Privacy Policy

Effective Date: January 16, 2025

Last Updated: December 18, 2025

Language Notice: This document is available in both English and Greek. In the event of any inconsistency or conflict between the two versions, the English version shall prevail and be considered the official and legally binding version.

Overview

Welcome to Beyond the Finish Line ("we," "us," or "our") Endurance Coaching. Your privacy is our priority, and we are committed to safeguarding your personal information. This Privacy Policy explains how we collect, use, share, and protect your information when you visit our website, use our coaching services, or engage with us in other ways. By accessing our website or purchasing our services, you consent to this Privacy Policy and agree to its terms.

1. Information We Collect

We collect information that you provide directly, data collected automatically, and information from third-party sources.

1.1 Information You Provide Directly

  • Basic Account Information: Includes your full name, email address, date of birth, running history and goals, phone number, country, city, height, weight, and emergency contact information.
  • Sensitive Health Data: Medical and injury history, pre-existing medical conditions, medications, and other health-related information necessary for safe and effective coaching. This constitutes sensitive personal data under GDPR and is subject to enhanced protection measures (see Section 1.4 below).
  • Transaction and Billing Information: When purchasing our services, you provide personal and payment information such as your name, billing address, and payment details. We process payments through third-party vendors like Revolut. Please refer to their privacy policies for more details.
  • Athlete-Provided Content: Content such as race reports, blog posts, photos, and results may be made publicly available, including shared media files and reposts on social channels.
  • Comments and Reviews: Feedback and testimonials may be displayed on our website or social media channels.

1.2 Information Collected Automatically

  • Log Information: Browser type, IP address, unique device identifiers, language preferences, referring site, access date and time, and operating system.
  • Usage Information: Website interactions, including pages viewed and actions performed.
  • Location Information: Approximate location derived from IP addresses.
  • Cookies and Tracking Technologies: Information collected via cookies and pixel tags to enhance user experience and monitor website performance.

1.3 Information from Other Sources

Intervals.icu Integration:

When you connect your Intervals.icu account to our platform, we request the following permissions (OAuth scopes):

  • ACTIVITY:READ - Access to your training activities, including runs, rides, and other workouts
  • WELLNESS:READ - Access to wellness data such as sleep, stress, and recovery metrics
  • CALENDAR:WRITE - Ability to add planned workouts to your training calendar
  • SETTINGS:READ - Access to your account settings and preferences

Data We Receive and Store:

  • Activity data: distance, duration, pace, heart rate, elevation, calories, and training load metrics
  • Workout details: planned and completed workouts, including timing and performance data
  • Running thresholds: pace zones and threshold calculations
  • Wellness scores: when available from your connected devices

Data Security:

  • Your Intervals.icu access tokens are encrypted with AES-256-GCM before storage
  • We use secure webhook connections for real-time activity synchronization
  • You can disconnect your Intervals.icu account at any time through your platform settings

Other Platforms:

We may also receive data from other platforms you authorize, such as Garmin, Wahoo, Zwift, Suunto, Coros, Polar, and Strava (via Intervals.icu). The data shared depends on the permissions you grant these platforms.

1.4 Special Category Data (Health Data) Protection

Medical and injury information, health conditions, and related data constitute "special category data" under the General Data Protection Regulation (GDPR) Article 9, requiring explicit consent and enhanced protection.

Enhanced Security Measures for Health Data:

  • All health data is stored using encrypted storage systems (Google Drive with encryption at rest and in transit).
  • Access to health data is strictly limited to the Coach and authorized personnel on a need-to-know basis only.
  • Health data is kept separate from publicly accessible information and is never shared without your explicit consent.
  • We implement appropriate technical and organizational measures including password protection, two-factor authentication, and regular security reviews.
  • Health data is retained only as long as necessary to provide coaching services and comply with legal obligations.

