Privacy Policy
Last updated: June 2, 2026
1. Introduction
Glasp Inc. ("Glasp," "we," "us," or "our") operates Hashiri.AI (the "Service"). We are committed to protecting your privacy and the security of your personal data, including health and fitness information.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI running analysis and coaching service. Please read this policy carefully. By using the Service, you consent to the data practices described in this policy.
2. Information We Collect
We collect information to provide and improve our Service. The types of information we collect include:
2.1 Account Information
- Email address
- Name and display name
- Password (encrypted)
- Profile information (optional: location, bio, profile photo, social links)
2.2 Health & Fitness Data
With your consent, we collect health and fitness data to provide personalized coaching. This may include:
- Running activity data (date, time, distance, pace, duration, elevation, GPS routes)
- Heart rate data and heart rate zones
- Advanced running metrics (cadence, ground contact time, vertical oscillation, power)
- Physiological metrics (resting heart rate, HRV, VO2max estimates, respiration rate)
- Body measurements (height, weight, age, gender, maximum heart rate)
- Body composition data (weight, body fat percentage, muscle mass, bone mass — when provided via connected services)
- Sleep data (duration, stages, scores — when provided via connected services)
- Training load and recovery metrics
- Lab test results and medical reports you choose to upload (e.g., VO2 max tests, blood lactate, DEXA scans, blood tests, gait analysis)
Important: We do not sell your health and fitness data. We do not use health data for advertising purposes.
2.3 Data from Connected Services
When you connect third-party services, we receive data from:
- Garmin Connect: activity data, physiological metrics, daily health stats, sleep, HRV, body composition, device information
- Manual uploads: FIT files, GPX files
We only access data you explicitly authorize during the connection process. You can revoke access at any time through your account settings or directly through the third-party service. We may add support for additional platforms (such as Strava, Apple Health, and COROS) in the future.
2.4 Voice Data
Our AI Coach feature includes an optional voice input function. When you use voice input, your audio recording is sent to OpenAI's Whisper API solely for transcription into text. Voice recordings are not stored on our servers and are processed transiently. OpenAI processes the audio according to their data processing agreement and does not use it to train their models.
2.5 Social & Interaction Data
When you use social features of the Service, we collect:
- Follow relationships (who you follow and who follows you)
- Reactions you leave on other users' activities
- Comments and replies you post on activities
- Notification preferences and read status
- User block list
2.6 Usage & Technical Data
- Device information (browser type, operating system)
- IP address and approximate location
- Usage patterns and feature interactions
- Error logs and performance data
- Login history (IP address, device, sign-in method)
2.7 Billing and Subscription Data
If you subscribe to a paid plan, we collect and store:
- Subscription plan (Free or Pro) and subscription status
- Billing period start and end dates
- A Stripe customer identifier that links your account to our payment processor — we do not store your payment card details, card number, or CVV; those are held exclusively by Stripe
- Payment history metadata (invoice dates, amounts, and status) retrieved on demand from Stripe for display in your account
Garmin Connect Data
This section specifically describes how we collect, use, process, store, and share data obtained from Garmin Connect when you choose to connect your Garmin account. It supplements the more general sections of this Privacy Policy.
Garmin data we collect
When you authorize Garmin Connect, we receive only the data types you grant permission for during the OAuth consent process, which may include:
- Activities and activity files (FIT): date, time, distance, pace, duration, elevation, GPS routes, and laps
- Heart rate, heart rate zones, and advanced running dynamics (cadence, ground contact time, vertical oscillation, running power)
- Physiological metrics: resting heart rate, HRV, VO2max / fitness age, and respiration rate
- Daily wellness statistics and training load / recovery metrics
- Sleep data (duration, stages, and scores)
- Body composition (weight, body fat, muscle mass, bone mass) and user metrics
- Device and gear information
How we use Garmin data
- Display your activities, maps, charts, laps, and metrics within your account
- Calculate training analytics such as readiness, training load, thresholds, VO2max trends, and race predictions
- Generate personalized AI coaching insights and adaptive training recommendations
- Maintain your running history, personal records, and progress over time
How we process and store Garmin data
- Garmin data is stored in our database hosted on Supabase (PostgreSQL) with row-level security, so only you — and people you explicitly choose to share with — can access it
- Downloaded activity files (FIT) and generated map images are stored in Supabase Storage
- Your Garmin OAuth tokens are encrypted at rest using Supabase Vault
- Our application is hosted on Google Cloud Platform (Cloud Run) and served through Cloudflare
- All data is transmitted over encrypted HTTPS/TLS connections
Sharing of Garmin data with third parties (including AI services)
We do not sell your Garmin data, and we do not use it for advertising. Garmin-derived data is shared only with the service providers required to operate the features you use:
- OpenAI and Anthropic — when you use the AI Coach or AI-powered analysis, relevant activity and health data (which may be Garmin-derived) is sent to these providers to generate responses. We do not permit them to use your data to train their models.
