Our commitment
At 10yx, your data is yours. We are committed to:
- Transparent data practices — you always know what we collect and why
- Strong encryption — your data is protected in transit and at rest
- Minimal retention — we keep data only as long as necessary
- No data sharing — we never sell or share your data with third parties
- GDPR compliance — you have full control over your data
Data we collect
From Garmin Connect
When you authorise access to your Garmin account, we collect:
- Training activities (running, cycling, swimming, yoga, strength training)
- Activity details (distance, duration, pace, heart rate, elevation, cadence)
- Training-load and recovery metrics
- Sleep data (duration, quality, REM/deep sleep)
- Stress and HRV (Heart Rate Variability) data
- Body metrics (weight, body-fat percentage)
From your account
- Email address and name
- Training preferences and goals
- Notification preferences
- App settings and customisations
Usage data
- App crash reports (to identify and fix bugs)
- Feature-usage analytics (which features you use, how often)
- Performance metrics (load times, API response times)
- Error logs (to improve reliability)
How we use your data
Primary use — personalised insight
Your Garmin data is used to generate personalised daily training recommendations. This is the core purpose of our service.
Secondary uses
- Identify bugs — crash reports help us fix issues and improve stability.
- Send notifications — we send daily briefings and optional alerts.
We do not analyse or aggregate user data to train our models. Your data is used solely to generate your recommendations.
What we don't do
- Sell your data to third parties or advertisers
- Share your data with other users or platforms
- Use your data for marketing without explicit consent
- Store your data longer than necessary
- Use your data for purposes you didn't authorise
Data retention
We retain personal data only as long as necessary to provide the service:
- When you delete your account or revoke access, your data is deleted
- We do not retain data beyond what is required to deliver and improve the service
- Anonymised, aggregated data (which cannot identify you) may be retained for service improvement
- Specific retention periods will be published when the service launches
Data security
Encryption
- In transit — all data transmitted via HTTPS / TLS 1.3
- At rest — sensitive data encrypted with AES-256 (via SQLCipher and AWS default encryption)
- Secrets — API keys and credentials managed via SOPS / age, never stored in plaintext or committed to version control
Operational security
- Minimal attack surface — only required services are exposed
- Automated encrypted backups
- Rate limiting on API endpoints
- OAuth 2.0 for all third-party integrations (no passwords stored)
Third-party services
- Garmin Connect API — OAuth 2.0 (pending developer-program acceptance)
- AI processing — commercial LLM APIs and/or local on-device inference. When commercial APIs are used, only the minimum data necessary is sent, to providers whose terms guarantee your data is not used for training. With local inference, your data never leaves your device.
- Cloud infrastructure — AWS with default encryption enabled
Your rights (GDPR)
- Access — request a copy of all your data
- Correction — update inaccurate or incomplete data
- Deletion — request deletion (right to be forgotten)
- Portability — export your data in a standard format
- Objection — opt out of certain uses (e.g. analytics)
- Restrict processing — limit how we use your data
To exercise any of these rights, contact us at [email protected]. We will respond within 5 business days.
Compliance
As an EU-registered company, we operate under the GDPR (General Data Protection Regulation).
Contact us
Questions about data privacy or security?
10yx