CARBN·ZONE LEGAL
PRIVACY POLICY
LAST UPDATED: APRIL 2026
INTRODUCTION
CARBN.ZONE (“we”, “our”, “us”, or “the Service”) is a cycling performance analytics platform available at carbn.zone. This Privacy Policy explains what personal data we collect, why we collect it, how it is used and protected, and what rights you have with respect to your data.
By creating an account or using CARBN.ZONE, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of it, please do not use the Service.
This policy applies to all users of carbn.zone and any associated mobile or desktop interfaces. It does not apply to third-party websites or services that we link to, including Strava.
DATA CONTROLLER
The data controller responsible for your personal data is:
- Name: Danil Koltsov
- Email: danil@koltsov.net
- Website: carbn.zone
As an independent developer operating CARBN.ZONE, Danil Koltsov is responsible for decisions about the purposes and means of processing your personal data.
INFORMATION WE COLLECT
3.1 Strava Account Data
When you authenticate via Strava OAuth 2.0, we receive the following data from Strava, subject to the permissions you grant:
- Athlete profile: name, username, profile photo URL, city, country, athlete ID
- Activities: ride name, date, distance, duration, elevation gain, average speed, max speed
- Power data: average power, normalized power, power streams (when available)
- Heart rate data: average and max HR, HR streams (when available)
- Cadence data: average and max cadence, cadence streams (when available)
- GPS data: start/end coordinates, route maps (if not marked private by you on Strava)
- Kudos count, achievement count, segment efforts (for best-efforts analysis)
We request only the scopes necessary to provide the Service. At this time, we use the read and activity:read_all Strava API scopes. We do not request write access to your Strava data.
3.2 Data You Provide Directly
- FTP (Functional Threshold Power) — entered voluntarily in Settings
- Maximum heart rate — entered voluntarily in Settings
- Training zone preferences and custom labels
- Workout blocks and training plan data you create in the app
Data you enter in Settings is stored in your browser's localStorage and is never transmitted to our servers. It exists only on your device.
3.3 Automatically Collected Data
- Session authentication token (server-side, encrypted, used to maintain your login)
- Access timestamps for security auditing and abuse prevention
- Browser type and version (from HTTP headers, used for compatibility)
We do not use analytics trackers, advertising networks, or third-party monitoring scripts. We do not collect IP addresses for profiling purposes.
HOW WE USE YOUR DATA
We use the data described above exclusively to:
- Authenticate you and maintain your session securely
- Fetch your activities from Strava and display them in the dashboard
- Calculate training metrics: TSS, ATL, CTL, TSB, power zones, best efforts
- Generate performance charts and training load analysis
- Provide AI-generated training insights when you explicitly request them
- Allow you to build and manage training plans and custom workouts
We explicitly confirm that we do NOT:
- Use your data to train machine learning or AI models
- Sell, rent, or trade your data to any third party
- Share your data with advertisers or marketing platforms
- Use your data for any purpose other than providing the Service to you
- Aggregate your anonymised data for sale or research without explicit consent
- Access your Strava data outside of your active sessions
LEGAL BASIS (GDPR)
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Contractual necessity (Art. 6(1)(b) GDPR): Processing your Strava activity data is necessary to provide the analytics service you signed up for.
- Legitimate interests (Art. 6(1)(f) GDPR): Security logging and abuse prevention are in our legitimate interest to keep the service safe.
- Consent (Art. 6(1)(a) GDPR): When you connect your Strava account, you explicitly consent to the data access described in Section 3. You may withdraw this consent at any time by revoking Strava access.
STRAVA DATA & API USAGE
CARBN.ZONE is built on the Strava API. Our use of Strava data is governed by the Strava API Agreement and we are committed to full compliance with it.
What we access:
- We read your activity data via the Strava API on your request
- Activity data is cached in your browser's localStorage for fast access between sessions
- We do not maintain a server-side database of your Strava activities
- Power and heart rate streams are fetched on-demand per activity
What we do not do:
- We do not write to, modify, or delete your Strava activities
- We do not access Strava data in the background when you are not using the app
- We do not share your Strava data with any third party
- We do not use Strava data for advertising or profiling
Revoking access: You can disconnect CARBN.ZONE from your Strava account at any time by visiting strava.com → Settings → My Apps → CARBN.ZONE → Revoke Access. After revocation, we will not be able to fetch any further data from Strava on your behalf.
