Privacy Policy

Effective date: April 9, 2026

Overview

Rudder (“we,” “our,” “us”) is a feel-first training advisor for endurance athletes. This Privacy Policy describes how we collect, use, and protect your personal data when you use tryrudder.com and our related services.

We take your privacy seriously. We collect only the data necessary to provide personalized training recommendations, and we never sell your data.

1. What We Collect

Account information

Email address (for authentication and communication)
Strava profile ID (if connected)

Self-reported training data

Energy level, soreness, motivation, and life stress ratings
Free-text notes you choose to provide
Planned workout details
Post-workout feedback and ratings

Device data (via third-party APIs, with your explicit consent)

Strava: workout history, heart rate zones, activity type and duration
Oura Ring: sleep quality, HRV, resting heart rate, readiness scores
WHOOP: recovery score, HRV, resting heart rate, sleep stages (deep, REM, light), strain, respiratory rate
Polar: Nightly Recharge (HRV-derived recovery), sleep stages, heart rate, training sessions
Withings: weight, body fat percentage, muscle mass, hydration, blood pressure, heart rate
Wahoo: workout data from ELEMNT bike computers and KICKR trainers (power, heart rate, cadence, duration)
Intervals.icu: planned workouts, fitness/fatigue/form metrics (CTL/ATL/TSB), wellness data
Garmin Connect: activity data (distance, duration, pace, heart rate), sleep duration and quality (light, deep, REM stages), resting heart rate, heart rate variability (HRV), Body Battery, stress levels, and VO2 Max estimates
TrainingPeaks: planned workouts from your calendar (via iCal feed)

Usage data

Check-in frequency and timing
Which recommendations you followed or overrode
Feedback you provide on recommendations

2. How We Use Your Data

Generate personalized training recommendations. Your self-reported data and device data are combined to determine whether to train as planned, modify, or rest.
Build your personal model. Over time, we learn your patterns (your “Model of Me”) to improve recommendation accuracy. This model is specific to you and is not shared with others.
Improve the product. We analyze aggregate, anonymized usage patterns to improve our recommendation algorithms. Individual data is never used for this purpose without anonymization.

3. Third-Party Data Sources

Strava

We access your Strava data through their official API with your explicit OAuth consent. In compliance with the Strava API Agreement, we do not use Strava data for AI/ML model training. Your Strava data is used solely to inform your personal recommendations. When you disconnect Strava, we delete your Strava data from our systems.

Oura Ring

We access your Oura Ring data through their official API with your explicit OAuth consent. In compliance with the Oura API Agreement, we do not sell, lease, or share your Oura data. Your Oura data is used solely to inform your personal recommendations. When you disconnect Oura, we delete your Oura data from our systems.

Garmin Connect

We access your Garmin Connect data through Garmin's official Health API using the OAuth 2.0 protocol, with your explicit consent. We request read-only access to your fitness and health data. We cannot post activities, edit existing data, or access any non-fitness information on your Garmin account.

Data we access via the Garmin API:

Activity data: distance, duration, pace, heart rate (average and maximum), cadence, elevation gain
Sleep data: duration and quality breakdowns (light, deep, REM stages)
Recovery metrics: resting heart rate, heart rate variability (HRV), Body Battery, stress levels
Fitness estimates: VO2 Max

This data is used solely to inform your personal training recommendations within Rudder. We do not sell, lease, or commercially distribute your Garmin data. We do not use Garmin data for AI/ML model training on aggregated datasets. Your Garmin data is processed only in the context of your individual account to generate personalized readiness assessments and training guidance.

When you disconnect Garmin from Rudder, we immediately stop accessing your Garmin data and revoke the OAuth tokens. You can disconnect at any time from the Settings page. Garmin's own privacy practices are governed by the Garmin Connect Privacy Policy.

WHOOP

We access your WHOOP data through their official Developer API with your explicit OAuth 2.0 consent. We request read-only access to recovery, sleep, workout, and cycle data. In compliance with the WHOOP Developer Agreement, we do not sell, lease, or share your WHOOP data with third parties. Your WHOOP data is used solely to inform your personal training recommendations. When you disconnect WHOOP from Rudder, we immediately stop accessing your data and revoke the OAuth tokens. WHOOP's own privacy practices are governed by the WHOOP Privacy Policy.

