Last updated October 27, 2025
MarathonOS Privacy Policy
How 42cal collects, protects, and uses your personal data in the MarathonOS training app.
MarathonOS is a marathon training platform operated by 42cal ("we," "us," or "our") that helps runners manage workouts, race history, and coaching plans across web and iOS experiences. This Privacy Policy explains how we collect, use, store, and protect your personal data across marathonos.app and the MarathonOS mobile application.
We process personal data in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), Apple App Store Review Guidelines, and the terms of the Strava, Garmin Connect, and COROS developer programs. When you use our services, you agree to the practices described below.
Note: This privacy policy applies specifically to the MarathonOS training app. For the 42cal race directory privacy policy, please visit /privacy-directory.
We collect the following categories of personal and activity data, depending on how you use MarathonOS and the third-party services you choose to connect:
- Account information: Email address, name, profile image, and authentication identifiers provided via Apple Sign In, Google Sign In, or email/password authentication.
- Running activities: Workout data from Apple HealthKit, Strava, Garmin Connect, and COROS, including distance, duration, pace, cadence, cadence variability, calories, elevation, and heart rate.
- Activity metadata: GPS route geometry, weather tags, perceived effort, notes, device identifiers, and workout type.
- Training plans: Scheduled workouts, prescribed intensities, completion status, and user-entered notes or feedback.
- Race history: Race names, dates, locations, placements, chip/gun times, and related performance data.
- Workout photos: Photos you attach to workout logs, stored in Supabase Storage.
- Coach notes: Private notes coaches add about athletes (not visible to athletes).
- Profile and preference data: Time zone, units of measure, primary discipline, injury and fatigue flags, and integration settings.
- Support communications: Emails or support tickets you send to us, including attachments you voluntarily provide.
- Technical telemetry: We collect the following technical data to improve MarathonOS and diagnose issues:
- Device type and iOS version
- App version and build number
- Crash reports via Apple's built-in crash reporting system
- Feature usage analytics via PostHog (with IP anonymization)
- Network connectivity status
- Integration sync timestamps and error states
We do NOT collect:
- Location data outside of workout routes from HealthKit/Strava/Garmin/COROS
- Microphone or camera data; camera access is requested only when you choose to take a workout photo
- Contacts or calendar data; calendar access is requested only when you enable training plan calendar sync
When you sign in with Apple, we receive:
- Your name (if you choose to share it)
- Your email address (or Apple's private relay email if you use Hide My Email)
- A unique user identifier from Apple
We use this information solely to create and authenticate your account. Apple's privacy policy applies to data Apple collects: https://www.apple.com/legal/privacy/
We only collect data from sources that you explicitly authorize:
- Apple HealthKit: We read workout, heart-rate, and distance data after you grant permissions on your iOS device. We do not write data back to HealthKit without additional consent.
- Strava API: We access your Strava activities via OAuth2 authorization. Strava tokens and scopes are limited to read operations necessary to sync run data into MarathonOS.
- Garmin Connect API: We integrate through Garmin's OAuth2 platform to ingest workout files and activity summaries, in compliance with Garmin Developer Program policies.
- COROS API: We connect to COROS via OAuth2 to import running activities and training status information.
- User-entered data: You can manually log workouts, update training plan details, or import race results directly within the MarathonOS interface.
We process personal data to deliver and improve MarathonOS:
- Display dashboards, analytics, and historical trends about your training load and race performances.
- Calculate personal records, freshness/fatigue scores, and race readiness insights.
- Synchronize workouts across your connected services and ensure consistent data between devices.
- Provide dynamic coaching tips, fatigue warnings, and plan adjustments tailored to your progress.
- Export training plans and workouts to Apple Calendar via EventKit when you request calendar sync.
- Facilitate collaboration with coaches who you invite to view your data via coach invitation codes.
- Deliver product updates, system alerts, and transactional communications (e.g., integration notices) via Supabase Realtime.
- Diagnose performance issues, monitor for abuse, and comply with legal obligations.
We do not use your activity data to train machine learning or artificial intelligence models, in keeping with Strava API requirements. We do not sell data or serve targeted advertising.
When you connect with a coach via invitation code at coach.42cal.com:
- Your coach can view your training data, workout logs, and race history
- Coaches can add private notes about your training (not visible to you)
- You can disconnect from your coach at any time via Profile > My Coach
- Coaches cannot delete or modify your workout data
- Coach access is read-only except for coach notes and workout feedback
- Real-time updates are delivered via Supabase Realtime (WebSocket connections)
We use Supabase Realtime (WebSocket connections) to deliver real-time updates:
- New coach invitations
- Coach feedback on workouts
- Training plan updates from your coach
These connections are encrypted and require authentication. You can manage these connections by signing out or disconnecting integrations.
You can attach photos to workout logs. Photos are:
- Stored in Supabase Storage (encrypted at rest)
- Visible only to you and your coach (if connected)
- Included in data export requests
- Deleted when you delete the associated workout log
MarathonOS uses Supabase (PostgreSQL) as our primary data store with infrastructure hosted in the United States. We apply the following safeguards:
- Encryption: All data is encrypted in transit using HTTPS/TLS and at rest via cloud provider-managed keys.
- Row-Level Security: Supabase Row-Level Security ensures each athlete can access only their own records unless they grant explicit sharing permissions.
