Privacy Policy

1. Introduction

This Privacy Policy explains how Stadia (“Stadia,” “we,” “our,” or “us”) collects, uses, and shares information about you when you use our website at app.stadia.fit, our iOS application, and related services (collectively, the “Service”). The Service is an AI-powered fitness planning assistant that generates periodized training plans and tracks workouts across strength, cycling, running, and swimming.

By using the Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Service.

2. Information We Collect

a. Account Information

When you register, we collect your username, email address, and a hashed password. We never store plaintext passwords.

b. Fitness and Health Data

To generate plans and track progress, we collect and store fitness and physiological data you provide or authorize us to retrieve, including:

• Training goals, experience level, and preferences you share in chat.
• Workouts you log (exercises, sets, reps, weights, durations, RPE, notes).
• Activity data imported from connected services (e.g., Garmin, Strava), such as GPS routes, heart rate, pace, power, cadence, and workout summaries.
• Recovery and sleep data imported from connected services (e.g., Oura), such as sleep scores, readiness, heart-rate variability, and resting heart rate.
• Personal metrics you provide, such as bodyweight, training maxes, injuries, or other health context relevant to your plan.

Some of this information may constitute “health information” under applicable laws. We treat it as sensitive and apply additional safeguards described in Section 7.

c. Chat and Conversation Content

The Service includes a conversational AI interface. We store the messages you send and the responses generated so we can continue coaching you across sessions. These messages may be processed by third-party large language model providers as described in Section 4.

d. Third-Party Integration Tokens

When you connect a third-party service (e.g., Garmin Connect, Strava, Oura), we store the credentials or OAuth tokens needed to access your data on your behalf. These are stored in encrypted form and used only to retrieve the data you authorized.

e. Usage and Device Information

We collect basic technical information about your use of the Service, including IP address, browser or device type, operating system, referring pages, and timestamps. We use this to keep the Service secure and reliable.

f. Cookies and Similar Technologies

We use strictly necessary cookies and authentication tokens to keep you signed in. We do not use advertising or tracking cookies.

3. How We Use Your Information

• Provide, maintain, and improve the Service.
• Generate personalized training plans, recommendations, and coaching responses.
• Display your workouts, progress, recovery, and calendar in the app.
• Authenticate you, secure your account, and prevent abuse of the Service.
• Communicate with you about the Service (see Section 4(d)).
• Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information and we do not use your health or fitness data for advertising.

4. How We Share Your Information

We share information only as needed to operate the Service, and only with the following categories of recipients:

a. AI / Large Language Model Providers

To generate plans and coaching responses, we send relevant context (such as your goals, workouts, and recent activity) to third-party LLM providers, including Anthropic and OpenAI. These providers process the data under their own terms and, per their standard API agreements, do not use API inputs or outputs to train their models. We only send data necessary to produce a response.

b. Connected Fitness Services

When you authorize a connection to Garmin Connect, Strava, Oura, or another service, we exchange data with that service on your behalf using the scopes you grant. Your use of those services is also governed by their own privacy policies.

c. Infrastructure and Data Storage

We use cloud hosting, managed databases (including PostgreSQL), and other infrastructure providers to operate the Service. Some application data may also be stored in Notion databases used by the Service. These providers process data on our behalf under contractual obligations to keep it confidential and secure.

d. Communications

We may send transactional emails (e.g., account notifications, reminders, security alerts) through email providers such as SendGrid. We do not send marketing emails without your consent.

e. Legal and Safety

We may disclose information if required by law, to comply with legal process, or to protect the rights, property, or safety of our users or others.

f. Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to the protections in this Policy.

5. Data Retention

We retain account, workout, and conversation data for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or necessary to resolve disputes. We may keep aggregated or de-identified data that cannot reasonably be linked to you.

6. Your Rights and Choices

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal information, and to object to certain uses. To exercise any of these rights, email us at sean@stadia.fit. You can also:

• Disconnect any third-party integration at any time from the Settings page.
• Delete workouts, plans, and messages directly in the app.
• Request full account deletion by emailing us.

If you are in the European Economic Area, United Kingdom, or California, you have additional rights under the GDPR, UK GDPR, and CCPA/CPRA, respectively. We do not sell or share personal information for cross-context behavioral advertising.

7. Security

We implement technical and organizational measures designed to protect your information, including encryption in transit (TLS), encryption of third-party credentials at rest, scoped access controls, and hashed passwords. No system is perfectly secure, and we cannot guarantee absolute security. Notify us immediately if you believe your account has been compromised.

8. Children’s Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the U.S., your information will be transferred to, stored, and processed in the U.S. and in other countries where our service providers operate. By using the Service, you consent to such transfers.

10. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice in the Service before the changes take effect. Continued use after the effective date of an update constitutes acceptance of the revised Policy.

11. Contact Us

Questions or requests about this Policy? Email sean@stadia.fit.