Privacy Policy

Last updated: March 2026

We wrote this policy in plain language because we believe you should understand how your data is handled without hiring a lawyer. Each section starts with a human-readable summary.

The short version

  • Your data belongs to you. We never sell it.
  • We don’t use your data for advertising. Ever.
  • Youth athlete data gets extra protection — always.
  • You can export all your data anytime, in standard formats.
  • If you leave, we delete your data when you ask. No hostage games.

Who We Are

Smagpie Coaching is built by a family of coaches in the United States. We are the company responsible for your data — not a middleman, not a subsidiary.

The data controller for the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws is: Smagpie LLC, United States of America. For privacy-related inquiries: privacy@smagpie.com. For EU/EEA users: our EU Representative contact details are available upon request at privacy@smagpie.com. For UK users: our UK Representative contact details are available upon request at privacy@smagpie.com.

What We Collect

We collect your account info (name, email), your team/roster data, workout definitions, and athlete training results (activities synced from watches). We don’t collect anything we don’t need.

Detailed list of data collected, organized by category: Account (name, email, role, organization), Team (roster, groups, sport assignments), Workout (workout definitions, training plans, exercise selections), Activity (GPS tracks, heart rate, power, pace, RPE, session metrics synced from watches), Device Integration (Garmin Connect and Coros tokens, device identifiers for watch sync). We do not collect biometric data beyond what is voluntarily synced through connected watches. We do not collect: Social Security numbers, driver’s license numbers, financial account numbers, precise real-time geolocation for purposes other than activity tracking, or biometric identifiers for identification purposes. For the purposes of CCPA/CPRA compliance, the following maps our data collection to CCPA categories: (A) Identifiers — name, email, username — collected, not sold, not shared for cross-context behavioral advertising; (B) Personal information per Cal. Civ. Code 1798.80(e) — name, address, phone — collected, not sold, not shared; (D) Commercial information — subscription plan, transaction history — collected, not sold, not shared; (F) Internet or network activity — log data, feature usage — collected, not sold, not shared; (G) Geolocation data — GPS tracks from activities — collected, not sold, not shared; (K) Inferences — fitness trends, training load estimates — collected, not sold, not shared. Sensitive Personal Information (CPRA): We may process precise geolocation (activity GPS data) and health-related data (heart rate, fitness metrics synced from wearable devices). This data is used solely to provide the Smagpie Coaching service and is not used for purposes other than those disclosed at the time of collection. You have the right to limit the use and disclosure of your sensitive personal information.

How We Use It

We use your data to deliver the service — scaling workouts, syncing to watches, showing compliance dashboards. We don’t use it for advertising, profiling, or anything outside of making Smagpie work for you.

Specific purposes: workout individualization (scaling intensities to athlete thresholds), watch synchronization (sending workouts to Garmin/Coros devices, receiving completed activities), compliance monitoring (training load, fitness/fatigue tracking), team management (roster organization, group assignments), performance analytics (1RM tracking, effort index calculations). We do not use your data for behavioral advertising, user profiling for third parties, or any purpose unrelated to delivering the Smagpie Coaching service. Under the GDPR, we rely on the following legal bases for processing: Performance of contract (Art. 6(1)(b)) — providing the coaching service, account creation, syncing workouts, compliance dashboards, billing and subscription management, transactional emails. Consent (Art. 6(1)(a)) — syncing health data from wearables (Art. 9(2)(a)), marketing communications. Legitimate interest (Art. 6(1)(f)) — security monitoring and fraud prevention, service improvement using aggregate anonymized data. Legal obligation (Art. 6(1)(c)) — compliance with tax, accounting, and legal requirements. Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your rights and freedoms. You may object to processing based on legitimate interest by contacting privacy@smagpie.com. Where we rely on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal. You can withdraw consent through your account settings or by contacting privacy@smagpie.com.

Who We Share With

We share data with Garmin and Coros to sync workouts and activities — only what’s needed. We use standard infrastructure providers (hosting, email). We never sell your data to third parties. We never share it with advertisers.

Third-party processors: Garmin Connect API (workout sync, activity retrieval), Coros Training Hub API (workout sync, activity retrieval), Microsoft Azure (cloud hosting, database), Cloudflare (CDN, DNS, DDoS protection), email service provider (transactional emails only). Each processor receives only the minimum data necessary for their specific function. We have data processing agreements with all processors. We do not sell, rent, or trade personal data to any third party for any purpose. Our subprocessors may process data in jurisdictions outside your home country. We ensure each subprocessor is bound by appropriate data transfer mechanisms and contractual protections equivalent to those we apply to your data.

