Privacy Policy
Last Updated: November 4, 2025
Introduction
OneTrack values your privacy and the protection of your personal data. This Privacy Policy describes how your personal information is collected, used, and shared when you visit our website at onetrack.club (the "Site"), use our mobile application, or participate in our live virtual workout services (together the "Services"). This privacy policy should be read alongside our Terms and Conditions which set out the terms applicable to use of our Services.
The Data Controller for the Services is Corriamo Ltd (t/a OneTrack) in the United Kingdom, with its registered address at Suite 1-3 Hop Exchange, 24 Southwark Street, London, England, SE1 1TY. Throughout this Privacy Policy, the terms "OneTrack", "we", "us", "platform" and "our" refer to Corriamo Ltd (t/a OneTrack).
By using the Services, you consent to our use of your personal data in accordance with this Privacy Policy. If you have any queries on this Privacy Policy, please reach out to us via email at hello@onetrack.club.
This Privacy Policy may change from time to time. Your continued use of the Services after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates. You will know if there has been an update since your last visit by referring to the "Last Updated" date at the top of this webpage.
1. Information We Collect
We collect a range of information on our users to provide you with the Services and to continually improve the user experience. A full list is set out below.
1.1 Website and E-Commerce Information
When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as "Device Information".
We collect Device Information using the following technologies:
- Cookies: Data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
- Log files: Track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- Web beacons, tags, and pixels: Electronic files used to record information about how you browse the Site.
Additionally, when you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, payment information (including credit card numbers), email address, and phone number. We refer to this information as "Order Information".
1.2 Account and Profile Information
When you create an account with OneTrack for our mobile application and live coaching services, we collect:
- Full name
- Email address
- Password (encrypted)
- Date of birth
- Gender
- Profile photograph (optional)
- Phone number
- Location/country
1.3 Health and Fitness Data
To provide our live virtual workout services and personalized coaching, we collect:
- Real-time biometric data: Heart rate, heart rate variability, resting heart rate during live sessions
- Activity data: Running pace, distance, duration, cadence, stride length
- GPS location data: Precise real-time location tracking during workouts, route maps, elevation, split times. Your location is shared with your coach during live sessions and may be referenced verbally by coaches (e.g., "great work on that hill, Sarah in London"). Routes and maps are stored in your workout history. Location data is not shared with other participants.
- Wearable device data: Data synchronized from connected fitness devices via Bluetooth (real-time heart rate during sessions) and Terra API integration (historical data from wearable cloud platforms)
- Historical workout data from wearable cloud platforms: When you first connect a wearable cloud platform, we import the most recent 30 days of activities, along with current body measurements and recent sleep data. We synchronize all activity types including running, cycling, swimming, strength training, and cross-training to provide comprehensive training insights.
- Sleep data: Sleep duration, quality, and stages (if shared from your wearable platform)
- Recovery metrics: Training load, recovery time, fitness level assessments from your wearable platform
- Body metrics: Weight trends, body composition data (if tracked by your wearable)
- Workout history: Completed sessions, performance metrics, training load (both from OneTrack sessions and imported from connected platforms)
- Physical characteristics: Height, weight, fitness level, running experience
- Health information: Injuries, medical conditions affecting training (voluntarily provided)
- Goals and preferences: Target race distances, training objectives, availability
1.4 Live Workout Session Data
During our live virtual workouts with real coaches, we collect and stream:
- Real-time heart rate from connected wearables via Bluetooth
- Precise real-time GPS location and pace from your phone
- Video data: Brief video capture at the beginning of live sessions for check-in purposes, after which sessions continue as audio-only
- Audio data: Continuous audio throughout live coaching sessions for real-time communication with coaches
- Interaction data with coaches (messages, voice communications)
- Group session data: In group sessions, participants can see the first names of other participants. Participants can hear each other via audio but cannot see other participants' biometric data (heart rate, pace, distance) or GPS location. Your location is only visible to your assigned coach, though coaches may verbally reference your location during the session for encouragement (e.g., "great effort on that climb"). Participants are muted with camera off by default and choose when to unmute or enable camera.
- Post-workout data: Workout summary charts and performance statistics generated at the end of each session and sent via email
1.5 Device and Technical Information
We automatically collect:
- Device type, model, and operating system
- IP address
- Browser type and version
- App version
- Device identifiers (UDID, advertising ID)
- Time zone settings
- Mobile network information
- Crash reports and performance data
1.6 Third-Party Integration Data
When you connect third-party services to OneTrack, we may receive:
From Wearable Cloud Platforms (via Terra API): When you authorize OneTrack to connect to your wearable cloud platform (e.g., Garmin Connect, Polar Flow, Wahoo Cloud, Suunto App, Fitbit, Coros), we request access to all available activity and health data types supported by that platform. This includes:
- Historical activity data: The most recent 30 days of all activity types (running, cycling, swimming, strength training, cross-training)
- Ongoing activity sync: Automatic synchronization of all new workouts completed outside of OneTrack sessions
- Health metrics: Sleep data, recovery scores, training load, fitness assessments, VO2 max estimates, and other health insights
- Body measurements: Weight, body fat percentage, and other metrics tracked by your devices
You cannot selectively choose which data types to share from wearable platforms - it is an all-or-nothing authorization imposed by the wearable platforms' API structures. You can disconnect the integration at any time to stop further data sharing.
