Privacy

Privacy Policy

Effective date: April 22, 2026

This policy applies to STRV websites, mobile apps, and related services. It should be read with our Terms of Service, Health Data Policy, and Health Disclaimer.

Summary

  • We do not sell your personal data.
  • We do not use health data for cross-context behavioral advertising.
  • We process data to operate STRV, protect users, and deliver requested features.
  • You can request access, correction, deletion, and export, subject to legal limits.

1. Who we are

For privacy requests, contact: [email protected].

Before production launch, insert your full legal entity name, ABN (if applicable), and registered business address.

2. Personal information we collect

  • Account data: name, email, sign-in identifiers, account preferences.
  • Subscription and transaction metadata.
  • User inputs: workouts, food logs, goals, notes, progress entries.
  • Health and wellness data you enter or sync via permitted integrations.
  • Technical and diagnostic data: device type, OS, app version, crash logs, events.
  • Support records: support requests, attachments, and troubleshooting metadata.

3. How and why we use personal information

  • Provide, personalize, and maintain the service you requested.
  • Authenticate users and secure accounts.
  • Generate analytics and AI responses inside product features.
  • Process purchases, subscriptions, and customer support.
  • Prevent abuse, enforce terms, investigate incidents.
  • Comply with legal obligations and lawful requests.

Where required by law, we rely on consent, contractual necessity, legitimate interests, and legal obligations as applicable.

4. Service providers and integrations

We use vetted providers under contractual controls and privacy/security obligations.

  • OpenAI: AI model inference for in-product AI features.
  • AWS: cloud infrastructure, storage, networking, and service operations.
  • Supabase: backend data services and platform tooling.
  • Apple APNs: push notification delivery tokens and routing metadata.
  • Google authentication: sign-in identity data where you choose Google login.
  • Strava (optional): activity data only if you explicitly connect and authorize.

5. Strava-specific disclosure

  • Strava is opt-in only and controlled by OAuth permissions you approve.
  • Strava data is shown to the connected STRV account holder who authorized access.
  • Disconnecting Strava stops ongoing sync and invalidates local connection tokens.
  • Use of Strava data is subject to applicable Strava API rules in addition to this policy.

6. Disclosure of personal information

We may disclose personal information to service providers, corporate transaction parties, regulators, or law enforcement where legally required. We do not sell personal information.

7. International disclosures

We may disclose or process personal information outside Australia. Where Australian Privacy Principle 8 applies, we take reasonable steps to ensure overseas recipients handle data consistently with applicable privacy protections.

8. Data retention

We retain personal information for as long as required to deliver services, meet legal and accounting requirements, resolve disputes, and enforce agreements. Retention periods differ by data type and account state.

If you request deletion, we delete or de-identify eligible data within operational retention windows, except where retention is required by law.

9. Security

We use administrative, technical, and organizational controls designed to protect personal information, including encryption in transit, access controls, and monitoring. No system can be guaranteed perfectly secure.

10. Your rights

Depending on your jurisdiction, you may have rights including access, correction, deletion, objection, restriction, withdrawal of consent, and portability.

For Australian users, we support requests consistent with APP 12 (access) and APP 13 (correction) where applicable. We respond within reasonable timeframes.

You can also manage many controls directly in-app, including linked-provider connections and account settings.

11. Marketing messages

Where we send commercial electronic messages to users in Australia, we aim to comply with the Spam Act 2003, including sender identification and unsubscribe functionality.

12. Complaints

If you have a privacy concern, contact us first at [email protected] so we can investigate and respond.

If you are in Australia and remain unsatisfied, you may be able to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

13. Children

STRV is not directed to children under 13 and is intended for users who can lawfully enter these terms in their jurisdiction.

14. Changes to this policy

We may update this policy from time to time. Material updates may be notified in-app, on our site, or through other reasonable channels.