Privacy Policy
Exactly what data we collect, why, who we share it with, and what you can do about it. No fine print.
Who we are
Vetta Trainer is a training-planning service operated by Renso Ontiveros (sole proprietor, Argentina). General contact: rensont@gmail.com. Privacy / DPO contact: rensont@gmail.com. Site: vettatrainer.com.
Legal bases for processing (GDPR Art. 6)
We process your data on these legal bases: (a) Contract performance — to run the app, build your plan, sync Strava, charge your subscription. (b) Consent — to connect Strava, receive newsletter or contextual notifications. Withdrawable any time. (c) Legitimate interest — aggregate, anonymized usage metrics to improve the service. (d) Legal obligation — billing, tax authorities, anti-fraud.
What we collect
Account data: email, name, password (bcrypt-hashed — we never see the plaintext). Training data: activities, pace, HR, power, routes — only what Strava authorizes us to read when you log in (you pick the scope). Usage data: page visits, language, truncated IP, user-agent. Payment data: Vetta does NOT store cards; payments are processed by Lemon Squeezy (USD/EUR) and Mercado Pago (ARS), which are PCI-DSS certified. We only keep your subscription ID to know which plan is active.
Sensitive data — what we do NOT collect
We do not collect HIPAA-protected health information or GDPR Art. 9 special categories. Vetta is not a medical service; activity data (HR, pace, etc.) does not constitute medical data under HIPAA. If you have a medical condition, consult your doctor before following any Vetta-generated plan. See Terms § Medical disclaimer.
How we use it
To run the app, improve the service (aggregate metrics), and communicate with you (transactional email). We do not sell your data. We do not share it with third-party advertisers. We do not use it for ad profiling. If we ever decide to (not the plan), we'd email you and ask for explicit consent first.
Who we share it with (subprocessors)
Your data travels to these services because the app needs them. Each has its own policy and DPA. Full always-updated list at /legal/subprocessors: Strava (activity sync), Supabase (auth + session storage), Lemon Squeezy and Mercado Pago (payments), Resend (transactional email), Railway (hosting), Cloudflare (CDN/DNS), Sentry (error telemetry, no PII in stack traces). No other third parties have access.
International transfers
Vetta's server is hosted on Railway (US). Argentina, where Vetta operates, has held an EU Commission adequacy decision since 2003 — reconfirmed in 2026 — meaning EU-to-Argentina data flows do not require additional safeguards (SCCs). For data that touches Railway/Supabase (US), we apply standard SCCs and/or the EU-US Data Privacy Framework where applicable. Wherever your data goes, it gets the same level of protection it would at home.
Retention
While your account is active, plus 30 days after deletion. Accounts inactive 24+ months get an email warning and are deleted 30 days later if no response. Security logs kept max 90 days. Backups rotated every 90 days. Delete anything any time from Settings → My Account → Delete account — instant effect.
Your rights (GDPR / Argentine Law 25.326 / CCPA-CPRA / LGPD)
All of these, regardless of where you live: Access: download a ZIP of ALL your data from Settings → My Account → Export. Rectification: edit your profile any time. Erasure / right to be forgotten: delete your account any time. Portability: export ZIP is standard (JSON + parquet), importable elsewhere. Objection / restriction: email rensont@gmail.com and we respond within 30 days. Withdraw consent: unsubscribe via any newsletter email, or revoke Strava at strava.com/settings/apps. California residents also have the right to opt out of sale/share — Vetta does not sell or share your data, so this right is satisfied by default. We do not discriminate against users who exercise their privacy rights (no degraded service, no different prices).
Cookies
Vetta uses strictly necessary cookies only: one HttpOnly session cookie. No advertising trackers. No third-party analytics that cross-link users (no Google Analytics, no Facebook Pixel). No cookie banner because no consent is legally required for technical cookies. If we ever add privacy-friendly analytics (e.g. Plausible), we'll update this.
Marketing
If you checked the newsletter box at signup or enabled it later, we send product news (max 1/month). One-click unsubscribe in every email. CAN-SPAM (US): every marketing email has a physical address, a reason you're receiving it, and an unsubscribe link. GDPR: consent is specific, granular, withdrawable.
Minors
Vetta is not directed to minors. To register you must be at least 16 years old (GDPR-EU) or 13 years old (COPPA-US, with written parental consent emailed to rensont@gmail.com). If we learn a minor under 13 signed up without consent, we delete the account and data.
Security
Full technical detail at /legal/security. Summary: bcrypt password hashing, HTTPS-only, security headers (HSTS, CSP, X-Frame-Options), rate limiting, automated dependency auditing, error monitoring. No system is perfect — if you find a security issue, email rensont@gmail.com before going public and we'll credit you.
Changes
If we change this policy, we email you at the address on your account at least 14 days before changes take effect, except urgent legal changes. Last-updated date at the bottom of this document.
Formal complaints
If you think we're violating your privacy, we want to resolve it without authorities: rensont@gmail.com. If you still want to file formally: EU: your local data-protection authority (list at edpb.europa.eu). US: FTC (ftc.gov). California: Privacy Protection Agency (cppa.ca.gov). Argentina: AAIP (argentina.gob.ar/aaip). Brazil: ANPD (gov.br/anpd). Canada: OPC (priv.gc.ca).
Last updated: 2026-05-28