From Other Third-Party Platforms:
- Health app data (Apple Health, Google Fit, Samsung Health)
- Social media profile information (if you choose to connect these accounts)
- Strava, TrainingPeaks, or other fitness platform data (with your permission)
Important: When you authorize OneTrack to access your wearable cloud account (such as Garmin Connect), you grant us permission to access both your historical data (last 30 days) and ongoing activities. You can revoke this access at any time through your account settings or the wearable platform's connected apps settings.
1.7 Payment Information
- Payment card details (processed securely by our payment processor)
- Billing address and shipping address
- Purchase history and subscription status
1.8 Communications and Support
- Messages sent to and from our coaches
- Customer support inquiries and correspondence
- Survey responses and feedback
- Marketing communication preferences
1.9 Usage and Analytics Data
- Pages viewed and features used within the app and Site
- Session duration and frequency
- Navigation paths through the app and Site
- Button clicks and interactions
- Search queries within the app
When we talk about "Personal Information" in this Privacy Policy, we are referring to all of the above categories of data: Device Information, Order Information, Account Information, Health and Fitness Data, and all other data described in this section.
2. How We Use Your Information
2.1 To Provide and Improve Our Services
- Fulfill any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations)
- Deliver live virtual workouts with real-time coaching
- Stream your heart rate and pace data to coaches during live sessions
- Analyze your complete training history from connected wearable platforms to create truly personalized training plans
- Assess your fitness progression over time using historical workout data
- Monitor your training progress and adjust recommendations based on comprehensive activity patterns
- Identify training trends, overtraining risks, and recovery needs using historical health data
- Enable real-time performance feedback from coaches
- Sync data from your wearable devices and cloud platforms via Terra API (both real-time and historical)
- Integrate sleep, recovery, and body metrics into your training program
- Provide customer support
- Send service-related notifications and updates
2.2 To Enhance User Experience
- Analyze usage patterns to improve app functionality and Site experience
- Develop new features and services
- Test and optimize the live streaming experience
- Personalize content and coaching recommendations
- Generate analytics about how customers browse and interact with the Site and app
- Assess the success of our marketing and advertising campaigns
2.3 To Communicate With You
- Communicate with you about orders and services
- Send coaching feedback and training updates
- Provide motivational content and training tips
- Share app updates and new feature announcements
- Respond to your inquiries and requests
- Send marketing communications (you are automatically subscribed to marketing communications when creating your account, but can opt out at any time)
- Provide you with information or advertising relating to our products or services
- Notify you about upcoming live workout sessions
We send three types of marketing communications:
- Weekly Newsletter: Running tips, community stories, product updates
- Promotional Emails: Special offers, discounts, new feature announcements
- Training Tips: Coaching insights, workout ideas, performance advice
You can opt out of all marketing communications at any time.
2.4 For Safety and Security
- Verify your identity and prevent fraud
- Screen our orders for potential risk or fraud (in particular, using your IP address)
- Detect and prevent unauthorized access
- Monitor for suspicious activity
- Comply with legal obligations
- Protect the rights, property, and safety of OneTrack, our users, coaches, and the public
2.5 For Research and Analytics
- Conduct aggregated analysis of training patterns
- Generate anonymous statistics about app usage
- Improve our coaching methodologies
- Contribute to sports science research (with anonymized data)
3. Legal Basis for Processing (UK GDPR/Data Protection Act 2018)
We process your personal data under the following legal bases:
- Consent: Processing of health data, live streaming of biometric information, accessing historical data from wearable cloud platforms, marketing communications
- Contractual necessity: To fulfill contracts we might have with you (for example if you make an order through the Site or subscribe to coaching services)
- Legitimate interests: To improve our Services, prevent fraud, ensure security, and pursue our legitimate business interests as described above
- Legal obligation: To comply with applicable laws and regulations
3.1 Consent for Wearable Cloud Platform Access
When you connect your wearable cloud account (such as Garmin Connect, Polar Flow, etc.) to OneTrack, you provide explicit consent for us to:
- Access the most recent 30 days of historical workout and health data stored in that platform
- Automatically sync all new activities and health metrics on an ongoing basis
- Share this data with your assigned coaches for training program design
- Use this data for the purposes outlined in Section 2 of this policy
This consent is separate from your general consent to use OneTrack and can be withdrawn independently. You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. To withdraw consent for a specific platform integration, simply disconnect it in your app settings.
4. How We Share Your Information
We recognize that much of the information we collect about you is inherently private, and we are not in the business of selling it to others. However, we do sometimes share your information with select third parties to provide the Services to you. These third-party services and tools may have access to your personal information needed to perform their functions, but may not use that information for other purposes.
4.1 Website and E-Commerce Platform
- Wix.com: We use Wix to power our online store. Wix.com provides us with the online platform that allows us to sell our products and services to you. Your data may be stored through Wix.com's data storage, databases and the general Wix.com applications. They store your data on secure servers behind a firewall.
4.2 Cloud Infrastructure and Data Storage
- Amazon Web Services (AWS): Your app data is stored using Amazon DynamoDB, an AWS database service. This data is hosted in eu-west-2 (London) and protected using industry-standard encryption technologies. AWS may not use this information for its own purposes.
