In short: why am i slow stores the Strava and Oura data you authorise, uses it to generate coaching analysis for you, and never sells it or uses it to train AI models. You can disconnect Strava or Oura (each deletes the data it produced) or ask us to delete your account at any time.
1. Who runs why am i slow
why am i slow is built and operated by James Newell, based in Vancouver, British Columbia, Canada. All data-related questions, access requests, and deletion requests go to privacy@whyamislow.com. James is the data controller for the information described below.
2. Data we collect
why am i slow only receives data from services you explicitly authorise via OAuth, or data you enter into the app yourself.
Strava — your Strava athlete ID and display name, and for each activity you sync: sport type, name you've given it, start date, duration, distance, elevation, average heart rate, average speed, calories, and the per-second time-series streams for heart rate, power (watts), velocity, cadence, altitude, distance, time, and the moving flag. We also store the starting latitude/longitude of each activity (a single point used for weather enrichment) but not the full GPS route.
Oura Ring (optional) — daily readiness scores, sleep score and stage breakdown (REM, deep, light, awake durations), sleep efficiency, resting heart rate, heart-rate variability, and body-temperature deviation.
Account data — the email address you use to sign in (managed by Supabase Auth) and a signed JSON Web Token (JWT) kept in your browser's sessionStorage to keep you logged in.
Content you create — training plans, coaching notes, race records, threshold values (FTP, threshold HR, CSS, etc.), and the full conversation history with the coaching assistant (your messages, the assistant's replies, and the tool calls it makes on your behalf).
Derived metrics — training load (TSS), fitness and fatigue scores (CTL, ATL, TSB), power curves, zone distributions, and other values computed from your activity streams.
why am i slow does not use marketing analytics or advertising identifiers. Error monitoring (Sentry, described in Section 6) captures exceptions so we can fix reliability issues; no third-party cookies are set.
3. Why we process your data
The single purpose is to generate personalised coaching analysis for you. Specifically:
Synchronising activities from Strava and health data from Oura.
Computing training-load metrics from your activity streams.
Producing conversational coaching responses via the AI assistant.
Delivering the plan, dashboard, and chat surfaces that make up the product.
The lawful basis is your consent when you connect Strava or Oura, and the app's legitimate interest in providing the coaching analysis you signed up for.
4. What we send to the AI assistant
The coaching assistant is powered by a third-party large language model (see Section 6). When you chat with the assistant, three kinds of data are sent to the model on your behalf:
Your message, along with the conversation so far. Prior messages in the same conversation are replayed so the assistant has context within the chat.
A system prompt (sent at the start of every turn). This contains: your display name, your threshold values, a summary of your current fitness (CTL, ATL, TSB, 7-day and 28-day TSS totals), a one-line summary of your most recent activity, your persistent athlete notes (injuries, goals, and free-form notes), upcoming-race context when relevant to planning, and — if Oura is connected — a daily recovery snapshot (last night's readiness, sleep score and hours, resting heart rate, heart-rate variability) plus 7-day averages and trend labels.
Tool results, when the assistant decides it needs more detail to answer your question. Most tools read your own data (individual activities, lap splits, metric history, plan compliance); some can write to your record on your behalf (save a coaching note, create or update a training plan, confirm a race). The assistant never acts on another athlete's data.
Your data is never used to train any AI model. why am i slow uses the Anthropic Claude API for all production chat. Under Anthropic's Commercial Terms of Service, Anthropic does not train on customer inputs or outputs by default. If the set of production LLM providers ever changes, this page will be updated before the change takes effect, and the no-training commitment will not be weakened.
5. How data is stored
Application data is stored in a Supabase-hosted PostgreSQL database (Canada Central region, ca-central-1). Row-level security policies are enabled on the athlete, activity, health, and chat tables to isolate data between athletes.
OAuth tokens (Strava and Oura) are encrypted at rest with Fernet symmetric encryption. The encryption key lives in an environment variable, never in the database or source code.
The application server runs on Render. Render stores the application code and environment variables only; no athlete data is persisted there.
Your browser also caches a small amount of dashboard data (your latest fitness snapshot, fitness trend, and plan summary) in localStorage, so the home screen renders instantly on return visits. This cache is cleared when you log out. No other athlete data is stored on your local device.
