
Privacy Policy

Last updated · 2026-05-12

This policy describes what personal data we collect when you use HypomoneLab (the "service"), for what purpose, how long we retain it, and what rights you have over it. It is written in line with the General Data Protection Regulation (GDPR) and Spain's LOPDGDD (Organic Law 3/2018).

The Spanish version is the legally controlling text. This English translation is provided for reviewer / native-speaker convenience.

1. Data controller

  • Identity: Manuel Alfaro García
  • Postal address: Peñas 21, 02124, Alcadozo, Albacete, España
  • Contact email: [email protected]
  • Contact form: /contact — we use the email you provide there only to reply to your request.

Given the volume and nature of processing, we are not required to appoint a Data Protection Officer (DPO). You can address the data controller directly via the contact form or by writing to the email above.

2. Data we collect

2.1 Data you provide directly

  • Account data: email, name, password (hashed with BCrypt), date of birth (optional, used for zone estimates), invitation code.
  • Sport profile: main sport, maximum and resting heart rate (optional), manually configured power / pace thresholds.
  • Manually logged workouts: duration, distance, perceived effort (RPE), notes, tags.
  • Daily readiness survey: sleep, fatigue, motivation. Likert 1–5. Optional, daily.
  • Contact messages: if you write to us at /contact, we retain the message and your email so we can reply.

2.2 Data imported from connected providers

When you connect your Strava, Garmin Connect, COROS or Suunto account and authorise import, we receive from their API:

  • Workout metadata (date, sport, duration, distance, average pace, average power, average and maximum heart rate).
  • Per-second time-series (HR, watts, speed, GPS, altitude, cadence) when available.
  • Provider identifiers to avoid duplicates on re-import.
  • Provider OAuth tokens — encrypted at rest with ASP.NET Data Protection before storage. Only our service can decrypt them.

We never receive or store your provider password: auth is done via OAuth 2.0, where the provider returns a token after your explicit consent on their screen.

2.3 Automatic technical data

  • Session cookie (JWT) in httpOnly storage — required to keep you signed in between requests. Details in the Cookie Policy.
  • Server logs with IP address, user agent, and accessed routes. Retained up to 30 days for debugging and security-incident response.
  • Audit log (audit_log) of security-relevant events: login, registration, token refresh, provider connect / disconnect, account deletion. No browsing tracking.

We do NOT use Google Analytics, Meta Pixel, Hotjar, or any advertising / third-party tracking tool.

3. Legal bases for processing

Purpose | GDPR legal basis
Create and maintain your account; provide the service | Art. 6.1.b — performance of a contract
Import your activity from connected providers | Art. 6.1.a — consent (revocable by disconnecting)
Compute your metrics and display them | Art. 6.1.b — performance of a contract
Service security + audit log | Art. 6.1.f — legitimate interest
Honour rights requests (access, erasure, etc.) | Art. 6.1.c — legal obligation

4. Who do we share your data with?

No one for commercial purposes. We do not sell, rent, or transfer data to third parties for marketing, advertising, or external profiling.

The only third parties involved are:

  • Hetzner Online GmbH (Germany (Falkenstein)) — hosting provider for the server running the application and the database. Acts as a data processor.
  • Cloudflare, Inc. (CDN / WAF) — routes HTTP traffic between your browser and our server to protect against denial-of-service attacks. Processes connection metadata (IP, user agent, URL); does not store the body of authenticated responses.
  • Sport providers you connect (Strava, Garmin, COROS, Suunto): the flow is always from their API to us (import), never the reverse. We do not send them your data except what is needed to authenticate via OAuth and manage their webhook subscriptions.

5. International transfers

All data is stored on servers in the European Union (Germany (Falkenstein)). Cloudflare may process traffic in other countries; in that case it relies on the European Commission's Standard Contractual Clauses. Sport providers (Strava, Garmin, etc.) are independent controllers with their own policies — review theirs before connecting your account.

6. Data retention

  • While your account is active, we retain all data needed to provide the service.
  • If you request account deletion, your account enters a 30-day grace period during which you can cancel. After 30 days, we physically erase all your data (profile, workouts, metrics, tokens, associated messages) in an automatic nightly job.
  • Server logs are rotated at 30 days.
  • The audit log retains security-relevant events for up to 12 months with the user identifier; after account deletion, only the user.deleted event remains, keyed by a SHA-256 hash (no email, no name).
  • Contact-form messages are retained for up to 90 days from submission. The sender's IP address is retained 30 days only (for anti-spam) and then deleted.

7. Your rights

As a data subject, the GDPR grants you the following rights:

  • Access — obtain a copy of all your data directly from the settings panel ("Download my data") or via the contact form.
  • Rectification — correct your profile directly from the app, or ask us to do it for you.
  • Erasure ("right to be forgotten") — request full deletion from /athlete/settings or via /contact.
  • Restriction — ask us to stop processing your data while an issue is resolved.
  • Portability — the JSON data export fulfils this right.
  • Objection — object to processing based on legitimate interest. In practice, the only such processing is the security audit log.
  • Consent withdrawal — disconnecting a provider at /athlete/integrations withdraws consent for future imports. Already-imported data remains in your account until you delete it.
  • Complaint to the supervisory authority — if you believe we have infringed your rights, you may file a complaint with the Spanish Data Protection Agency (AEPD).

8. Security

We apply reasonable technical and organisational measures:

  • HTTPS / TLS enforced on the whole app and public API.
  • Passwords stored with BCrypt (never plain text).
  • Provider OAuth tokens encrypted at rest with ASP.NET Data Protection keys, rotatable and persisted outside the source-code repository.
  • Authentication cookie with httpOnly, Secure, SameSite=Lax flags.
  • Rate-limiting on sensitive endpoints (login, registration, contact) + Cloudflare in front for DDoS mitigation.
  • Encrypted daily database backups.
  • Append-only audit log of security-relevant events.

If we discover a security breach affecting your personal data, we will notify you without undue delay and, in any event, within 72 hours of becoming aware of it, in line with GDPR art. 33-34.

9. Minors

The service is intended for people aged 14 or over (Spain's LOPDGDD art. 7.1). If we discover that we have collected data from someone under 14 without parental consent, we will erase it as soon as possible.

10. Changes to this policy

We may update this policy to reflect service or regulatory changes. The version in force is the one published at this URL. When the change materially affects how we process your data, we will notify you by email and/or via an in-app banner before it takes effect.

11. Contact

For any question about this policy or to exercise your rights, use the contact form. State the nature of your request clearly in the subject line ("Data access", "Erasure", etc.) so we can route it to a swift response.