Privacy Policy

Last updated: 5 May 2026

This Privacy Policy describes how Straix ("we," "our," or "us") collects, uses, and protects your information when you use the Straix AI coaching service. It applies to the website at straix.fit and the application at app.straix.fit.

1. Information we collect

When you create an account and connect your Garmin account, we collect and process the following data:

• Account: email address (used as your login), display name (optional), the timezone you set, and an admin flag if applicable.
• Garmin credentials: the Garmin username and password you provide. These are encrypted at rest using a server-side master key (Fernet / AES-128 in CBC mode with HMAC-SHA256 authentication) before being written to the database. They are decrypted only in process memory when your account needs to read fresh data from Garmin.
• Activity and health data from Garmin Connect: workout type, duration, distance, pace, heart rate (average, max), perceived effort, daily resting heart rate (RHR), heart rate variability (HRV), sleep duration and stages, training status and load, body battery, weight (if recorded on a paired scale).
• Goal and program data: the goal you set (type, target distance, available days, equipment, constraints), the AI-generated 4-week program, your sync activity, and the workouts that result.
• Subjective feedback: if you log perceived effort, mood, or notes on a session, we store those alongside the session.

2. How we use your information

We use your data solely to:

• Generate a personalized AI coaching program from your goal, recent biometrics, and recent activities.
• Adapt the program mid-block based on objective Garmin signals (HRV trend, RHR drift, sleep, training load).
• Push structured workouts to your Garmin calendar so they appear on your watch on the scheduled day.
• Generate a post-mesocycle review summarizing what worked and what to change next block.
• Send you transactional notifications about your plan (e.g. when the AI proposes a mid-block change, or when a new program is ready to review).

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties for marketing purposes.

3. Data storage and security

Account data, goal data, program data, daily metrics, and session history are stored in a managed Postgres database hosted on Supabase (AWS infrastructure). The application server runs on a DigitalOcean droplet. All connections between your browser, our server, the database, and third-party APIs use TLS 1.2 or higher.

Your Garmin credentials are encrypted at rest with a master key that lives only in server environment configuration — it is never stored in the database itself.

4. AI processing

To generate program plans, mid-block proposals, and reviews, we send your training metrics and goal payload to Anthropic's Claude API. We do not send your name, email, Garmin credentials, or other directly identifying information to the AI provider — only the metrics needed to produce a coaching recommendation. Anthropic is contractually prohibited from training their models on this data and from retaining it beyond the request lifecycle.

5. Your rights

You have the right to:

• Access the data we hold about you
• Receive a copy of your data in a portable format
• Correct inaccurate data
• Delete your account and all associated data at any time
• Disconnect your Garmin account at any time, which removes the encrypted credentials and stops any further data collection from Garmin

To exercise any of these rights, email privacy@straix.fit. We respond within 30 days. Requests do not require a paid subscription.

6. Data retention

We retain your data for as long as your account is active. If you delete your account, all personal data — including Garmin credentials, Garmin-derived metrics, goals, programs, and session history — is permanently removed within 30 days. Anonymized, aggregated statistics with no identifiers may be retained for service improvement.

7. Third-party services

Straix uses the following third-party services to operate:

• Garmin Connect — to read your workouts, daily metrics, and sleep, and to push planned workouts to your watch's calendar.
• Supabase — for user authentication and managed Postgres database hosting.
• Anthropic (Claude API) — for AI program generation, mid-block proposals, and reviews. Anonymized metrics only.
• Resend — for transactional email (account confirmations, mid-block proposal notifications, weekly digests).
• DigitalOcean — for hosting the application server.

We have not integrated payment processing yet. When we do, the policy will be updated to identify the payment provider before any charge occurs.

8. Cookies and tracking

Straix uses a small number of cookies and equivalent localStorage entries strictly necessary for authentication and to remember your interface state (for example, whether your goal panel is expanded). We do not use third-party analytics, tracking pixels, or advertising cookies.

9. Children's privacy

Straix is not intended for users under 16. We do not knowingly collect data from children. If you become aware that a child has provided us with personal data, please contact us so we can remove it.

10. International transfers

Straix is operated from Saudi Arabia. Your data may be processed in any country where our service providers operate, including the United States and the European Union. We rely on the providers' standard contractual safeguards for international transfers.

11. Changes to this policy

We may update this Privacy Policy as the service evolves. Material changes will be communicated by email and posted on this page with a new "Last updated" date. Continued use of the service after a material change constitutes acceptance of the updated policy.

12. Contact

For privacy questions, contact: privacy@straix.fit.

Operator: Abdulaziz Aloshin, Riyadh, Saudi Arabia.

← Back to home