Sarid Run - Privacy Policy

Garmin Connect Data — AI & Third-Party Processing Disclosure

Direct link: https://www.sarid.site/privacy/#garmin-ai-disclosure

This section governs Sarid Run's handling of data obtained through the Garmin Connect Developer Program APIs ("Garmin Connect Data"). Where any other section of this Privacy Policy conflicts with this section with respect to Garmin Connect Data, this section controls.

1. No sharing of Garmin Connect Data with third parties

Sarid Run does not share, sell, rent, lease, publish, trade, or otherwise make Garmin Connect Data available to any third party, including but not limited to:

third-party advertising, analytics, marketing, profiling, or data-broker services;
third-party artificial intelligence ("AI") providers or machine-learning platforms for their own use;
independent data-processing services that operate for their own purposes;
other users, coaches, or third-party integrators, except where the user has explicitly invited a coach and has expressly authorized sharing with that coach.

2. No use of Garmin Connect Data to train AI models

Sarid Run does not use Garmin Connect Data, and does not permit any service provider to use Garmin Connect Data, to train, fine-tune, evaluate, or improve any artificial-intelligence model, large language model, machine-learning model, or generative model, whether operated by Sarid Run or by any third party.

3. Service providers (subprocessors)

Sarid Run operates its Service using a limited set of contractually-bound service providers (subprocessors) that process data only on Sarid Run's behalf and on Sarid Run's written instructions, and that are prohibited from using Garmin Connect Data for their own purposes. Where Sarid Run uses an AI model provider to generate coaching output on Sarid Run's instructions, that provider is engaged as a subprocessor under contractual terms that:

prohibit the use of Garmin Connect Data to train, fine-tune, or improve the provider's models;
prohibit the provider from retaining Garmin Connect Data beyond the minimum period required to return a response to Sarid Run;
prohibit the provider from sharing Garmin Connect Data with any further third party for that third party's own purposes;
require appropriate technical and organizational security measures, including encryption in transit.

The current list of subprocessors that may, in the course of providing the Service, encounter Garmin Connect Data is set out in Section 6 (Third-Party Processors). The list does not constitute a transfer of Garmin Connect Data to any of those parties for their own purposes.

4. Purpose limitation

Garmin Connect Data is processed by Sarid Run and its subprocessors solely for the following purposes, each of which is required to provide the Service the user requested:

generating, adapting, and delivering the user's personalized training plan;
providing post-workout feedback (planned vs. actual pace, heart rate, power, interval compliance);
calculating recovery, readiness, and load-related coaching recommendations;
sending workouts back to the user's Garmin device at the user's request;
displaying the user's own Garmin Connect Data to the user within the Service.

5. Per-athlete isolation

Garmin Connect Data is stored and processed on a per-athlete basis. Sarid Run does not aggregate or combine one athlete's Garmin Connect Data with any other athlete's Garmin Connect Data for purposes other than providing the Service to that specific athlete.

6. Deletion on disconnect

If a user disconnects their Garmin account from Sarid Run, Sarid Run will:

immediately call Garmin's deregistration endpoint to revoke Sarid Run's authorization on Garmin's side;
stop all future syncing of Garmin Connect Data;
delete or invalidate the stored Garmin connection credentials within a reasonable period;
delete, on user request, the previously-synced Garmin Connect Data from the user's Sarid Run account.

7. Changes to this disclosure

Any material change to this disclosure with respect to Garmin Connect Data will be submitted to the Garmin Connect Developer Program team for written approval before the change becomes effective.

1. Who We Are

Sarid Run ("Sarid Run," "we," "us," or "our") is an AI-powered running coach web application operated from Israel by Amir Dotan, operating as Sarid Run.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you use Sarid Run at www.sarid.site.

Important Garmin notice: if you choose to connect Garmin, any data you submit through Sarid Run or authorize Sarid Run to receive from Garmin is submitted to Sarid Run, not to Garmin. Garmin is not responsible for Sarid Run's privacy practices, content, or services.

By using Sarid Run, you acknowledge that you have read this Privacy Policy.

2. Scope

This Privacy Policy applies to:

the Sarid Run website and user account;
coaching chats, training plans, and notifications;
data you upload or enter manually;
data you choose to connect from third-party services, including Garmin.

This Privacy Policy does not apply to third-party services that have their own privacy notices, including Garmin Connect and other external providers.

3. Data We Collect

We may collect the following categories of personal data:

A. Account information

email address;
hashed password;
display name;
timezone and account preferences.

B. Garmin-connected fitness data

If you choose to connect Garmin through Garmin's official authorization flow, we may receive the categories of data you authorize, which may include:

running and activity data, such as distance, pace, time, elevation, cadence, heart rate, and workout summaries;
daily and wellness metrics, such as resting heart rate, HRV, stress, sleep, steps, calories, weight, and VO2 max;
related metadata associated with synced records;
route or location-enabled activity data, only if included in the authorized Garmin data you choose to share.

