Privacy Policy

Last updated: 2026-05-18

This policy explains what data SweatStack handles, why, and what you can do about it. We try to keep it short and honest. If anything here is unclear, email [email protected] and we'll explain.

Who we are

SweatStack is operated by Sweatkraft AS, a company registered in Norway. We are the data controller for the personal data described below. For any privacy question, contact us at [email protected].

What we collect

Account data. Email address, first name, last name, and password (hashed). If you sign in through a third-party provider, we receive the basic profile information they share.

Health and fitness data. When you connect a wearable platform (Garmin Connect, Strava, Intervals.icu, and similar), we receive the activity and physiological data you authorize them to share with us. Depending on the platform this typically includes power, heart rate, speed, location, weight, age, and gender.

Usage data. Standard server logs (IP address, request paths, timestamps) and error reports needed to keep the service running.

Payment data. If you have a paid plan, Stripe handles your card details. We see the billing email, country, and subscription status, not the card itself.

We process your data to provide SweatStack and the features you use. Under GDPR:

  • Contract (Art. 6(1)(b)): running your account, processing your data, delivering the analyses you came here for.
  • Legitimate interests (Art. 6(1)(f)): keeping the service secure, preventing abuse, debugging errors, and improving the product based on aggregate usage.
  • Legal obligation (Art. 6(1)(c)): tax records, responding to lawful requests.
  • Explicit consent (Art. 9(2)(a)): health and fitness data is special category data under GDPR. You give us explicit consent to process it when you connect a wearable platform. You can withdraw that consent at any time by disconnecting the platform or deleting your account.

We don't use your data for advertising and we don't sell it.

Third-party apps you authorize

SweatStack has an open API. You can authorize third-party applications to access your data — for example, a coaching app or a training-load tool built on SweatStack.

When you authorize an app:

  • That app receives the data you grant access to, including via webhooks if it subscribes to them.
  • From that moment, the app's developer becomes an independent controller of the data they hold. Their own privacy policy governs what they do with it.
  • You can revoke access at any time in your SweatStack settings. Revocation stops new data flowing, but it does not pull back data the app has already received. To have that data deleted, contact the app's developer directly.

We require developers to handle your data responsibly under our Terms, but we are not responsible for what they do inside their own product.

If you arrived via a third-party app

You may have created your SweatStack account by clicking "Continue with SweatStack" inside another app. That account is yours. It exists independently of the app that sent you here, and you can use it, manage it, or delete it on your own at sweatstack.no — even if you stop using the app that introduced you.

Wearable platforms as sources

When you connect Garmin, Strava, Intervals.icu, or another platform, that platform shares your data with us under the authorization you grant them. Those platforms have their own privacy policies that govern how they handle your data on their side. SweatStack only receives what you authorize them to send.

Who else handles your data

We use a small number of trusted sub-processors to run the service. The current list, with purpose and region, lives at sweatstack.no/sub-processors. We update that page when it changes.

Where your data lives, and international transfers

Your primary data is stored on servers in Finland (EU), operated by Hetzner.

Some sub-processors operate globally or from outside the EEA — for example, Cloudflare runs a global edge and email network through which traffic transits. Where data leaves the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the providers' own transfer safeguards. See the sub-processor list for which providers this applies to.

How long we keep it

  • Account and fitness data: until you delete your account, plus up to 30 days while it clears from backups.
  • Server logs and error reports: up to 12 months.
  • Billing records: as long as Norwegian tax law requires (currently 5 years).

Security

We use TLS for data in transit, encryption at rest, scoped access controls, and continuous error monitoring. No system is perfect; if we ever discover a breach affecting your data, we'll tell you and the relevant authority within the timeframes GDPR requires.

Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct anything that's wrong.
  • Delete your account and the data attached to it.
  • Export your data in a portable format (Art. 20). Most of this is available directly in the app.
  • Withdraw consent for processing your health data, at any time, by disconnecting wearables or deleting your account.
  • Object to or restrict processing based on legitimate interests.
  • Lodge a complaint with Datatilsynet (the Norwegian Data Protection Authority, datatilsynet.no) or your local supervisory authority if you think we're handling your data wrongly. We'd rather you tell us first so we can fix it, but the right is yours.

To exercise any of these, email [email protected].

Cookies

We use authentication cookies to keep you signed in. We don't use tracking or advertising cookies. If that ever changes, we'll update this section and ask for consent where required.

Children

SweatStack is for users 16 and older. We don't knowingly collect data from anyone younger. If you believe a child under 16 has created an account, email us and we'll remove it.

Changes to this policy

We'll update this policy when we need to. For material changes we'll notify account holders by email or in-app before they take effect. The "Last updated" date at the top reflects the most recent change.

Contact

Sweatkraft AS
Email: [email protected]
Address: Laukelandsvegen 247, 6977 Bygstad, Norway