🚧

EnduraXβ„’ is in pre-launch beta β€” for invited testers only. Features may change and the app is still a work in progress. By using this app you acknowledge it has not been officially launched.

EnduraXβ„’DARSβ„’

Privacy Policy

Effective date: April 18, 2026

Important: EnduraX collects sensitive health data including menstrual cycle information, biometric data, and health-derived readiness scores. Your computed scores may be processed by third-party AI services to generate coaching suggestions (see Section 4.3). Please read this policy carefully.

1. Who we are

EnduraX ("we", "us", "our") operates the EnduraX DARS application at enduraxapp.com. DARS is a daily athlete readiness scoring tool for endurance athletes and their coaches. We are headquartered in New York, USA.

EnduraX is not a HIPAA-covered entity. DARS data is not protected health information (PHI) under HIPAA. EnduraX is a wellness and performance tracking tool, not a medical device or healthcare provider.

2. What data we collect

We collect the following categories of data:

  • Account data: Your email address and password (stored securely via Supabase Auth).
  • Profile data: Biological sex, date of birth, training level, primary sport, display name, height, and body weight β€” used to personalise your readiness score.
  • Check-in data: Daily self-reported inputs including sleep hours, sleep quality, fatigue, mood, soreness, stress, training duration, intensity, and fueling scores.
  • Menstrual cycle and period data: Period start dates, cycle length, and cycle phase β€” used to personalise your readiness score and training guidance. This data is collected only with your explicit consent via an opt-in toggle during onboarding. You can enable or disable cycle tracking at any time. This is sensitive health data treated with heightened protection (see Section 5).
  • Supplement and recovery modifier flags: Optional disclosures about supplement use or recovery medications that affect biometric interpretation. Entirely user-initiated.
  • Wearable data: If you connect an Oura Ring, we retrieve HRV, resting heart rate, sleep data, and SpO2. If you connect Strava, we retrieve training activity data. If you connect Garmin Connect, we retrieve heart rate, HRV, sleep, stress, Body Battery, steps, respiration, and activity data. If you opt in to Women's Health data sharing from Garmin, we also retrieve menstrual cycle schedule information. If you connect Whoop, we retrieve recovery score, HRV, resting heart rate, sleep data, strain, and workout data.
  • Payment data: Billing is handled by Stripe. We store your Stripe customer ID but never see or store full card details.
  • Usage data: Standard server logs (IP address, browser type, pages visited) for security and debugging.

3. How we use your data

  • To calculate and display your daily DARS readiness score.
  • To show your score history, trends, and RED-S risk indicators.
  • To allow coaches (if you join a coach's roster) to view your daily score, D1–D5 domain scores, and 7-day trend. Your personal notes are always private.
  • Coach alert emails: If your composite score drops below the "Rest Day Advised" threshold or your D5 RED-S indicator flags concern, we may send an automated alert email to your coach containing your computed readiness scores for that day. Alert emails contain only computed scores β€” no raw biometrics, cycle data, or personal notes. You can turn this off at any time in Settings β†’ Coach Roster.
  • AI training plan suggestions (coaches only): If your coach uses the Training Plans feature, your anonymised computed readiness scores may be sent to Anthropic's Claude AI to generate workout modification suggestions. No personally identifiable information is sent to Anthropic β€” only computed scores and planned workout details. See Section 4.3.
  • To process subscription payments via Stripe.
  • To improve the app and fix bugs.

4. Data sharing

We do not sell your personal data. We share data only with:

  • Supabase β€” database and authentication provider (US).
  • Vercel β€” application hosting.
  • Stripe β€” payment processing.
  • Resend β€” transactional email delivery (coach alerts, account verification, receipts).
  • Anthropic (Claude AI) β€” AI workout modification suggestions for coaching use. Anonymised computed scores only. No PII transmitted. See Section 4.3.
  • Sentry β€” error monitoring and performance tracking. Collects anonymised technical data (stack traces, device type, browser version) to identify and fix bugs. No health data or PII is sent to Sentry.
  • Oura / Strava / Garmin / Whoop β€” only if you connect these services; we receive data from them on your behalf.
  • Your coach β€” if you accept an invite to join a coach's roster, your daily DARS score, readiness label, D1–D5 domain breakdown, and 7-day trend are visible to that coach. You can leave a roster at any time.

4.3 AI Processing (Anthropic)

When your coach generates AI workout suggestions, only your anonymised computed DARS scores (composite and D1–D5 domain scores) and your planned workout details are sent to Anthropic. No name, email, cycle data, raw biometrics, or any identifier is ever sent to Anthropic. Anthropic cannot identify you from this data. AI suggestions are coaching reference tools only β€” your coach makes all final decisions. This processing is disclosed at onboarding and you can contact us to object.

