Privacy Policy

Last updated: 2026-04-24

This Privacy Policy explains how Strile processes your personal data when you use our mobile application and website. Strile is operated by Dawid Rożenek (sole proprietorship; Poland, CEIDG), who acts as the data controller under the EU General Data Protection Regulation (GDPR / RODO).

1. Data controller

The data controller for personal data processed through Strile is:

  • Dawid Rożenek
  • sole proprietorship (Poland, CEIDG), Poland
  • Tax ID (NIP): 6472578181
  • Address: ul. 26 Marca 116/2, 44-300 Wodzisław Śląski, Poland
  • Contact for privacy matters: support@strile.app

We have not appointed a Data Protection Officer (DPO) as we are not required to do so under Art. 37 GDPR. For any privacy-related request, please write to the email above.

2. Scope and definitions

Strile is a fitness tracking, community and coaching platform consisting of a mobile application (iOS and Android) and the marketing website at https://www.strile.app. This Policy covers personal data processed in both.

“Personal data” means any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR. “Special category data” means health-related data under Art. 9 GDPR.

3. Categories of data we process

We process the following categories of personal data. Categories marked as special category (Art. 9 GDPR) are processed only on the basis of your explicit consent, which can be revoked at any time.

  • Account data — email address, display name, avatar image, optional username, authentication tokens.
  • Profile data — date of birth, sex assigned at birth, height, weight, country, city, measurement unit preference.
  • Activity data — GPS coordinates and route geometry, distance, duration, speed, elevation, cadence, power, device make/model, start time, sport type.
  • Health data (special category) — heart rate, heart-rate variability (HRV), resting heart rate, sleep duration and score, body battery, readiness scores, step counts, derived metrics such as training load (TRIMP, TSS), CTL/ATL/TSB.
  • Menstrual cycle data (special category) — period dates, flow intensity, symptoms (cramps, fatigue, mood, bloating, headache). Processing is opt-in and can be disabled at any time in the app.
  • Self-reported wellness (special category) — daily energy, sleep, stress, soreness, motivation ratings, post-activity RPE, injury and pain reports.
  • Social and community data — follows, friend requests, likes, comments, challenge participation, group memberships, group chat messages, personal bests.
  • Device data — push notification tokens, session tokens stored locally on your device, IP address captured in server access logs.

4. Purposes and legal bases

We process personal data only for the purposes listed below, each with an identified legal basis under Art. 6 and (where applicable) Art. 9 GDPR:

Purpose | Legal basis
Providing the Strile service (account creation, activity sync, statistics, leaderboards, challenges, data export) | Art. 6(1)(b) — performance of the contract with you
Processing health, cycle and self-reported wellness data to show personalized metrics and training insights | Art. 9(2)(a) — explicit consent (and Art. 6(1)(b) for service provision)
AI Coach recommendations generated via Google Gemini | Art. 6(1)(f) legitimate interest in improving training outcomes, combined with your Art. 9(2)(a) consent for health data
Sending push notifications about your training and social activity | Art. 6(1)(a) — consent granted at the OS level and in-app
Sending transactional emails (magic-link login, account notifications) | Art. 6(1)(b) — performance of the contract
Security monitoring, fraud prevention, audit logs | Art. 6(1)(f) — legitimate interest in securing the service
Responding to your inquiries and legal requests | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interest

5. Sources of data

In addition to data you provide directly, we receive activity, health and workout data from the following third-party services when you connect them to your Strile account (Art. 14 GDPR):

  • Garmin Connect
  • Suunto
  • Polar
  • Fitbit
  • Whoop
  • Oura
  • Ultrahuman
  • Apple Health (iOS HealthKit)
  • Google Health Connect (Android)

Each connection is optional and you control it from the integrations screen in the mobile app.

6. Recipients and sub-processors

We do not sell personal data. We share it only with processors acting on our instructions under a data processing agreement, as required by Art. 28 GDPR:

Provider | Purpose | Location | Transfer safeguard
Render Services, Inc. | Application hosting and database infrastructure | USA (EU region optional) | Standard Contractual Clauses (SCC)
Google LLC (Gemini API) | AI Coach — generating training insights and recommendations | USA | Standard Contractual Clauses (SCC)
Resend, Inc. | Transactional email (magic links, account notifications) | USA | Standard Contractual Clauses (SCC)
Expo (650 Industries, Inc.) | Mobile push notification delivery | USA | Standard Contractual Clauses (SCC)
Open Wearables Gateway | Self-hosted OAuth gateway for wearables providers (Fitbit, Suunto, Polar, Garmin, Whoop, Oura, Ultrahuman) | EU | No third-country transfer (EU-hosted)
Mapbox, Inc. | Map tile rendering and route geometry display | USA | Standard Contractual Clauses (SCC)
Google LLC (Sign-In) | Optional authentication via Google account | USA | Standard Contractual Clauses (SCC)
Apple Inc. (Sign in with Apple) | Optional authentication via Apple ID | USA / Ireland | Standard Contractual Clauses (SCC)
RevenueCat, Inc. | Subscription management, entitlement sync, and webhook delivery across Apple App Store and Google Play | USA | Standard Contractual Clauses (SCC)
Functional Software, Inc. (Sentry) | Error tracking, crash reports, and performance monitoring for the mobile app and API | USA | Standard Contractual Clauses (SCC)

We never display your activity to other users on public or group leaderboards without your explicit permission (profile visibility setting).