C. Training and coaching data

training plans;
workout recommendations;
coaching messages and AI chat history;
health reports or notes you choose to submit;
gear information;
notification preferences;
coach style, persona customization, and training settings.

D. Technical and usage data

IP address;
request metadata;
browser and device information;
timestamps of account and security actions;
authentication and session information;
application logs, error logs, and abuse-prevention records.

E. Communication data

password reset emails;
support messages;
service notifications;
opt-in coaching emails and related delivery records.

4. How We Use Your Data

We use your personal data for the following purposes:

Providing the Service

To operate your account and provide AI-powered coaching, training plans, workout recommendations, progress summaries, and related features.

Garmin syncing and analysis

To import, process, and analyze the Garmin-connected data you authorize us to access.

Communication

To send password reset emails, account security notices, service announcements, and optional coaching notifications.

Security and fraud prevention

To rate-limit requests, detect abuse, investigate suspicious activity, and protect the Service.

Service improvement

To improve reliability, usability, and product performance, including through aggregated or de-identified analysis where appropriate.

Legal and compliance purposes

To comply with applicable law, respond to lawful requests, enforce our terms, and protect our rights and users.

We do not sell your personal data.
We do not use your personal data for third-party advertising.
We do not sell, rent, or transfer Garmin-connected end-user personal data to third parties for their own marketing purposes.

5. Legal Bases for Processing

Depending on your location and applicable law, we process personal data under one or more of the following legal bases:

Performance of a contract: to create your account, provide coaching features, deliver training plans, and operate the Service you request.
Consent: to connect Garmin, to process health-related or wellness-related data where required, to send optional coaching notifications, and to use AI systems on Garmin-connected data where required by law or platform obligations.
Legitimate interests: to secure the Service, prevent abuse, debug issues, improve reliability, and maintain internal records.
Legal obligation: where we must retain or disclose data to comply with applicable law.

Where we rely on consent, you may withdraw that consent as described in this Privacy Policy.

6. Third-Party Processors (Subprocessors)

We engage a limited set of contractually-bound subprocessors to operate Sarid Run. Each subprocessor acts solely on Sarid Run's documented instructions and is prohibited from using the data it handles for its own purposes. Our current subprocessors are:

Railway — application hosting and infrastructure;
Neon / PostgreSQL — managed database services;
OpenAI — AI model inference provider. OpenAI processes prompts submitted by Sarid Run on Sarid Run's instructions, under OpenAI's API data-use terms, which prohibit the use of API inputs and outputs to train OpenAI's models. OpenAI is not given Garmin Connect Data for its own use, and is contractually not permitted to train on, retain long-term, or share Garmin Connect Data;
Resend — transactional email delivery;
Garmin Connect Developer Program / Garmin-authorized integration services — connected fitness data source.

With respect to Garmin Connect Data specifically, see the Garmin Connect Data — AI & Third-Party Processing Disclosure at the top of this Policy, which governs over any conflicting language here.

We do not sell, rent, or transfer personal data to any third party for that third party's own marketing or advertising purposes.

7. Garmin Connect Integration

Sarid Run connects to Garmin using Garmin's official authorization flow. We do not request, collect, store, or transmit your Garmin username or password.

When you connect Garmin:

you authenticate directly with Garmin;
Garmin provides Sarid Run with authorization credentials or tokens needed for the approved connection;
Sarid Run stores only the credentials or tokens necessary for the connection, not your Garmin password;
those credentials or tokens are used solely to sync the Garmin data you authorized.

Garmin-connected data is processed only:

in accordance with this Privacy Policy;
in accordance with the permissions you granted;
to the extent needed to provide Sarid Run features.

You can disconnect Garmin at any time through the relevant Sarid Run settings. When you disconnect Garmin, Sarid Run stops future syncing and deletes or invalidates the stored Garmin connection credentials within a reasonable period, subject to technical and operational constraints.

Disconnecting Garmin does not automatically delete data that was already synced into your Sarid Run account. You can request deletion of that data through your account controls or by contacting us.

For information on Garmin's own privacy practices, please review Garmin's privacy materials separately.

8. AI Transparency Statement

Sarid Run uses artificial intelligence, including large language models provided by OpenAI, to generate personalized coaching plans, responses, workout recommendations, summaries, and feedback. OpenAI is engaged as a contractually-bound inference subprocessor under OpenAI's API data-use terms and acts only on Sarid Run's documented instructions. See Section 6 and the Garmin Connect Data — AI & Third-Party Processing Disclosure at the top of this Policy.

What data may be sent to our inference subprocessor

Depending on the feature you use, Sarid Run may submit the following on your behalf to its inference subprocessor for the sole purpose of returning a coaching response to you:

recent fitness activity summaries and wellness metrics (including, where you have authorized it, Garmin Connect Data);
the relevant portion of your current training plan;
chat messages and coaching conversation history within your account;
self-reported health or training information you choose to provide;
settings relevant to the coaching output.