Legal Basis for Processing Health Data: We process your health data based on your explicit consent provided when you submit your medical history and health information to us. You have the right to withdraw this consent at any time by contacting us at info@bflcoaching.com. However, withdrawal of consent may affect our ability to provide safe and effective coaching services.

2. How We Use Your Information

  • Setting up and managing accounts.
  • Delivering coaching and related services.
  • Personalizing and improving your experience.
  • Processing payments and transactions.
  • Sending communications including:
    • Workout reminders and training notifications
    • Missed workout alerts
    • Weekly training summaries
    • Training streak milestones and achievements
    • Training load warnings (overtraining/undertraining alerts)
    • Progress updates and goal tracking
    • New training week publications
    • Account and subscription updates
    • Marketing offers and promotions (with your consent)
  • Analyzing trends and service quality.
  • Complying with legal obligations and protecting rights.

You can manage your email preferences and unsubscribe from specific notification types through your account settings or by contacting us.

3. Legal Bases for Processing (For EU Users)

  • Contractual Necessity: To provide services and fulfill agreements.
  • Legitimate Interests: For improving services, monitoring trends, and marketing.
  • Consent: For non-essential cookies or direct marketing communications.
  • Legal Obligations: To comply with applicable laws or lawful requests.

4. Sharing of Information

Vendors

  • Cloud Infrastructure: Google Firebase and Firestore (primary database and authentication), Google Drive (document storage)
  • Payment Processors: Stripe, Revolut
  • Analytics: Umami Analytics (privacy-friendly, GDPR compliant)
  • Email Service: Resend (transactional emails)
  • Error Monitoring: Sentry (anonymized error tracking)
  • Performance Monitoring: Vercel Speed Insights

Coach Access to Your Data

When you are assigned to a coach on our platform, your coach has access to:

  • Your complete athlete profile, including training history and goals
  • All synced activities and workout data from connected platforms
  • Training load metrics and performance trends
  • Self-assessment scores and weakness evaluations
  • Planned and completed workouts

Your coach may also:

  • Create and modify your training plans
  • Add notes and feedback to your workouts
  • Receive notifications about your training activity and progress
  • Override or update your self-assessment data when appropriate

This access is necessary to provide personalized coaching services. Your coach is bound by confidentiality obligations and may only use your data for coaching purposes.

Other Sharing

  • Employees and Contractors: For service delivery on a need-to-know basis.
  • With Consent: For publicly sharing race reports or testimonials.
  • Legal Compliance: In response to lawful requests or to protect our rights.
  • Business Transfers: If Beyond the Finish Line undergoes acquisition or merger.

5. Retention of Information

We retain your personal data for different periods depending on the type of data and purpose:

Account Data

  • Active accounts: Retained for the duration of your coaching relationship plus 3 years for legal compliance
  • Account deletion requests: Processed within 30 days; some data may be retained for legal obligations

Training and Activity Data

  • Synced activities and workouts: Retained for the duration of your account
  • Training load history: Retained for the duration of your account to maintain accurate calculations

Security and Authentication

  • Login sessions: Automatically expire after inactivity
  • Email verification tokens: 24 hours
  • Password reset links: 15 minutes
  • OAuth state tokens: 10 minutes

Communications

  • Email logs: Retained to prevent duplicate sending
  • Support requests: Retained for 2 years after resolution

Comments and Public Content

  • Race reports and testimonials: Retained indefinitely unless removal is requested

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required for legal compliance, dispute resolution, or fraud prevention.

6. Your Rights

If you are in the European Union or similar jurisdictions, you may have the following rights:

  • Access, Correction, and Deletion: Request access to, correction of, or deletion of your data.
  • Restrict Processing: Limit how your data is processed.
  • Object to Processing: Decline specific types of data processing.
  • Withdraw Consent: Revoke consent for optional data processing.
  • Data Portability: Receive your data in a portable format.

To exercise these rights, contact us at info@bflcoaching.com.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to improve your experience and analyze how our website is used. By using our website, you consent to our use of cookies as described in this Privacy Policy.

