Privacy Policy
1. Who operates Insights
Insights is a Garmin Connect IQ application operated by Veloro Labs. For support, privacy questions, data access, or deletion requests, email [email protected].
2. How Strava is connected
Connecting a Strava account is voluntary. Insights sends you to Strava's authorization page and accesses data only after you authenticate with Strava and grant the requested permissions. Insights requests the read and activity:read_all scopes so it can display your own profile and activity information, including activities whose visibility requires that scope.
Insights never receives or stores your Strava password. You may withdraw consent at any time by revoking Insights in your Strava application settings or by asking us to delete your connection.
3. Strava data processed
Depending on the information available for your activities, Insights may process your Strava athlete ID, authorized scopes, activity IDs and names, sport types, timestamps, distance, duration, elevation, heart rate, power, cadence, calories, achievements, kudos and comment counts, splits, approximate activity location supplied by Strava, and route summaries.
This information is requested only to show your own Strava activity information to you on your Garmin watch. Insights does not display another athlete's identity, profile, comments, or activity data.
4. Information stored on the server
The Insights server stores only the account-link information needed to maintain your connection: your Strava athlete ID, authorized scopes, OAuth access and refresh tokens, token expiration time, a one-way hash of the private Insights device-session token, and security-related creation, update, and last-use timestamps.
Activity response payloads, activity history, route coordinates, and derived activity statistics are relayed to the authenticated watch and are not stored in the Insights server database. OAuth credentials are not exposed through the public Insights API.
5. Temporary Garmin device cache
Insights may temporarily cache recent activity details and summary values in the application's private Connect IQ storage so the watch interface can load quickly and remain useful during short connection failures. Cached Strava data is invalidated after seven days and deleted before it can be used again. It is also removed when the application is uninstalled.
If Strava reports that a previously available resource has been deleted or is no longer accessible, Insights will stop displaying it when the application next refreshes, and in all cases within the applicable Strava API policy period.
6. Purposes and legal basis
We process this information only to authenticate your connection, retrieve the Strava data you request, display it to you on your watch, protect the service, diagnose failures, and provide support. Processing is based on your consent when you connect Strava and on providing the service you requested. We do not use Strava data for advertising, user profiling, benchmarking, product analytics, or unrelated product improvement.
7. Prohibited uses and sharing
Insights does not sell, license, rent, disclose, or make Strava data available to advertisers, data brokers, other users, or unrelated third parties. Strava data is not used for artificial intelligence or machine-learning training, evaluation, grounding, embeddings, retrieval-augmented generation, model inference, or ingestion into an AI context window.
Insights does not scrape Strava, create a persistent activity archive or search index, combine Strava data with third-party customer datasets, or provide an API that allows third parties to access Strava data through our credentials.
8. Service providers and international transfers
Railway hosts the Insights server and database. Garmin Connect transports requests between your watch and the server. Strava provides the source data and authenticates your Strava account. These providers process information only as required to provide their respective services and may process it in countries outside your country of residence under their own privacy terms and applicable transfer safeguards.
Veloro Labs and Strava act as separate, independent controllers for the personal data each party processes. Strava's processing is governed by the Strava Privacy Policy.
9. Retention, revocation, and deletion
Server-side account-link credentials are retained only while your Strava account remains connected. Revoking Insights from Strava, deleting your Strava account, or requesting deletion causes us to permanently delete the related Strava credentials and Insights device sessions. Webhook revocations are processed promptly. Other verified deletion requests are completed as soon as reasonably possible and no later than 30 days.
We will provide written confirmation when an emailed deletion request has been completed. If Insights stops using the Strava API, all Strava data and credentials under our control will be permanently deleted. Limited operational security logs may be retained only as reasonably necessary for reliability, abuse prevention, and legal compliance; they do not contain Strava OAuth tokens or complete activity payloads.
10. Access and your rights
You may ask us for access to, correction of, or deletion of personal data controlled by Insights. Depending on your location, including under the UK GDPR and EU GDPR, you may also have rights to restriction, portability, objection, withdrawal of consent, and complaint to your local data-protection authority.
Your activity data remains available directly from Strava, including through Strava's free account export tools. Contact [email protected] to exercise rights relating to Insights.
11. Security and incident response
Insights uses HTTPS, OAuth authorization, short-lived single-use connection codes, private device sessions, one-way session-token hashing, authenticated API endpoints, rate limiting, and ownership checks. Access and refresh tokens remain server-side and are restricted to the service process.
No system can guarantee absolute security. If we discover a security incident involving Strava data, we will investigate, mitigate, and notify Strava and affected users where required by the Strava API terms or applicable law.
12. Strava usage data
Strava may monitor and collect information about our access to and use of the Strava API. Under the Strava API Policy, Strava may use that usage data for business purposes including API improvements, platform operations, developer or user support, and compliance review.
13. Children, changes, and third-party services
Insights is not directed to children below the minimum age required to use Strava in their country. We may update this policy when the service, law, or Strava's requirements change. The effective date above identifies the current version.
Insights is an independent application. Strava, Garmin, Railway, and other third-party providers are not responsible for providing support for Insights. To the fullest extent permitted by law, third-party services are provided without warranties from those providers, and those providers are not liable through Insights for indirect, special, punitive, or consequential damages.