Children & Youth Athletes

We know that many of your athletes are young. We take extra care with their data. If an athlete is under 13 (in the US) or below the applicable age of consent in their country, we require verified parental or guardian consent before their data enters our system. We never use youth data for marketing. We never share it beyond what’s needed to run the service.

Smagpie Coaching is used by coaches and organizations that work with athletes of all ages, including minors. We recognize our heightened obligations under the following laws: United States — COPPA (Children’s Online Privacy Protection Act): We do not knowingly collect personal information directly from children under 13 without verifiable parental consent. When a coach or organization creates an account for an athlete under 13, we require the coach or organization to certify that they have obtained verifiable parental consent before entering the child’s personal information into our system. We collect only the minimum data necessary to provide the coaching service. We do not condition an athlete’s participation on the disclosure of more personal information than is reasonably necessary. Parents or guardians may review, request deletion of, or refuse further collection of their child’s personal information by contacting privacy@smagpie.com. European Union — GDPR Article 8: The age at which a child can independently consent to data processing varies by EU Member State. We apply the following thresholds: Germany (16), France (15), Spain (14), Italy (14), Portugal (13), and the GDPR default (16) for all other EU/EEA countries. For athletes below the applicable age, we require consent from the holder of parental responsibility. We make reasonable efforts to verify that such consent has been given. United Kingdom — UK GDPR and Age Appropriate Design Code (AADC): We apply high-privacy default settings for all users under 18. We do not use profiling or automated decision-making for users under 18 unless strictly necessary for the coaching service. We do not use nudge techniques to encourage minors to lower their privacy settings. Geolocation data for minors is used only for activity tracking as requested by their coach, and is not used for any other purpose. 
Brazil — LGPD Article 14: We process personal data of children (under 12) only with specific and prominent consent from at least one parent or legal guardian. For adolescents (12–17), we apply enhanced protections and process data only in the best interest of the minor. General commitments for all youth data: Youth data is never used for marketing, advertising, or profiling purposes. Youth data is never sold, shared with, or disclosed to third parties except as strictly necessary to deliver the coaching service (e.g., syncing workouts to a wearable device at the coach’s direction). Youth data is subject to enhanced retention limits — we delete it promptly upon account closure or upon request from a parent, guardian, or the coach/organization. We do not use youth data for AI/ML model training.

Coach-Athlete Data

When a coach or organization uses Smagpie, they decide what data to collect about their athletes and how to use it. We process that data on their behalf. Your coach is responsible for having proper authority to manage your training data — we give them the tools and keep the data safe.

Smagpie operates in a dual-role model depending on the context of data processing. Smagpie as Controller: We act as the data controller for account registration data, billing information, service usage analytics, and direct communications with users. For this data, we determine the purposes and means of processing and are directly responsible for compliance with applicable data protection laws. Smagpie as Processor: When a coach or organization enters athlete training data — including workout assignments, performance metrics, activity results, and roster information — the coach or organization acts as the data controller, and Smagpie acts as the data processor. In this capacity, we process athlete data only on the documented instructions of the coach or organization. We provide Data Processing Agreements (DPAs) to coaches and organizations upon request, as required by GDPR Article 28. Coach Responsibilities: Coaches and organizations using Smagpie are responsible for: (a) obtaining any necessary consents from athletes or their parents/guardians before entering personal data; (b) complying with applicable privacy laws in their jurisdiction when accessing, using, downloading, or sharing athlete data; (c) ensuring that any data exported from Smagpie is handled in accordance with applicable privacy laws. Smagpie is not responsible for a coach’s or organization’s independent data handling practices outside of our platform. Athlete Visibility: Athletes on the platform can see what data their coach has entered and what has been synced from their devices. Athletes can export their own data at any time.

Health & Fitness Data

Heart rate, GPS tracks, power output, and other data from your watch are health-adjacent data with special legal protections. We treat all fitness data as sensitive. We only collect it when you or your coach sync a device, and we only use it to deliver the coaching service.