Types of Cookies We Use

Strictly Necessary Cookies (No consent required):

  • Language Preference: Stores your selected language (English/Greek)
  • Authentication Session: Firebase authentication cookies that keep you logged into the platform
  • Cookie Consent: Stores your cookie preference choice

Analytics Cookies (Consent required):

  • Umami Analytics: We use Umami Analytics, a privacy-friendly analytics service, to understand how visitors interact with our website, including page views, time spent on pages, traffic sources, and user behavior patterns. Umami does not use tracking cookies, does not collect personal data, and is fully GDPR compliant. All data is anonymized and used solely for improving our website and services.
  • Sentry (Error Monitoring): We use Sentry to monitor website errors, performance issues, and user experience problems. This helps us identify and fix technical issues quickly. Sentry may collect information such as error messages, browser type, IP addresses, and session recordings to help us diagnose problems. All data is anonymized where possible and used solely for improving website functionality and user experience.

Managing Your Cookie Preferences

You can control and manage cookies in several ways:

  • Browser Settings: Most web browsers allow you to manage cookie preferences through your browser settings. You can set your browser to refuse cookies or delete certain cookies. Please note that disabling cookies may affect the functionality of our website.

For more information about Umami's privacy practices, please visit Umami's Privacy Policy.

8. International Data Transfers

Beyond the Finish Line operates primarily in Cyprus. However, some of our service providers and technology platforms may be located outside the European Economic Area (EEA), including in the United States and other countries.

When your personal data is transferred outside the EEA, we ensure appropriate safeguards are in place to protect your information in accordance with GDPR requirements. These safeguards include:

  • Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission for transfers to countries without adequate data protection laws.
  • Adequacy Decisions: We may transfer data to countries that the European Commission has determined provide an adequate level of data protection.
  • Service Provider Commitments: Our third-party service providers (such as Google Drive, Umami Cloud, Sentry, Resend, Stripe, Revolut) are contractually obligated to protect your data and comply with applicable data protection laws.

Third-party services that may involve international data transfers include:

  • Google Firebase/Firestore (cloud database and authentication) - United States
  • Google Drive (cloud storage) - United States
  • Umami Cloud (website analytics) - United States
  • Sentry (error monitoring) - United States
  • Resend (email service for contact forms) - United States
  • Stripe (payment processing) - United States
  • Revolut - United Kingdom/EEA
  • Vercel (hosting and performance monitoring) - United States
  • Training platforms (Intervals.icu, Garmin, etc.) - Various locations

If you have questions about international data transfers or would like more information about the safeguards we have in place, please contact us at info@bflcoaching.com.

9. Third-Party Services

Our website may include links to external platforms or embedded content. We are not responsible for their privacy practices. Review their privacy policies before sharing information.

10. Security Measures

We implement reasonable security measures, including encryption and secure storage systems, to protect your data. However, no system is entirely secure, and absolute protection cannot be guaranteed.

11. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we are committed to responding promptly and transparently in accordance with GDPR requirements.

Our Data Breach Response Process:

  • Timely Notification: If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (Cyprus Commissioner for Personal Data Protection) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • Breach Details: We will inform you about the nature of the breach, including the categories and approximate number of individuals affected, the categories and approximate number of personal data records concerned, and the likely consequences of the breach.
  • Mitigation Measures: We will describe the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects and steps you can take to protect yourself.
  • Contact Information: We will provide contact details for our data protection point of contact where you can obtain more information about the breach.

If you suspect any unauthorized access to your account or personal information, please contact us immediately at info@bflcoaching.com.

12. Updates to This Policy

We may revise this Privacy Policy periodically. Updates will include a "Last Updated" date, and significant changes will be communicated via email or our website.

13. Contact Information

For questions or concerns about this Privacy Policy, contact us at: info@bflcoaching.com

By using our services, you acknowledge that you have read and understood this Privacy Policy.