VaPlan Privacy Policy

This Privacy Policy explains how VaPlan collects, uses, and protects personal data in compliance with GDPR (Regulation (EU) 2016/679) and applicable French law. Please read it alongside our Terms of Use.

1. Introduction

This Privacy Policy describes how VaPlan collects, uses, and protects user data in line with GDPR and the French Data Protection Act.

2. Data controller

Data controller: VaPlan, legal address: 60, rue François 1er – 75008 Paris, contact email: vaplan@protonmail.com.

3. Data collected

3.1 Authentication data

Access can use email magic-link (confirmation email) or Google OAuth 2.0. For email sign-in, we store your email and temporary one-time connection tokens (hashed server-side). For Google sign-in, with user consent we receive verified email, display name, optional profile photo, and unique Google ID (sub). We never access Google passwords or Gmail/Drive/Contacts/private data. Docs: Google OAuth 2.0.

3.2 User-entered data

Training sessions, notes and comments, sport settings, intensity zones, goals.

3.3 Technical data

IP address, connection logs, browser/device type, technical cookies.

3.4 Data from sports APIs (if user connects a third-party service)

Examples: Strava, Garmin, Coros. Possible data: distance, duration, pace, HR, power; GPS, elevation, segments, laps; public profile info; activity history.

4. Purposes of processing

4.1 Service operation

Email/Google sign-in, account management, user data display.

4.2 Sports features

Session creation/management, stats analysis, charts/tables/performance, training planning.

4.3 Service improvement

UI optimization, bug fixing, new feature development.

4.4 Security

Abuse prevention, detection of unauthorized access, OAuth session controls.

5. Legal bases

Contract performance (account, access); consent (OAuth sign-in, analytics cookies, third-party APIs); legitimate interest (security, service improvement). For potentially sensitive sports data (e.g., heart rate), processing also relies on explicit user consent (GDPR Art. 9.2.a).

6. Cookies

6.1 Technical cookies (mandatory)

Session management, authentication, security.

6.2 Analytics cookies (optional)

Used only with user consent (CNIL). Examples: Google Analytics, Matomo.

7. APIs and third-party services

7.1 Google OAuth

No sensitive data transmitted; no access to emails or private data. Revoke at: https://myaccount.google.com/permissions

7.2 Sports APIs (Strava, Garmin, Coros…)

Only OAuth-authorized data are imported; used solely for sports features; access can be revoked from the third-party service; deletion of imported data can be requested.

8. Processors

Potential vendors: Hosting: Render, 525 Brannan St, Suite 300, San Francisco, CA 94107, USA; Database/servers: Coming soon™; Analytics: Coming soon™. All vendors are GDPR-compliant or provide equivalent safeguards.

9. Data retention

User account: as long as active. Sports data: until account deletion. Technical logs: up to 12 months. Analytics cookies: per user choice.

10. User rights

Rights: access, rectification, deletion, portability, objection, restriction, withdrawal of consent. Contact: vaplan@protonmail.com. CNIL complaints: https://www.cnil.fr/fr/plaintes

11. Security

Measures: secure authentication (one-time email links and OAuth), HTTPS, encrypted token storage, protected databases, restricted internal access, anomaly monitoring.

12. Transfers outside the EU

Some services (Google, Strava, etc.) are outside the EU. Transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

13. Account deletion

You can delete your account via: [describe exact procedure or link]. Deletion immediately removes the account, sports data, and imported API data (unless legal obligations apply). This action is irreversible.

14. Changes to the Privacy Policy

This policy may be updated. The current version is the one displayed on this page.