CARBN.ZONE is an independent application and is not affiliated with, endorsed by, or sponsored by Strava Inc. The Strava name and logo are trademarks of Strava Inc.
DATA STORAGE & SECURITY
Server-side storage:
- Authentication session tokens are stored server-side using encrypted, httpOnly cookies
- Strava OAuth refresh tokens are stored in an encrypted server-side session store
- We use Supabase as our database provider, with row-level security enabled
- All data in transit is protected by TLS 1.2+ (SSL A+ grade)
- Our infrastructure is hosted on Vercel (EU region available)
Client-side storage:
- FTP, HR max, and zone preferences are stored in localStorage on your device only
- Cached activity lists are stored in localStorage for performance
- This client-side data never leaves your browser and is not accessible to us
We apply industry-standard security practices including HTTPS enforcement, security headers (CSP, HSTS, X-Frame-Options), and regular dependency updates. You can view our security grades at carbn.zone/security.
DATA RETENTION & DELETION
We retain your authentication session for as long as you remain an active user. If you have not used CARBN.ZONE for 12 months, your server-side session data will be automatically deleted.
To delete your data:
- Revoke CARBN.ZONE access on Strava — this immediately invalidates all tokens
- Clear your browser's localStorage to remove all cached activity data and settings
- Email danil@koltsov.net with subject "Data Deletion Request" to request removal of any server-side session data
Upon receiving a deletion request, we will confirm deletion within 30 days. Since we do not store a persistent copy of your Strava activities server-side, there is typically very little data to delete beyond your authentication session.
THIRD-PARTY SERVICES
CARBN.ZONE integrates with the following third-party services. Each has its own privacy policy and terms:
- Strava — Activity data provider via OAuth API. Privacy: strava.com/legal/privacy
- Vercel — Application hosting and serverless functions. Privacy: vercel.com/legal/privacy-policy
- Supabase — Database infrastructure for session management. Privacy: supabase.com/privacy
- Anthropic (Claude API) — AI-generated training insights, used only when you explicitly request a training suggestion. We send only anonymised activity metrics (power, TSS, zone distribution), never your name or athlete ID. Privacy: anthropic.com/legal/privacy
We do not use Google Analytics, Meta Pixel, Hotjar, or any advertising or behavioural tracking services.
YOUR RIGHTS
Under the GDPR (EU/EEA/UK users) and applicable privacy laws, you have the following rights:
- Right to access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data (“right to be forgotten”).
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Receive your data in a structured, machine-readable format (JSON export available on request).
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Withdraw your consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email danil@koltsov.net with the subject line “Privacy Request — [Right Name]”. We will respond within 30 days. If you believe your rights have been violated, you have the right to lodge a complaint with your local data protection authority.
INTERNATIONAL TRANSFERS
CARBN.ZONE is hosted on Vercel infrastructure, which may process data in the United States and other countries. When data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or other GDPR-compliant transfer mechanisms. Supabase offers EU region hosting; if you require EU-only data processing, please contact us.
CHILDREN'S PRIVACY
CARBN.ZONE is not directed at, and is not intended for use by, individuals under the age of 16 (or the applicable digital age of consent in your country). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at danil@koltsov.net and we will delete it promptly.
CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in the Service, legal requirements, or our data practices. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Display a notice on the CARBN.ZONE dashboard for logged-in users
- For significant changes, notify you by email where we have your address
Your continued use of CARBN.ZONE after the effective date of a revised policy constitutes your acceptance of the changes. We encourage you to review this page periodically.
CONTACT
For any questions, requests, or concerns about this Privacy Policy or how we handle your data, please contact:
- Email: danil@koltsov.net
- Subject line: Privacy — CARBN.ZONE
- Website: carbn.zone
- Response time: We aim to respond to all privacy enquiries within 5 business days, and to formally act on data requests within 30 days.