Prevail

Privacy Policy

Last updated: April 4, 2026

This policy explains how Prevail, operated by dontsoft, handles your personal data. We believe in transparency — this document covers exactly what we collect, why, and what control you have over it.

1. Controller

The controller responsible for data processing is dontsoft. For full contact details and legal identification, see our Impressum.

For privacy inquiries: privacy@dontsoft.com

2. Data We Collect

Account Data (required)

  • Email — authentication and account recovery
  • Name — display within the app
  • Password — stored as a one-way bcrypt hash (we cannot read it)

Legal basis: Contract performance (Art. 6(1)(b) GDPR)

Training Data (provided by you)

  • Activities (type, date, duration, distance, elevation, heart rate, effort)
  • Goals, events, training plans, assessments
  • Gear (equipment names, types, usage)
  • Live session notes (timestamped entries during workouts)

Legal basis: Contract performance (Art. 6(1)(b) GDPR)

Health Data (optional — requires explicit consent)

This data is a special category under Art. 9 GDPR. We only process it with your explicit consent, which you can withdraw at any time.
  • Body measurements (weight, body fat, muscle mass, visceral fat, bone density)
  • Pain and injury logs (body region, type, severity, diagnoses)
  • Profile data (height, date of birth, sex — for BMI/metabolic calculations)

Legal basis: Explicit consent (Art. 9(2)(a) GDPR)

Strava Integration (optional)

If you connect Strava, we receive activity data via OAuth (activity:read_all scope): activity metadata, heart rate, splits, and athlete ID. You can disconnect at any time.

Legal basis: Consent (Art. 6(1)(a) GDPR)

Technical Data

  • Session token — essential JWT cookie for login (no consent needed under TDDDG sec. 25(2))
  • Error reports — technical error data via Sentry, if enabled
  • Server logs — IP addresses for security (retained 14 days)

Legal basis: Legitimate interest in security (Art. 6(1)(f) GDPR)

3. How We Use Your Data

Service delivery

Displaying training data, calculating probability scores, generating coaching and plans

Automated analysis

Probability engine estimates goal achievement likelihood (see Section 8)

We do not use your data for advertising, marketing profiling, or sale to third parties.

4. Data Recipients

RecipientPurposeLocation
Strava Inc.Activity sync (only if connected)USA (EU-US DPF)
SentryError reporting (if enabled)USA (EU-US DPF)

No other third parties receive your data. The app is self-hosted on EU infrastructure.

5. International Data Transfers

Strava and Sentry transfers to the US are protected by the EU-US Data Privacy Framework (Art. 45 GDPR). If invalidated, we will use Standard Contractual Clauses (Art. 46(2)(c)) or suspend the transfers.

6. Data Retention

DataKept until
Account & training dataAccount deletion
Health dataDeletion, consent withdrawal, or account deletion
Strava tokensStrava disconnection or account deletion
Server logs14 days
Error reports90 days
Backups7 days (rolling)

After account deletion, data is removed immediately from the active database. It may persist in backups for up to 7 days before being overwritten.

7. Your Rights

Art. 15

Access

Request a copy of all your personal data

Art. 16

Rectification

Correct inaccurate data via profile settings

Art. 17

Erasure

Delete your account and all data (Settings > Delete Account)

Art. 18

Restriction

Request limitation of processing

Art. 20

Portability

Export data as CSV (Settings > Export Data)

Art. 21

Object

Object to processing based on legitimate interest

Art. 7(3)

Withdraw consent

Withdraw health data or Strava consent anytime

Contact privacy@dontsoft.com or use the in-app features. Data export is free regardless of subscription tier.

Right to Lodge a Complaint

You may contact your state data protection authority or the Federal Commissioner for Data Protection (BfDI) under Art. 77 GDPR.

8. Automated Decision-Making

Prevail uses automated calculations to estimate goal achievement probability based on training volume, consistency, intensity, pace, injury risk, and body composition.

These scores are informational only. They do not produce legal effects, restrict features, influence pricing, or result in automated decisions with legal consequences (Art. 22 GDPR).

9. Cookies and Storage

We use only one essential cookie — a JWT session token for authentication. This is exempt from consent under TDDDG sec. 25(2) Nr. 2.

No advertising cookies, analytics trackers, or social media pixels. The Live Logging feature uses browser localStorage as a local fallback, cleared after sync.

10. Security

HTTPS with HSTS (1-year)
Bcrypt password hashing
JWT sessions (no server state)
Non-root containerized app
Automated backups (7-day)
Restricted database access

11. Medical Disclaimer

Prevail is not a medical device. Probability scores, coaching, and training plans are based on statistical models. They do not replace professional medical or coaching advice. Consult a physician before beginning any new training program.

12. Changes to This Policy

We may update this policy for legal or operational reasons. Significant changes will be communicated via the application. The date at the top shows the latest revision.