VaPlan

VaPlan Privacy Policy

Last updated: December 10, 2025

This Privacy Policy explains how VaPlan collects, uses, and protects personal data in compliance with GDPR (Regulation (EU) 2016/679) and applicable French law. Please read it alongside our Terms of Use.

1. Introduction

This Privacy Policy describes how VaPlan collects, uses, and protects user data in line with GDPR and the French Data Protection Act.

2. Data controller

Data controller: VaPlan, legal address: 142, rue de Rivoli, 75001 Paris, contact email: vaplan@protonmail.com.

3. Data collected

3.1 Google data (mandatory sign-in)

Access requires Google OAuth 2.0. With user consent, we receive: verified email, display name, optional profile photo, unique Google ID (sub). We never access Google passwords or Gmail/Drive/Contacts/private data. Docs: Google OAuth 2.0.

3.2 User-entered data

Training sessions, notes and comments, sport settings, intensity zones, goals.

3.3 Technical data

IP address, connection logs, browser/device type, technical cookies.

3.4 Data from sports APIs (if user connects a third-party service)

Examples: Strava, Garmin, Coros. Possible data: distance, duration, pace, heart rate (HR), power; GPS, elevation, segments, laps; public profile info; activity history.

4. Purposes of processing

4.1 Service operation

Google sign-in, account management, user data display.

4.2 Sports features

Session creation/management, stats analysis, charts/tables/performance, training planning.

4.3 Service improvement

UI optimization, bug fixing, new feature development.

4.4 Security

Abuse prevention, detection of unauthorized access, OAuth session controls.

5. Legal bases

Contract performance (account, access); consent (Google sign-in, analytics cookies, third-party APIs); legitimate interest (security, service improvement). For potentially sensitive sports data (e.g., heart rate), processing also relies on explicit user consent (GDPR Art. 9.2.a).

6. Cookies

6.1 Technical cookies (mandatory)

Session management, Google authentication, security.

6.2 Analytics cookies (optional)

Used only with user consent (CNIL). Examples: Google Analytics, Matomo.

7. APIs and third-party services

7.1 Google OAuth

No sensitive data transmitted; no access to emails or private data. Revoke at: https://myaccount.google.com/permissions

7.2 Sports APIs (Strava, Garmin, Coros…)

Only OAuth-authorized data are imported; used solely for sports features; access can be revoked from the third-party service; deletion of imported data can be requested.

8. Processors

Potential vendors: Hosting: Render, 525 Brannan St, Suite 300, San Francisco, CA 94107, USA; Database/servers: Coming soon™; Analytics: Coming soon™. All vendors are GDPR-compliant or provide equivalent safeguards.

9. Data retention

User account: as long as active. Sports data: until account deletion. Technical logs: up to 12 months. Analytics cookies: per user choice.

10. User rights

Rights: access, rectification, deletion, portability, objection, restriction, withdrawal of consent. Contact: vaplan@protonmail.com. CNIL complaints: https://www.cnil.fr/fr/plaintes

11. Security

Measures: secure Google authentication, HTTPS, encrypted token storage, protected databases, restricted internal access, anomaly monitoring.

12. Transfers outside the EU

Some services (Google, Strava, etc.) are outside the EU. Transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

13. Account deletion

You can delete your account via: [describe exact procedure or link]. Deletion immediately removes the account, sports data, and imported API data (unless legal obligations apply). This action is irreversible.

14. Changes to the Privacy Policy

This policy may be updated. The current version is the one displayed on this page.