- Supabase — database, authentication, and file storage
- Google Cloud Platform — cloud hosting and infrastructure
- Cloudflare — content delivery and security
- Apple MapKit — rendering maps from your GPS routes
These providers process data on our behalf under contractual data-protection obligations and only for the purposes described above.
Your control over Garmin data
- You can disconnect Garmin at any time in Settings → Integrations. Disconnecting deregisters your account with Garmin so that Garmin stops sending us new data.
- You can delete individual activities, or delete your entire account, which permanently removes your Garmin-derived data from our systems.
- If you revoke access from your Garmin Connect account, Garmin notifies us and we mark the connection as removed.
For information about how Garmin itself collects and processes your data, please see Garmin's Privacy Policy: https://www.garmin.com/privacy
3. How We Use Your Information
We use your information to:
3.1 Provide the Service
- Analyze your running activities and provide insights
- Generate personalized AI coaching recommendations
- Track your training progress over time
- Create training plans tailored to your goals
- Provide performance predictions and race estimates
- Analyze uploaded lab results and generate AI-powered insights
- Enable social interactions (following, reactions, comments, notifications)
3.2 Improve the Service
- Improve our AI coaching algorithms using aggregated, anonymized data
- Develop new features
- Conduct research and analysis
3.3 Communicate With You
- Send service-related notifications (reactions, comments, follows)
- Respond to your inquiries and support requests
- Send marketing communications (only with your consent, which you can withdraw at any time)
4. AI and Machine Learning
Our Service uses artificial intelligence to provide coaching insights. Regarding AI-related data practices:
- Your data is processed by AI systems to generate personalized recommendations
- We use third-party AI providers (OpenAI and Anthropic) for coaching features and lab result analysis
- OpenAI's Whisper API is used for voice-to-text transcription when you use voice input — audio is processed transiently and not stored
- Data sent to AI providers is processed according to their privacy policies and data processing agreements
- We do not permit third-party AI providers to use your personal data to train their models
- Your AI Coach conversation history (messages you send and responses you receive) is stored in our database to maintain chat continuity and enable features like message branching and export. You can delete individual chat threads or your entire account to remove this data
5. Profile Visibility and Public Data
Your profile and activity data visibility is controlled by your privacy settings:
5.1 Default Settings
When you create an account, your profile visibility is set to public by default. This means:
- Your running activities, personal records, progress metrics, and race results are visible to all authenticated users
- Your profile page (name, bio, activity stats) is publicly accessible
- Other users can follow you, and can react to and comment on your visible activities
5.2 Privacy Controls
You can adjust your visibility at any time in Settings > Privacy:
- Set each section (Activities, Records, Progress, Races) to "public," "followers only," or "private"
- Choose between open follows or approval-required follows
- Control whether your GPS route maps are shown, have endpoints hidden, or are fully hidden
- Enable or disable your public RSS feed and Runner Context API
5.3 Public APIs
If you opt in, certain data may be accessible via public APIs: an RSS feed of your recent activities and a Runner Context export (training summary for use with external AI tools). Both are disabled by default and require explicit activation in your privacy settings.
6. Social Features
The Service includes social features that involve sharing data with other users:
- When you follow another user, they receive a notification and can see you in their followers list
- Reactions and comments you leave on activities are visible to other users who can view that activity
- Your username, name, and profile photo are shown alongside your social interactions
- You can block users to prevent them from viewing your profile or interacting with your content. Blocking also removes mutual follow relationships
- You can report comments that violate our community guidelines. Reported comments are hidden from your view
Social interactions (follows, reactions, comments) cannot be made fully anonymous. Your profile name and username will be visible to other users in these contexts.
7. Data Sharing
We do not sell your personal data.
We may share your information in the following circumstances:
7.1 Service Providers
We work with trusted third-party service providers who assist in operating our Service:
- Google Cloud Platform (GCP): cloud hosting and infrastructure
- Supabase: database, authentication, and file storage
- Cloudflare: content delivery network (CDN) and web application firewall
- Google: OAuth authentication (Google Sign-In)
- OpenAI: AI coaching chat and voice transcription
- Anthropic: AI coaching chat
- Google Analytics: usage analytics
- Apple MapKit: map rendering and route visualization
- Open-Meteo: weather data for activity conditions
- OpenStreetMap Nominatim: reverse geocoding (GPS coordinates to location names)
- Stripe (https://stripe.com): payment processing for subscriptions — Stripe receives your name, email, billing address, and payment method information directly via their secure checkout; we do not store or have access to your full payment card details. See Stripe's Privacy Policy at https://stripe.com/privacy
These providers are contractually obligated to protect your data and use it only for the purposes we specify.
