Fitter at 40

How we handle your data

Last updated: 7 June 2026

Who we are

Fitter at 40 is a personal running coaching service operated by Gareth Hiron (England Athletics Level 3 coach), based in Kent, United Kingdom. For the purposes of UK data protection law, Gareth Hiron is the data controller for the information you provide through this coaching platform.

You can contact us at any time at gareth@fitterat40.co.uk.

What data we collect

To deliver your coaching, we collect and process:

  • Account details — your name and email address.
  • Training data — sessions you log or upload (.fit/.gpx files), including distance, pace, duration, route, elevation and cadence.
  • Health & fitness data — heart rate, perceived effort (RPE), and derived metrics such as aerobic efficiency and training load. This is considered "special category" data under UK GDPR and is treated with extra care.
  • Strava data — if you choose to connect Strava, we access your activity data via Strava's API to save you logging sessions manually.
  • Profile details — target races, personal bests, and goals you share with your coach.

Why we use it & our lawful basis

We use your data solely to provide and improve your personal coaching — building your training plan, reviewing your sessions, tracking progress, and communicating with you.

Our lawful bases under UK GDPR are:

  • Performance of a contract — processing your training data is necessary to deliver the coaching you've signed up for.
  • Explicit consent — you give this when you create your account, and it covers your health and fitness data (e.g. heart rate). You can withdraw it at any time.

Who we share it with

We never sell your data. We share it only with the service providers that run this platform, who process it on our behalf under strict data-protection terms:

  • Supabase — secure database and login.
  • Vercel — application hosting.
  • Resend — sending you emails.
  • Anthropic — generating coaching summaries from your training data (not used to train AI models).
  • Strava — only if you connect it, and only to read your activities.

How long we keep it

We keep your data for as long as you are an athlete with Fitter at 40. If you stop coaching with us or ask us to delete your account, we will permanently remove your personal data, including any Strava data, from our systems. If you disconnect Strava, your stored Strava tokens are removed immediately.

Your rights

Under UK GDPR you have the right to: access the data we hold about you; correct inaccurate data; have your data deleted; restrict or object to processing; receive your data in a portable format; and withdraw consent at any time. To exercise any of these, email gareth@fitterat40.co.uk.

You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk if you're unhappy with how we've handled your data.

Security

Your data is protected with industry-standard security: encrypted connections, access controls, and row-level security so that only you and your coach can see your information.