Privacy notice
This page explains what data Velorific collects, why, who we share it with, and what rights you have. Velorific is a small independent app, so this notice is written in plain English instead of boilerplate.
1. Who we are
Velorific is operated as a sole-trader project based in the United Kingdom. For privacy matters, including access, correction, deletion, or complaints, contact:
- Email: adam@velorific.com
We are the data controller for the personal data described below.
2. What data we collect
We only collect what the app needs to work. Specifically:
| Category | Examples | Source |
|---|---|---|
| Account identifiers | Internal user ID, display name, passcode | You, at sign-up |
| Health & fitness data | Meal descriptions, calorie and macro entries, body weight, workout data (duration, calories, effort score) | You, Strava, TrainingPeaks |
| Targets and settings | Base TDEE, deficit, protein/carb/fat goals, connected integrations | You |
| Integration tokens | Strava OAuth access and refresh tokens, TrainingPeaks iCal URL | Strava / you |
| Operational logs | Server logs (IP address, request path, timestamp) kept short-term for debugging and abuse prevention | Automatically, during use |
We do not collect location, contacts, financial information, browsing history, or advertising identifiers. We do not use tracking cookies, and we do not sell data to advertisers.
Special-category data
Health-related information — meals, body weight, workout intensity — is treated as special-category data under UK and EU GDPR (Article 9). We process it only because you have given explicit consent by creating an account and logging entries, and only to provide the features of the app.
3. Why we process your data (lawful bases)
- Performance of a contract (Art. 6(1)(b)) — to run the service you signed up for: storing meals, computing calorie targets, displaying workouts.
- Legitimate interests (Art. 6(1)(f)) — keeping the service secure, preventing abuse, and fixing bugs. You can object; see "Your rights" below.
- Explicit consent (Art. 9(2)(a)) — for processing health-related data, and for any optional integration (Strava, TrainingPeaks) that you choose to enable.
4. Who we share data with
Velorific uses a small number of third-party services. Each handles a specific piece of the system, and none is sent more than it needs.
| Service | Role | Data shared |
|---|---|---|
| Railway | Hosting (app server and database volume) | All stored application data, processed on Railway infrastructure in the United States |
| Cloudflare | DNS, TLS, DDoS protection (proxied in front of velorific.com) | Network metadata (IP, request path, user agent) for each request |
| Strava | Workout import (optional, only if you connect) | OAuth tokens; workouts we read back are stored on our server |
| TrainingPeaks | Planned-session import via iCal URL (optional) | The iCal URL you provide; we fetch upcoming sessions from it |
| Anthropic | AI meal estimation (only when you use the "AI estimate" feature) | The meal description text you type. Anthropic states it does not use API inputs to train its models. |
Some of these providers are based outside the UK and EU. Where that is the case, transfers are covered by the providers' own safeguards (such as Standard Contractual Clauses and equivalent frameworks). We do not share your data with any other third party, and we do not sell or rent it.
5. How long we keep your data
- While your account is active, we keep your data so the app works.
- If you delete your account or ask us to remove your data, we retain your database file for up to 30 days to protect against accidental loss and cover operational rollback, and then we delete it.
- Server logs that contain IP addresses are kept short-term (typically under 30 days) for debugging and abuse prevention.
- Rolling database backups (the last 50 writes) may contain recently-deleted data and are rotated automatically.
6. Your rights
Under UK and EU GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Have your data deleted ("right to erasure").
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent for optional features at any time (disconnecting Strava or TrainingPeaks in Settings is the simplest route).
To exercise any of these rights, email adam@velorific.com. We will respond within one month, as required by law. A self-service JSON export endpoint is on the roadmap; until it ships, email us and we will produce the export manually.
If you believe we have handled your data incorrectly, you have the right to complain to the UK Information Commissioner's Office (ico.org.uk) or your local EU data protection authority.
7. Security
Velorific runs over HTTPS with HSTS. Application data lives on a dedicated, isolated database file per user. Secrets (Strava client secrets, API keys) are held in the hosting provider's secret store, not in the codebase. Failed authentication attempts are rate-limited. Standard security headers (Content Security Policy, X-Frame-Options, Referrer-Policy, and others) are applied to every response.
No system is perfectly secure. If you find a vulnerability, email adam@velorific.com and we will respond as quickly as we can.
8. Cookies, tracking, and on-device storage
Velorific does not use advertising or analytics cookies, and we do not embed third-party trackers.
The web app stores a small amount of data in your browser's localStorage (your passcode and a cache of your targets) so you do not need to re-enter them on every visit.
The iOS app stores your passcode in the device Keychain (encrypted by iOS, tied to this app) and caches targets in standard app storage. Nothing device-side is shared beyond our own server and the integrations you explicitly enable (Strava, TrainingPeaks, AI meal estimation).
9. Children
Velorific is not directed at children under 16 and we do not knowingly collect their data. If you believe a child has created an account, email adam@velorific.com and we will remove it.
10. Changes to this notice
If we make material changes, we will update the "Last updated" date at the top of this page and, where practical, tell you in the app. Continuing to use Velorific after a change means you accept the updated notice.