Suffercraft
Privacy

What we hold, how we hold it.

Suffercraft is an ultramarathon coaching platform. Coaching requires personal data: medical history, training history, scheduling constraints, sometimes body composition, sometimes addresses for race-day logistics. This page is the full account of what we collect, where it lives, who can read it, and how to remove it.

Last updated: May 26, 2026

Data we collect

From every athlete account: email address, full name, phone number, date of birth, mailing address, training history, injury history, race history, medical screening responses, weekly volume, lactate threshold heart rate, and the answers you give in onboarding.

Generated by the platform during normal use: workout completion records, after-action reports (AARs), body scan classifications and free-text notes, weekly check-ins, threat models, race plans, and messages exchanged with your coach.

From your device whenever you sign in: IP address and user-agent string. Both are bound to the session row, not to your profile, and they expire when the session expires.

If you opt in: Strava activity streams (GPS, heart rate, cadence). This integration is off by default and revocable from your integrations page.

How it is stored

Every field listed above that contains personal information is encrypted at rest with Fernet (AES-128-CBC plus HMAC-SHA256). The encryption key is held only by the application process and is never written to disk. Database backups inherit the same encryption, which means a stolen backup is unreadable without the key.

Your email address is stored twice: once as ciphertext, once as a keyed HMAC hash that lets us look you up at sign-in without decrypting anything. The hash is not reversible.

Passwords are not stored. Authentication is sign-in by one-time code sent to your email. Sessions are tracked by a random token, stored only as a SHA-256 hash, with a short expiry.

The audit log lives on a Postgres role that has INSERT permission only. The application cannot edit or delete entries after the fact. Free-text fields in the audit log (reason, IP, user-agent) are encrypted at rest.

How long we keep it

For as long as your subscription is active, plus 30 days after cancellation, after which all personal data is removed by the account deletion flow described below. Anonymous aggregate metrics (counts, durations, distances with no athlete identifier) may be retained longer for product improvement; they cannot be traced back to you.

The audit log retains a record that your account existed, who took actions on it, and when, as a tamper-evident operational ledger. That record contains no decryptable personal data and references your account only by an opaque identifier.

Your rights

If you are a resident of the European Union or the United Kingdom, the GDPR gives you the right to access, correct, port, and delete your personal data. If you are a resident of California, the CCPA and CPRA give you substantially the same rights. Suffercraft honors these rights worldwide regardless of where you live.

You can exercise them yourself from your account settings. Download your data exports a machine-readable JSON file containing every record we hold about you, decrypted. Delete your account anonymizes your user row, revokes all active sessions, schedules any active subscription to end at the close of the current billing period, and writes a deletion entry to our log.

If you prefer to handle the request through us, email [email protected] from the address on file. We respond within 30 days.

Third parties that process your data

Stripe handles all payment processing. We never see or store your card number; the only billing data we hold is the Stripe customer and subscription identifiers needed to call the Stripe API on your behalf.

Resend sends transactional email (sign-in codes, weekly digests). Resend sees the destination address and the message body of any email we send you.

Anthropic provides language-model processing used internally for drafting plan content and structuring check-in and AAR summaries. We do not allow Anthropic to use your data for model training. The text we send is only the specific content needed for the task, and nothing else.

Cloudflare provides CDN and tunnel transport for the platform. Cloudflare sees the encrypted TLS traffic between your browser and our servers. Our origin servers are not directly exposed to the public internet.

Google Analytics (GA4) measures page views and CTA clicks on the marketing site if and only if you accept analytics cookies. IP addresses are anonymized before storage on Google's side. We do not enable Google Signals, advertising features, or cross-property tracking. You can decline at any time from cookie preferences, which stops the GA script from loading and disables it in any tab already open.

Strava only receives data if you explicitly connect it, and only what you authorize. Disconnecting from your integrations page revokes our access.

We do not use advertising trackers, behavioral profiling SDKs, third-party session-replay tools, or browser fingerprinting.

Cookies

Two categories: required and analytics. Required cookies are always on; they make the platform work. Analytics cookies are off by default and only load if you opt in. There are no advertising cookies, no third-party social-share trackers, and no profile cookies.

Required. sc_session carries your sign-in session, set HttpOnly, Secure, SameSite=Strict, scoped to the application domain. sc_consent stores the choice you make on the cookie preferences page so the banner does not reappear. Both are first-party and non-tracking.

Analytics (optional). If you accept analytics cookies, Google Analytics 4 sets _ga and _ga_* to distinguish anonymous visitors. We have IP anonymization on. Google Signals and advertising features are off. You can withdraw consent at any time from /cookies; the GA script will stop firing in the current tab and will not load on subsequent visits.

Security incidents

If we suffer a confirmed breach affecting your personal data, we will notify you by email within 72 hours of confirmation and post an incident note at this URL. The audit log gives us a precise record of what was accessed by whom and when, which lets us scope disclosures accurately.

Children

Suffercraft is not intended for athletes under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, email [email protected] and we will remove it.

Changes to this policy

We will post any material change at this URL, update the date at the top, and email account holders. Continuing to use the platform after a change constitutes acceptance.

Contact

Reach the team at [email protected]. For privacy-specific requests, the same address routes to the person who handles them.

Cookies
Required cookies keep you signed in. Optional analytics cookies help us understand which pages athletes actually read. You decide. Privacy policy.
Customize