- Credential storage: OAuth access and refresh tokens for Strava, Garmin, and COROS are stored securely; on iOS, tokens are persisted in the Apple Keychain, and server-side tokens are stored encrypted with limited internal access.
- Operational controls: Access to production systems is restricted to authorized 42cal personnel with role-based access controls and audit logging.
- No data resale: We do not transfer personal data to data brokers or advertisers.
Despite our safeguards, no system is completely secure. We maintain an incident response plan and will notify affected users and regulators of data breaches as required by law.
We only share your data when necessary to deliver MarathonOS features or when you explicitly request it:
- Coaches and collaborators: You may invite a coach via invitation code to view your workouts. Access can be revoked at any time.
- Public profiles: You can mark races as public, making select details viewable on marathonos.app. By default, race data remains private.
- Service providers: Infrastructure vendors such as Supabase and Vercel process data on our behalf under data processing agreements and cannot use it for their own purposes.
- Legal compliance: We may disclose data if required by law, subpoena, or to protect the rights, property, or safety of MarathonOS users.
We never sell personal data, rent contact lists, or share OAuth tokens with unauthorized third parties.
Depending on your location, you have the following rights over your personal data:
- Access: Request a copy of your training data at any time. We provide exports in JSON or CSV within 30 days.
- Portability: Transfer your data to another service by requesting a structured export.
- Correction: Update profile details or submit a request for us to amend inaccurate records.
- Deletion: Permanently delete your account and all associated data. We erase account data within 30 days of a verified request and revoke connected OAuth tokens.
- Revocation: Disconnect Strava, Garmin, COROS, or Apple Health integrations at any time. When you disconnect, we stop receiving new data and can remove historical data on request.
- Opt-out (CCPA): California residents can opt out of any data sharing that qualifies as a "sale" or "sharing." MarathonOS does not sell personal information, but you may still submit a request via support@42cal.com.
- Complaint: EU users can lodge a complaint with their local supervisory authority if they believe our processing violates GDPR.
To exercise any of these rights, email support@42cal.com with the subject "Privacy Request." We may need to verify your identity before fulfilling requests.
MarathonOS relies on trusted vendors to deliver the platform. Each provider is contractually bound to protect your data and use it only as instructed:
- Strava API: Imports running activities and related metrics via OAuth2. We comply with Strava API Terms, including policies prohibiting AI/ML model training and virtual event creation.
- Garmin Connect API: Syncs workouts and activity metadata. We adhere to Garmin data retention and security requirements.
- COROS Training API: Retrieves run sessions and training load. We respect COROS usage policies and only access scopes authorized by you.
- Apple HealthKit: Reads fitness data after device permission. Health data is used solely to populate your training dashboard and is never shared with advertisers.
- Supabase: Provides SOC 2 Type II compliant database hosting with row-level security and audited access logs.
- Vercel: Hosts the MarathonOS web dashboard within ISO 27001 certified infrastructure.
- PostHog: Supplies privacy-first product analytics with IP anonymization and respect for Do Not Track signals.
- Apple Crash Reporting: Collects crash reports via Apple's built-in system to help us diagnose and fix issues.
We retain data only as long as needed to provide MarathonOS:
- Active accounts: Training data is retained indefinitely so long as your account remains active.
- Deleted accounts: All personal data is permanently erased from our production systems within 30 days of deletion request confirmation.
- Inactive accounts (no login for 3+ years): We will email you before deleting inactive account data.
- Integration tokens: OAuth tokens are stored only while integrations remain connected and are revoked immediately upon disconnect.
- Backups: Encrypted database backups are retained for up to 90 days for disaster recovery, then securely purged. Deleted data may remain in backups during this period.
42cal is based in the United States. If you access MarathonOS from the European Economic Area (EEA), United Kingdom, or other regions with laws governing data collection, we transfer personal data to the U.S. under standard contractual clauses (SCCs) and other appropriate safeguards. We ensure vendors receiving EU personal data maintain comparable levels of protection.
MarathonOS integrates with partner APIs and app distribution platforms under strict compliance obligations:
- Strava: We use Strava data only to populate your MarathonOS account, do not train AI/ML models or simulate virtual events, and honor athlete privacy and data deletion lifecycle requirements.
- Garmin Connect: We adhere to Garmin's developer terms, protect OAuth tokens, implement HTTPS and least privilege access, and delete data when accounts are removed.
- COROS: We comply with COROS partner policies, request only necessary scopes, and promptly revoke access on user request.
- Apple App Store: Our iOS app follows Apple's App Store Review Guidelines, including user consent flows for HealthKit data, respect for parental controls, and clear disclosure of data practices.
- Security practices: All data transmissions use HTTPS; integrations use OAuth2 with refresh token rotation and short-lived access tokens.
MarathonOS is intended for athletes aged 13 and older. We do not knowingly collect personal data from children under 13 or the applicable minimum age in your jurisdiction. If we learn that a child has provided us with personal data, we will delete it within 30 days. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@42cal.com and we will delete it within 30 days.
We may update this Privacy Policy to reflect changes in our products, legal requirements, or industry practices. When we make material changes, we will notify you via email and update the "Last updated" date at the top of this page. Continued use of MarathonOS after any changes constitutes acceptance of the revised policy.
For questions, requests, or concerns about this Privacy Policy, reach out to us:
- Email: support@42cal.com
- Website: https://www.42cal.com/marathonOS
- Mailing address: provided upon request within 30 days.
