PRIVACY / 守 / PROTECT

Privacy Policy

Your data stays with you. Shinobi is built client-side first — no accounts, no cloud storage, no tracking. This policy explains exactly what data exists, where it lives, and what you control.

EFFECTIVE: APRIL 22, 2026
§01
概要 · OVERVIEW
Who we are and what this covers.

Shinobi (shinobi.fit) is a free, open-source endurance race readiness tool operated by Shinobi ("we," "us," or "our"). This Privacy Policy describes how we collect, use, store, and protect information when you use our website and services.

By using Shinobi, you agree to the practices described in this policy. If you do not agree, please do not use the service.

§02
収集 · DATA COLLECTED
What data exists and where it comes from.
A. Data you provide directly

During the onboarding assessment and subsequent profile updates, you may enter the following information. All fields are optional unless marked otherwise:

CATEGORY | DATA | STORAGE / REFERENCE
Physical Profile | Age (required), weight, height, gender | Browser localStorage
Cardiovascular Metrics | VO2 Max, resting heart rate, HRV (RMSSD), max heart rate | Browser localStorage
Running Metrics | 5K pace, weekly running distance, longest run, weekly training hours | Browser localStorage
Multi-sport Metrics | Swimming 100m pace, cycling FTP (watts/kg) | Browser localStorage
Strength & Body Composition | Grip strength, body fat percentage, pull-up count | Browser localStorage
Race Experience | Completed races (selected from catalogue) | Browser localStorage
Activity Logs | Training sessions: type, distance, duration, pace, elevation, power, exercises | Browser localStorage

All data listed above is stored exclusively in your browser's localStorage. It never leaves your device. It is not transmitted to any server, database, or third party. We cannot access, read, or recover this data.

B. Data from Strava (optional integration)

If you choose to connect your Strava account, we access the following data through Strava's API with your explicit authorization:

CATEGORY | DATA | STORAGE / REFERENCE
Athlete Profile | Strava ID, first name, weight, FTP | Derived metrics in localStorage; tokens in server-side Redis
Activity History | Last 8 weeks of activities: sport type, distance, duration, elevation, heart rate, power | Processed into aggregate metrics in localStorage; raw data is not stored
Authentication Tokens | OAuth access token, refresh token | Server-side encrypted Redis (Upstash) — never exposed to the browser

Strava data handling:

Strava data is used solely to auto-populate your fitness metrics — the same metrics you could enter manually.
Raw activity data from Strava is processed into aggregate statistics (e.g., average weekly distance) and is not stored beyond processing.
Your Strava data is only shown to you, the authenticated user. We never display one user's Strava data to another user.
Derived metrics are cached in your browser's localStorage for no more than 7 days in accordance with Strava's API Agreement.
Strava syncs are rate-limited to 4 per user per day.
We do not use any Strava data for AI model training, machine learning, advertising, or any purpose other than providing readiness assessments to you.

For full details on how Strava handles your data, see the Strava Privacy Policy.

C. Waitlist data (Tally.so)

If you join the native app waitlist, the form is provided by Tally.so, a third-party form service. Any information you submit through the waitlist form (such as your email address) is collected and stored by Tally.so under their privacy policy. We access this data solely to notify you when the native app launches.

D. Automatically collected data

Shinobi does not use analytics services, tracking pixels, fingerprinting, or advertising networks. We do not collect:

IP addresses
Device or browser fingerprints
Usage patterns or behavioral analytics
Advertising identifiers
Location data

Our hosting provider (Vercel) may process standard server access logs (IP address, user agent, request path) as part of normal web hosting operations. These logs are managed by Vercel under their privacy policy and are not accessed or used by Shinobi.

§03
使用 · HOW WE USE DATA
Purpose of data collection.

We use the information described above for the following purposes only:

Computing your race readiness scores across the event catalogue
Generating personalized training recommendations based on your target race
Mapping your position on the 8-tier progression system
Displaying your 7-axis demand profile and metric breakdown
Syncing your fitness metrics from Strava (when you explicitly connect)
Notifying waitlist members when the native app launches

We do not sell, rent, trade, or share your personal data with any third party for marketing, advertising, or analytics purposes. Your data is used solely to provide the Shinobi service to you.

§04
健康 · HEALTH DATA
Special treatment for health and fitness data.

Shinobi collects health and fitness information including cardiovascular metrics (VO2 Max, heart rate, HRV), body composition data (weight, height, body fat percentage), and exercise performance data (pace, power, training volume). This data is classified as sensitive personal information under various privacy laws.

Our commitments regarding health data:

Health and fitness data is stored exclusively in your browser's localStorage — it is never transmitted to or stored on our servers.
We never use health data for advertising, profiling, or purposes unrelated to providing the Shinobi service.
We do not aggregate, de-identify, or analyze health data across users.
When you connect Strava, health-related metrics derived from your activities are processed transiently and stored only as aggregate summaries in your browser.
You maintain full control over your health data at all times (see Section 07: Your Rights).

Medical disclaimer: Shinobi is not a medical device and does not diagnose, treat, cure, or prevent any medical condition. Readiness scores and training recommendations are for informational and educational purposes only. Always consult a qualified healthcare professional before beginning or modifying any exercise program.

§05
保存 · COOKIES & STORAGE
Browser storage and cookies.