Account-lifecycle emails (signup confirmation, approval or rejection, and a notice if someone attempts a duplicate signup against your address) are sent via Resend — see Section 6. If a send fails transiently, the message is held in a small retry queue inside our database (recipient address, subject, and template variables for that email) until it is delivered or aged out; nothing is shared with third parties from this queue.
6. Sub-processors
We rely on the following vendors to deliver the service. Each is bound by their published terms and has access only to the data necessary for the role below.
Resend (transactional email delivery for signup confirmations, approval / rejection notices, and the duplicate-signup notice described in Section 5) — resend.com/legal/privacy-policy
Sentry (error monitoring) — receives server-side exception data: stack traces, request URL, HTTP method, and non-sensitive headers (e.g. content type, user agent). Authorization headers, cookies, admin keys, and request bodies are stripped before events are sent. Not used for product analytics or marketing. sentry.io/privacy
Strava and Oura — source services you authorise directly. See their privacy policies for how they handle data on their side.
7. Weather enrichment
When an activity includes GPS data, why am i slow sends the activity's starting location (latitude and longitude rounded to one decimal place — roughly city-level precision) and date to Open-Meteo to fetch historical weather conditions for that activity. Open-Meteo is a free weather API that requires no account; its handling of submitted queries is governed by its own terms.
8. Retention
Retention periods per data type:
Strava activities, streams, and derived metrics — kept while your account is active. Deleted on account-deletion request. Deleted immediately when you disconnect Strava inside the app, or when Strava sends a deauthorisation webhook.
Oura data — kept while your account is active. Deleted on account-deletion request. Deleted immediately when you disconnect Oura inside the app: this removes your synced sleep and readiness history along with the OAuth token.
Coaching notes, training plans, race records, threshold values — kept while your account is active. Deleted on account-deletion request.
Chat conversations — retained for up to 12 months from the last message in a conversation; older conversations are deleted during routine cleanup. You can also delete individual conversations from the app at any time.
Usage metadata (timestamps, model, input/output token counts, cost per turn) — kept while your account is active and erased on account deletion.
Account and authentication records — kept while your account is active. Removed on account-deletion request except where retention is required to satisfy a legal obligation.
9. Your rights and how to exercise them
You can, at any time:
Disconnect Strava from inside the app. This revokes the OAuth token and triggers immediate deletion of your Strava-sourced data: activities and their streams, lap splits, per-activity derived metrics (TSS, intensity factor, drift), and threshold suggestions. Athlete-level threshold values you've set yourself (FTP, threshold HR, etc.) are kept so they're still available if you reconnect later.
Disconnect Oura from inside the app. This revokes the Oura OAuth token and triggers immediate deletion of your Oura-sourced data: sleep sessions and daily readiness records.
Request a copy of your data by emailing privacy@whyamislow.com. We'll respond as soon as practicable.
Delete your account from inside the app (Settings → Delete account). This immediately removes all your data from live systems: Strava and Oura data, training plans, race records, threshold values, coaching notes, chat history, and your authentication record. Database backups are retained by our hosting provider for up to 30 days for disaster recovery, after which no copy of your data remains. Email privacy@whyamislow.com only if you cannot sign in.
Withdraw authorisation at Strava's end, via Strava's settings. Strava sends a deauthorisation webhook and we delete all your Strava-sourced data immediately.
10. Who sees your data
Only you (the authenticated athlete) and the developer (for support and operations) can access your account. We do not share your data with advertisers, analytics providers, or any third party outside the sub-processors listed in Section 6. Coaching analysis is produced and returned to you alone.
11. International transfer
Application data resides in Canada (Supabase ca-central-1). Anthropic, Resend, and Sentry may process requests in the United States. OAuth flows with Strava and Oura reach the regions those services operate in. By using why am i slow you consent to these transfers; each vendor is bound by its own privacy terms.
12. Monetisation model
why am i slow is not currently charged for. If paid tiers are introduced in future, they will cover the coaching and analysis layer (metric calculations, AI assistant, plan rendering, dashboard); this page will be updated before any charge takes effect. Your Strava-derived data itself is never sold, syndicated, or used for any purpose other than generating the analysis you see in the app.
13. Changes to this policy
We may update this policy as the service evolves. Material changes will be announced in the app. The "Last updated" date at the top of this page always reflects the current version.