Smagpie collects and processes health and fitness data as defined under the Washington My Health My Data Act (RCW 19.373), the EU GDPR (as data concerning health under Article 9 where applicable), and analogous laws. This includes but is not limited to: GPS location tracks recorded during activities, heart rate and heart rate variability data, power output (cycling, rowing), pace and speed data, rate of perceived exertion (RPE), session duration/distance/elevation, and derived metrics such as Training Stress Score, fitness/fatigue estimates, and effort indices. Collection: We collect health and fitness data only when a user or their coach actively syncs a wearable device (Garmin, Coros) or manually enters data. We do not passively collect health data. We do not collect health data from devices or sources the user has not explicitly connected. Use: We use health and fitness data solely to provide the Smagpie Coaching service, including: displaying activity results, calculating compliance metrics, tracking fitness/fatigue trends, computing individualized workout intensities, and presenting performance analytics. We do not use health and fitness data for advertising, user profiling for third parties, or any purpose unrelated to the coaching service. Sharing: Health and fitness data is shared only with: (a) the coach or organization the athlete is connected to on the platform; (b) Garmin Connect or Coros Training Hub APIs as necessary to sync workouts and retrieve activities, transmitting only the minimum data required; (c) our infrastructure providers (Microsoft Azure) for hosting and storage. We never sell health or fitness data. We do not share it with advertisers, data brokers, or any third party for commercial purposes. 
Consumer Health Data Rights (Washington): Washington state residents have the right to access their consumer health data, request correction or deletion, withdraw consent to collection or sharing, and receive confirmation that opt-out requests have been processed. To exercise these rights, use the self-service tools in your account settings or email privacy@smagpie.com.

Data Retention

We keep your data for as long as you use Smagpie. When you leave or ask us to delete your data, we do — within 30 days. We don’t hold your data hostage. Backups are purged on their normal rotation cycle.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specific retention periods: Account data (name, email, role) — duration of account plus 30 days after deletion request. Team and roster data — duration of account plus 30 days. Workout definitions and training plans — duration of account plus 30 days. Activity data (GPS, HR, power, pace) — duration of account plus 30 days. Device integration tokens — until disconnected or account deleted. Billing and transaction records — 7 years after transaction (tax and legal compliance). Server logs (anonymized) — 90 days (security monitoring and debugging). Support correspondence — 2 years after resolution (quality assurance). Upon receiving a valid deletion request, we delete or anonymize your personal data within 30 days. Encrypted backup copies are purged on their normal rotation cycle, not exceeding 90 days. We may retain limited data where required by law (e.g., tax records) or to resolve disputes, and will inform you if this applies.

International Transfers

Smagpie is based in the United States. If you’re outside the US, your data crosses borders when it reaches our servers. We use industry-standard legal mechanisms to protect your data during that transfer.

Smagpie LLC is based in the United States. Our primary infrastructure is hosted on Microsoft Azure. When you use Smagpie from outside the United States, your personal data is transferred to, stored in, and processed in the United States. EU/EEA and UK Users: We transfer personal data from the EU/EEA and UK to the United States pursuant to the EU-U.S. Data Privacy Framework (DPF), and/or Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), as supplemented by any necessary additional safeguards identified through a Transfer Impact Assessment (TIA). You may request a copy of the applicable transfer mechanism by contacting privacy@smagpie.com. Brazilian Users: We transfer personal data from Brazil pursuant to LGPD Article 33, relying on Standard Contractual Clauses or your explicit and specific consent for the transfer, with clear information about the international nature of the transfer provided prior to consent. Subprocessor Transfers: Our subprocessors (listed in the “Who We Share With” section) may process data in jurisdictions outside your home country. We ensure each subprocessor is bound by appropriate data transfer mechanisms and contractual protections equivalent to those we apply to your data.

Cookies & Tracking

Our marketing site uses minimal cookies — just what’s needed for the site to work. The coaching application uses session cookies to keep you logged in. We don’t use advertising trackers or sell cookie data.

We use the following categories of cookies and similar technologies: Strictly Necessary Cookies — essential for the operation of our website and application, including session authentication cookies, security tokens (CSRF protection), and load balancing cookies. These cannot be disabled without breaking core functionality. Analytics — we use privacy-focused analytics that do not track individual users across sites and do not collect personal data for analytics purposes. We do not use: third-party advertising cookies or tracking pixels, cross-site tracking technologies, fingerprinting or similar identification techniques, or social media tracking widgets. Cookie Controls: You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may impair the functionality of the application. For EU/EEA and UK users, non-essential cookies (if any) are loaded only after obtaining your consent.

