Privacy Policy

Last updated: March 31, 2026

1. Introduction

Dynamic Strategy (a company incorporated in Portugal) ("WattsWise," "we," "us," or "our") operates the WattsWise web application at wattswise.app and the WattsWise companion application for Garmin Edge devices, available through the Garmin Connect IQ Store. This Privacy Policy covers both the web application and the Garmin companion app.

Data collected through the Garmin companion app is sent to and processed by WattsWise, not by Garmin. WattsWise is the data controller for all personal data described in this policy.

This policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over your data. We are committed to processing your data lawfully, fairly, and transparently in accordance with the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and applicable data protection legislation.

2. Data We Collect

We collect the following categories of data when you use WattsWise:

a) Data you provide directly

  • Account data — your name and email address.
  • Password — stored as a bcrypt hash. We never store or have access to your plaintext password.
  • Cycling profile — Functional Threshold Power (FTP), body weight, and power/heart-rate zones.

b) Data from third parties

  • Strava — OAuth tokens you authorise, activity summaries, athlete profile (including FTP), and detailed data streams including power, heart rate, cadence, speed, altitude, and temperature. Strava GPS coordinates are fetched on-demand for map display and are not permanently stored. OAuth tokens are encrypted at rest using AES-256-GCM. Strava data is used for your individual analytics (power curves, fitness charts, efficiency trends), AI coaching, training plan generation, and race pacing calculations.
  • Garmin .FIT file uploads — the same sensor data as above (power, heart rate, cadence, speed, GPS coordinates, temperature), uploaded directly from your device files.

c) Data from devices

  • Live GPS position — during course events, the Garmin companion app transmits your GPS position approximately every 4 seconds, along with a device identifier and timestamps. This only occurs during events you actively join.
  • Device pairing tokens — a 6-digit pairing code (5-minute TTL) and a JWT device token (90-day validity) used to authenticate your Garmin device with WattsWise.

d) Data we generate or calculate

  • FTP estimates and power zone calculations
  • Chronic Training Load (CTL), Acute Training Load (ATL), and Training Stress Balance (TSB) fitness metrics
  • Power curves and power duration models
  • Efficiency Factor and power-to-heart-rate regression analysis
  • Personalised training plans and periodisation schedules
  • Race pacing strategies and course-specific power targets
  • Nutrition plans for course events
  • Improvement assessments and performance trend analysis

e) AI coach data

  • Messages you send to and receive from the AI coach
  • Rider context included in prompts — your FTP, recent rides, fitness level, training plan, and stated goals

f) Blockchain data

  • WATTS token balances and transaction history
  • Verifiable credentials (race completions, FTP milestones, training achievements)
  • Private Vault records (cryptographic hashes only)
  • Selective disclosure grants you create for third parties

g) Payment data

  • Subscription status, Stripe customer ID, and Coinbase Commerce charge ID. We never store card numbers, CVVs, or raw payment credentials on our servers.

h) Technical data

  • Authentication cookies (httpOnly JWT tokens)
  • localStorage theme preference (light/dark mode)
  • IP address and user-agent string
  • Request metadata (timestamps, endpoints accessed)

3. How We Use Your Data

We use the data we collect for the following purposes:

  • Operate, maintain, and provide the WattsWise platform and cycling analytics.
  • Calculate fitness metrics, power curves, and performance trends from your activity data.
  • Generate personalised training plans and race pacing strategies.
  • Power the AI coach by sending conversation context (including rider metrics) to the Anthropic Claude API for processing.
  • Process subscription payments via Stripe and Coinbase Commerce.
  • Manage course events — live leaderboard updates, GPS position tracking, and prize claim validation.
  • Perform anti-cheat monitoring — analyse GPS trails, movement speed, timestamps, and trail continuity to ensure fair play (see Section 7).
  • Settle race results on the Midnight Network blockchain (cryptographic hashes only).
  • Manage WATTS token earning, spending, and balance tracking.
  • Mint verifiable credentials for achievements and milestones.
  • Send transactional emails — account verification, payment receipts, and policy change notifications.
  • Improve the service through aggregated, anonymised analytics.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with applicable legal obligations.

4. Third-Party Data Sharing

We share data with the following third parties only as necessary to operate the service:

| Third Party | Purpose | Data Shared |
|---|---|---|
| Strava | Syncing rides and activity data | OAuth tokens you authorise; activity data flows bidirectionally |
| Stripe | Card payment processing | Email address, billing details |
| Coinbase Commerce | Cryptocurrency payment processing | Order metadata |
| Anthropic (Claude) | AI coach conversation processing | Conversation messages, rider context (FTP, recent rides). Anthropic's commercial API does NOT use your data for model training. |
| Midnight Network | Blockchain settlement, tokens, credentials | Cryptographic hashes and zero-knowledge proofs only — NO personally identifiable information |
| Garmin | Connect IQ app distribution | App binary only; Garmin does NOT receive your WattsWise data |

Strava may monitor and collect usage data related to your use of the Strava integration within WattsWise. For details, see Strava's Privacy Policy. WattsWise processes Strava data in compliance with the GDPR and the UK GDPR. The legal basis for processing your Strava data is your explicit consent (Article 6(1)(a)) granted when you authorise the OAuth connection.

