Privacy Policy
How Motus handles your data from Strava and other sources. Last updated: May 15, 2026.
Motus complies with the Strava API Agreement and Platform Terms, with PIPEDA (Personal Information Protection and Electronic Documents Act), Quebec Law 25, and CASL (Canada's Anti-Spam Legislation). Your Strava data is visible only to you and is permanently deleted when you disconnect.
1. Introduction
Motus ("we", "our", "the App") is a training analysis and coaching platform for triathletes and endurance athletes operated from Canada. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our service, and your rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25 (Act respecting the protection of personal information in the private sector), and Canada's Anti-Spam Legislation (CASL).
By creating an account or using the App, you acknowledge that you have read and understood this Privacy Policy. Where required by law, we also ask for your explicit consent (for example, for analytics cookies and marketing email).
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name
- Password (stored as a one-way bcrypt hash, never in plain text)
- The timestamp at which you agreed to this policy and the Terms of Service
2.2 Athlete Profile
You may optionally provide detailed training profile information to receive personalized coaching:
- Date of birth, gender, height, and weight
- Resting and maximum heart rate, physiological thresholds (FTP, CSS, lactate threshold)
- Training zones for swim, bike, run, and heart rate
- Training availability and weekly schedule
- Equipment details (bikes, power meters, GPS watches)
- Injury history and physical constraints
- Lifestyle factors (work schedule, sleep, nutrition, stress level)
- Training history and experience level per sport
2.3 Strava Data
When you connect your Strava account, we access the following data through the Strava API with your explicit permission:
- Your Strava profile information (name, profile photo)
- Activity summary data: sport type, duration, distance, elevation gain, average heart rate, average power, average pace, and zone distributions
- Personal records (best efforts for standard distances)
We do NOT import or store GPS tracks, heart rate streams, power meter streams, segment efforts, lap-level data, or raw activity descriptions.
2.4 Chat Messages
When you use the "Chat with Coach" feature, your conversation history (your messages and AI responses) is stored to maintain continuity across sessions.
2.5 Video and Photo Analysis
If you use the Video Analysis feature, we process uploaded videos and photos to extract biomechanical data (joint angles, technique scores, form recommendations). Thumbnail images are stored; original video files are processed and not retained long-term.
2.6 Goals and Training Plans
We store your race goals, training plans, season plans, and workout feedback to provide continuous coaching.
2.7 Product Usage Data (only if you consent)
If — and only if — you accept analytics cookies in the consent banner, we collect product usage data through PostHog. See Section 9 for what this includes and how to withdraw consent.
2.8 Technical Data
Each request to our API is logged for security and reliability (IP address, timestamp, HTTP method, path, response status). These logs are retained for up to 30 days and are used only to investigate abuse, debug errors, and apply rate limits. They are not joined to your profile for analytics.
3. How We Use Your Data
We use your information to:
- Display your training data and analytics
- Calculate performance metrics (training stress, fitness/fatigue trends, zone distributions)
- Provide personalized training plans and coaching insights based on your performance data
- Provide biomechanical video analysis and recommendations
- Track goal progress and race readiness predictions
- Send essential transactional emails (account verification, password recovery, account-deletion confirmations) and — only with your CASL-compliant consent — optional product update and coaching tip emails
- Improve product quality through aggregated analytics, only when you have accepted analytics cookies
What We Do NOT Do
- We do NOT display your data to other users — there are no leaderboards, public profiles, or social features
- We do NOT sell, rent, or share your personal data with third parties for their own marketing purposes
- We do NOT use data obtained through the Strava API to train, fine-tune, or develop artificial intelligence or machine learning models
- We do NOT use your data for advertising, retargeting, or behavioural advertising
- We do NOT combine or cross-reference your personal training data with that of other users to produce coaching outputs
4. Strava Integration
4.1 Your Data Is Private
Your Strava activity data is visible only to you within the App. No other user can see your training data. Every API request is authenticated and filtered to your account only. We do not aggregate, combine, or cross-reference Strava data across different users. No analytics, insights, or derived metrics are computed from data belonging to multiple users.
4.2 Data Processing
We process your Strava data to calculate aggregated training metrics such as Training Stress Score (TSS), Chronic Training Load (CTL), Acute Training Load (ATL), Training Stress Balance (TSB), and zone distributions. These calculations are performed by our own algorithms.
4.3 Disconnecting Strava
You can disconnect your Strava account at any time through the App settings. When you disconnect:
- All activity data obtained from Strava is permanently deleted from our database
- Your Strava access and refresh tokens are revoked and deleted
- All cached data related to your Strava account is cleared
This also applies when you revoke access from Strava.com directly — we process Strava's deauthorization webhook and immediately delete all your Strava data.