Shinobi does not set HTTP cookies. We use the following browser storage mechanisms:

STORAGE KEY | CONTENTS | LIFETIME
localStorage: race_goals_user_data | Your metrics, assessment results, and Strava connection metadata | Persistent until you clear it
localStorage: shinobi_activity_logs | Your logged training activities | Persistent until you clear it
localStorage: shinobi_strava_session_key | UUID linking your browser to your Strava tokens on the server | Persistent until you disconnect Strava
sessionStorage: shinobi_intro_seen | Flag to skip the landing page intro animation on revisits | Current browser session only

No third-party cookies or tracking technologies are set by Shinobi. The Tally.so waitlist embed may set its own cookies if you interact with the waitlist form — see Tally.so's cookie policy for details.

§06
保持 · RETENTION & DELETION
How long data is kept and how to delete it.

Client-side data (localStorage): Your metrics, assessments, and activity logs persist in your browser until you explicitly delete them. There is no server-side backup or recovery. To delete all client-side data:

Open your browser's Developer Tools (F12 or Cmd+Shift+I)
Navigate to Application > Local Storage > shinobi.fit
Delete the relevant keys, or clear all site data via your browser settings

Strava data (server-side Redis): If you connected Strava, your OAuth tokens are stored in our server-side Redis instance (Upstash). To delete this data:

Use the "Disconnect Strava" button in the onboarding/profile page — this immediately revokes your Strava authorization and deletes all associated tokens and metadata from our servers.
If you revoke access from within Strava's settings, we will delete your tokens upon learning of the revocation.
You may also contact us to request deletion (see Section 11).

We honor all deletion requests within 48 hours of receipt, in compliance with Strava's API Agreement and applicable privacy laws.

Waitlist data: Waitlist submissions are stored by Tally.so. To remove your waitlist entry, contact us at the email provided in Section 11 or submit a deletion request directly to Tally.so.

§07
権利 · YOUR RIGHTS
Data rights under GDPR, CCPA, and other laws.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

For all users

Right to access: Your client-side data is fully accessible to you in your browser at all times. For server-side data (Strava tokens), contact us for a copy.
Right to deletion: Delete client-side data via your browser. Delete server-side data by disconnecting Strava or contacting us.
Right to portability: Your localStorage data can be exported as JSON from your browser's developer tools.
Right to withdraw consent: Disconnect Strava at any time; stop using the service at any time.

European Economic Area, United Kingdom, and Switzerland (GDPR)

Lawful basis: We process health data based on your explicit consent, given when you enter metrics or connect Strava. You may withdraw consent at any time.
Right to rectification: You may update any metric at any time through the profile page.
Right to restriction: Contact us to restrict processing of your server-side data.
Right to object: You may object to processing by contacting us.
Right to lodge a complaint: You may file a complaint with your local supervisory authority.
Data transfers: Strava tokens are stored in Upstash Redis (US-based infrastructure). This transfer is necessary to perform the service you requested.

California (CCPA/CPRA)

We do not "sell" or "share" your personal information as defined under the CCPA.
We do not use personal information for cross-context behavioral advertising.
You have the right to know, delete, and correct your personal information.
We will not discriminate against you for exercising your privacy rights.

Washington State (My Health My Data Act)

We collect consumer health data (fitness metrics) only with your voluntary input.
We do not sell or share consumer health data.
You may request deletion of any health data at any time.
We process health data solely to provide the race readiness service you requested.

§08
外部 · THIRD-PARTY SERVICES
Services that interact with your data.

CATEGORY | DATA | STORAGE / REFERENCE
Strava | OAuth authentication, activity sync | strava.com/legal/privacy
Upstash Redis | Server-side storage of Strava tokens | upstash.com/trust/privacy-policy
Vercel | Web hosting and server functions | vercel.com/legal/privacy-policy
Tally.so | Waitlist form collection | tally.so/help/privacy-policy
Google Fonts | Font loading (preconnect) | policies.google.com/privacy

Each third-party service operates under its own privacy policy. We encourage you to review their respective policies linked above.

§09
安全 · SECURITY
How we protect your data.

We implement the following security measures:

All data transmission occurs over HTTPS (TLS encryption in transit).
Strava OAuth tokens are stored server-side in encrypted Redis — they are never exposed to the browser client.
Strava access tokens are automatically refreshed before expiry; refresh tokens are never sent to the client.
Session keys are generated using cryptographically secure randomUUID().
Rate limiting prevents abuse of the Strava sync endpoint (4 syncs per user per day).
A platform-wide user cap ensures server resources remain secure and stable.
The application source code is open-source and auditable on GitHub.

In the unlikely event of a security breach affecting server-side data (Strava tokens), we will notify affected users and Strava within 24 hours of discovery, and relevant supervisory authorities within 72 hours as required by GDPR.

§10
未成年 · CHILDREN
Children’s privacy.

Shinobi is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us and we will take steps to delete such information.

§11
連絡 · CONTACT
How to reach us.

For privacy-related inquiries, data access requests, deletion requests, or complaints:

Email: privacy@shinobi.fit
GitHub: github.com/mugen-space-claude/shinobi (open an issue)

We aim to respond to all privacy requests within 30 days, and within 45 days for CCPA requests as required by law.

§12
変更 · CHANGES
Updates to this policy.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this page and post a notice on the Shinobi homepage. Your continued use of Shinobi after any changes constitutes acceptance of the updated policy.

“Privacy is not a feature — it is a constraint. Your data never crosses the wire unless you say so. endures by keeping nothing.”
— Shinobi design principles

© Shinobi · v1.0 · Privacy Policy · April 22, 2026