We do not sell your data. We do not share data with advertisers. We do not use tracking or advertising cookies.

5. Optional Data Use & Communications

Beyond providing the core platform services, WattsWise offers optional data use programmes and communication preferences that you control from Settings → Privacy. All options are opt-in and can be changed at any time. Changes take effect immediately.

Anonymised research

If you consent, your ride data (power, heart rate, cadence, GPS, elevation) may be included in anonymised datasets for sports science and cycling research. This includes studies in exercise physiology, aerobic efficiency, cardiac drift patterns, altitude adaptation, pacing strategies, and the effects of aging on endurance performance.

Separately, anonymised ride data may also be contributed to aggregated datasets for cycling infrastructure studies, route popularity analysis, and environmental research such as air quality impact on athletic performance.

All research data is fully anonymised — your name, email, and account identity are never included. Data is aggregated across many users and cannot be linked back to any individual. You can withdraw consent at any time; previously contributed anonymised data that has already been aggregated cannot be retroactively removed from published datasets.

Legal basis (GDPR): Your explicit consent (Article 6(1)(a)). You may withdraw consent at any time via Settings → Privacy without affecting the lawfulness of processing carried out before withdrawal.

Communications

You may opt in or out of the following communication categories:

  • Surveys and questionnaires — occasional invitations to participate in research questionnaires about training habits, equipment, nutrition, or the cycling experience. Participation is always voluntary.
  • Product updates and new features — emails about new WattsWise features, platform enhancements, and important changes to the service.
  • Local events and group rides — notifications about cycling events, sportives, and group rides in the regions where you ride, based on your GPS data. Your location data is only used to match events to your riding area and is never shared with event organisers.

We will never share your email address with third parties for marketing purposes. Transactional emails (account verification, payment receipts, security alerts) are always sent regardless of your communication preferences, as they are necessary for the operation of your account.

6. Blockchain Data

What goes on-chain

When you use blockchain features (WATTS tokens, verifiable credentials, race settlement, Private Vault), only SHA-256 hashes of data, zero-knowledge proofs, timestamps, and internal reference identifiers are recorded on the Midnight Network. No names, email addresses, GPS coordinates, or raw performance data are stored on the blockchain.

Immutability

Blockchain records are immutable by design and cannot be modified or deleted once written.

Right to erasure (GDPR Article 17)

If you exercise your right to erasure, WattsWise will:

  • (a) Delete all off-chain personal data from our database.
  • (b) Destroy the cryptographic keys that link on-chain hashes to your identity.
  • (c) Render on-chain records permanently unlinkable to you.

This "cryptographic erasure" makes the orphaned on-chain hashes meaningless — nobody, including WattsWise, can reconnect them to your identity after the mapping keys are destroyed.

Opt-out

You may opt out of blockchain features at any time via Settings > Blockchain. Core WattsWise features — analytics, training plans, AI coach — work fully without blockchain enabled. Opting out prevents new on-chain records but does not remove existing ones (which are already unlinkable to your identity without the off-chain mapping).

Legal basis

Processing of blockchain features is based on your explicit consent (GDPR Article 6(1)(a)). Consent for blockchain features is separate from consent for core platform features and can be withdrawn independently at any time.

7. Anti-Cheat Monitoring

What is monitored

During course events, WattsWise employs automated fair-play systems that analyse GPS position data, timestamps, movement speed, trail continuity, and device identifiers to detect fraudulent or irregular activity.

Automated decisions

The anti-cheat system may automatically reject prize claims, invalidate checkpoints, void event results, or forfeit WATTS tokens. This constitutes automated decision-making under GDPR Article 22.

Your rights

You have the right to request human review of any automated anti-cheat decision. To exercise this right:

  • Email info@dynamicstrategies.io within 14 days of the determination.
  • WattsWise will conduct human review within 14 business days.
  • Contested items (WATTS tokens, results, prize claims) will be held in pending status during the review period.

Legal basis

Anti-cheat monitoring is based on our legitimate interest in maintaining fair competition and preventing fraud.

Data retention

Anti-cheat GPS trail data is retained for 90 days after the event concludes, then automatically deleted.

WattsWise does not disclose the specific thresholds, parameters, or algorithms used by the anti-cheat system, as doing so would undermine its effectiveness.

8. Garmin Device Data

The WattsWise companion app for Garmin Edge devices collects data that is sent to and processed by WattsWise, not by Garmin. WattsWise is the data controller for all data collected through the companion app.

Data collected (during events only, opt-in)

  • GPS position (transmitted approximately every 4 seconds)
  • Device identifier
  • Timestamps

Pairing

Device pairing uses a 6-digit code with a 5-minute TTL (stored in Redis). Upon successful pairing, a JWT device token is issued with a 90-day validity period.

Important: location data is opt-in

Per Garmin Connect IQ developer requirements, location data collection is not the default. GPS position data is only transmitted when you actively join a course event on your device. You can stop transmitting at any time by exiting the event.

