Data Privacy & Security
Last updated: March 21, 2026
We take data privacy and security seriously. This page explains how we collect, use, store, and protect your personal and fitness data.
Our Commitment
At 10YX, we believe your data is yours. We are committed to:
- Transparent data practices — you always know what we collect and why
- Strong encryption — your data is protected in transit and at rest
- Minimal data retention — we only keep data as long as necessary
- No data sharing — we never sell or share your data with third parties
- GDPR compliance — you have full control over your data
Data We Collect
From Garmin Connect
When you authorize our service to access your Garmin account, we collect:
- Training activities (running, cycling, swimming, yoga, strength training)
- Activity details (distance, duration, pace, heart rate, elevation, cadence)
- Training load and recovery metrics
- Sleep data (duration, quality, REM/deep sleep)
- Stress and HRV (Heart Rate Variability) data
- Body metrics (weight, body fat percentage)
From Your Account
To provide our service, we collect:
- Email address
- Name
- Training preferences and goals
- Notification preferences
- App settings and customizations
Usage Data
To improve our service, we collect:
- App crash reports (to identify and fix bugs)
- Feature usage analytics (which features you use, how often)
- Performance metrics (app load times, API response times)
- Error logs (to improve reliability)
How We Use Your Data
Primary Use: Personalized Training Insights
Your Garmin data is used to generate personalized daily training recommendations. This is the core purpose of our service.
Secondary Uses
- Identify bugs — crash reports help us fix issues and improve stability
- Send notifications — we send you daily briefings and optional alerts
We do not analyse or aggregate user data to train our models or improve our algorithms. Your data is used solely to generate your recommendations.
What We DON'T Do
- Sell your data to third parties or advertisers
- Share your data with other users or platforms
- Use your data for marketing without explicit consent
- Store your data longer than necessary
- Share your data with other companies for their benefit
- Use your data for purposes you didn't authorise
Data Retention
We retain personal data only as long as necessary to provide the service. Our principles:
- When you delete your account or revoke access, your data is deleted
- We do not retain data beyond what is required to deliver and improve the service
- Anonymised, aggregated data (which cannot identify you) may be retained for service improvement
- Specific retention periods will be published when the service launches
Data Security
Encryption
- In Transit — all data transmitted via HTTPS/TLS 1.3
- At Rest — sensitive data encrypted with AES-256 (via SQLCipher and AWS default encryption)
- Secrets — API keys and credentials managed via SOPS/age encryption, never stored in plaintext or committed to version control
Operational Security
- Minimal attack surface — only services required for the application are exposed
- Automated encrypted backups
- Rate limiting on API endpoints
- OAuth 2.0 for all third-party integrations (no passwords stored)
Third-Party Services
We use the following third-party services:
- Garmin Connect API — OAuth 2.0 authentication (pending developer program acceptance)
- AI processing — we may use commercial LLM APIs and/or local on-device inference to generate your personalised recommendations. When commercial APIs are used, only the minimum data necessary is sent, and we select providers whose terms guarantee your data is not used for model training. When local inference is used, your data does not leave your device.
- Cloud Infrastructure — AWS with default encryption enabled
Your Rights (GDPR & Privacy Laws)
You have the following rights regarding your data:
- Right to Access — request a copy of all your data
- Right to Correction — update inaccurate or incomplete data
- Right to Deletion — request deletion of your data (right to be forgotten)
- Right to Portability — export your data in a standard format
- Right to Objection — opt out of certain data uses (e.g., analytics)
- Right to Restrict Processing — limit how we use your data
To exercise any of these rights, contact us at info@10yx.co. We will respond within 5 business days.
Compliance
We comply with the following privacy regulations:
- GDPR (General Data Protection Regulation) — as an EU-registered company, we operate under EU data protection law
Changes to This Policy
We may update this policy as our services evolve. We will notify you of significant changes via email and update the "Last updated" date above.
Contact Us
Questions about data privacy or security?
10yx OÜ
Sakala tn 7-2, Kesklinna linnaosa, Tallinn, Harju maakond, 10141
Email: info@10yx.co
Response time: Within 5 business days