Restrictions that apply to the inference subprocessor

The inference subprocessor is contractually prohibited from, and Sarid Run does not:

using API inputs or outputs to train, fine-tune, evaluate, or improve any model;
retaining API inputs beyond the minimum period required to return the response;
sharing API inputs with any further third party for that third party's own purposes;
using Garmin Connect Data for any purpose other than returning the specific coaching response Sarid Run requested on the user's behalf.

How we use AI

We use AI to:

interpret training data;
generate coaching suggestions;
adapt training plans;
answer your coaching questions;
create summaries, reminders, and recommendations.

Consent and control

AI-powered coaching is a core feature of Sarid Run. By enabling AI coaching features and, where applicable, connecting Garmin data for those features, you consent to the processing needed to provide those features, subject to the restrictions set out above.

Where consent is required, you may withdraw it by:

disabling AI-related features where available;
disconnecting Garmin where relevant;
deleting your account.

Disabling AI processing may significantly limit the functionality of Sarid Run.

9. Automated Decision-Making

Sarid Run uses automated processing to generate personalized training plans, recovery recommendations, pace targets, and coaching feedback.

These outputs are advisory only. They do not produce legal effects or similarly significant effects on you.

You remain free to ignore, override, or modify any recommendation generated by the Service.

We do not use automated decision-making to deny access to your account or remove core service access based solely on automated profiling.

10. Data Storage & Security

We implement technical and organizational measures intended to protect your data, including measures such as:

HTTPS / TLS encryption in transit;
password hashing;
encryption or equivalent protection for sensitive tokens and secrets at rest;
access controls;
rate limiting on sensitive endpoints;
security headers in production environments;
logging, monitoring, and security review practices appropriate to the Service.

No system is perfectly secure, and we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your Sarid Run credentials and for contacting us promptly if you suspect unauthorized access.

11. Cookies & Local Storage

Sarid Run primarily uses browser localStorage and similar browser-side storage for core product functionality, such as:

keeping you signed in;
storing limited account display information;
remembering UI preferences and settings.

Sarid Run does not use third-party advertising cookies.

If we introduce non-essential analytics cookies or similar tracking technologies in the future, we will update this Privacy Policy and any required consent mechanisms.

12. International Transfers

Sarid Run is operated from Israel, and some service providers may process data in other countries, including the United States.

As a result, your personal data may be transferred to and processed outside your country of residence. Where required, we take reasonable steps intended to ensure that such transfers are subject to appropriate safeguards.

13. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to:

maintain your account;
provide the Service;
comply with legal obligations;
resolve disputes;
prevent fraud and abuse;
enforce agreements.

In general:

account data is retained while your account is active;
Garmin connection credentials are retained only while needed to maintain the authorized connection;
security logs, backup copies, and transactional records may remain for a limited period after deletion;
de-identified or aggregated data may be retained where it no longer identifies you.

When you delete your account, we will delete or de-identify your personal data within a reasonable period, except where limited retention is necessary for backup integrity, security, fraud prevention, legal compliance, or dispute resolution.

Where technically feasible, Garmin connection credentials are deleted or invalidated upon disconnection or account deletion.

14. Your Rights

Depending on your location and applicable law, you may have the right to:

access the personal data we hold about you;
correct inaccurate or incomplete data;
delete your account and associated personal data;
export certain data;
withdraw consent;
restrict or object to certain processing;
unsubscribe from optional communications;
complain to an applicable regulator.

Sarid Run may provide some of these controls directly in your settings, such as:

exporting your data;
updating account information;
disconnecting Garmin;
disabling optional AI features;
deleting your account;
unsubscribing from optional coaching emails.

You may also exercise your rights by contacting us at amir@sarid.site.

15. Email Communications

We may send the following categories of email:

Transactional emails

These include password reset emails, account security notices, and service-related announcements. These are necessary for account operation and security.

Optional coaching emails

These may include scheduled coaching messages, reminders, and training-plan updates if you enable them.

You may unsubscribe from optional coaching emails through your settings or the unsubscribe link in the email.

16. Data Breach & Security Incident Handling

We maintain processes for detecting, investigating, and responding to suspected security incidents.

Where required by applicable law, we will notify affected users and regulators of a personal data breach.

Where Sarid Run interfaces with Garmin systems or Garmin-related data, we will also follow applicable Garmin program security and incident-notification obligations.

If you suspect unauthorized access to your account, contact us promptly at amir@sarid.site.

17. Children & Age Requirement

Sarid Run is not directed to children under the age of 16, and we do not knowingly collect personal data from individuals under 16.

If we become aware that we have collected personal data from a child under 16 without appropriate authorization where required, we will delete that data.

By creating an account, you represent that you are at least 16 years old.

18. Changes to This Policy

We may update this Privacy Policy from time to time.

If we make material changes, we may notify you by email, through the Service, or by updating the effective date above, as required by applicable law.

Your continued use of the Service after an updated Privacy Policy becomes effective means the updated Privacy Policy will apply going forward, unless applicable law requires a different form of consent.

19. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

Amir Dotan
Sarid Run
Email: amir@sarid.site
Website: www.sarid.site