Privacy Policy
Last updated: 18 July 2026
Labthlete (“we”, “the app”) is a performance-testing tool for endurance athletes and coaches. This policy explains what personal data we process, why, and the rights you have under the EU General Data Protection Regulation (GDPR). It is written for the EU/EEA and the Italian data-protection framework.
Who is responsible (controller)
The data controller is Andrea Scapini, a private individual established in Italy, operating under the brand “Labthlete”. Contact for privacy matters: privacy@labthlete.com. No Data Protection Officer or EU representative is required at this stage (the controller is EU-established and processing is not large-scale).
Adults only (18+)
Labthlete is intended for adults: you must be at least 18 years old. We do not knowingly collect data from anyone under 18.
What we collect
- Account data: your email address and a password stored only as a bcrypt hash (we can never read it).
- Health data (special category, Art. 9):the physiological measurements you enter or import, blood-lactate, heart rate, power/pace, body weight and test conditions, plus values we derive from them (thresholds, zones, CP/critical speed, W′/D′, durability). This reveals information about your health and fitness.
- Coach–athlete data: links between a coach account and the athlete profiles it manages.
- No analytics or tracking. We do not use analytics, tracking pixels, advertising identifiers or cross-site tracking of any kind.
Why we process it, and our legal basis
- To provide the service (run analyses, store your tests, generate predictions): performance of a contract with you (Art. 6(1)(b)).
- To process your health data: your explicit consent(Art. 9(2)(a)), given at sign-up and withdrawable at any time by deleting your account.
- To secure the service (rate limiting, abuse prevention): our legitimate interest (Art. 6(1)(f)).
Sharing & where your data is processed
We do not sell your data. We share it only with the providers needed to run the service, acting as our processors under contract: Hetzner (hosting and database, in Germany/EU), Resend (transactional email, US) and Cloudflare(TLS/CDN/DNS, US). For the US providers we put EU Standard Contractual Clauses in place. If you are an athlete linked to a coach, that coach can see the test data on your profile.
Retention & deletion
We keep your data while your account is active. Deleting your account in Settings permanently and irreversibly erases your profile and all your tests, measurements and derived values, and withdraws your health-data consent. There is no keep-data option. Encrypted backups rotate on a short schedule (nightly, kept about 7 daily / 4 weekly) and then expire, so an erased record may persist only briefly in backups.
Your rights
You can access, correct, export (data portability) and erase your data, and withdraw consent, directly in Settings: “Download my data” exports everything we hold about you as JSON, and “Delete account” erases it. You also have the right to lodge a complaint with the Italian supervisory authority, the Garante per la protezione dei dati personali (www.garanteprivacy.it).
Cookies
We use a single strictly-necessary session cookie to keep you signed in, and no tracking cookies, so there is no cookie banner. See our Cookie Policy.
Not medical advice
Our outputs are model-based estimates, not clinical measurements or diagnoses, and there is no automated decision producing legal or similarly significant effects (Art. 22). See our Terms.
Changes
We will update this policy as the service evolves and note the date at the top. Material changes affecting health-data processing will be communicated before they take effect.