Privacy

Privacy policy

Last updated: .

supaTRI ("we", "us") is operated from Türkiye and is the party responsible for your data (the "data controller"). For users in Türkiye, this notice also serves as the disclosure required under the Law on the Protection of Personal Data No. 6698 ("KVKK"). For users in the EU/UK, it describes how we comply with the GDPR / UK GDPR. Questions or requests: hello@supatri.com. If you need our full legal entity details to exercise a right, email us and we'll provide them.

What we collect

  • Account. Your email address, used as your login and to send sign-in codes. Sign-in is passwordless: we email you a one-time code and store only a hashed form of it, never a password.
  • Profile. What you enter during onboarding: display name, time zone, and training preferences and goals.
  • Health & fitness data. Optional details such as date of birth, sex, height, weight, heart-rate and power metrics, and injury notes. This is sensitive ("special category") data. See below.
  • Activity. If you connect Strava, supaTRI imports your activities (type, duration, distance, elevation, heart rate, power, pace) so the plan can adapt. Your Strava access tokens are stored encrypted and used only to sync on your behalf.
  • Plans and coach chats. The plans we generate and your conversations with the AI coach.
  • AI settings. Your chosen provider and, if you "bring your own key" (BYOK), your provider API key, stored encrypted.
  • Notifications. A device push token, only if you enable workout reminders.
  • Subscription status. Your plan and entitlement, received from the app store via RevenueCat. We never receive or store your payment card details.
  • Technical & security. IP address (for rate-limiting and abuse prevention), timestamps, and server logs.
  • Crash & diagnostics. When the app or our servers hit an error, we collect crash reports, error logs, and basic device/app information through Sentry, linked to your account ID, so we can find and fix problems. Used only for reliability — never for advertising.

What we don't do

  • We don't sell your personal data.
  • We don't share it with advertisers or data brokers. Ever.
  • We don't embed advertising SDKs or cross-app trackers, and we don't track you across other apps or websites. (We do use Sentry for crash and error diagnostics — see above.)
  • We don't train AI models on your data. Your plans and chats aren't part of any training set.

Health & fitness data

Information such as injury notes, heart-rate and physiological metrics, weight, and FTP is treated as a special category of personal data ("özel nitelikli kişisel veri" under KVKK; Article 9 GDPR). We process it only with your explicit consent, only to deliver the coaching features you ask for, and never for advertising. You can decline to provide it, or delete it at any time.

Who we share with

Only the providers we need to run the service:

  • Hosting. Our servers and database run on Hetzner, in Germany (EU).
  • Strava, if you connect it: the source of your activity data, accessed only within the permissions you grant.
  • Email. Sign-in codes and account emails are sent via Resend.
  • AI providers. DeepSeek (the managed coach) and OpenAI (plan generation); Anthropic optionally; or your own provider if you use BYOK. Each receives the prompt and the training context needed for that request. Some providers process data outside Türkiye and the EU (for example, DeepSeek in China, OpenAI/Anthropic in the United States). See "International transfers" below.
  • Subscriptions. RevenueCat manages your entitlements; the Apple App Store and Google Play process the payment directly. We only receive your subscription status.
  • Push notifications. Delivered via Expo's push service, if you enable reminders.
  • Error tracking. Crash and error diagnostics are processed by Sentry (United States).

We may also disclose data if required by law, to enforce our Terms, or to protect the safety of our users.

International transfers

Your account and training data are stored in the EU (Hetzner, Germany). When you use the AI coach, the relevant content is sent to the AI provider you (or we, by default) selected, which may be in the United States or another country outside Türkiye and the EU. These transfers happen because they're necessary to provide the feature you requested, and on the basis of your explicit consent (KVKK Art. 9; Art. 49 GDPR). To keep this under your control, use BYOK to route AI requests through your own provider, or avoid the AI features.

Where data lives & how long

Servers and database are in the European Union (Hetzner). We keep your data while your account exists. Backups are rotated regularly, and deleted data ages out of backups within 30 days.

How we protect it

  • Strava tokens and BYOK API keys are encrypted at rest.
  • All traffic is encrypted in transit over HTTPS/TLS.
  • The database is not exposed to the public internet. It's reachable only from the application server on a private network.
  • Sign-in is passwordless, with rate-limiting and lockouts against brute-force and abuse.

Your rights

Under KVKK (Art. 11) and, where applicable, the GDPR, you can request access to your data, correct it, delete it, object to or restrict certain processing, request a copy, and withdraw consent at any time.

You can delete your account from inside the app (Settings → Account). Deleting your account removes your data from the active database immediately and from backups within 30 days. You can also email hello@supatri.com to make any request; we respond within the period required by law (under KVKK, within 30 days). In Türkiye you may also apply to the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu); in the EU/UK, to your local Data Protection Authority.

Your Strava connection

You can disconnect Strava at any time, either in the app or from your Strava account settings (Settings → My Apps → revoke access). Once disconnected, we stop syncing new activities. Data already imported stays until you delete your supaTRI data or account.

Children

supaTRI is not intended for users under 16, and we don't knowingly collect data from anyone under 16.

Changes

If we change this policy materially, we'll update the date above and, where appropriate, notify you in the app before the change applies.

Contact

hello@supatri.com

This document is provided for transparency and is not legal advice.