Privacy Policy

Effective date: 1 March 2026 · Last updated: 2 March 2026

Paincave (“we”, “us”, “our”) operates the website paincave.io and the Paincave platform (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, and your rights regarding that data.

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller

Paincave is the data controller responsible for your personal data. For questions about this policy or to exercise your rights, contact us at privacy@paincave.io.

2. Data We Collect

2.1 Account Data

When you register, we collect your name, email address, and a password. Your password is securely hashed before storage and is never stored in plain text.

2.2 Athlete Profile

To personalise your training recommendations, we collect information you voluntarily provide: weight, height, date of birth, experience level, sport preferences, training thresholds, and goal settings.

2.3 Activity Data

When you connect a third-party platform (Strava, Garmin, or Wahoo), we receive activity data via their APIs. This may include activity type, duration, distance, heart rate, power, pace, cadence, elevation, GPS route data, and timestamps.

We only access data you authorise through the connection process. You can revoke access at any time from Settings or directly on the third-party platform.

2.4 Health Data (Sensitive)

With your explicit consent, we may receive health metrics from connected devices: heart rate variability (HRV), resting heart rate, and sleep data. This is special category data (data concerning health) under GDPR Article 9 and is used solely for recovery recommendations. You may withdraw consent and disconnect the integration at any time.

2.5 Payment Data

Payments are processed by Stripe, a PCI DSS-compliant payment processor. We never receive or store your card number or full card details. We receive only subscription status and billing dates to manage your account.

2.6 Usage Data

We collect standard server logs (IP address, browser type, pages visited, timestamps) for security monitoring and service improvement. We do not use advertising trackers or third-party analytics that profile you.

3. Legal Basis for Processing

  • Contract (Art. 6(1)(b)) — account data, profile data, activity data, payment data, and transactional emails are necessary to provide the Service.
  • Explicit consent (Art. 9(2)(a), together with Art. 6(1)(a)) — health data (HRV, resting heart rate, sleep) is only collected with your active consent.
  • Legitimate interest (Art. 6(1)(f)) — server logs are collected for security and service reliability.

4. How We Use Your Data

Your data is used exclusively to:

  • Calculate training metrics and training zones
  • Generate personalised workout recommendations
  • Display nutrition targets
  • Provide recovery assessments (when health data is connected)
  • Send service-related emails (welcome, weekly summaries, alerts)
  • Process subscription payments
  • Maintain platform security

We do not sell, rent, or share your personal data for marketing or advertising. We do not use your data to train machine learning models. We do not serve advertisements.

5. Third Parties

We use a limited number of third-party service providers to operate the platform. These include providers for hosting, database storage, payment processing, and email delivery. Each provider processes data only as necessary to deliver their service and is bound by data processing agreements.

When you connect Strava, Garmin, or Wahoo, you authorise those platforms to share your activity data with Paincave. These connections are initiated and controlled by you and can be revoked at any time.

6. Data Security

We take appropriate technical and organisational measures to protect your personal data, including encryption of data in transit and at rest, secure password storage, and access controls that limit access to your data to your own account and to what is strictly necessary to operate the Service.

7. Data Retention

  • Active account: your data is retained while your account is active.
  • Account deletion: all personal data is permanently deleted within 30 days of your request.
  • Cancelled subscription: your account and data are retained (you may continue using the free tier). Delete your account from Settings to remove all data.
  • Server logs: automatically purged after 30 days.

8. International Data Transfers

Your data may be processed in the United States and the European Union. Where data is transferred outside the EEA, we ensure adequate protection through EU Standard Contractual Clauses (SCCs) with our processors.

9. Cookies

Paincave uses only strictly necessary cookies for authentication (session management). We do not use tracking cookies, analytics cookies, or advertising cookies.

10. Your Rights Under GDPR

If you are in the European Economic Area (EEA) or the United Kingdom, you have the right to:

  • Access your data — export all your data from Settings
  • Rectify your data — update your profile and preferences at any time
  • Delete your data — permanently delete your account from Settings
  • Port your data — download your data in machine-readable format
  • Restrict or object to processing — contact us to discuss
  • Withdraw consent — disconnect health data integrations at any time

To exercise any right, use the tools in Settings or email privacy@paincave.io. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority.

11. Children's Privacy

Paincave is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. The “Last updated” date at the top indicates the most recent revision.

13. Contact

For privacy-related questions or data requests: privacy@paincave.io