Privacy Policy

Last updated: March 9, 2026

Stimulus ("we", "us", "our") is a workout tracking web application. This policy explains what data we collect, why we collect it, and your rights under the General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. Data We Collect

Account information: When you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

Workout data: Exercises, sets, reps, weights, personal records, body metrics, templates, and programs you create within the app.

AI Coach conversations: Messages you send to the AI Coach feature and the responses generated. These are stored to maintain conversation history.

Feedback: Any feedback you voluntarily submit through the app.

Technical data: Server logs may contain IP addresses, browser type, and request timestamps. These are retained for up to 30 days for security and debugging purposes.

2. How We Use Your Data

To provide and operate the workout tracking service
To generate AI coaching responses based on your training history
To sync workouts to connected services (e.g., Strava) at your request
To improve the app based on aggregated, anonymized usage patterns
To respond to your feedback and support requests

3. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

Contract performance: Processing necessary to provide you with the service you signed up for
Legitimate interest: Server logs for security, aggregated analytics for service improvement
Consent: Optional features like Strava integration and AI Coach — you choose to enable these

4. Third-Party Services

We share data with third parties only as necessary to operate the service:

Google OAuth: Authentication only. We receive basic profile info; Google does not receive your workout data.
Anthropic (Claude AI): When you use AI features (Coach chat, program generation, weekly check-ins, post-workout summaries, dashboard nudges), your training data is sent to Anthropic's API. This includes: workout history, exercise names and performance, body metrics, personal records, program details, and your chat messages. Anthropic does not use API data to train models. See Anthropic's privacy policy.
Strava: If you connect Strava, completed workouts are uploaded to your Strava account. You can disconnect at any time.
Railway: Our hosting provider. Data is stored on Railway's infrastructure in the US.

5. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on Railway's infrastructure. We use HTTPS encryption for all data in transit, httpOnly cookies for session management, and follow security best practices including rate limiting, input validation, and secure headers.

6. Data Retention

Your workout data is retained for as long as your account exists. You can delete individual workouts at any time, or delete your entire account (see below), which permanently removes all associated data.

7. Your Rights

Under the GDPR and similar privacy laws, you have the right to:

Access: Export all your data in JSON or CSV format from Settings
Rectification: Edit your workout data directly in the app
Erasure: Delete your account from Settings, which permanently removes all your data
Data portability: Export your data in machine-readable format (JSON/CSV)
Restriction/Objection: Contact us to restrict or object to specific processing

8. Cookies

We use a single essential cookie (session) for authentication. We do not use tracking cookies, advertising cookies, or analytics cookies. No cookie consent banner is needed as we only use strictly necessary cookies.

9. Children's Privacy

Stimulus is not directed at children under 16. We do not knowingly collect data from children under 16.

10. International Data Transfers

Your data is processed and stored in the United States. By using Stimulus, you acknowledge this transfer. We rely on the service's security measures as appropriate safeguards.

11. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated through the app's announcement banner. The "last updated" date at the top reflects the most recent revision.

12. Contact

For privacy-related questions or to exercise your rights, use the feedback form in the app or email us at privacy@stimulus.fit.