5. Health data

EnduraX collects sensitive health-related information including HRV, sleep data, fatigue, mood, menstrual cycle data, and computed readiness scores derived from health inputs. We treat all such data with heightened care:

  • Health data is used solely to calculate your readiness score and provide the Service.
  • We do not use your health data for advertising, profiling, or any purpose beyond delivering the Service.
  • We do not sell your health data to any third party.
  • Coach alert emails contain only computed scores β€” no raw biometric values or sensitive health data categories.
  • AI processing uses only anonymised computed scores β€” no sensitive health data categories are sent to Anthropic.
  • Aggregated, de-identified data may be used for product research only in a form that cannot identify you.
  • If you delete your account, health data is deleted within 30 days.

5a. Legal basis for processing health data (GDPR Article 9)

  • Article 9(2)(a) β€” Explicit consent: Captured via in-app modal, documented with timestamp, and withdrawable at any time without penalty.
  • Article 9(2)(b) β€” Coaching context: Score data shared with coaches who have a legitimate coaching relationship with the athlete.
  • AI processing of anonymised scores: GDPR Article 6(1)(b) (performance of contract) and Article 5(1)(c) (data minimisation) β€” only the minimum computed scores necessary are transmitted, with no PII.

6. Data retention

  • Account and profile data: retained for the lifetime of your account.
  • Check-in and health data: retained for the lifetime of your account for historical trend analysis.
  • Training plan and workout data: retained for the lifetime of the coach account.
  • Coach notification records: retained for 12 months for deduplication, then deleted.
  • AI suggestion outputs: retained as part of your training plan records, subject to the same deletion rights.
  • Upon account deletion: personal data deleted within 30 days.
  • Washington State residents: absolute right to deletion under the My Health My Data Act.

7. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (processed within 30 days).
  • Export your check-in history using the CSV Export feature on the History page.
  • Withdraw consent for wearable data access by disconnecting Oura, Strava, Garmin, or Whoop in Settings.
  • Disconnect from a coach's roster at any time in Settings β†’ Coach Roster.
  • Turn off coach alert emails at any time in Settings β†’ Coach Roster β†’ "Coach alert emails" β€” without leaving your roster (GDPR Article 21 right to object).
  • Object to AI processing of your scores by contacting us. Note: this does not affect scores already shared with your coach on the dashboard.

To exercise any of these rights, contact us at rose@enduraxapp.com.

7a. California residents (CCPA/CPRA)

If you are a California resident, DARS scores and health data constitute Sensitive Personal Information under CCPA/CPRA. You have the right to limit our use of this data to purposes necessary to provide the Service. You also have the right to: know what data we collect; request deletion; opt out of the sale of personal information (we do not sell personal information); and non-discrimination for exercising your rights. To submit a CCPA request, email rose@enduraxapp.com.

7b. Washington State (My Health My Data Act)

If you are located in Washington State, you have additional rights under the MHMDA, including the absolute right to request deletion of your consumer health data with no exceptions. Contact us at rose@enduraxapp.com to exercise these rights.

8. Security

All data is transmitted over HTTPS (TLS). Data at rest is encrypted within Supabase. Row-level security ensures users can only access their own data. Access tokens for Oura, Strava, Garmin, and Whoop are stored encrypted. AI API calls to Anthropic use encrypted connections and contain no PII. Coach alert emails are sent via Resend over encrypted connections.

9. Cookies

We use only functional cookies required for authentication (session tokens). We do not use advertising or tracking cookies.

10. Children

EnduraX is intended for users 18 and older. Because we collect sensitive health data including menstrual cycle information, the Service is not appropriate for anyone under 18. We do not knowingly collect data from anyone under 18.

11. Anti-doping

EnduraX is not affiliated with and has no reporting obligations to WADA, USADA, UK Anti-Doping, or any other anti-doping organisation. No user data β€” including modifier flags, supplement disclosures, readiness scores, or AI suggestions β€” is reported to any anti-doping authority.

12. International data transfers

EnduraX operates primarily from the United States. If you access the Service from outside the US, your information may be transferred to and processed in the United States. Supabase and Vercel maintain EU data processing addenda for users who require them. For EU/UK users, data transfers to the US are made under Standard Contractual Clauses (SCCs) where required. Contact us at rose@enduraxapp.com to request applicable transfer documentation.

13. Changes to this policy

We may update this policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before changes take effect. Continued use after the effective date constitutes acceptance.

14. Contact

Questions about this policy? Email us at rose@enduraxapp.com. We aim to respond within 5 business days.

← Back to EnduraX