4.3 Health Data Integration Services
- Terra API: We use Terra API to securely connect and retrieve data from your wearable devices, fitness apps, and wearable cloud platforms (such as Garmin Connect, Polar Flow, Wahoo Cloud, Suunto App, Fitbit, etc.). This includes:
  - Real-time heart rate data during live workout sessions via Bluetooth
  - Historical workout data stored in your wearable cloud accounts (last 30 days)
  - Ongoing automatic synchronization of new activities (all activity types)
  - Health metrics like sleep, recovery, and body measurements
- When you authorize OneTrack to connect to your wearable cloud account, you grant Terra API access to read your data on our behalf. Terra processes this data solely to enable synchronization with OneTrack and cannot use your data for other purposes. Your authorization can be revoked at any time through your OneTrack account settings or your wearable platform's connected apps management.
4.4 Third-Party Service Providers
We share your personal data with the following categories of service providers to deliver OneTrack services. We have signed Data Processing Agreements (DPAs) with all service providers that process personal data on our behalf:
| Service Provider Category | Purpose | Data Shared |
| --- | --- | --- |
| Cloud Infrastructure | Data storage, application hosting, backup | All user data including health metrics, GPS data, account information |
| Health Data Integration | Synchronization with wearable devices and fitness platforms | Heart rate, activity data, sleep data, body metrics from connected wearables |
| Payment Processing | Processing subscriptions and payments | Payment card information, billing address, transaction history |
| Website Platform | Website hosting, e-commerce functionality | Device information, IP address, browsing data, order information |
| Analytics | Understanding user behavior, improving services | Device information, usage patterns, anonymized user data |
| Communication Services | Sending workout reminders, coaching messages, marketing emails | Name, email address, phone number (if provided) |
| Video/Audio Streaming | Enabling live virtual workouts | Real-time video, audio, connection data during live sessions |
| Customer Support | Providing customer assistance | Name, email, support ticket content, account information |
| Crash Reporting | Identifying and fixing technical issues | Device model, OS version, error logs, app version |
Specific Service Providers:
- AWS - Cloud infrastructure
- Terra API - Wearable device integration
- Wix - Website platform
- AWS SES - Simple Email Service
- TryTerra - Live session streaming
- Sentry.io - Crash and error reporting
International Transfers: OneTrack processes and stores your data within the UK. When you choose to connect third-party integrations (such as wearable cloud platforms or fitness apps), those services may process data according to their own privacy policies and may involve international transfers. Please refer to those services' privacy policies for details on their data processing locations and safeguards.
Updated List: The service providers listed in the table above represent all sub-processors used by OneTrack. We do not use additional sub-processors beyond those explicitly mentioned in this Privacy Policy.
4.5 Payment Processors
- Payment gateways: All direct payment gateways offered by Wix.com and used by our company adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers. We do not store your full payment card details on our servers.
4.6 Live Streaming and Communications Infrastructure
- Video and audio streaming service providers that enable our live virtual workouts using Amazon Chime SDK
- Real-time data transmission services for heart rate and GPS streaming
4.7 Analytics and Performance Monitoring
- Google Analytics: We use Google Analytics to help us understand how our customers use the Site and app. You can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
- Crash reporting and performance monitoring tools using Sentry.io
- These providers receive anonymized or pseudonymized data
4.8 Customer Support Tools
- Customer service platforms that help us respond to your inquiries using Clickup
- These tools may access your account information and communication history
4.9 Marketing and Communication Services
- Email service providers for sending newsletters and updates
- Push notification services using Firebase
- Marketing analytics platforms (only if you've consented to marketing communications)
4.10 OneTrack Coaches
- Your real-time health and performance data is shared with OneTrack coaches during live workout sessions to provide personalized guidance
- Your complete training history from connected wearable platforms is accessible to assigned coaches for comprehensive program design
- Each live session is led by one assigned coach who can view real-time biometric and GPS data ONLY for participants who have booked into that specific session
- Coaches can view your historical workouts, trends, sleep data, recovery metrics, and other health data imported from wearable cloud platforms
- Coaches cannot download or export your raw session data files
- When you change coaches or unassign a coach from your account, the previous coach's access to your data is immediately revoked
- Coaches are bound by confidentiality agreements and may only use your data to provide coaching services
4.11 Other Scenarios for Data Sharing
We may also share your Personal Information in the following circumstances:
- Business transactions: If we become involved in a business sale, merger, acquisition, securities offering, bankruptcy, reorganization, dissolution or other similar transaction, we may share or transfer your personal data solely in connection with such transaction.
- Legal requirements: We may share your data when required to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
- Aggregated anonymous data: We may share aggregated, anonymized information that cannot be used to identify you with business partners, researchers, or the public. Following account deletion, we may retain anonymized and aggregated data for route recommendations, training pattern analysis, and sports science research.
5. Behavioral Advertising
As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative's ("NAI") educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by using the links below:
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance's opt-out portal at: http://optout.aboutads.info/.
6. International Data Transfers
OneTrack is available globally. While we are based in the UK, we welcome users from around the world. Please note:
- Our services and privacy practices comply primarily with UK GDPR and Data Protection Act 2018
- Users outside the UK/EU may have different privacy rights under their local laws
- All user data is processed and stored in accordance with UK/EU standards regardless of user location
OneTrack's Data Processing: We process and store your personal data within the UK. Our primary infrastructure (AWS servers) is located in the UK, and we do not transfer your data outside of the UK or EEA through our own operations.
