Privacy Policy

Who We Are and Scope

LactateLab is a training and lactate analysis product. This policy explains how LactateLab handles data in the current web and API implementation, including account data, workout imports, lactate measurements, photo OCR ingestion, integrations, sessions, logs, retention, and user choices.

This policy covers LactateLab-operated services. Third-party services you connect to LactateLab, such as Strava or Google sign-in, also apply their own terms and privacy policies.

What LactateLab Does

LactateLab helps you keep workout history, lactate measurements, uploaded lactate meter photos, OCR review results, generated workout analysis, and workout-to-lactate associations in your own account context.

Data We Collect

LactateLab may collect and store the following categories of data:

• Account and authentication data: email address, display name, password hash for email-password accounts, OAuth provider identity IDs, account role, connected identity state, session records, refresh session metadata, IP address, user agent, and failed-login metadata.
• Account settings and time data: lactate meter selection, timezone, timezone confirmation state, timezone source, confirmation timestamp, UTC event times, local event times, source timezone, temporal confidence, and meter-clock correction metadata.
• Workout and activity data: imported workouts, activity titles, provider identifiers, sport type, start and end times, distance, duration, elevation, pace, speed, heart rate, cadence, power, intervals, laps, splits, samples where provided by a file/source, generated interval analysis, generated workout names, correction state, import status, and source metadata.
• Lactate measurement data: lactate values, measurement timestamps, manual or photo-import source state, review and correction status, attached workouts or intervals, association state, and source metadata.
• Uploaded photos, files, and OCR data: lactate meter images or files you upload, normalized photo artifacts, original file metadata, checksums, OCR attempts, provider traces, extracted text, confidence and error metadata, immutable OCR results, reviewed measurements, and admin-only diagnostic snapshots.
• Integration and import data: Strava athlete identifiers, encrypted Strava OAuth tokens, Strava activity import metadata, Strava webhook events, reconciliation state, Intervals.icu athlete identifiers, encrypted Intervals.icu bearer tokens, Intervals.icu activity import metadata, Intervals.icu webhook events, Google OAuth identity data for sign-in or account linking, uploaded FIT file metadata, and sandbox webhook payloads where a documented integration endpoint is configured.
• Technical, cookie, log, and diagnostic data: session cookies, OAuth state cookies, bearer tokens passed through the web BFF, request IDs, correlation IDs, application logs, error logs, health and logging diagnostics, quota state, provider usage metadata, and operational monitoring records.

How We Use Data

LactateLab uses data to:

• create accounts, authenticate users, rotate sessions, and support logout;
• maintain account settings, timezone confirmation, and local event-time accuracy;
• import, normalize, display, reconcile, and analyze workouts;
• store, review, edit, attach, unlink, and delete lactate measurements where supported;
• process uploaded lactate meter photos through OCR and review workflows;
• associate lactate measurements with workouts and generated workout intervals;
• operate connected-account flows for Strava and Google sign-in/linking;
• protect owner-scoped access, admin-only routes, and service reliability;
• debug, support, monitor, and improve the product; and
• comply with legal, security, and integration-provider obligations.

Third-Party Integrations and Service Providers

LactateLab integrates with third parties only where the product or configured backend requires it. Current repository-backed integrations and providers include:

• Strava: account linking, activity import, webhook events, synchronization, and disconnect handling for authorized users.
• Intervals.icu: account linking, activity import, webhook events, synchronization, and disconnect handling for authorized users.
• Google OAuth: sign-in or account linking through Google identity data. The current implementation stores local identity records rather than Google OAuth access tokens.
• Google reCAPTCHA: optional bot-protection checks on authentication flows when configured.
• OCR providers: Google Cloud Vision or OpenAI Responses Vision may process uploaded lactate meter images when selected by backend configuration.
• FIT file parsing: uploaded training files may be parsed with the Garmin FIT SDK to create workout records.
• Runtime and observability infrastructure: LactateLab uses database, cache, logging, and monitoring infrastructure such as PostgreSQL, Redis, Pino logs, Loki, Promtail, and Grafana where deployed.

The repository also contains a COROS webhook sandbox endpoint. Current documentation describes it as a log-and-acknowledge sandbox path, not a production workout import source.

Strava Integration

When you connect Strava, LactateLab requests Strava authorization for activity and profile access. The current OAuth flow requests activity:read_all and profile:read_all so LactateLab can link your Strava athlete identity and import your authorized activity history into your LactateLab account.

Imported Strava data may include activity identifiers, titles, sport type, activity timing, timezone metadata, distance, duration, elevation, pace or speed, heart rate, cadence, power, laps, and related import/reconciliation metadata. Strava activity data is used to provide your workout history, analysis context, and lactate association features inside LactateLab.

The implemented Strava disconnect flow removes the local Strava token and identity, and may also ask Strava to deauthorize LactateLab where that is available. Disconnecting or revoking Strava access stops ongoing Strava access, but it does not automatically delete workouts or import-source records that were already imported into LactateLab.

