Privacy Policy

1. About this Policy

We Jog ("we", "us", "our") operates the We Jog web application. This Privacy Policy explains how we collect, use, disclose and protect your personal information when you use our service. We are committed to complying with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and applicable international privacy laws including the EU General Data Protection Regulation (GDPR) and UK GDPR where they apply.

2. Information We Collect

Account Information

• Email address (used for authentication via magic link)
• Display name (optional)
• Avatar image (optional)

Activity Data from Connected Services

When you connect a third-party fitness platform (e.g. Strava, Garmin Connect), we receive activity data which may include:

• Distance, duration, pace and splits per kilometre
• Heart rate (average and maximum) and cadence
• Elevation gain and calories burned
• Route and map data (GPS polyline coordinates)
• Activity type, sport and start time

We may store the raw API response from connected services to ensure data accuracy and support troubleshooting.

Training Data You Create

• VDOT scores and race results you enter
• Planned workouts and training schedules

Preferences & Settings

• Maximum and resting heart rate
• Weekly kilometre target and preferred run days

Technical Data

• Browser type and version
• IP address
• Device information
• Usage patterns and page views (via privacy-respecting analytics)

3. Legal Basis for Processing (GDPR)

If you are in the EU or UK, we process your personal information under the following lawful bases:

• Contract performance (Art. 6(1)(b)) — providing the service, including account management, calculating training paces, generating workouts and syncing with connected platforms
• Consent (Art. 6(1)(a)) — connecting third-party accounts (Strava, Garmin Connect) and processing health and fitness data (see below)
• Legitimate interest (Art. 6(1)(f)) — service security, fraud prevention and improving the service
• Legal obligation (Art. 6(1)(c)) — complying with applicable laws and responding to lawful requests

Health and fitness data. Heart rate, cadence and similar biometric metrics are considered "special category" data under GDPR Article 9. We process this data based on your explicit consent, which you provide when you connect a third-party fitness account or enter health-related data into the service. You can withdraw this consent at any time by disconnecting the relevant account or deleting your data from Settings. Withdrawal does not affect the lawfulness of processing before withdrawal.

4. How We Use Your Information

We use your personal information to:

• Provide, maintain and improve the We Jog service
• Authenticate your identity and manage your account
• Calculate training paces and display your fitness data
• Sync data with connected third-party services at your request
• Export structured workouts to connected devices at your request
• Enrich your activity data with weather conditions for training context
• Process payments and manage your subscription
• Send service-related communications (e.g. authentication emails)
• Ensure security and prevent misuse of the service

We do not use your data for advertising, sell your personal information to third parties, or use your fitness data for AI or machine learning training. Activity data synced from connected services is only displayed to the authenticated account holder.

5. Third-Party Services

We Jog integrates with the following third-party services when you choose to connect them:

• Strava — When you connect your Strava account, we receive activity data via the Strava API, including distance, duration, pace, heart rate, cadence, elevation, calories, splits and route map data. Strava may also notify us of new activities via webhook. You can disconnect at any time from Settings. To revoke access on Strava's side, visit your Strava settings at strava.com/settings/apps.
• Garmin Connect — When you connect your Garmin account, we may (a) send structured workout files (FIT format) to your Garmin device, containing pace targets, distances and interval structure, and (b) receive completed activity data from Garmin Connect. Exported workout files contain only training structure — no personal information, account details or health data is included. You can disconnect at any time from Settings.
• Open-Meteo — We use the Open-Meteo API to enrich your activity data with weather conditions (temperature, wind, precipitation) at the time and location of your run. Open-Meteo receives only the approximate coordinates and timestamp of your activity — no personal information is sent.
• Stripe — We use Stripe to process payments for Pro subscriptions. When you subscribe, Stripe collects your payment information directly — we do not store your full card number or payment credentials. We receive only a customer identifier, subscription status and transaction history from Stripe. See Stripe's privacy policy at stripe.com/privacy.
• Supabase — Provides our database and authentication infrastructure. Your data is stored securely in Supabase's cloud infrastructure.
• Vercel — Hosts our application. Standard server logs may be collected.

6. Sub-Processors

We use the following sub-processors to operate the service:

• Supabase — Database, authentication and file storage (AWS Sydney, Australia)
• Vercel — Application hosting (Global CDN)
• Stripe — Payment processing (United States)
• Strava — Activity data sync, when connected by user (United States)
• Garmin — Workout sync and activity data, when connected by user (United States)
• Open-Meteo — Weather data enrichment (Germany)

We ensure all sub-processors maintain appropriate data protection standards. For transfers outside the EEA/UK, we rely on standard contractual clauses or adequacy decisions where required.

7. Data Storage & Security

Your data is stored in secure cloud infrastructure provided by Supabase, with servers located in regions that comply with applicable data protection standards. We implement appropriate technical and organisational measures to protect your personal information, including:

• Encryption in transit (TLS/HTTPS)
• Encryption at rest for stored data
• Row-level security policies restricting data access to authorised users
• Secure token storage for third-party service connections

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, in accordance with GDPR Articles 33–34 and the Australian Privacy Act's Notifiable Data Breaches scheme.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our services. If you delete your account, we will delete or anonymise your personal information within 30 days, unless we are required by law to retain it.

When you disconnect a third-party service (e.g. Strava, Garmin Connect), we stop receiving new data but retain previously synced activity data unless you specifically request its deletion.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access — Request a copy of the personal information we hold about you
• Correction — Request correction of inaccurate or incomplete information
• Deletion — Request deletion of your personal information
• Portability — Request your data in a structured, machine-readable format. You can also export individual workouts as FIT files, compatible with most running watches and fitness platforms.
• Objection — Object to the processing of your personal information
• Withdrawal of Consent — Withdraw consent at any time where processing is based on consent

Australian residents: Under the Privacy Act 1988, you have the right to access and correct your personal information. You may also complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.

EU/UK residents: Under the GDPR, you have additional rights including the right to restrict processing and to lodge a complaint with your local data protection authority.

10. International Data Transfers

Your data may be transferred to, and processed in, countries other than your country of residence. Where we transfer personal information internationally, we ensure appropriate safeguards are in place in accordance with applicable data protection laws, including standard contractual clauses where required.

11. Cookies & Local Storage

We use essential cookies and browser local storage to maintain your authentication session and store user preferences (such as your last calculator input). We do not use tracking cookies or third-party advertising cookies.

12. Automated Decision-Making

We use automated processes to calculate your VDOT fitness score, generate training paces and create workout plans based on the data you provide (race results, heart rate, preferences). These calculations use established running science formulas (the Daniels-Gilbert model) and are not based on profiling.

You are not subject to decisions based solely on automated processing that produce legal or similarly significant effects. You can always adjust your training paces and workout plans manually, and you are under no obligation to follow generated recommendations.

13. Children's Privacy

We Jog is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

14. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the service after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at:

Email: hello@we-jog.com