Third-Party Integrations: When you choose to connect third-party services to OneTrack (such as wearable cloud platforms via Terra API, or other fitness apps like Strava or TrainingPeaks), those services may process your data in accordance with their own privacy policies and may involve data transfers outside the UK/EEA. We recommend reviewing the privacy policies of any third-party services you connect to your OneTrack account to understand how they handle international data transfers.
Where third-party processors are involved, appropriate safeguards are in place as required by law, such as:
- Transfers to countries deemed to provide an adequate level of protection
- Standard Contractual Clauses (SCCs) approved by the UK Government or the European Commission
- Other appropriate safeguards as required by applicable data protection laws
7. Data Retention
We keep your personal data only for the time necessary for us to provide the Services to you. Specific retention periods include:
7.1 Standard Retention Periods
- Account data: Retained while your account is active and for up to 12 months after account closure (unless legally required to retain longer)
- Health and fitness data: Retained while your account is active and for up to 6 months after account closure
- GPS route maps and location history: Retained while your account is active and for up to 6 months after account closure
- Historical data imported from wearable platforms: Retained while your account is active and for up to 6 months after account closure or disconnection from the platform
- Live session recordings: OneTrack does not currently record live workout sessions. If we introduce session recording in the future, you will be notified in advance and recordings will be retained for 30 days then automatically deleted (subject to your consent)
- Post-workout charts and summaries: Retained while your account is active and for up to 6 months after account closure
- Order Information: When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information
- Payment records: Retained for 7 years for accounting and tax purposes (as required by UK law)
- Marketing data: Retained until you withdraw consent
7.2 Account Deletion Timeline
Following your account deletion request:
- Immediate: Your account is deactivated and no longer accessible
- Within 7 days: Your data is removed from active production systems
- Within 30 days: Your data is removed from primary backups
- Within 45 days: Your data is completely purged from all systems including archival backups
Note: We may retain certain transaction records for 7 years for accounting, tax, and legal compliance purposes as required by UK law.
7.3 Backups
We maintain encrypted backups of our systems for disaster recovery purposes. These backups are cycled on a rolling basis:
- Daily backups: Retained for 30 days
- Weekly backups: Retained for 90 days
- Monthly backups: Retained for 12 months
Following an account deletion request, your personal data will be purged from backups as each backup cycle expires, with complete removal within 45 days.
7.4 Wearable Platform Data
When you disconnect a wearable cloud platform integration (such as Garmin Connect or Polar Flow):
- Data sharing is immediately stopped - no new data will be imported
- Previously imported historical data remains in your OneTrack account and is retained according to our standard retention schedule (6 months after account closure)
- You can request immediate deletion of all imported data by contacting hello@onetrack.club
- Your wearable platform will no longer show OneTrack as having access to your account
7.5 Extended Retention
We may retain your personal data beyond the standard retention periods only where:
- Required by law (e.g., financial records for 7 years per UK tax regulations)
- Necessary to comply with a valid legal obligation, court order, or regulatory requirement
- Needed to establish, exercise, or defend legal claims
- Required to prevent fraud or abuse of our services
- You have provided explicit consent for extended retention
In such cases, we will retain only the minimum data necessary and will delete it once the legal obligation or purpose no longer applies.
7.6 Anonymized Data
Personal information that is no longer necessary and relevant to provide our Services to you may be de-identified and aggregated with other non-personal information. This anonymized data may be used to:
- Improve route recommendations for other users
- Analyze training patterns to enhance our coaching methodology
- Maintain popular route information
- Conduct sports science research
This anonymized data is stripped of all personal identifiers including name, email, precise timestamps, and specific routes. We cannot re-identify you from this aggregated data.
We may be required to retain information for a longer period whenever required to do so for the performance of a legal obligation or where obliged to do so by a regulatory authority. Specific retention periods for different categories of personal data are available on request.
You can contact us at any time to request that we delete your personal data. See Section 10 below to find out how to request that we delete your personal data.
8. Live Session Data and Real-Time Streaming
8.1 How Live Sessions Work
During live virtual workouts:
- Your heart rate data is streamed in real-time from your connected wearable device via Bluetooth
- Your precise GPS location, route, and pace are transmitted from your phone to your coach
- Video capture: Brief video is captured at the beginning of sessions for initial check-in, after which sessions transition to audio-only
- Audio communication: Continuous audio allows real-time coaching feedback and interaction throughout the session
- Your biometric and location data is displayed to your assigned coach only
- In group sessions, participants can see first names of other participants and can hear each other via audio, but cannot see other participants' biometric data or GPS location
- Coaches may verbally reference your location or first name during sessions (e.g., "great effort on that climb, Sarah" or "nice work through the park")
8.2 Group Session Privacy
In group workout sessions:
- Participants can see the first names of other participants
- Participants can hear each other via audio but cannot see other participants' biometric data (heart rate, pace, distance) or GPS location
- Only your assigned coach can view your real-time performance metrics
- You are muted with camera off by default - you choose when to unmute or turn on your camera
- Each session is led by one assigned coach who can only see data for participants in that specific session
8.3 Live Session Recordings
OneTrack does not currently record live workout sessions. If we introduce session recording in the future:
- You will be notified in advance and asked for explicit consent
- Recordings will be encrypted and stored on secure AWS servers
- You will be able to delete individual recordings (feature in development)
- Recordings will be retained for 30 days and then automatically deleted
- You will be able to opt out of session recording entirely while still participating in live workouts
8.4 Post-Workout Data
- Performance charts and workout summaries are automatically generated at the end of each session
- These summaries are stored in your workout history and sent to your email
- Post-workout data includes metrics such as heart rate zones, pace analysis, route maps, and performance statistics
8.5 Data Streaming Controls
During any live workout, you maintain control over your data sharing:
- You can stop heart rate streaming at any time by removing your wearable device or disconnecting Bluetooth
- You can communicate with your coach via audio if you're uncomfortable with any aspect of data sharing
- You can end the session at any time if you wish to stop sharing data
- Note: GPS tracking is required for outdoor workout sessions as it enables coaches to provide real-time guidance. Disabling GPS will end the current workout session. If you have privacy concerns about GPS tracking, consider using indoor workout modes.
