In short: why am i slow stores the Strava and Oura data you authorise, uses it to generate coaching analysis for you, and never sells it or uses it to train AI models. You can disconnect Strava (which deletes your synced activity data) or ask us to delete your account at any time.
1. Who runs why am i slow
why am i slow is built and operated by James Newell, based in Vancouver, British Columbia, Canada. All data-related questions, access requests, and deletion requests go to privacy@whyamislow.com. James is the data controller for the information described below.
2. Data we collect
why am i slow only receives data from services you explicitly authorise via OAuth, or data you enter into the app yourself.
Strava — your Strava athlete ID and display name, and for each activity you sync: sport type, name you've given it, start date, duration, distance, elevation, average heart rate, average speed, calories, and the per-second time-series streams for heart rate, power (watts), velocity, cadence, altitude, distance, time, and the moving flag. We also store the starting latitude/longitude of each activity (a single point used for weather enrichment) but not the full GPS route.
Oura Ring (optional) — daily readiness scores, sleep score and stage breakdown (REM, deep, light, awake durations), sleep efficiency, resting heart rate, heart-rate variability, and body-temperature deviation.
Account data — the email address you use to sign in (managed by Supabase Auth) and a signed JSON Web Token (JWT) kept in your browser's sessionStorage to keep you logged in.
Content you create — training plans, coaching notes, race records, threshold values (FTP, threshold HR, CSS, etc.), and the full conversation history with the coaching assistant (your messages, the assistant's replies, and the tool calls it makes on your behalf).
Derived metrics — training load (TSS), fitness and fatigue scores (CTL, ATL, TSB), power curves, zone distributions, and other values computed from your activity streams.
why am i slow does not use marketing analytics or advertising identifiers. Error monitoring (Sentry, described in Section 6) captures exceptions so we can fix reliability issues; no third-party cookies are set.
3. Why we process your data
The single purpose is to generate personalised coaching analysis for you. Specifically:
Synchronising activities from Strava and health data from Oura.
Computing training-load metrics from your activity streams.
Producing conversational coaching responses via the AI assistant.
Delivering the plan, dashboard, and chat surfaces that make up the product.
The lawful basis is your consent when you connect Strava or Oura, and the app's legitimate interest in providing the coaching analysis you signed up for.
4. What we send to the AI assistant
The coaching assistant is powered by a third-party large language model (see Section 6). When you chat with the assistant, three kinds of data are sent to the model on your behalf:
Your message, along with the conversation so far. Prior messages in the same conversation are replayed so the assistant has context within the chat.
A system prompt (sent at the start of every turn). This contains: your display name, your threshold values, a summary of your current fitness (CTL, ATL, TSB, 7-day and 28-day TSS totals), a one-line summary of your most recent activity, your persistent athlete notes (injuries, goals, and free-form notes), upcoming-race context when relevant to planning, and — if Oura is connected — a daily recovery snapshot (last night's readiness, sleep score and hours, resting heart rate, heart-rate variability) plus 7-day averages and trend labels.
Tool results, when the assistant decides it needs more detail to answer your question. Most tools read your own data (individual activities, lap splits, metric history, plan compliance); some can write to your record on your behalf (save a coaching note, create or update a training plan, confirm a race). The assistant never acts on another athlete's data.
Your data is never used to train any AI model. why am i slow uses the Anthropic Claude API for all production chat. Under Anthropic's Commercial Terms of Service, Anthropic does not train on customer inputs or outputs by default. If the set of production LLM providers ever changes, this page will be updated before the change takes effect, and the no-training commitment will not be weakened.
5. How data is stored
Application data is stored in a Supabase-hosted PostgreSQL database (Canada Central region, ca-central-1). Row-level security policies are enabled on the athlete, activity, health, and chat tables to isolate data between athletes.
OAuth tokens (Strava and Oura) are encrypted at rest with Fernet symmetric encryption. The encryption key lives in an environment variable, never in the database or source code.
The application server runs on Render. Render stores the application code and environment variables only; no athlete data is persisted there.
Your browser also caches a small amount of dashboard data (your latest fitness snapshot, fitness trend, and plan summary) in localStorage, so the home screen renders instantly on return visits. This cache is cleared when you log out. No other athlete data is stored on your local device.
6. Sub-processors
We rely on the following vendors to deliver the service. Each is bound by its published terms and has access only to the data necessary for the role below.
Sentry (error monitoring) — receives server-side exception data: stack traces, request URL, HTTP method, and non-sensitive headers (e.g. content type, user agent). Authorization headers, cookies, admin keys, and request bodies are stripped before events are sent. Not used for product analytics or marketing. sentry.io/privacy
Strava and Oura — source services you authorise directly. See their privacy policies for how they handle data on their side.
7. Weather enrichment
When an activity includes GPS data, why am i slow sends the activity's starting location (latitude and longitude rounded to one decimal place — roughly city-level precision) and date to Open-Meteo to fetch historical weather conditions for that activity. Open-Meteo is a free weather API that requires no account; its handling of submitted queries is governed by its own terms.
8. Retention
Retention periods per data type:
Strava activities, streams, and derived metrics — kept while your account is active. Deleted on account-deletion request. Deleted immediately when you disconnect Strava inside the app, or when Strava sends a deauthorisation webhook.
Oura data — kept while your account is active. Disconnecting Oura revokes the token and stops future sync, but your historical Oura data remains in our database until you request deletion.
Coaching notes, training plans, race records, threshold values — kept while your account is active. Deleted on account-deletion request.
Chat conversations — retained for up to 12 months from the last message in a conversation; older conversations are deleted during routine cleanup. You can also delete individual conversations from the app at any time.
Usage metadata (timestamps, model, input/output token counts, cost per turn) — kept while your account is active and erased on account deletion.
Account and authentication records — kept while your account is active. Removed on account-deletion request except where retention is required to satisfy a legal obligation.
9. Your rights and how to exercise them
You can, at any time:
Disconnect Strava from inside the app. This revokes the OAuth token and triggers immediate deletion of your Strava-sourced data: activities and their streams, lap splits, per-activity derived metrics (TSS, intensity factor, drift), and threshold suggestions. Athlete-level threshold values you've set yourself (FTP, threshold HR, etc.) are kept so they're still available if you reconnect later.
Disconnect Oura from inside the app. This revokes the Oura OAuth token and stops future sync. Historical Oura data remains until you request its deletion.
Request a copy of your data by emailing privacy@whyamislow.com. We'll respond as soon as practicable.
Request full account deletion by emailing the same address. We'll remove your record as soon as practicable.
Withdraw authorisation at Strava's end, via Strava's settings. Strava sends a deauthorisation webhook and we delete all your Strava-sourced data immediately.
10. Who sees your data
Only you (the authenticated athlete) and the developer (for support and operations) can access your account. We do not share your data with advertisers, analytics providers, or any third party outside the sub-processors listed in Section 6. Coaching analysis is produced and returned to you alone.
11. International transfer
Application data resides in Canada (Supabase ca-central-1). Anthropic and Sentry may process requests in the United States. OAuth flows with Strava and Oura reach the regions those services operate in. By using why am i slow you consent to these transfers; each vendor is bound by its own privacy terms.
12. Monetisation model
There is currently no charge for why am i slow. If paid tiers are introduced in future, they will cover the coaching and analysis layer (metric calculations, AI assistant, plan rendering, dashboard); this page will be updated before any charge takes effect. Your Strava-derived data itself is never sold, syndicated, or used for any purpose other than generating the analysis you see in the app.
13. Changes to this policy
We may update this policy as the service evolves. Material changes will be announced in the app. The "Last updated" date at the top of this page always reflects the current version.