Privacy Policy
Effective date: March 2026 · Data controller: Voss Media House AS, Norway
We respect your privacy and comply with the EU General Data Protection Regulation (GDPR) and Norwegian personal data law. This policy explains what data we collect, why, and what rights you have.
1. Who is responsible for your data
Voss Media House AS
Norway
[email protected]
2. What data we collect and why
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Passwordless sign-in (OTP) | Contract performance |
| Food logs, meal data, nutrition targets | Core app functionality | Contract performance |
| Workout data (manual or synced) | Training-aware fueling targets | Contract performance |
| Uploaded photos | Nutrition extraction via AI; deleted after processing | Contract performance |
| AI chat history | Context for AI responses within a session | Contract performance |
| Strava / TrainerRoad tokens and activity data | Optional integrations you explicitly connect | Consent |
| Billing information (name, card details via Stripe) | Pro subscription processing | Contract performance |
| Session cookie | Keeping you logged in | Strictly necessary |
We do not collect data beyond what is listed above. We do not build advertising profiles or sell your data.
3. Cookies
VeloFuel currently uses one cookie: a session cookie (velofuel.sid)
that keeps you signed in. It is strictly necessary for the service to function and does not require your consent.
We do not use analytics or advertising cookies at this time. If we introduce them in the future, we will update this policy and implement a proper consent mechanism before setting any such cookies.
4. Third-party processors
We share data with the following processors, only to the extent necessary to deliver the service:
- MailerSend — delivers one-time login codes to your email.
- Stripe — processes Pro subscription payments. We never see your full card number.
- OpenAI — powers AI features (photo extraction, AI coach). Prompts include your food/workout context. OpenAI's data use is governed by their API data processing addendum.
- Strava — syncs training data if you connect your account.
- TrainerRoad — syncs training data if you connect your account.
- MongoDB Atlas — hosts the database. Data is stored in the EU.
5. Data retention
- Account data (email, logs, settings) is kept until you delete your account.
- After account deletion, all personal data is purged within 30 days.
- Uploaded photos are deleted immediately after nutrition extraction is complete.
- Billing records may be retained longer to satisfy legal accounting obligations.
6. Your rights
Under GDPR you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — delete your account and all associated data.
- Portability — receive your data in a machine-readable format.
- Restriction — ask us to pause processing in certain circumstances.
- Withdraw consent — disconnect integrations (Strava, TrainerRoad) at any time from account settings.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
7. Complaints
If you believe we are handling your data unlawfully, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).
8. Changes to this policy
If we make material changes we will notify you by email before they take effect. The effective date at the top of this page always reflects the latest version.
Privacy questions? Contact us at [email protected]