GPS position data collected during events is used for live leaderboard updates, prize claim validation, anti-cheat monitoring, and event result determination.

9. AI Coach Data

AI coach conversations are transmitted to Anthropic's Claude API for processing. Under Anthropic's commercial API terms, your conversations are NOT used to train Anthropic's AI models.

Rider context

When you send a message to the AI coach, WattsWise includes contextual information to personalise responses. This context includes your FTP, recent ride data, fitness level, current training plan, and stated goals.

Conversation retention and deletion

  • Conversations are stored in our database until you delete them or close your account.
  • You may delete individual conversations at any time via the Coach interface.
  • Upon account deletion, all AI coach conversations are permanently deleted.

Strava data and AI

Strava data referenced by the AI coach is used exclusively for providing you with personalised coaching feedback. This falls within Strava's API agreement exemption for coaching platforms providing user-specific feedback. Your Strava data is never used for AI model training, aggregate analysis, or any purpose other than your individual coaching experience.

10. Cookies and Local Storage

We maintain a minimal cookie footprint:

  • Authentication cookies — httpOnly, Secure, SameSite JWT cookies used solely to maintain your login session.
  • localStorage (theme) — your light/dark mode preference is stored in browser localStorage. This is client-side only and never leaves your device.

We do not use tracking cookies. We do not use analytics cookies. We do not use advertising cookies. We do not load third-party cookies of any kind.

11. Data Retention

We retain your data for the following periods:

| Data Type | Retention Period |
|---|---|
| Account data (name, email, password hash) | Until account deletion |
| Strava OAuth tokens | Until you disconnect Strava |
| Synced activity data (rides, streams, GPS) | Until account deletion |
| Training plans and race strategies | Until account deletion |
| AI coach conversations | Until you delete them or close your account |
| Live event GPS position data | 90 days after event |
| Anti-cheat trail data | 90 days after event |
| WATTS token balances and history | Until account deletion (forfeited on closure) |
| Verifiable credentials | Permanent (on-chain, unlinkable after erasure) |
| Private Vault records | Until you remove them or close your account |
| Disclosure grants | Until you revoke them or close your account |
| Device pairing tokens | 90 days (auto-expire) |
| Notifications | 30 days (TTL auto-cleanup) |
| Payment records | As required by applicable financial and tax law |
| Server logs (IP address, user-agent) | 90 days |
| Email verification tokens | 24 hours |

Strava deauthorisation: If you revoke WattsWise's access from your Strava account settings, we will automatically delete your Strava OAuth tokens and all synced activity data within 48 hours of receiving the deauthorisation notification.

Strava data caching: Cached analytics derived from Strava data are retained for a maximum of 7 days and are refreshed automatically.

Withdrawing Strava consent: You can withdraw consent and delete your Strava data in three ways: (1) use the “Delete all Strava data” button in Settings, which removes all synced rides and disconnects your account; (2) click “Disconnect” in Settings to revoke access and remove synced data; or (3) revoke WattsWise's access directly from your Strava account at strava.com/settings/apps, which triggers automatic deletion within 48 hours. For any data deletion questions, contact info@dynamicstrategies.io.

12. Data Export

You may export your personal data in machine-readable JSON format at any time via Settings > Export Data, or by emailing info@dynamicstrategies.io.

This supports your right to data portability under GDPR Article 20. Your export includes:

  • Account data and cycling profile
  • Activity data (rides, streams, GPS routes)
  • Training plans and race strategies
  • AI coach conversations
  • WATTS token balance and transaction history
  • Verifiable credential records

13. Your Rights (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Portugal, you have the following rights under applicable data protection law:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure (right to be forgotten) — request deletion of your personal data. See Section 5 for the blockchain caveat: on-chain hashes cannot be deleted, but cryptographic erasure renders them permanently unlinkable to your identity.
  • Portability — receive your data in a structured, machine-readable format (see Section 12).
  • Restriction — request that we limit processing of your data.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing. This is especially relevant for blockchain features, which are based on explicit consent.
  • Automated decision-making — request human review of automated anti-cheat decisions that affect you (see Section 6).
  • Supervisory authority — you have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) or your local data protection authority.

To exercise any of these rights, contact us at info@dynamicstrategies.io. We will respond within 30 days.

14. International Data Transfers

Your data is processed in the EU, the United Kingdom, and the United States. Third-party processors — including Anthropic, Stripe, and Coinbase — may process data in the United States.

For transfers of personal data outside the EEA and the United Kingdom, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as appropriate safeguards under GDPR Article 46.

Midnight Network nodes may replicate data across multiple jurisdictions. However, only cryptographic hashes and zero-knowledge proofs — not personally identifiable information — are stored on-chain.

15. Children's Privacy

WattsWise is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected personal data from a child under 16, we will delete it promptly. If you believe we hold data about a child under 16, please contact info@dynamicstrategies.io.

16. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. Your continued use of WattsWise after the effective date of any updated policy constitutes your acceptance of the changes.

17. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, you can reach us at:

Data controller: Dynamic Strategy, Portugal.