8.6 Data Accuracy and Liability
- We rely on the accuracy of data from your devices and cannot guarantee its precision
- You are responsible for ensuring your devices are properly calibrated and worn correctly
- OneTrack is not liable for coaching decisions based on inaccurate device data
- The heart rate, GPS, and other biometric data collected may not be medically accurate, should not be used for medical purposes, is subject to device limitations and errors, and is provided for fitness training feedback only
9. User Account Assistance Mode
In certain circumstances, and only at the explicit request and with the express consent of the user, a OneTrack employee may activate a temporary User Account Assistance Mode to view the user's account from their perspective. This feature is designed solely to assist the user with troubleshooting or resolving specific issues within the app. When this mode is activated:
- Access is logged and audited
- The session is time-limited and specific to the reported issue
- You will be notified when this mode is activated and deactivated
- Only authorized OneTrack support staff can access this mode
- All actions taken during this mode are recorded for security purposes
OneTrack takes security and privacy seriously and employs robust safeguards to ensure this mode is used responsibly and securely. If you have any questions about this feature, please contact us at hello@onetrack.club.
10. Security Measures
We work to protect the security of your personal data during transmission by using Secure Sockets Layer (SSL) software and Transport Layer Security (TLS), which encrypt information you input. Transaction information is transmitted in encrypted form using industry-standard SSL connections to help protect such information from interception. We restrict authorized access to your personal data to those persons who need to know that information to provide products or services to you.
10.1 Technical Security Measures
OneTrack employs industry-standard encryption to protect your data:
Data in Transit:
-
HTTPS for all website communications
-
Encrypted WebRTC connections for live video/audio streams
-
VPN-secured connections for administrative access
Data at Rest:
-
AES-256 encryption for all data stored on AWS servers
-
Encrypted database storage
-
Encrypted backup files
Application Security:
-
Bcrypt hashing for password storage
-
Salted and hashed authentication tokens
-
Encrypted API keys and credentials
-
JWT Tokens
10.2 Organizational Security Measures
-
Employee confidentiality agreements
-
Role-based access controls
-
Regular security training for staff
-
Incident response procedures
Access Controls: Access to user health data is strictly limited and controlled:
-
Assigned coaches: Access only to their clients' data for coaching purposes
-
Customer support staff: Limited access only when required to resolve specific user-reported issues, with explicit user consent
-
Engineering team: A limited number of senior engineers have read-only access for debugging and system monitoring, subject to audit logs
-
Executives: No access to individual user data
All employees with data access:
-
Sign confidentiality agreements
-
Complete data protection training
-
Are subject to background checks
-
Have their access logged and audited
Two-Factor Authentication: All OneTrack employees with access to production systems, user data, or administrative functions must use two-factor authentication (2FA).
OneTrack follows generally accepted industry standards to protect the personal data submitted to us, both during transmission and once OneTrack receives it. No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while OneTrack strives to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
We will not sell, distribute, or lease your personal information to third parties unless we have your permission or are required by law to do so.
10.3 Ongoing Security
OneTrack's security practices include:
-
Continuous automated security monitoring
-
Regular security audits of third-party integrations
We actively monitor security of our third-party dependencies:
-
Automated vulnerability scanning of all libraries and dependencies
-
Regular review of security advisories from Terra API and other service providers
-
Immediate patching of critical vulnerabilities (within 24-48 hours)
-
Communication with service providers about security concerns
10.4 Data Breach Notification
Should a data breach occur that presents a high risk, we shall inform the appropriate authorities within 72 hours of the breach and, if required or otherwise appropriate, we shall inform you promptly.
In the event of a data breach that poses a risk to your rights and freedoms:
To Authorities:
-
We will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
To Users:
-
We will notify affected users without undue delay, typically within 72 hours
-
Notifications will be sent via email to your registered address
-
In-app notifications will be displayed upon next login
-
For high-risk breaches, we may also send SMS notifications
Notification Content:
-
Nature of the breach and data affected
-
Likely consequences of the breach
-
Measures taken to address the breach
-
Recommendations for protecting yourself
-
Contact information for questions
11. Your Rights and Choices
11.1 Your Privacy Rights
If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
Right of Access: You have the right to request a copy of the personal data we hold about you.
Right to Rectification: You can update or correct your personal information at any time through your account settings or by contacting us.
Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data. We will comply unless we have a legitimate reason to retain it (e.g., legal obligations). To delete your account, visit your account settings or contact hello@onetrack.club.
Right to Restrict Processing: You can request that we limit how we use your personal data in certain circumstances.
