breach
  • Notify affected users via email and/or in-app notification as soon as practicable
  • Provide details of the nature of the breach, the data affected, and the measures taken to mitigate it
  • Document the breach and remediation steps in our internal records

For EU users, breach notifications will also comply with GDPR Article 33/34 requirements where applicable.

9. Data Retention

We retain your data for as long as your account is active and the data is necessary for the purposes described in this policy. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or legitimate business purposes (e.g., backup integrity, fraud prevention, legal compliance).

Automated backups containing your data are pruned on a regular schedule: daily backups kept for 7 days, weekly for 4 weeks, monthly for 12 months. After these periods, backup data is permanently deleted.

10. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from minors. Under the DPDP Act, processing personal data of children requires verifiable consent from a parent or lawful guardian.

If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at ryanssareen@gmail.com. We will take steps to delete such data promptly.

11. International Data Transfers

Your data may be processed and stored on servers located outside India (e.g., Google Cloud for Firebase, Vercel for hosting, Groq for AI processing). By using the Service, you consent to the transfer of your data to these locations. We ensure that all third-party processors maintain appropriate security measures.

For EU users: data transfers outside the EEA are conducted in accordance with GDPR requirements, relying on the third-party processors' own compliance mechanisms (e.g., Standard Contractual Clauses).

12. Changes to This Policy

We review and update this Privacy Policy at least annually, or more frequently when required by changes in law, our practices, or the Service. We will notify you of material changes by email and by posting the updated policy on this page with a revised "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

We are actively monitoring the rollout of the DPDP Rules (expected full enforcement by 2027) and will update this policy as new requirements are enacted.

13. Grievance Officer & Contact

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the following person has been designated as the Grievance Officer for the purpose of this Privacy Policy:

Ryan Sareen

Grievance Officer & Data Protection Contact

The Daily Athlete

Email: ryanssareen@gmail.com

Grievances will be acknowledged within 24 hours and resolved within 30 days from the date of receipt. If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India (once constituted) or the relevant supervisory authority in your jurisdiction.