Legal

Privacy Policy

Last updated: 24 April 2026 · Effective immediately

SPLIT ("we", "the platform") is operated from Denmark and complies with the EU General Data Protection Regulation (GDPR). This policy explains what data we collect, how we use it, and the rights you have over it.

1. Data we collect

Account data

• Email address, display name, password hash (bcrypt, never stored in plaintext)
• Optional profile: tagline, avatar, height, weight, date of birth
• Account creation timestamp, last-login timestamp, IP address of last session

Training data

• Activities synced from Garmin / Polar / Suunto via OAuth — GPS traces, heart rate, pace, cadence, power, all metrics your device recorded
• Manual activities you log, including notes
• Planned workouts, goals, race dates, target times
• Body composition (weight, body fat, muscle mass, hydration) — if synced from Garmin scale or entered manually

Usage + technical data

• Session cookies to keep you logged in (splitsession, 30-day expiry, HttpOnly, Secure)
• Browser user-agent + version for compatibility debugging
• API request logs (IP, path, timestamp) — retained 14 days then deleted

2. How we use it

• Deliver the service: render your dashboard, calculate stats, generate training plans, push structured workouts to Garmin
• Improve training recommendations: the AI Coach reads your last 30 days of data to give contextual advice
• Social features (optional): share activities with friends you follow, participate in challenges
• Billing (premium users): process subscription payments via Stripe

We never sell your data. We never use it to train third-party AI models outside the SPLIT AI Coach feature you explicitly use.

3. Where it lives

• EU-hosted Hetzner server in Germany (Falkenstein data centre)
• SQLite database, encrypted at rest via Linux LUKS full-disk encryption
• Daily backups to an encrypted volume on the same host; quarterly off-site cold backup to EU-region S3-compatible storage
• Stripe (payment processor) holds card numbers — we only see the last 4 digits
• Garmin Connect OAuth tokens stored server-side and never exposed to your browser

4. Third parties

• Garmin / Polar / Suunto: receives push requests when you schedule workouts; we send workout structure + target date, nothing else
• Stripe: for premium-tier billing only
• Anthropic (AI Coach Premium): receives your training context when you explicitly ask the AI coach a question. Not used for training Anthropic's models per their API terms
• Open-Meteo: for forecast data on upcoming workout days; we send coordinates and date, not identity
• CartoDB / OpenStreetMap: map tiles; standard anonymous usage

No advertising networks, no tracking pixels, no Google Analytics.

5. Your rights under GDPR

• Access: export every byte of your data via Settings → Export account data
• Deletion: request full account deletion from Settings; data is purged within 14 days (backups rotate out within 90)
• Correction: edit profile + metric overrides directly in Settings
• Portability: activities export as GPX + TCX, stats export as JSON + CSV
• Objection: email [email protected] to object to any processing

6. Cookies

We use two cookies:

• splitsession — required, keeps you logged in
• gs-next-theme — optional, remembers dark/light preference

No tracking cookies, no advertising cookies, no cross-site cookies. No consent banner needed because we don't track.

7. Children

SPLIT is not intended for users under 16. If you believe a child has created an account, email [email protected] and we will delete it immediately.

8. Changes to this policy

Material changes are announced on the home page 14 days before taking effect. The "Last updated" date above always reflects the current revision.

9. Contact

Data Protection questions: [email protected]
General support: [email protected]
Data Protection Authority (DK): Datatilsynet