ZoneTwo

Privacy

Your data.

Short, honest, and human. Last updated 24 April 2026. ZoneTwo is a third-party Strava API application. We follow the Strava API Agreement and Brand Guidelines.

In plain English

The summary

ZoneTwo is a coaching product for endurance athletes. To work, we read your Strava activities and the profile you tell us about (age, weight, goals). We use that to compute training metrics and to generate written coaching analyses. We do not sell your data, we do not show ads, and we keep what we collect to the minimum we need.

§1

What we collect

  • Strava activity data: activity type, date, duration, distance, heart rate, power, cadence, elevation, route metadata, and your Strava athlete identifiers. Pulled through the Strava API after you authorize us, subject to Strava's own Terms of Service and Privacy Policy.
  • Profile you provide: age, weight, gender, FTP / threshold heart rate / threshold pace, weekly training hours, experience level, training goal, optional injury history.
  • Account: name and avatar image returned by Strava at sign-in; session tokens needed to keep you signed in.
  • Generated analyses: the written coaching reports and their associated token-usage costs.
  • Basic logs: timestamps and error traces from server requests, kept for debugging. No mouse-tracking, no analytics pixel networks.
§2

Why we collect it

To do the thing you signed up for: show you your training metrics (CTL, ATL, TSB, monotony), compute personalized zones, and generate coaching analyses from the AI model. That's the only purpose.

We do not use your training data to train or fine-tune any AI model. We do not share aggregated or individual activity data with advertisers, brokers, or anyone else for marketing.

§3

Third parties we send data to

  • Strava: source of your activity data. We follow their API Agreement and display the “Powered by Strava” attribution wherever your activity data is shown.
  • Anthropic (Claude API): when you request an analysis or chat with the coach, we send a summary of your activities and metrics to Anthropic's Claude model to generate the response. This is inference only — we do not train or fine-tune any model on your data, and Anthropic does not use API-submitted content to train their models either, per their standard API Terms. See anthropic.com/legal/privacy.
  • Hosting infrastructure: the app and its managed PostgreSQL database run on reputable cloud hosting providers. These providers only store data as an operational backend; they do not access it.
§4

How long we keep it

  • Raw Strava activity rows: 7 days maximum. Required by the Strava API Agreement. After 7 days the raw row (activity name, per-session heart rate, power, route metadata) is deleted automatically by a daily background job.
  • Derived daily training load — a per-day number for TSS, duration, and approximate time-in-zone computed by us from your activity — is retained while your account is active. These are statistics we compute, not Strava's data; they power long-range metrics like CTL/ATL.
  • Generated analyses and chat history: retained while your account is active so you can read your history. These are our AI-generated output, not Strava data.
  • Profile and account: kept while your account exists.
  • Server logs: 30 days.
  • On Strava deauthorization or account deletion: all of the above, including derived aggregates, is erased within 24 hours.
§5

Your rights

  • Access / export: email us and we'll send a copy of your data.
  • Delete: the Settings page lets you log out; to fully erase your ZoneTwo account and all associated activities and analyses, email us and we'll process the deletion within 7 days.
  • Disconnect Strava: revoke our access anytime from your Strava settings (strava.com/settings/apps). Strava notifies us via webhook and we automatically delete all your activity data, profile, and generated analyses within 24 hours, as required by the Strava API Agreement.
  • Correct: edit your profile on the Settings page any time.
  • If you're in the European Union or UK, you additionally have GDPR rights to restrict processing, object, and lodge a complaint with your local data protection authority.
§6

Security

Data at rest is encrypted by our hosting providers. Access to the production database is limited to the project owner and required operational tooling. We use OAuth 2.0 for Strava authentication; we never see or store your Strava password.

That said — no service is bulletproof. If we ever experience a breach affecting your data, we will notify Strava within 24 hours (as required by the Strava API Agreement) and notify affected users by email within 72 hours (GDPR standard), both counted from confirmation of the incident.

§7

Cookies

We use a single session cookie to keep you signed in. That's it. No analytics cookies, no ad tracking, no cross-site fingerprinting.

§8

Children

ZoneTwo is not intended for anyone under 16. We do not knowingly collect data from minors. If you believe a child has created an account, email us and we will remove it.

§9

Changes to this policy

If we change anything material, we'll update the “last updated” date at the top of this page and email active users at least 14 days before the change takes effect.

§10

Contact

Questions, exports, deletions, or anything else: privacy@zonetwo.app.