7.2 Legal Requirements
We may disclose your information when required by law, legal process, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
7.3 Business Transfers
If we undergo a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change and of your choices regarding your information.
8. Location Data and Mapping
We process location data in the following ways:
- GPS coordinates from your running activities are used to display route maps via Apple MapKit JS
- GPS coordinates may be sent to the OpenStreetMap Nominatim service to determine a human-readable location name (e.g., neighborhood and city) for your activities
- Static map images of your routes may be generated and stored for display purposes
- Your browser's geolocation (if permitted) may be used to provide local weather data
GPS data is only collected from activities you record or sync. We do not track your location in the background.
9. Data Security
We implement appropriate technical and organizational security measures to protect your personal data:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication mechanisms including multi-factor authentication (TOTP)
- Sensitive tokens (e.g., third-party OAuth tokens) are encrypted using Supabase Vault
- Row Level Security (RLS) on all database tables ensuring users can only access their own data
- Regular security assessments and monitoring
- Access controls limiting employee access to personal data
- Content Security Policy (CSP) and HTTP security headers on all responses
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. We may also retain data as necessary to:
- Comply with legal obligations
- Resolve disputes
- Enforce agreements
- Support business operations
When you delete your account, we immediately delete your data including encrypted tokens, integration records, stored files, and all associated database records. Residual data in backups may persist for up to 45 days before being purged.
11. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
11.1 Access and Portability
- Request a copy of your personal data
- Export your data in a portable, machine-readable format (available via Settings > Security > Export Data)
11.2 Correction and Deletion
- Correct inaccurate or incomplete data
- Request deletion of your personal data
- Delete specific activities or data points
- Delete your entire account and all associated data (via Settings > Security)
11.3 Control and Consent
- Withdraw consent to data processing
- Opt out of marketing communications
- Disconnect third-party service integrations
- Adjust profile visibility and privacy settings
- Restrict certain data processing activities
To exercise these rights, contact us at [email protected] or use the features in your account settings. We will respond to your request within 30 days.
12. Third-Party Services and Integrations
Our Service integrates with third-party fitness platforms and devices. When you connect these services:
- You authorize us to access certain data from those services
- Your data on those platforms is also subject to their privacy policies
- You can revoke access at any time through your account settings or directly through the third-party service
Currently supported integrations:
- Garmin Connect - Privacy Policy
We may add support for additional platforms (such as Strava, Apple Health, and COROS) in the future. This policy will be updated accordingly when new integrations are launched.
13. Cookies and Tracking
We use cookies and similar technologies to:
- Keep you logged in and manage your session (essential cookies)
- Remember your preferences such as language, theme, and unit system
- Understand how our Service is used (Google Analytics)
- Protect against malicious traffic (Cloudflare)
We use Google Analytics to collect aggregated usage data. Cloudflare may set cookies for security and performance purposes as part of its CDN and WAF services.
You can manage cookies through your browser settings. Disabling certain cookies may affect the functionality of our Service.
14. International Data Transfers
Glasp Inc. is based in the United States. If you are accessing our Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers are located (including but not limited to Google Cloud Platform in the US). We take appropriate measures to ensure your data is protected in accordance with this Privacy Policy and applicable data protection laws.
15. Children's Privacy
Our Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly.
16. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, and disclose
- The right to request deletion of your personal information
- The right to opt out of the sale of your personal information
- The right not to be discriminated against for exercising your privacy rights
As noted above, we do not sell your personal information. To exercise your CCPA rights, contact us at [email protected].
17. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Right to access your personal data
- Right to rectify inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
Our legal bases for processing include your consent, performance of a contract, and legitimate business interests. You have the right to lodge a complaint with your local data protection authority.
18. Japanese Privacy Rights (APPI)
If you are located in Japan, you have rights under the Act on the Protection of Personal Information (APPI):
- Right to request disclosure of your personal information
- Right to request correction, addition, or deletion of your personal information
- Right to request cessation of use or provision to third parties
- Right to be informed of the purpose of use of your personal information
We handle your personal data in compliance with applicable Japanese data protection laws. To exercise your APPI rights, contact us at [email protected] and include "APPI Request" in the subject line.
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any significant changes by posting the updated policy on this page and updating the "Last updated" date. We may also notify you via email for material changes.
20. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Glasp Inc.
548 Market St, PMB 26241
San Francisco, CA 94104
United States
Email: [email protected]
Website: https://hashiri.ai
For data protection inquiries specific to European users, please include "GDPR Request" in the subject line. For Japanese users, please include "APPI Request" in the subject line.