Last updated: March 18, 2026

Privacy Policy

ReadyRun (“ReadyRun”, “we”, “us”) is an adaptive running coach that reads biometric data from wearables you connect (such as Oura Ring and Strava) to compute daily training-readiness scores and workout recommendations. This Privacy Policy explains what we collect, how we use it, how we share it, and the rights you have over your data.

By creating an account or connecting a wearable, you agree to this Privacy Policy. If you disagree with any part of this policy, please do not use the service.

1. Who we are

ReadyRun is operated by Christo Alto (“the Operator”). Contact: topher@christoalto.com.

2. Information we collect

2.1 Account information

  • Email address and (optional) display name
  • Encrypted password hash (handled by our auth provider, Supabase)
  • Timezone, account preferences, and subscription status

2.2 Wearable and health data (only when you connect a provider)

  • Oura Ring (via Oura API v2): sleep duration and stages, heart-rate variability (HRV), resting heart rate, readiness score, activity summaries, tags, and SpO2 where available.
  • Strava: activity metadata (type, duration, distance, elapsed time), heart-rate averages, pace, perceived exertion if logged, and activity timestamps. We do not store raw GPS streams unless you explicitly opt in to a future route feature.
  • HealthKit / Health Connect (native app only, future): health samples you explicitly authorize.

2.3 Usage and device data

  • IP address, browser/user-agent, session identifiers
  • Page views, feature usage, error reports (via Sentry where enabled)

2.4 Data you provide directly

  • Training goals, subjective readiness (mood, energy, soreness, motivation), RPE, and post-workout notes
  • Messages you send to the in-app coach

3. How we use your information

  • To compute your daily readiness score and generate adaptive workout recommendations
  • To generate training plans, weekly reviews, and personalized coach messages
  • To send push notifications you have opted in to (e.g. morning readiness, weekly review)
  • To operate, maintain, and secure the service, and to debug errors
  • To process subscription payments (via Stripe)
  • To comply with law and enforce our Terms

4. AI processing

ReadyRun uses large language models (Anthropic Claude, accessed via Vercel’s AI Gateway) to generate coaching recommendations, weekly reviews, and conversational responses. When we call these models, we send only the minimum data needed (your current readiness components, recent training load, stated goal, and the text you sent). We do not send your email, raw wearable provider tokens, or identifiers unrelated to training. Neither Anthropic nor Vercel trains its models on your data when accessed via our paid API integrations, per their current published terms.

5. How we share your information

We share data only with the sub-processors required to run the service:

  • Supabase — authentication, database hosting (EU/US regions)
  • Vercel — application hosting and AI Gateway routing
  • Cloudflare — DNS and edge protection
  • Anthropic — LLM inference for coaching (via Vercel AI Gateway)
  • Stripe — subscription and payment processing
  • Oura, Strava — only when you have explicitly connected those integrations; we send OAuth tokens back to those providers to pull your data
  • Sentry — error monitoring (optional)

We do not sell your personal data. We do not share it with advertisers. We may disclose data if required by valid legal process (subpoena, court order) or to protect rights, property, or safety.

6. Data retention

We retain your account, training history, and biometric data for as long as your account is active. If you delete your account, we permanently delete the associated rows within 30 days, except where retention is required for legal, accounting, or fraud-prevention reasons (e.g., invoice records).

7. Your rights

  • Access, correction, deletion: you can view, edit, or delete your data from Settings, or email us at topher@christoalto.com.
  • Data portability: request a machine-readable export of your data.
  • Disconnect integrations: revoke Oura or Strava access at any time in Settings. We will immediately stop pulling new data from those providers.
  • Opt out of notifications: manage push-notification preferences in Settings.
  • EU / UK residents: you have rights under GDPR/UK GDPR, including the right to lodge a complaint with your local supervisory authority.
  • California residents: you have rights under the CCPA/CPRA, including the right to know, the right to delete, and the right to non-discrimination.

8. Security

Data is transmitted over TLS. At rest, it’s stored in Supabase Postgres with row-level security so your records can only be read by your own account. Third-party OAuth tokens are stored server-side and never exposed to the browser. Payment details are handled by Stripe and never reach our servers.

9. Children

ReadyRun is not directed to children under 16 and we do not knowingly collect their personal information. If you believe a child has provided us data, email us and we will delete it.

10. International users

ReadyRun is operated from the United States. If you access the service from outside the U.S., you consent to the transfer of your information to the U.S. and its processing by our providers.

11. Changes to this policy

We may update this Privacy Policy. If changes are material, we will notify you in-app or by email at least 7 days before they take effect. The “Last updated” date at the top reflects the current version.

12. Contact

Questions or requests? Email topher@christoalto.com.