Right to Data Portability: You can request a copy of your data in a structured, commonly used, and machine-readable format to transfer to another service. To download your data, visit your account settings.
Right to Object: You can object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Where we rely on consent, you can withdraw it at any time. This includes:
-
Opting out of marketing communications
-
Disconnecting wearable devices and third-party integrations
-
Disabling live data streaming features
-
Opting out of session recordings
Right to Lodge a Complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data properly. Visit www.ico.org.uk for more information.
11.2 Default Privacy Settings
OneTrack prioritizes your privacy with private-by-default settings:
Profile & Workout Visibility:
-
Your profile is set to PRIVATE by default
-
Your workout history is visible only to you
-
Your routes and performance data are not shared publicly
-
No other users can see your activities unless you explicitly change your settings
Live Session Privacy:
-
During live virtual workouts, only your assigned coach can see your real-time heart rate and GPS location data
-
Other participants in group sessions cannot see your biometric data or precise location
-
Coaches may provide verbal encouragement using your first name and general location (e.g., "Great work on that hill, Sarah in London") but do not share specific addresses or routes with other participants
-
You are muted with camera off by default - you choose when to be seen or heard
You can adjust these privacy settings at any time in your account preferences.
11.3 Do Not Track
Please note that we do not alter our Site's data collection and use practices when we see a Do Not Track signal from your browser.
11.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at hello@onetrack.club. We will respond to your request within one month.
11.5 Managing Your Privacy Settings
You can control many aspects of data collection through your app settings and browser:
-
Disable real-time heart rate streaming
-
Turn off GPS tracking and route recording
-
Delete specific routes or location history (feature in development)
-
Disconnect wearable devices and cloud platform integrations (Garmin Connect, Polar Flow, etc.)
-
Revoke access to historical data from connected platforms
-
Choose which data types to sync from connected platforms (note: wearable platforms require all-or-nothing authorization)
-
Opt out of analytics tracking
-
Manage cookie preferences through your browser settings
-
Manage marketing preferences
-
Delete workout history (including imported historical data and post-workout charts)
11.6 International Users' Rights
OneTrack provides the same privacy controls and rights to all users worldwide, regardless of location. We apply UK GDPR standards globally, ensuring that:
-
All users can access, correct, and delete their personal data
-
All users can opt out of marketing communications
-
All users can export their data
-
All users receive the same level of data protection
12. Third-Party Links and Integrations
Our Services may contain links to third-party websites, apps, or services (such as Strava, TrainingPeaks, Apple Health, Google Fit). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before connecting your account or sharing data with them.
12.1 Wearable Cloud Platform Integrations
When you connect your wearable cloud account (such as Garmin Connect, Polar Flow, Wahoo Cloud, Suunto App, or Fitbit) via Terra API, you should be aware that:
-
You are granting OneTrack access to read data from your wearable platform account
-
You are subject to both OneTrack's and the wearable platform's privacy policies and terms of service
-
The wearable platform may log and track which apps access your data
-
You can revoke OneTrack's access at any time through either:
-
Your OneTrack app settings
-
Your wearable platform's connected apps management page
-
Contacting OneTrack support at hello@onetrack.club
-
You can view OneTrack's data access permissions by:
-
Visiting your wearable platform's account settings (e.g., Garmin Connect > Settings > Connected Apps)
-
Looking for 'OneTrack' in the list of connected applications
-
Reviewing the specific permissions granted
12.2 Scope of Wearable Platform Access
When you authorize a wearable platform connection, OneTrack requests access to:
-
The most recent 30 days of historical workout and activity data
-
All activity types (running, cycling, swimming, strength training, cross-training)
-
Health metrics (heart rate, sleep data, recovery scores, training load, fitness assessments)
-
Body measurements and trends
-
Ongoing automatic synchronization of new activities
The minimum data required for OneTrack to function during live workouts is real-time heart rate data via Bluetooth connection. However, to provide comprehensive coaching and training plan personalization, we recommend (but do not require) connecting your wearable cloud platform.
You cannot selectively choose which data types to share from wearable platforms - it is an all-or-nothing authorization imposed by the wearable platforms' API structures.
