Privacy Policy

Last updated:

injury.vision (“we”, “our”, or “us”) is committed to protecting your personal health and training data. This policy explains what data we collect, why we collect it, and how it is used — including data obtained via integrations with Garmin, Strava, and Apple Health.

1. Who We Are

injury.vision is a software application designed to help serious runners assess and manage their injury risk using training load metrics, recovery data, and physiological signals. The service is operated independently and is not affiliated with Garmin Ltd., Strava Inc., or Apple Inc.

2. Data We Collect

We collect only the data necessary to compute injury risk and personalise your training guidance:

  • Account data — email address and hashed password (via Supabase Auth), used solely for authentication.
  • Profile data — FTP pace (functional threshold pace), body weight, and self-reported injury history score. These are entered voluntarily during onboarding and can be updated at any time.
  • Activity data — distance, duration, average heart rate, grade-adjusted pace (NGP), training stress score (TSS), and intensity factor (IF) for each run. This is derived from data you choose to sync via Strava, Garmin, or Apple Health.
  • Recovery metrics — heart rate variability (HRV), resting heart rate (RHR), sleep duration, and daily recovery score, imported from Apple Health exports or Garmin devices.
  • Computed metrics — chronic training load (CTL), acute training load (ATL), training stress balance (TSB), and risk score components derived from your activity and recovery data.
  • Integration tokens — OAuth access tokens for Strava and Garmin (encrypted at rest), used only to fetch your training data on your behalf.

3. How We Use Your Data

Your data is used exclusively for the following purposes:

  • Computing your personalised injury risk score and its breakdown by component.
  • Generating return-to-run schedules and training load recommendations.
  • Displaying historical training load and recovery trends in your dashboard.
  • Projecting risk for planned workouts (What-If analysis, computed locally).

We do not sell, rent, or share your personal health or training data with any third party for advertising, research, or commercial purposes. We do not use your data to train machine learning models belonging to third parties.

4. Third-Party Integrations

injury.vision integrates with the following third-party services at your explicit request:

  • Strava — we request the “activity:read_all” OAuth scope to retrieve your run activity history. We store only the fields listed in Section 2; raw Strava payload data is not retained beyond the initial parse. Strava’s own privacy policy governs data held on Strava’s servers.
  • Garmin Health API — see Section 5 below for full detail, as required by Garmin’s developer programme.
  • Apple Health — data is imported via your manual export only (no direct device connection). We parse the XML export locally on-device where possible, and only the metric fields listed in Section 2 are transmitted to our servers.

Each integration can be disconnected at any time from the Integrations page, which will immediately revoke our access and delete your stored OAuth tokens.

5. Garmin Health API

injury.vision uses the Garmin Health API to retrieve activity and wellness data from your Garmin devices. This integration is subject to Garmin’s Health API Terms of Service and is only activated when you explicitly connect your Garmin account via the OAuth 1.0a flow.

Data accessed via Garmin Health API:

  • Activity summaries (distance, duration, average heart rate, elevation data)
  • Wellness data (heart rate variability, resting heart rate, sleep stages)
  • GPS track data (used to compute grade-adjusted pace via the Minetti correction; raw GPS coordinates are not stored)

How this data is used: Garmin data is used solely to compute your injury risk score and populate your training dashboard. It is not shared with any other party.

Data retention: Garmin-sourced activity records are retained for as long as your account is active. You may delete individual activities or your entire account at any time (see Section 7).

Your rights with Garmin data: You can disconnect the Garmin integration at any time from the Integrations page. This revokes our API access immediately. You may also request deletion of all Garmin-sourced data by contacting us (see Section 11).

6. Data Storage & Security

All data is stored in a Supabase (PostgreSQL) database with row-level security (RLS) enforced — no user can read another user’s data. Databases are hosted in the EU (Supabase Frankfurt region) and are covered by Supabase’s SOC 2 Type II compliance programme.

OAuth tokens are stored encrypted at rest. HTTPS is enforced for all data in transit. We do not log request payloads containing health data.

7. Data Retention

Your data is retained for as long as your account is active. You can request deletion of:

  • Individual activities — contact us with the activity date and source.
  • Your entire account — request via email (Section 11) and all user data will be permanently deleted within 30 days.

After account deletion, no personally identifiable data is retained. Anonymised, non-attributable aggregate statistics (e.g. total number of risk computations) may be retained for product improvement.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct inaccurate profile data directly in the app or via request.
  • Erasure — request deletion of your account and all associated data.
  • Portability — request an export of your activity and risk score history in JSON or CSV format.
  • Withdraw consent — disconnect any integration at any time with immediate effect.

To exercise any of these rights, contact us at the address in Section 11. We will respond within 30 days.

9. Children

injury.vision is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this policy as the product evolves. Material changes will be communicated via in-app notification and by updating the “Last updated” date above. Continued use of injury.vision after changes are posted constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related requests, data deletion, or questions about this policy:

For Garmin-related data requests specifically, please include “Garmin Data Request” in your subject line so we can handle it with appropriate priority.

© 2026 injury.vision. All rights reserved.
