Privacy Policy.

Last updated: 26 May 2026

1. Who we are

The Everyday Athlete (“we”, “us”, “our”) operates the platform at everydayathletehub.com. We are the data controller for personal data collected through this website and the member platform.

If you have any questions about this policy or how we handle your data, please contact us at sarah@everydayathletehub.com.

2. What data we collect

We collect the following categories of personal data:

  • Account data: your name, email address, and password (stored as a secure hash) when you accept an invitation to join the platform.
  • Profile data: optional information you choose to add, including a profile photo, biography, running or fitness goals, social media links (Strava, Instagram, LinkedIn), and pace group preference.
  • Activity data: workout logs and race entries you submit manually within the platform, and — if you choose to connect a third-party device or service — workout summaries pushed from that service (see section 5).
  • Challenge submissions: content you post as part of monthly challenges, including photos, distances, times, and any comments or reactions.
  • Training data: the training plan you are following, your compliance log, and your target event date.
  • Forum activity: posts and replies made in the community forum.
  • Usage data: standard server logs including IP address, browser type, and pages visited, retained for security and diagnostic purposes.

3. How we use your data

We use your personal data to:

  • Provide and maintain your access to the platform.
  • Display your profile and activity to other members of your hub where you have chosen to make it visible.
  • Power the monthly challenge, race calendar, training plan, and leaderboard features.
  • Allow coaches to monitor training progress and engagement across the hub in aggregate.
  • Send you platform notifications and transactional emails (e.g. invitation, challenge reminders).
  • Respond to support requests and troubleshoot issues.
  • Comply with legal obligations.

We do not use your data for advertising, sell it to third parties, or use it to train machine-learning models.

4. Legal basis for processing

We rely on the following legal bases under UK GDPR:

  • Contract: processing your account data is necessary to deliver the platform services you have agreed to use.
  • Legitimate interests: usage logs and security monitoring, where our interest in running a safe, reliable service is not overridden by your privacy rights.
  • Consent: optional integrations with third-party services such as Strava or COROS, which you can withdraw at any time by disconnecting the integration in your profile settings.

5. Third-party integrations

You may optionally connect your Strava or COROS account to The Everyday Athlete. If you do:

  • We receive workout summary data (sport type, duration, distance, heart rate, and similar metrics) from that service and display it in your personal activity feed.
  • Your OAuth access tokens are stored securely and used only to retrieve data on your behalf — they are never shared with other users or third parties.
  • You can disconnect the integration at any time. Disconnecting removes your stored tokens from our systems immediately.

These integrations are governed by Strava's and COROS's own privacy policies in addition to this one.

6. Data sharing

We share personal data only with the following categories of recipients:

  • Supabase: our database and authentication provider, hosted in the EU. Data is processed under a data processing agreement.
  • Vercel: our hosting provider. Request logs may pass through Vercel infrastructure located in the EU and US.
  • Resend: our transactional email provider, used to send invitation and notification emails.
  • Coaches and hub admins: coaches and company administrators can see member profiles and aggregate engagement within their hub. They cannot see data from other hubs.
  • Law enforcement or regulators: where required by applicable law.

7. Data retention

We retain your personal data for as long as your account is active or as necessary to provide the service. If you request deletion of your account, we will erase your personal data within 30 days, except where we are required to retain it by law (for example, financial records).

Challenge submissions and forum posts may be anonymised rather than deleted so that leaderboards and discussions remain coherent for other members.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data — you can update most profile data directly in settings.
  • Have your account and data erased (“right to be forgotten”) on request.
  • Receive a copy of your data in a machine-readable format (data portability).
  • Object to processing based on legitimate interests.
  • Withdraw consent for optional integrations at any time.

To exercise any of these rights, email sarah@everydayathletehub.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

9. Cookies

We use a single session cookie to keep you logged in. We do not use advertising, analytics, or tracking cookies. No consent banner is required for strictly necessary cookies.

10. Security

All data is transmitted over HTTPS. Passwords are never stored in plain text. Access tokens for third-party integrations are stored encrypted. We apply row-level security policies so that users can only access data they are authorised to see.

11. Changes to this policy

We may update this policy from time to time. When we do, we will revise the “last updated” date at the top of this page. Material changes will be communicated to active members by email.