Privacy Policy
Effective Date: January 16, 2025
Last Updated: June 2, 2026
Language Notice: This document is available in both English and Greek. In the event of any inconsistency or conflict between the two versions, the English version shall prevail and be considered the official and legally binding version.
Overview
Welcome to Beyond the Finish Line ("we," "us," or "our") Endurance Coaching. This Privacy Policy explains how we collect, use, share, retain, and protect personal data when you visit our website, use our platform or coaching services, connect third-party services, or communicate with us. Where we rely on your consent for a specific type of processing, you may withdraw that consent as described below. Withdrawal does not affect processing that was lawful before the withdrawal.
Controller and Contact
For the purposes of this Policy, Beyond the Finish Line Coaching is the controller for personal data processed in connection with the website, platform, and coaching services. For privacy questions, rights requests, or data protection concerns, contact us at info@bflcoaching.com.
1. Information We Collect
We collect information that you provide directly, data collected automatically, and information from third-party sources.
1.1 Information You Provide Directly
- Basic Account Information: Includes your full name, email address, age confirmation or age where provided, running history and goals, phone number, country, city, height, weight, and emergency contact information.
- Sensitive Health Data: Medical and injury history, pre-existing medical conditions, medications, and other health-related information necessary for safe and effective coaching. This constitutes sensitive personal data under GDPR and is subject to enhanced protection measures (see Section 1.4 below).
- Transaction and Billing Information: When purchasing our services, we may process contact details, billing details, payment status, and transaction references. Current payments are handled through Revolut, cash, or another method agreed with you in writing. If card billing is enabled in the future, Stripe may process card and transaction details as a third-party payment provider.
- Athlete-Provided Content: Content such as race reports, blog posts, messages, attachments, profile photos, GPX/route files, feedback, photos, and results. Public use of content, such as testimonials or race reports, is made only where we have appropriate permission or consent.
- Race-Day and Crewing Information: When in-person race support is agreed, we may collect race details, bib number, route schedule, meeting points, aid-station plan, live-tracking or location information you share, nutrition/equipment choices, travel and accommodation details where needed, emergency contacts, and communications with you, support personnel, or the race organizer.
- Comments and Reviews: Feedback and testimonials may be displayed on our website or social media channels.
1.2 Information Collected Automatically
- Log Information: Browser type, IP address, unique device identifiers, language preferences, referring site, access date and time, and operating system.
- Usage Information: Website interactions, including pages viewed and actions performed.
- Location Information: Approximate location derived from IP addresses.
- Cookies and Tracking Technologies: Information collected via cookies, browser storage, and similar technologies for essential functionality, security, preferences, consent-based analytics, and performance monitoring.
1.3 Information from Other Sources
Intervals.icu Integration:
When you connect your Intervals.icu account to our platform, we request the following permissions (OAuth scopes):
- ACTIVITY:READ - Access to your training activities, including runs, rides, and other workouts
- WELLNESS:READ - Access to wellness data such as sleep, stress, and recovery metrics
- CALENDAR:WRITE - Ability to add planned workouts to your training calendar
- SETTINGS:READ - Access to your account settings and preferences
Data We Receive and Store:
- Activity data: distance, duration, pace, heart rate, elevation, calories, and training load metrics
- Workout details: planned and completed workouts, including timing and performance data
- Running thresholds: pace zones and threshold calculations
- Wellness scores: when available from your connected devices
Data Security:
- Your Intervals.icu access tokens are encrypted using AES-256-GCM encryption before storage
- We use secure webhook connections for real-time activity synchronization
- You can disconnect your Intervals.icu account at any time through your platform settings
Other Platforms:
We may also receive data from other platforms you authorize, including Strava directly or Garmin, Wahoo, Zwift, Suunto, Coros, and Polar through Intervals.icu. The data shared depends on the permissions you grant these platforms.
1.4 Special Category Data (Health Data) Protection
Medical and injury information, health conditions, and related data constitute "special category data" under the General Data Protection Regulation (GDPR) Article 9, requiring explicit consent and enhanced protection.
Enhanced Security Measures for Health Data:
- Health data is stored in controlled platform systems, including Google Firebase/Firestore and Firebase Storage where applicable, with encryption in transit and provider-level security measures.
- Access to health data is strictly limited to the Coach and authorized personnel on a need-to-know basis only.
- Health data is kept separate from publicly accessible information and is not publicly shared without your consent.
- We implement appropriate technical and organizational measures including password protection, two-factor authentication, and regular security reviews.
- Health data is retained only as long as necessary to provide coaching services and comply with legal obligations.