7. International data transfers

Some of our sub-processors are established outside the European Economic Area, primarily in the United States. Transfers are safeguarded using the European Commission's Standard Contractual Clauses (2021/914/EU) under Art. 46(2)(c) GDPR, combined with supplementary technical measures (encryption in transit, minimized payloads). You can request a copy of the relevant clauses by contacting support@strile.app.

8. Retention periods

  • Account and profile data — until you request account deletion. Dormant accounts (no activity for 36 months) may be deleted after a 30-day notice.
  • Activity, health, cycle and social data — retained for the life of your account. Deleting your account removes all associated data within 30 days.
  • Data export archives — 7 days after generation, then automatically purged.
  • Server access logs — up to 90 days for security and debugging.
  • Webhook events (from wearable providers) — retained as an idempotency / audit record; subject to deletion on account removal.
  • Magic-link and session tokens — short-lived; expire automatically (typically minutes to days).
  • Transactional email records — up to 12 months for deliverability diagnostics.

9. Your rights

Under the GDPR you have the following rights, which you can exercise free of charge by emailing support@strile.app:

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data. Edit your name, date of birth, sex, height, weight and location in Settings → Edit profile; training thresholds in Settings → Training thresholds; avatar in Settings → Profile picture.
  • Right to erasure (Art. 17) — delete your account and all associated data directly from Settings → Privacy → Delete account. The deletion is immediate and irreversible and cascades through all our databases; archived exports and server backups are purged on their normal rotation (up to 30 days).
  • Right to data portability (Art. 20) — export your activity and health data in machine-readable form. Strile provides a built-in export (ZIP with JSON + FIT files) accessible in Settings → Privacy → Download your data.
  • Right to restriction (Art. 18) — request temporary restriction of processing while disputed. Email us; no in-app flow yet.
  • Right to object (Art. 21) / opt out of AI processing — disable AI Coach (Gemini) processing at any time in Settings → General → AI Coach. When off, we stop sending your training data to Gemini, skip all AI-generated insights and plan notes, and continue to serve you the non-AI features.
  • Right to withdraw consent (Art. 7(3)) — withdraw consent to cycle tracking (Settings → Cycle tracking → Track my cycle), push notifications (device OS settings), or any other optional feature at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

10. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for Poland is:

  • Prezes Urzędu Ochrony Danych Osobowych (UODO)
  • ul. Stawki 2, 00-193 Warszawa, Poland
  • uodo.gov.pl

11. Automated decision-making and profiling

Strile's AI Coach feature uses Google Gemini to generate training recommendations (e.g., suggested workouts, intensity guidance). These are informational only — they do not produce legal effects or similarly significantly affect you in the sense of Art. 22 GDPR. You are free to ignore any recommendation, and no adverse consequences follow from doing so.

We do not use automated decision-making for anything that would meaningfully affect your rights (such as credit decisions, access to services, eligibility for features).

12. Security

We apply industry-standard technical and organizational measures to protect your data:

  • All traffic encrypted in transit with TLS 1.2 or higher.
  • Session tokens stored in the operating system secure enclave (iOS Keychain / Android Keystore) on mobile, never in browser cookies.
  • Passwords hashed with bcrypt (never stored in plaintext).
  • Database connections encrypted; backups stored with access controls.
  • Access to production systems limited to authorized personnel and logged.
  • Third-party sub-processors are contractually bound to GDPR-level security.

In case of a personal data breach likely to result in a high risk to your rights, we will notify you and the supervisory authority within 72 hours in accordance with Art. 33–34 GDPR.

13. Children and minors

The minimum age to use Strile is 13 years. Users aged 13 or older but below the age at which, under local law, they can consent on their own behalf to information society services (16 in Poland and most EU Member States, under Art. 8 GDPR and Art. 4a of the Polish Data Protection Act of 10 May 2018) may use Strile only with the consent of a parent or legal guardian. By creating an account, a minor represents that such consent has been obtained.

We do not knowingly collect personal data from anyone under 13 years of age. If you become aware that a person under 13 has provided us with personal data, or that a minor is using Strile without the required parental consent, please contact support@strile.app and we will delete the account.

14. Cookies and local storage

The marketing website (https://www.strile.app) does not use advertising, analytics, or tracking cookies. Essential browser storage may be used for UI preferences (e.g., theme). The mobile application does not use cookies; it stores authentication tokens in the OS secure enclave.

15. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced at least 30 days in advance via email or an in-app notice. The “Last updated” date at the top of this document indicates when the current version took effect.

Questions? Write to support@strile.app.