Privacy & Security

Your physiological data is highly sensitive. We design around encryption-at-rest, least-privilege access, and strict scope limits for support/admin workflows.

Importing from Apple Health & Other Platforms

When you export data from Apple Health, Google Fit, Garmin Connect, or any other wearable or health platform and sync it to Stryde, here is exactly what happens to it:

  • Encrypted immediately. Your health records are encrypted at the record level using AES-256-GCM before being written to our database.
  • Used only to coach you. We read your data to compute scores, generate training plans, and answer questions from your AI coach. That is the only purpose.
  • Never sold. We do not sell, license, or transfer your personal health data to advertisers, data brokers, insurers, or any third party.
  • Never used for AI training. Your data is never used to train, fine-tune, evaluate, or improve any AI or machine learning model — including the models that power Stryde.
  • Deleted on request. Deleting your account triggers a cascade that removes your encrypted records from our systems within 30 days.

No AI Training. Ever.

Your health data is yours. Stryde will never use your personal health records, workout history, sleep data, HRV readings, or any other physiological data to train, fine-tune, benchmark, or evaluate any AI or machine learning model — whether operated by Stryde or a third party. This commitment is unconditional and does not depend on any opt-out setting.

Data Protection Architecture

Traditional fitness apps store your heart rate, sleep, and GPS data in a readable format. This means their employees, advertisers, or hackers could potentially see your entire life.

Stryde is different. We use AES-256-GCM encryption at the individual record level.

  • Google OAuth Only. Stryde does not store passwords. Sign-in is handled by Google, and account MFA or recovery is managed through your Google account.
  • Encrypted Health Payloads. Your health records, workout data, and coaching context are encrypted at rest. Operational metadata — the information needed to run authentication, sync, and support — is kept separate and is not part of your health payload.

Stryde Stores & Computes. The AI Reasons.

Stryde's role is limited to storing your health data and computing derived metrics — fitness scores, load trends, readiness, running dynamics, and similar calculations.

Any coaching advice, training prescription, workout recommendation, or suggestion you receive is generated by the AI model you have chosen to connect (for example, Claude by Anthropic via MCP). Stryde does not prescribe, recommend, direct, or exhort any course of action.

Stryde has no control over what a connected AI model says. The outputs of that model are governed by the AI operator's own terms and policies — not Stryde's. You are responsible for evaluating whether any AI-generated suggestion is right for your situation.

Medical Disclaimer

Stryde is for informational and educational purposes only. It is not a medical device.

By using this application, you acknowledge that:

  • Stryde stores and computes your health data — it does not make coaching decisions.
  • All training suggestions come from the AI model you connected, not from Stryde.
  • You must never ignore professional medical advice because of anything you read on your dashboard or receive from a connected AI.
  • You assume all risk for injuries resulting from following any training suggestion.

MCP Data Access

When you connect Claude or another MCP client using your API token, that client can read your health metrics, workout history, training plans, and coaching memory. It cannot access other users' data. Your token is scoped to your account only and can be rotated from Settings at any time. Revoking the token invalidates future MCP access.

No Aggregate Tracking

We do not sell your personal health data. Operational telemetry may still be processed for reliability, abuse prevention, and product quality.

Total Deletion

When you delete your account, we trigger a cascade that wipes your records from our GCP environment. Your encrypted identifiers are also purged, ensuring no "ghost" records remain. Deletion from active systems completes within 30 days. While your account is active, workout and health records are retained for the life of the account. Security and audit logs are retained for 12 months. Billing records are retained for 7 years as required by law.

Cookies

Stryde sets one session cookie on sign-in. It is HttpOnly, Secure, and SameSite=Lax. It expires when your session ends or after 8 hours, whichever comes first. We do not set advertising, tracking, or third-party analytics cookies.

Sub-processors

Stryde uses the following third-party processors to operate the service:

  • Google Cloud Platform — infrastructure and encrypted database hosting (US). Health and fitness data is stored encrypted at rest; GCP has no access to plaintext health data.
  • Stripe — billing and payment processing (US). Stripe has no access to your health or fitness data.

Your Rights

Regardless of where you are located, you may:

  • Access. Request a copy of the personal data Stryde holds about you.
  • Export. Download your workout and health history from Settings → Data.
  • Correct. Update inaccurate account information from your profile.
  • Delete. Remove your account and all associated data from Settings → Account. Deletion completes within 30 days.

For requests not covered by self-service, email privacy@stryde.coach. We respond within 30 days.

Data Type         | Security                | Access
Health Records    | AES-256 Fully Encrypted | User Only
Calculated Scores | AES-256 Fully Encrypted | User Only
Coach Context     | Record-Level Encryption | User Only
Account Email     | Obfuscated Store        | User + Support