Privacy Policy
Last updated: April 2026
1. Who we are
Hybrid Athlete is a training management platform for hybrid athletes — people training seriously in both strength and endurance. The platform is operated by Lukas Köhler, a student at MCI Innsbruck (Medizin-, Gesundheits- & Sporttechnologie), Tyrol, Austria.
For all data protection matters, contact: kl4641@mci4me.at
2. What data we collect
2.1 Account data
When you create an account, we collect:
- Email address
- Display name
- Password (stored as a bcrypt hash — never in plain text)
- HR max, HR rest (entered during onboarding for training calculations)
- Starting bodyweight and target weight
2.2 Training data
Data you log directly in the platform:
- Strength sessions: exercises, sets, reps, load (kg), RPE ratings
- Run sessions logged manually: duration, distance, pace, notes
- Daily wellness logs: bodyweight, sleep hours, energy, mood, soreness scores
2.3 Garmin Connect data
If you choose to connect your Garmin account via OAuth 2.0:
- Activity data: duration, distance, average HR, cadence, pace, heart rate zone minutes
- Health data: resting HR, HRV, sleep duration and quality scores
Garmin data is pulled only after explicit user authorisation through Garmin's OAuth flow. You can revoke this access at any time in your account settings or directly in Garmin Connect.
2.4 Usage data
Basic platform usage logs for debugging and improving the service. No third-party analytics tracking without explicit consent.
3. Why we collect it (legal basis)
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Account data | Platform authentication and personalisation | Contract (Art. 6(1)(b)) |
| Training data | Core service — HDSS calculation and dashboard | Contract (Art. 6(1)(b)) |
| Garmin data | Core service — HDSS calculation requires run data | Consent (Art. 6(1)(a)) |
| Wellness logs | Recovery scoring and ACWR calculation | Contract (Art. 6(1)(b)) |
| Anonymised training data | Academic research: anonymised HDSS dataset for MCI Innsbruck thesis | Consent (Art. 6(1)(a)) |
For academic research use: you are asked explicitly during onboarding whether your anonymised training data may be included in the thesis dataset. This is fully optional and has no effect on platform functionality if declined.
4. How we store and protect your data
- All data is stored in a PostgreSQL database hosted on Supabase (EU region)
- Row-level security (RLS) is enforced at the database level — you can only access your own data
- All data in transit is encrypted via TLS 1.2+
- Passwords are never stored in plain text
- Garmin OAuth tokens are stored encrypted at rest
- Backups are retained for 30 days
6. Your rights (GDPR)
As a user in the EU/EEA, you have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and all associated data
- Portability — receive your data in a machine-readable format (JSON)
- Withdraw consent — revoke Garmin access or academic data consent at any time
- Object — object to processing based on legitimate interests
- Lodge a complaint — with the Austrian Data Protection Authority (Datenschutzbehörde)
To exercise any of these rights, email: kl4641@mci4me.at. We will respond within 30 days.
7. Data retention
- Active account data: retained for the duration of your account
- Deleted account data: permanently erased within 30 days of deletion request
- Anonymised research data: retained for the duration of the thesis project (until December 2026), then deleted or fully anonymised in the final dataset
- Garmin OAuth tokens: deleted immediately upon revocation or account deletion
9. Changes to this policy
We will notify you by email of any material changes to this Privacy Policy at least 14 days before they take effect. Continued use of the platform after that date constitutes acceptance.