Privacy Policy
Last updated: March 6, 2026
1. Data Controller
Gneta is operated by Solidary Solutions AB, a company registered in Sweden.
- Company: Solidary Solutions AB
- Org. nr: 559176-7495
- Address: Vastansjovagen 86, 770 14 Nyhammar, Sweden
- Contact: joakim.eriksson@solidarysolutions.se
As the data controller, Solidary Solutions AB determines the purposes and means of processing your personal data and is responsible for compliance with applicable data protection laws.
2. Information We Collect
We collect the following categories of personal data:
Account Information
Your name, email address, and password (stored as a bcrypt hash). Collected when you create an account.
Health and Fitness Data
When you connect your Garmin account, we sync activity and health data including:
- Workouts and activities (type, duration, distance, pace, elevation)
- Heart rate data (resting, average, max, heart rate zones)
- Sleep data (duration, sleep stages, sleep score)
- Stress levels and body battery
- Fitness metrics (VO2 max, training load, training status)
Under GDPR, health data is considered special category data (Article 9) and receives additional protection. See Section 3 for the legal basis.
Payment Information
Subscription payments are processed by Stripe. We store your Stripe customer ID and subscription status but never have access to your full card number or bank details.
Usage Data
We use Umami, a privacy-focused analytics tool, to collect anonymous usage statistics (page views, referrers, device type, country). Umami does not use cookies and does not collect personally identifiable information.
3. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
| Data | Legal Basis | GDPR Article |
|---|---|---|
| Account data | Performance of contract | Art. 6(1)(b) |
| Health & fitness data | Explicit consent | Art. 9(2)(a) |
| AI coaching analysis | Explicit consent | Art. 9(2)(a) |
| Payment processing | Performance of contract | Art. 6(1)(b) |
| Anonymous analytics | Legitimate interest | Art. 6(1)(f) |
| Transactional emails | Performance of contract | Art. 6(1)(b) |
You provide explicit consent for health data processing when you connect your Garmin account. You may withdraw this consent at any time by disconnecting Garmin from your settings, which will stop further data syncing. Previously synced data can be deleted upon request.
4. How We Use Your Data
Your data is used to:
- Display your fitness and health metrics on your personal dashboard.
- Provide AI-powered training insights and coaching recommendations based on your workout history.
- Track personal records, training trends, and goal progress.
- Process subscription payments and manage your account.
- Send transactional emails (welcome, trial reminders, payment notifications, weekly summaries).
- Improve the service and diagnose technical issues.
We do not use your data for advertising, profiling for third parties, or any purpose unrelated to providing the Gneta service.
5. AI-Powered Coaching and Automated Processing
Gneta uses Anthropic's Claude API to generate training insights and coaching recommendations. When you use AI coaching features:
- Workout summaries and health metrics are sent to Anthropic for analysis.
- Your name and email are not included in AI requests.
- Anthropic does not use your data to train their models (per their API terms).
- AI-generated recommendations are informational only and do not constitute medical or professional training advice.
Per GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. AI coaching recommendations are supplementary tools — no automated decisions are made about your account, subscription, or access based on this processing.
6. Data Sharing and Sub-processors
We do not sell, rent, or share your personal data with third parties for marketing or advertising. We use the following service providers (sub-processors) to operate Gneta:
| Provider | Purpose | Location |
|---|---|---|
| Railway | Backend hosting & database | United States |
| Vercel | Frontend hosting | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional emails | United States |
| Anthropic | AI coaching analysis | United States |
| Garmin | Fitness data source | United States |
Each sub-processor is bound by its respective data processing agreements and privacy policies. We only share the minimum data necessary for each provider to perform its function.
7. International Data Transfers
Gneta is operated from Sweden, but our sub-processors are located in the United States. When your data is transferred outside the EU/EEA, we ensure adequate protection through EU Standard Contractual Clauses (SCCs) or other approved transfer mechanisms as required by GDPR Chapter V. You can request a copy of the relevant safeguards by contacting us.
8. Data Storage and Security
We implement appropriate technical and organizational measures to protect your data:
- All data is stored in a secure PostgreSQL database with encrypted connections.
- Garmin credentials are encrypted at rest using Fernet symmetric encryption with a dedicated encryption key.
- Passwords are hashed using bcrypt with salt.
- All communication is encrypted via HTTPS/TLS.
- Authentication uses httpOnly secure cookies with short-lived access tokens.
- API endpoints are rate-limited to prevent abuse.
- Content Security Policy (CSP) headers protect against cross-site scripting.
9. Data Retention
We retain your data for the following periods:
- Account data: Retained while your account is active. Deleted upon account deletion request.
- Fitness and health data: Retained while your account is active and Garmin is connected. Deleted upon account deletion or request.
- AI coaching history: Retained while your account is active. Deleted upon account deletion.
- Payment records: Retained as required by Swedish bookkeeping law (Bokföringslagen) — 7 years from the end of the fiscal year.
- Email logs: Retained for 90 days to prevent duplicate sends, then automatically purged.
When data is deleted, it is permanently removed from our databases and cannot be recovered.
10. Cookies and Analytics
Cookies
Gneta uses only strictly necessary cookies for authentication (session management). We do not use advertising, tracking, or third-party cookies. No cookie consent banner is required as these cookies are essential for the service to function (ePrivacy Directive, Article 5(3) exemption).
Analytics
We use Umami, a privacy-focused, open-source analytics tool self-hosted on our infrastructure. Umami does not use cookies, does not collect personal data, and does not track individual users. All analytics data is aggregated and anonymous. This is compliant with GDPR without requiring consent.
11. Your Rights — EU/EEA (GDPR)
If you are in the EU/EEA, you have the following rights under GDPR:
- Right of access (Art. 15) — Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — Request correction of inaccurate data.
- Right to erasure (Art. 17) — Request deletion of your account and all associated data.
- Right to restrict processing (Art. 18) — Request that we limit how we use your data.
- Right to data portability (Art. 20) — Request your data in a structured, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — Withdraw consent for health data processing at any time by disconnecting Garmin or contacting us. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights, contact us at joakim.eriksson@solidarysolutions.se. We will respond within 30 days.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se, or with your local supervisory authority.
12. Your Rights — United States
California (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know — Request disclosure of the categories and specific pieces of personal information we have collected.
- Right to delete — Request deletion of personal information we have collected.
- Right to correct — Request correction of inaccurate personal information.
- Right to opt out of sale/sharing — We do not sell or share your personal information as defined by CCPA/CPRA. No opt-out is necessary.
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information Collected
For purposes of CCPA/CPRA disclosure:
- Identifiers: name, email address
- Health information: heart rate, sleep, stress, body battery, fitness metrics
- Commercial information: subscription status, payment history (via Stripe)
- Internet activity: anonymous, aggregated usage data (via Umami)
We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than providing the service.
Other US States
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or other states with consumer privacy laws, you may have similar rights to access, delete, and correct your data, and to opt out of the sale of personal information. We do not sell personal information in any jurisdiction. To exercise your rights, contact us at the email above.
13. Children's Privacy
Gneta is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will promptly delete it. If you believe a child has provided us with personal data, please contact us.
14. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Swedish supervisory authority (IMY) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Article 34).
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice in the app. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of Gneta after changes constitutes acceptance of the updated policy.
16. Contact
For questions about this Privacy Policy, to exercise your data rights, or to raise a privacy concern:
- Email: joakim.eriksson@solidarysolutions.se
- Company: Solidary Solutions AB
- Address: Vastansjovagen 86, 770 14 Nyhammar, Sweden
We aim to respond to all privacy-related requests within 30 days.