Legal Basis for Processing Health Data: We process your health data based on your explicit consent provided when you submit your medical history and health information to us. You have the right to withdraw this consent at any time by contacting us at info@bflcoaching.com. However, withdrawal of consent may affect our ability to provide safe and effective coaching services.
2. How We Use Your Information
- Setting up and managing accounts.
- Delivering coaching and related services.
- Coordinating optional race-day support or in-person crewing.
- Personalizing and improving your experience.
- Processing payments and transactions.
- Sending communications including:
  - Workout reminders and training notifications
  - Missed workout alerts
  - Weekly training summaries
  - Training streak milestones and achievements
  - Training load warnings (overtraining/undertraining alerts)
  - Progress updates and goal tracking
  - New training week publications
  - Account and subscription updates
  - Marketing offers and promotions (with your consent)
- Analyzing trends and service quality.
- Complying with legal obligations and protecting rights.
You can manage your email preferences and unsubscribe from specific notification types through your account settings or by contacting us.
3. Legal Bases for Processing (For EU Users)
- Contractual Necessity: To provide services and fulfill agreements.
- Legitimate Interests: For security, abuse prevention, service improvement, error diagnosis, audit logging, and protecting legal rights.
- Consent: For non-essential analytics, direct marketing, push notifications, optional third-party integrations, and health-data processing where required.
- Legal Obligations: To comply with applicable laws or lawful requests.
4. Sharing of Information
Vendors
- Cloud Infrastructure: Google Firebase Authentication, Firestore, Firebase Storage, Firebase Cloud Messaging, Vercel hosting, and Railway workers
- Payment Processors: Revolut for current payments; Stripe may be used if card billing is enabled in the future
- Analytics: Umami Analytics when you accept optional analytics
- Email Service: Resend (transactional emails)
- Error Monitoring: Sentry for error and performance diagnostics, with data minimization where practical
- Performance Monitoring: Vercel Speed Insights
- Integrations and Training Data: Intervals.icu and Strava for connected athlete activity and workout data
- Weather, Media, and Infrastructure: Open-Meteo for route weather, Bunny CDN/Stream for media delivery, and Upstash Redis for rate limiting and queue-related infrastructure
Coach Access to Your Data
When you are assigned to a coach on our platform, your coach has access to:
- Your complete athlete profile, including training history and goals
- All synced activities and workout data from connected platforms
- Training load metrics and performance trends
- Self-assessment scores and weakness evaluations
- Planned and completed workouts
Your coach may also:
- Create and modify your training plans
- Add notes and feedback to your workouts
- Receive notifications about your training activity and progress
- Override or update your self-assessment data when appropriate
This access is necessary to provide personalized coaching services. Your coach is bound by confidentiality obligations and may only use your data for coaching purposes.
Other Sharing
- Employees and Contractors: For service delivery on a need-to-know basis.
- With Consent: For publicly sharing race reports or testimonials.
- Legal Compliance: In response to lawful requests or to protect our rights.
- Business Transfers: If Beyond the Finish Line undergoes acquisition or merger.
5. Retention of Information
We retain your personal data for different periods depending on the type of data and purpose:
Account Data
- Active accounts: Retained for the duration of your coaching relationship plus 3 years for legal compliance
- Account deletion requests: Processed within 30 days; some data may be retained for legal obligations
Training and Activity Data
- Synced activities and workouts: Retained for the duration of your account
- Training load history: Retained for the duration of your account to maintain accurate calculations
Security and Authentication
- Login sessions: Automatically expire after inactivity
- Email verification tokens: 24 hours
- Password reset links: 15 minutes
- OAuth state tokens: 10 minutes
Communications
- Email logs: Retained to prevent duplicate sending
- Support requests: Retained for 2 years after resolution
- Platform conversations: Message text in shared coach/athlete conversations may be retained for service continuity, safety, accountability, dispute resolution, or legal claims. When you delete your account, we reduce visible identity details on retained messages, remove read receipts, and delete attachment files you uploaded unless retention is required for a legal or safety reason.
- Webhook, audit, error, and security logs: Retained as needed for security, troubleshooting, fraud prevention, and legal obligations
Comments and Public Content
- Race reports and testimonials: Retained indefinitely unless removal is requested
Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required for legal compliance, dispute resolution, or fraud prevention.
6. Your Rights
If you are in the European Union or similar jurisdictions, you may have the following rights:
- Access, Correction, and Deletion: Request access to, correction of, or deletion of your data.
- Restrict Processing: Limit how your data is processed.
- Object to Processing: Decline specific types of data processing.
- Withdraw Consent: Revoke consent for optional data processing.
- Data Portability: Receive your data in a portable format.
To exercise these rights, contact us at info@bflcoaching.com.