Polar

We access your Polar data through the Polar AccessLink API with your explicit OAuth consent. We request read-only access to sleep, Nightly Recharge, and training data. Your Polar data is used solely to inform your personal recommendations. When you disconnect Polar, we immediately stop accessing your data. Polar's own privacy practices are governed by the Polar Privacy Notice.

Withings

We access your Withings data through their official API with your explicit OAuth consent. We request read-only access to body composition (weight, body fat, muscle mass) and vitals (blood pressure, heart rate). Your Withings data is used solely to inform your personal recommendations. When you disconnect Withings, we immediately stop accessing your data. Withings' own privacy practices are governed by the Withings Privacy Policy.

Wahoo

We access your Wahoo workout data through their official API with your explicit OAuth consent. We request read-only access to completed workouts (power, heart rate, cadence, duration) from ELEMNT bike computers and KICKR trainers. Your Wahoo data is used solely to inform your personal recommendations. When you disconnect Wahoo, we immediately stop accessing your data. Wahoo's own privacy practices are governed by the Wahoo Privacy Policy.

Intervals.icu

We access your Intervals.icu data through their official API with your explicit OAuth consent. We request read-only access to planned workouts, wellness data, and fitness metrics (CTL, ATL, TSB). Your Intervals.icu data is used solely to inform your personal recommendations. When you disconnect Intervals.icu, we immediately stop accessing your data.

TrainingPeaks

If you provide a TrainingPeaks iCal feed URL, we read your planned workouts to pre-populate your daily training plan. We access only the calendar data you share and do not modify your TrainingPeaks account.

4. Data Sharing

We do not sell your personal data. We do not share your individual data with third parties for their marketing or commercial purposes.

We may share data only in these limited circumstances:

With service providers who help us operate Rudder (hosting, database), under strict data processing agreements
If required by law or legal process
To protect the safety of our users or the public

5. Data Retention & Deletion

Your data is retained for as long as your account is active. You can delete your account and all associated data at any time from Settings.

When you delete your account:

All personal data, check-ins, recommendations, and device data are permanently deleted
All OAuth tokens (Strava, Oura, WHOOP, Polar, Withings, Wahoo, Intervals.icu, Garmin) are revoked
Your user record is anonymized (tombstoned). we retain only a non-identifiable record that an account existed
This process is irreversible

When you disconnect a device (any provider), we immediately revoke the OAuth tokens and stop accessing your data from that service. Historical data pulled from that device remains to preserve your recommendation history, unless you delete your account entirely.

6. Security

We implement reasonable security measures to protect your data:

All data is encrypted in transit (HTTPS/TLS)
Authentication tokens are hashed (SHA-256) before database storage
OAuth tokens for all connected services (Strava, Oura, WHOOP, Polar, Withings, Wahoo, Intervals.icu, Garmin) are stored encrypted
Database access is restricted to our application servers

No system is perfectly secure. If we discover a data breach affecting your personal data, we will notify you promptly.

7. Your Rights

You have the right to:

Access your data. View your profile, check-in history, and Model of Me in the app
Delete your data. Delete your entire account from Settings
Withdraw consent. Disconnect devices or revoke data processing consent at any time
Data portability. Contact us to request an export of your data

To exercise these rights, use the in-app controls or contact us at privacy@tryrudder.com.

8. Health Data (GDPR Article 9)

Rudder processes health-related data, including biometric data from wearable devices and subjective wellness assessments. Under GDPR Article 9, this data requires explicit consent for processing, separate from general terms of service acceptance.

We obtain explicit consent for each category of health data:

Self-reported feel data. consented during onboarding
Strava biometric data. consented before OAuth connection
Oura biometric data. consented before OAuth connection
WHOOP biometric data. consented before OAuth connection
Polar biometric data. consented before OAuth connection
Withings body composition data. consented before OAuth connection
Wahoo workout data. consented before OAuth connection
Intervals.icu planned workout and fitness data. consented before OAuth connection
Garmin biometric data. consented before OAuth connection

Each consent is recorded with a timestamp. You may withdraw any consent at any time by disconnecting the relevant data source or deleting your account.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification. Your continued use of Rudder after changes constitutes acceptance of the updated policy.

10. Contact

Questions about this Privacy Policy? Contact us at privacy@tryrudder.com.