12.3 Third-Party App Data Sharing
When you connect third-party platforms (such as Strava or TrainingPeaks) to OneTrack:
-
OneTrack typically shares completed workout data (date, time, distance, duration), performance metrics (pace, heart rate if available), and workout type
-
The data shared is determined by the integration's requirements and cannot be customized on a per-data-type basis
-
When you disconnect a third-party platform, data sharing is immediately stopped
-
Data previously shared with that platform remains subject to their privacy policy
-
You may need to separately revoke OneTrack's access in the third-party platform's settings to fully disconnect
13. Health and Safety Disclaimer
13.1 Not a Medical Service
OneTrack is a fitness coaching service and is not a medical service or device. Our Services are designed for fitness and training purposes only and should not be relied upon for:
-
Medical diagnosis or treatment
-
Detection of medical conditions or abnormalities
-
Medical monitoring or health surveillance
-
Emergency health services
13.2 Medical Consultation
Before beginning any exercise program, you should consult with your doctor or qualified healthcare provider, especially if you:
-
Have any pre-existing medical conditions
-
Are pregnant or planning to become pregnant
-
Are taking any medications
-
Have experienced chest pain, dizziness, or shortness of breath during exercise
-
Have been advised by a medical professional to limit physical activity
-
Have any concerns about your ability to safely participate in exercise
13.3 Coach Qualifications
OneTrack coaches are qualified fitness professionals but are not medically trained healthcare providers. Coaches may:
-
Ask if you are feeling okay if they observe unusual heart rate patterns or performance indicators
-
Recommend modifying or stopping a workout if they have concerns
-
Provide fitness guidance within their scope of practice
Coaches cannot and will not:
-
Diagnose medical conditions
-
Provide medical advice or treatment
-
Monitor for medical abnormalities or emergencies
-
Replace consultation with medical professionals
13.4 Your Responsibility
By using OneTrack, you acknowledge and accept that:
-
You participate in all workouts at your own risk
-
You are responsible for monitoring your own health and safety during workouts
-
You will stop exercising immediately if you feel faint, dizzy, in pain, or experience any discomfort
-
You will seek immediate medical attention if you experience any adverse symptoms
-
You will inform your coach of any relevant health conditions that may affect your training
-
The heart rate and biometric data provided is for informational and coaching purposes only
13.5 Emergency Situations
If you experience a medical emergency during a workout:
-
Stop exercising immediately
-
Call emergency services (999 in the UK, or your local emergency number)
-
Seek immediate medical attention
-
Inform your coach after you are safe
OneTrack and our coaches are not responsible for providing emergency medical services.
13.6 Data Limitations
The heart rate, GPS, and other biometric data collected:
-
May not be medically accurate
-
Should not be used for medical purposes
-
Is subject to device limitations and errors
-
Is provided for fitness training feedback only
14. Children's Privacy
Our services are not intended for children under 18 years of age. If you are under this age, you should not use the Services.
We implement several technical measures to prevent minors from creating accounts:
-
Mandatory date of birth field during registration
-
Automated age verification that prevents account creation if birthdate indicates age under 18
-
Device-level age restrictions on app stores (18+ rating)
-
Terms of Service that require users to confirm they are 18 or older
Our Services use technical measures to help prevent children under 18 years of age from creating an account and therefore we do not knowingly collect personal data from any persons under such age.
If we become aware that a child has provided us with personal information, we will:
-
Immediately deactivate the account
-
Delete all associated personal data within 7 days
-
Terminate that person's account and restrict access
If you are a parent who has become aware that your child has provided us with personal information, please contact us immediately at hello@onetrack.club.
15. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to improve your experience, analyze usage, and deliver personalized content.
15.1 Types of Cookies We Use
Essential Cookies (Cannot be Disabled):
-
Session cookies: Keep you logged in during your session
-
Authentication cookies: Verify your access to the app
-
Security cookies: Protect against cross-site request forgery attacks
Functional Cookies:
-
User preference cookies: Remember your app settings and preferences
-
Language preference cookies: Store your language selection
Analytics Cookies (Can be Disabled):
-
Google Analytics cookies (_ga, _gid, _gat): Help us understand how users interact with OneTrack
15.2 Do We Use Cookies for Cross-Site Tracking?
No. OneTrack does not use cookies for cross-site tracking or targeted advertising on other websites. We use analytics cookies only to understand how users interact with OneTrack itself, and we do not share this information with advertising networks for the purpose of tracking you across the internet.
15.3 Managing Cookies
You can control cookie preferences through:
-
Your device settings
-
Your browser settings
-
Our cookie consent banner (when first visiting the Site)
For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
You can reject all non-essential cookies (analytics and marketing) and still fully use OneTrack's services. Only essential cookies required for security and core functionality are mandatory. Rejecting non-essential cookies will not impact any core OneTrack features.
Note that disabling certain cookies may affect app and Site functionality.
16. Marketing Communications
When you create a OneTrack account, you are automatically subscribed to our marketing communications, but you can opt out at any time.
We send three types of marketing communications:
-
Weekly Newsletter: Running tips, community stories, product updates
-
Promotional Emails: Special offers, discounts, new feature announcements
-
Training Tips: Coaching insights, workout ideas, performance advice
You can opt out of all marketing communications at any time by:
-
Clicking "unsubscribe" in any marketing email
-
Adjusting your communication preferences in Settings > Notifications
-
Contacting us at hello@onetrack.club
Currently, marketing communication preferences are managed as a single opt-in/opt-out. We are working on adding granular controls that will allow you to choose which types of marketing emails you receive. In the meantime, if you wish to receive only certain types of communications, please contact hello@onetrack.club and we will manually adjust your preferences.
Even if you opt out of marketing communications, we will still send you essential service-related messages (e.g., account notifications, payment confirmations, important product updates, live session reminders) as they are necessary to provide the Services you requested.
You are responsible for providing us with a valid email address and keeping it updated to ensure you receive these important email notifications.
17. Artificial Intelligence and Automated Decision-Making
17.1 Current AI Use
OneTrack does not currently use artificial intelligence or automated decision-making systems. All training plans are created by qualified human coaches, and all coaching decisions are made by humans, not algorithms.