After Strava is disconnected, deletion of Strava-imported activities is a separate explicit request. That request is processed asynchronously by a provider-scoped and user-scoped cleanup job. If a self-service control is not visible in the product, contact support using the address below.

Strava activity data is not sent to LactateLab OCR providers and is not used for AI or machine-learning training by the current LactateLab implementation.

Intervals.icu Integration

When you connect Intervals.icu, LactateLab stores local authorization state and imports authorized activity data into your LactateLab account for workout history, analysis context, and lactate association features.

The implemented Intervals.icu disconnect flow removes the local bearer token and identity. Disconnecting Intervals.icu stops ongoing Intervals.icu access, but it does not automatically delete workouts or import-source records that were already imported into LactateLab.

After Intervals.icu is disconnected, deletion of Intervals.icu-imported activities is a separate explicit request. That request is processed asynchronously by a provider-scoped and user-scoped cleanup job. If a self-service control is not visible in the product, contact support using the address below.

Photos and OCR Processing

If you upload a lactate meter photo, LactateLab stores a managed normalized artifact and creates an ingestion record for review. Depending on backend configuration, the image may be sent to Google Cloud Vision or OpenAI Responses Vision to extract meter text and candidate lactate data.

LactateLab stores OCR attempts, provider traces, extracted text, confidence values, warnings, error metadata, immutable OCR results, and reviewed measurement decisions. Public user routes are owner-scoped and do not expose raw storage paths or admin-only provider traces. Admin-only ingestion diagnostics can inspect records, attempts, traces, artifacts, results, and failure details for support and debugging.

Cookies and Sessions

LactateLab uses authentication cookies for access and refresh tokens and short-lived OAuth state cookies during Google and Strava authorization flows. These cookies are configured as HTTP-only, SameSite=Lax, and secure in production. The web BFF forwards authenticated requests to the API using bearer tokens derived from those cookies.

The current implementation does not include advertising cookies, targeted advertising flows, or a cookie-preference system. If those features are added, this policy should be updated before launch.

Data Visibility and Sharing

Product data is private and owner-scoped by default. Workout, lactate, ingestion, preview, account settings, and connected-account routes are designed to use the authenticated user as the owner boundary. Public legal and review pages do not expose private user data.

LactateLab may share data with service providers that process data for the product, such as OAuth, OCR, logging, database, cache, and hosting infrastructure. LactateLab may also disclose data if needed for security, abuse prevention, legal obligations, or to protect the service.

Retention and Deletion

LactateLab keeps account, workout, lactate, ingestion, integration, session, and diagnostic records as needed to provide the service, maintain audit and debugging context, operate connected integrations, and comply with legal or provider requirements. Some records include explicit expiration or revocation fields, such as refresh sessions and OAuth token state.

Current product controls support deleting manual lactate measurements, declining photo-imported measurements, unlinking lactate measurements from workouts, disconnecting Google identities, disconnecting Strava, and disconnecting Intervals.icu where the product provides those controls. Provider disconnect removes authorization linkage and tokens; it does not automatically delete previously imported provider workouts.

Strava-imported and Intervals.icu-imported activity deletion is handled only after an explicit deletion request made after the provider is disconnected. Deletion is processed asynchronously by a provider-scoped and user-scoped cleanup job. The cleanup removes imported provider workouts and import-source records in scope, while preserving unrelated manual workouts and lactate measurements.

The current audited implementation does not show a confirmed self-service full account deletion workflow or full data export workflow. You may contact us to request access, correction, export, deletion, or other privacy assistance. Uploaded photo artifacts, ingestion records, provider traces, and OCR results may remain part of ingestion history unless removed through an implemented control or operational support process.

Security

LactateLab uses technical controls reflected in the codebase, including password hashing for email-password accounts, server-side refresh-session records, token rotation, logout revocation, HTTP-only session cookies, internal API tokens for BFF-to-API calls, owner-scoped route checks, admin-only diagnostics, and encrypted storage of Strava OAuth tokens.

No online service can be guaranteed completely secure. The repository does not confirm a general encryption-at-rest commitment for all database or file storage, so this policy does not make that claim.

International Processing

LactateLab, its infrastructure, and configured service providers may process data in the locations where they operate. Production hosting region, database region, and provider-transfer details should be confirmed for legal review because they are not fully specified in the audited repository.

Your Rights and Choices

Depending on where you live, you may have rights to access, correct, delete, restrict, object to processing of, or receive a portable copy of personal data. You may also withdraw consent for connected integrations where applicable.

Where LactateLab provides product controls, such as measurement deletion, measurement unlinking, provider disconnect, imported provider activity deletion requests, or Google identity disconnect, you can use those controls directly in Settings or the relevant product screen. For requests that are not self-service in the current product, contact us using the address below.

Children

LactateLab is not designed for children. If you believe a child has provided personal data to LactateLab, contact us so the request can be reviewed.

Changes

We may update this policy as LactateLab changes. When the policy changes, we will update the last updated date on this page.

Contact

For privacy requests or questions, contact support@lactatelab.app.