4.4 Coaching Insights and Strava Data
Our coaching features use only internally calculated metrics (training load scores, fitness trends, zone distributions) — never raw Strava data. Your Strava data is not used to train, fine-tune, or develop any models. Coaching insights are generated for your individual use only.
4.5 Strava's Privacy Policy
When you connect to Strava through our App, Strava's own Privacy Policy also applies to your data. You can review it at: strava.com/legal/privacy
4.6 Garmin Data Attribution
Activity data obtained through the Strava API may include data that originates from Garmin devices. When displaying such data, we provide attribution to Garmin in accordance with Garmin's brand guidelines.
5. Third-Party Services and Sub-Processors
We use the following third-party service providers to operate Motus. Each one processes only the categories of data listed and is bound by its own privacy and security obligations.
Strava (USA)
OAuth authentication and activity synchronization. Strava receives only standard OAuth data during the authorization flow.
Google (Gemini API) and OpenAI (USA)
Our coaching features use third-party language model services to generate training insights and respond to athlete questions. Only internally calculated metrics (training load scores, fitness trends, zone summaries) and your chat messages are sent to these services. Raw Strava activity data, GPS tracks, and personally identifiable Strava information are never included in these requests and are never used to train or fine-tune any models.
Railway (USA) — Hosting and Database
Our application servers and PostgreSQL database run on Railway in US-East infrastructure. Your account data, profile, training data, and chat history are stored there. See Section 11 for the Canadian cross-border-transfer disclosure.
Stripe (USA) — Payments
When you upgrade to a paid plan, payment information (card details, billing address) is collected and processed by Stripe directly. We never see or store your card number; we only receive a subscription status and a customer reference.
Resend (USA) — Transactional Email
Used to deliver account-related email (welcome, password reset, account-deletion confirmation, weekly summaries you opt into). Resend receives your email address and the message content.
Sentry (USA) — Error Monitoring
Captures application errors and stack traces so we can fix bugs. Sentry is configured with send_default_pii = false: it receives the technical details of the error and not your personal identifiers. Passwords, tokens, and other secrets are never logged.
PostHog (USA) — Product Analytics (consent-gated)
If you have accepted analytics cookies, PostHog receives events about how you use the App (page views, button clicks, feature usage) and may record sessions to help us understand UX issues. Password fields are masked. PostHog only activates after your explicit consent and stops immediately if you withdraw it. See Section 9 for details.
Telegram (Optional)
If you link your Telegram account, your morning briefings and coaching messages are delivered through Telegram's servers. You can disconnect at any time from Settings.
6. Data Storage and Security
- All data transmission uses HTTPS encryption (TLS 1.2+)
- HTTP Strict Transport Security (HSTS) is enforced for one year
- Passwords are hashed using bcrypt with per-user salts
- Strava OAuth tokens are encrypted at rest with a server-side key
- Access tokens are automatically refreshed and never exposed to the frontend
- Database access is restricted to authorized services only
- When tokens are revoked, they are immediately and permanently deleted
- We apply industry-standard security headers (Content Security Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy) on every response
- Authentication, registration, and OAuth endpoints are rate-limited to prevent brute force and credential stuffing
Despite these measures, no online service can guarantee absolute security. If we ever experience a security breach that affects your personal information, we will notify you and the appropriate regulators (including the Office of the Privacy Commissioner of Canada and, where applicable, the Commission d'accès à l'information du Québec) as required by law.
7. Data Retention
- Account data is retained while your account is active
- Strava data is deleted immediately when you disconnect Strava (separate from account deletion)
- Account deletion: you may request deletion at any time. Your account enters a 7-day grace period (which you can cancel via an email link), and then all personal data, activities, chat history, training plans, goals, and cached data are permanently removed.
- Server access logs are retained for up to 30 days for security and abuse prevention
- PostHog analytics events, if you consented, are retained according to PostHog's default retention (typically up to 7 years) but can be deleted on request
- We do not retain backups of deleted data beyond standard database backup cycles (which roll off within 30 days)
8. Your Rights
Under PIPEDA, Quebec Law 25, and similar privacy laws you have the right to:
- Access your personal data stored in the App (via your profile and settings, or by emailing us)
- Correct inaccurate data (via profile editing or by emailing us)
- Withdraw consent at any time — for analytics cookies via the banner or this page, and for marketing email via the unsubscribe link in every such message
- Delete your account and all associated data (Settings → Delete Account, or by emailing us)
- Disconnect third-party services (Strava, Telegram) at any time
- Export your data on request — email us and we will provide a machine-readable copy within 30 days
- Be informed about how your data is used and to whom it is disclosed
To exercise any of these rights, contact us at [email protected]. We respond to all verifiable requests within 30 days.