17.2 Future AI Features
If OneTrack introduces AI features in the future:
-
You will receive advance notice before AI features are implemented
-
You will be opted OUT of AI coaching by default - you must actively opt IN to use AI features
-
You will always have the choice between AI and human coaching
-
We will clearly explain how AI makes recommendations or decisions
-
You will have the right to request human review of any AI-generated training recommendations (GDPR Article 22 right)
-
AI will be used primarily for administrative tasks (e.g., scheduling coaching calls based on availability) rather than training plan decisions
-
Any AI coaching features will be clearly labeled and you can opt out at any time
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
-
Updating the "Last Updated" date at the top of this policy
-
Sending you an email notification to your registered address at least 14 days before the changes take effect
-
Displaying a prominent in-app notification when you next log in
-
For significant changes that affect your rights, we may require you to review and accept the updated policy before continuing to use OneTrack
Your continued use of OneTrack after changes become effective constitutes acceptance of the updated Privacy Policy. We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website or in the app, except where we are required by law to provide advance notice.
18.1 Summary of Changes
With each Privacy Policy update, we will provide:
-
A plain-language summary of what changed
-
Highlights of the most important changes
-
Links to the specific sections that were updated
-
The option to view the full updated policy
We make every effort to communicate changes clearly and transparently, avoiding legal jargon whenever possible.
18.2 Version History
We maintain a version history of our Privacy Policy on this page. Each update includes:
-
The "Last Updated" date at the top of this policy
-
A summary of material changes (when applicable)
-
The effective date of changes
Previous versions of this Privacy Policy are available upon request by contacting hello@onetrack.club.
19. Transparency and Accountability
19.1 Data Protection Officer
OneTrack has designated a Data Protection Officer responsible for overseeing our data protection practices and ensuring compliance with UK GDPR. Our DPO can be contacted at:
-
Email: hello@onetrack.club
-
Postal Address: Data Protection Officer, Corriamo Ltd (t/a OneTrack), Suite 1-3 Hop Exchange, 24 Southwark Street, London, England, SE1 1TY
You can contact our Data Protection Officer directly for any data protection concerns:
-
For general privacy questions: hello@onetrack.club
-
For specific data protection matters: hello@onetrack.club
-
For formal data subject requests: hello@onetrack.club
We aim to respond to all data protection inquiries within 72 hours and fulfill data subject requests within 30 days.
19.2 Sub-Processor Changes
If we engage new service providers that will process your personal data, or make material changes to how existing service providers handle your data, we will:
-
Update this Privacy Policy to reflect the new services
-
Notify users via email if the change involves sensitive categories of data (health data, precise location, biometrics)
-
Follow the privacy policy update procedures outlined in Section 18
All current service providers who process personal data are listed in Section 4 of this Privacy Policy.
19.3 Transparency Reporting
We are committed to transparency. As OneTrack grows, we plan to publish annual transparency reports that include:
-
Number of data subject access requests received and fulfilled
-
Number of data deletion requests
-
Number of law enforcement requests for user data
-
Any data breaches or security incidents
-
Number of users by region
We will publish our first transparency report once we reach 10,000 active users.
20. Business Continuity
20.1 Service Termination
In the unlikely event that OneTrack ceases operations:
-
We will provide at least 90 days' advance notice
-
You will be able to export all your data during this period
-
We will permanently delete all user data within 30 days of service termination
-
We will not sell or transfer user data to any third party unless explicitly required for service continuity (e.g., if another coaching service acquires OneTrack to maintain service for existing users)
If there is an acquisition or service transfer, you will be notified and given the option to opt out and have your data deleted.
20.2 Merger or Acquisition
In the event of a merger, acquisition, or sale of OneTrack:
-
We will notify all users via email at least 30 days before the transaction completes
-
We will explain how the transaction affects your data
-
We will identify the acquiring company and provide links to their privacy policy
-
You will have the option to delete your account and data before the transfer occurs
-
The acquiring company will be required to honor this Privacy Policy for at least 90 days after the acquisition, giving you time to review their policies and decide whether to continue using the service
User data will only be transferred to an acquiring company if:
-
The acquisition is for the purpose of continuing OneTrack services for existing users
-
The acquirer agrees to be bound by this Privacy Policy (or provides equal or better privacy protections)
-
Users are notified at least 30 days in advance
-
Users are given the option to delete their account and data before the transfer
If OneTrack ceases operations without an acquisition, all user data will be permanently deleted within 30 days.
21. Contact Information
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us:
General Inquiries:
Email: hello@onetrack.club
Website: onetrack.club
Data Protection Officer:
Email: hello@onetrack.club
Postal Address:
Corriamo Ltd (t/a OneTrack)
[Re: Privacy Compliance Officer]
Suite 1-3 Hop Exchange
24 Southwark Street
London, England
SE1 1TY
United Kingdom
For matters related to data protection and your rights under UK GDPR, you may contact our Data Protection Officer directly.
22. Definitions
-
Personal Data: Information that identifies you as an individual or relates to an identifiable individual
-
Processing: Any operation performed on personal data, including collection, storage, use, and deletion
-
Controller: The entity that determines the purposes and means of processing personal data (OneTrack)
-
Processor: A third party that processes personal data on behalf of the controller
-
Health Data: Special category data under UK GDPR relating to physical or mental health
-
Data Subject: An individual whose personal data is being processed
-
Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing of personal data
-
DPO: Data Protection Officer
-
GDPR: General Data Protection Regulation
-
UK GDPR: UK General Data Protection Regulation (as implemented by the Data Protection Act 2018)
-
ICO: Information Commissioner's Office (UK data protection supervisory authority)
© 2025 Corriamo Ltd (t/a OneTrack). All rights reserved.