Your Rights

You can export your data anytime in standard formats (.fit, .csv). You can request deletion of your account and all associated data. You can update or correct your information. These aren’t buried processes — they’re buttons in your settings.

Right to access: view all data we hold about you and your athletes. Right to export: download your data in industry-standard formats (.fit for activities, .csv for structured data). Right to correction: update or correct any personal information. Right to deletion: request complete removal of your account and all associated data. Right to restriction: limit how we process your data. Right to object: opt out of any non-essential processing. Your rights vary depending on your jurisdiction: EU/EEA and UK Residents (GDPR/UK GDPR): Right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to restriction of processing (Art. 18), right to data portability (Art. 20), right to object (Art. 21), right not to be subject to automated decision-making (Art. 22), right to withdraw consent, right to lodge a complaint with your local supervisory authority. California Residents (CCPA/CPRA): Right to know (categories and specific pieces of personal information), right to delete, right to correct, right to opt out of sale/sharing, right to limit use of sensitive personal information, right to non-discrimination for exercising your rights. You may designate an authorized agent to make requests on your behalf. Brazilian Residents (LGPD): Right to confirmation of processing, right of access, right to correction, right to anonymization/blocking/deletion of unnecessary data, right to data portability, right to information about shared data, right to revoke consent. Washington State Residents: Rights under the My Health My Data Act as described in the Health & Fitness Data section above. All Users: Regardless of your jurisdiction, you can always export your data, update your information, request deletion, and contact us with privacy questions. We do not discriminate against users who exercise their privacy rights. To exercise any of these rights: use the self-service tools in your account settings, or email privacy@smagpie.com. 
We respond to all requests within 30 days (or 45 days for CCPA requests, with notice of extension if needed).

Do Not Sell or Share

We don’t sell your personal information. We don’t share it for cross-context behavioral advertising. Period.

California Residents (CCPA/CPRA): Smagpie does not sell personal information as defined under the California Consumer Privacy Act. Smagpie does not share personal information for cross-context behavioral advertising as defined under the CPRA. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age. We honor Global Privacy Control (GPC) signals transmitted by your browser as a valid opt-out request, as required by California law effective January 1, 2026. If you are a California resident and wish to exercise your rights under the CCPA/CPRA — including the right to know, delete, correct, or opt out — you may do so through your account settings or by contacting privacy@smagpie.com. We will verify your identity before processing your request and will respond within 45 days. All Users: We do not sell, rent, license, or trade your personal data to any third party for monetary or other valuable consideration, regardless of your jurisdiction.

Data Security

We encrypt data in transit and at rest. We follow industry-standard security practices. We don’t store credit card numbers (payments are handled by a certified payment processor).

Technical measures: TLS 1.2+ encryption for all data in transit, AES-256 encryption for data at rest, role-based access controls, regular security audits, automated vulnerability scanning, secure development practices. Payment processing is handled entirely by our PCI DSS-compliant payment processor — we never see, store, or process credit card numbers. Infrastructure hosted on Microsoft Azure with SOC 2 Type II compliance. Database backups are encrypted and stored in geographically separate regions.

Breach Notification

If we ever have a data breach that affects your information, we’ll tell you directly — not buried in a blog post six months later. We’ll tell you what happened, what data was involved, and what we’re doing about it.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: Regulatory Notification — notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. For US state law breaches, we will comply with the notification timelines of each applicable state (e.g., California requires notification “in the most expedient time possible and without unreasonable delay”). User Notification — where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users directly and without undue delay via email. The notification will include: (a) the nature of the breach; (b) the categories and approximate number of individuals affected; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach; (e) contact information for follow-up questions. Mitigation — we will take immediate steps to contain and remediate the breach, assess its scope and impact, preserve evidence for investigation, and implement measures to prevent recurrence.

Changes to This Policy

If we change this policy, we’ll let you know — by email for anything meaningful, and with a clear summary of what changed. We won’t quietly change the rules on you.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes: We will notify you by email at least 30 days before the changes take effect, and will provide a clear summary of what changed and why. Where required by law, we will obtain your renewed consent before applying material changes to data processing. Non-material changes: Minor clarifications, formatting adjustments, or updates to contact information may be made without advance notice but will be reflected in the “Last Updated” date at the top of this policy. Version History: We maintain a version history of this policy. You may request previous versions by contacting privacy@smagpie.com.

Contact

Questions about your data? Email us at privacy@smagpie.com. We’re real people and we respond within one business day.