You may also lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus. The authority publishes contact details including commissioner@dataprotection.gov.cy and +357 22818456.
7. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to improve your experience and analyze how our website is used. Non-essential analytics and client-side error monitoring are enabled only after you accept them.
Types of Cookies We Use
Strictly Necessary Cookies (No consent required):
- Language Preference: Stores your selected language (English/Greek)
- Authentication Session: Firebase authentication cookies that keep you logged into the platform
- Cookie Consent: Stores your cookie preference choice
- Browser and Offline Storage: The platform may use localStorage, sessionStorage, IndexedDB, and PWA caches for language choice, Firebase offline cache, pending offline actions, app installation, and account activity state
Analytics Cookies (Consent required):
- Umami Analytics: We use Umami Analytics, a privacy-friendly analytics service, to understand how visitors interact with our website, including page views, time spent on pages, traffic sources, and user behavior patterns. Umami is designed as a limited-data analytics service without traditional tracking cookies. The data is used to improve our website and services.
- Sentry (Error Monitoring): We use Sentry to monitor website errors, performance issues, and user experience problems. This helps us identify and fix technical issues quickly. Sentry may collect information such as error messages, browser type, IP addresses, technical device context, and account or request details where needed to diagnose an issue. We limit data where practical and use it to improve website functionality, security, and user experience.
Managing Your Cookie Preferences
You can control and manage cookies in several ways:
- Browser Settings: Most web browsers allow you to manage cookie preferences through your browser settings. You can set your browser to refuse cookies or delete certain cookies. Please note that disabling cookies may affect the functionality of our website.
- Platform Settings: Signed-in users can reset their cookie choice from Privacy Controls in Settings so the consent banner is shown again.
For more information about Umami's privacy practices, please visit Umami's Privacy Policy.
8. International Data Transfers
Beyond the Finish Line operates primarily in Cyprus. However, some of our service providers and technology platforms may be located outside the European Economic Area (EEA), including in the United States and other countries.
When your personal data is transferred outside the EEA, we ensure appropriate safeguards are in place to protect your information in accordance with GDPR requirements. These safeguards include:
- Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission for transfers to countries without adequate data protection laws.
- Adequacy Decisions: We may transfer data to countries that the European Commission has determined provide an adequate level of data protection.
- Service Provider Commitments: Where required, we rely on appropriate contracts, transfer mechanisms, and service-provider arrangements. Our third-party service providers (such as Google Firebase, Vercel, Railway, Umami Cloud, Sentry, Resend, Stripe if enabled, Revolut, Intervals.icu, Strava, Open-Meteo, Bunny, and Upstash) have their own obligations and privacy notices.
Third-party services that may involve international data transfers include:
- Google Firebase/Firestore/Storage/FCM - United States
- Umami Cloud (website analytics) - United States
- Sentry (error monitoring) - United States
- Resend (transactional email) - United States
- Stripe (conditional card billing infrastructure) - United States
- Revolut - United Kingdom/EEA
- Vercel and Railway (hosting, workers, and performance monitoring) - Various
- Intervals.icu and Strava (connected training platforms) - Various
- Open-Meteo, Bunny, and Upstash - Various
If you have questions about international data transfers or would like more information about the safeguards we have in place, please contact us at info@bflcoaching.com.
9. Third-Party Services
Our website may include links to external platforms or embedded content. We are not responsible for their privacy practices. Review their privacy policies before sharing information.
10. Security Measures
We implement reasonable security measures, including encryption and secure storage systems, to protect your data. However, no system is entirely secure, and absolute protection cannot be guaranteed.
11. Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we are committed to responding promptly and transparently in accordance with GDPR requirements.
Our Data Breach Response Process:
- Timely Notification: If we become aware of a personal data breach, we will assess the risk and notify the competent supervisory authority where required. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR requirements.
- Breach Details: We will inform you about the nature of the breach, including the categories and approximate number of individuals affected, the categories and approximate number of personal data records concerned, and the likely consequences of the breach.
- Mitigation Measures: We will describe the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects and steps you can take to protect yourself.
- Contact Information: We will provide contact details for our data protection point of contact where you can obtain more information about the breach.
If you suspect any unauthorized access to your account or personal information, please contact us immediately at info@bflcoaching.com.
12. Updates to This Policy
We may revise this Privacy Policy periodically. Updates will include a "Last Updated" date, and significant changes will be communicated via email or our website.
13. Contact Information
For questions or concerns about this Privacy Policy, contact us at: info@bflcoaching.com
This Privacy Policy is provided for transparency about our personal-data practices. It does not limit rights that cannot be limited under applicable law.