9. Cookies and Analytics
9.1 Strict-Essential Storage
We use the browser's localStorage for items that are required to operate the service you requested:
- Your authentication token (so you stay logged in)
- Your theme preference (light/dark)
- Your dashboard layout and saved app preferences
- Your cookie consent decision itself
These do not require consent under PIPEDA or Quebec Law 25 because they are strictly necessary to deliver the service.
9.2 PostHog Product Analytics (opt-in)
If — and only if — you click Accept analytics in our cookie banner, we load PostHog and collect product usage data. This includes:
- Page views and navigation paths within the App
- Button clicks and feature interactions (autocapture)
- Session replays of your visit so we can debug UX issues (password fields and elements marked sensitive are masked)
- Browser/device type, screen size, language, and approximate location (country/region from IP)
PostHog stores this data on servers operated by PostHog Inc. in the United States. We use it only to improve the App. We do not sell it, share it with advertisers, or use it for cross-site tracking.
9.3 Withdraw Consent
You can change your decision at any time below. When you withdraw consent, PostHog stops collecting new data immediately, your local session ID is reset, and we will not load PostHog on subsequent visits until you opt in again.
9.4 No Other Trackers
We do not use Google Analytics, Meta Pixel, Mixpanel, advertising cookies, or any third-party advertising or data-brokerage services.
10. Children's Privacy
The App is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
11. For Canadian Residents (PIPEDA & Quebec Law 25)
11.1 Where Your Data Is Stored
Motus is operated from Canada, but our hosting, database, and most of our service providers are located in the United States. Specifically, our application and PostgreSQL database run on Railway's US-East infrastructure, and our analytics (PostHog), email (Resend), payments (Stripe), error monitoring (Sentry), and AI services (Google Gemini, OpenAI) are also US-based.
This means your personal information is transferred to, stored in, and processed in the United States. While in the US, it is subject to US laws, including laws that may permit government access for national-security or law-enforcement purposes that differ from Canadian law.
We rely on contractual safeguards with each provider and on technical controls (encryption in transit and at rest, access restrictions, minimum-necessary data sharing) to provide a comparable level of protection to PIPEDA. By creating an account you acknowledge this cross-border transfer.
11.2 Quebec Residents — Additional Rights
If you reside in Quebec, you also have the rights granted under the Act respecting the protection of personal information in the private sector (Law 25), including:
- The right to be informed before your data is communicated outside of Quebec (this section serves that purpose)
- The right to data portability (we will provide your data in a structured, commonly used format on request)
- The right to refuse automated decision-making and to ask a human to review any decision that affects you significantly
- The right to lodge a complaint with the Commission d'accès à l'information du Québec
11.3 Filing a Complaint
If you believe we have not handled your personal information in accordance with PIPEDA, please contact us first so we can try to resolve the issue. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada.
11.4 Privacy Officer
Our designated Privacy Officer can be reached at [email protected] for all data-protection and access-request enquiries.
12. Email Communications (CASL)
Canada's Anti-Spam Legislation (CASL) requires us to obtain your consent before sending commercial electronic messages, to identify ourselves clearly, and to provide a working unsubscribe mechanism in every message.
12.1 Transactional Emails (no separate consent required)
We send the following essential emails as part of providing the service. These are transactional and not classified as commercial messages under CASL:
- Account confirmation, password reset, and login alerts
- Account-deletion scheduling and cancellation links
- Strava connection and subscription billing notifications
- Critical security or privacy notices (e.g., changes to this policy, security incidents)
12.2 Optional / Marketing Emails (opt-in)
Optional content such as weekly summaries, training tips, product updates, and coaching newsletters is only sent if you explicitly enable it in Settings → Notifications, or check the corresponding box at sign-up. Every such message includes our sender identification and a one-click unsubscribe link, in compliance with CASL.
12.3 Withdrawing Consent
You can withdraw consent for marketing email at any time by clicking the unsubscribe link, by toggling notifications in Settings, or by emailing us. Unsubscribe requests are honoured within 10 business days, as required by CASL.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through an in-app notification. The "Last updated" date at the top of this page reflects the most recent revision. If a change requires fresh consent (for example, a new analytics provider), we will ask you before applying it to your data.
14. Contact Us
If you have questions about this Privacy Policy, your data, or wish to exercise any of your privacy rights, please contact us at:
General support: [email protected]
Privacy Officer (PIPEDA / Law 25 enquiries): [email protected]