Privacy Policy
Effective date: 20 April 2026
1. Who We Are
Belite Coaching (“we”, “us”, “our”) is the data controller responsible for your personal data. We operate BELITE at belite.app. For privacy enquiries, contact us at contact@belite.app.
2. What Data We Collect
Account data
When you create an account we collect your email address via Supabase Authentication.
Questionnaire and plan data
To generate your race day plan we ask you to provide performance and personal information, which is stored alongside your plan. This includes:
- Age, weight (and preferred unit)
- Sport, race distance, and race details (name, date, location)
- Performance metrics: FTP (cycling), LTHR, heart rate max, CSS (swimming)
- Goal finish time and experience level
- GI tolerance, known nutrition sensitivities, and preferred products
- Equipment details
This data is stored in your account and linked to each plan you generate. It is not sold or shared with third parties for marketing purposes.
Health-adjacent data notice
Some of the data we collect (age, weight, heart rate metrics, GI conditions) may be considered health-related under GDPR Article 9. We collect this data solely to generate your race plan. We do not process it as medical data and we do not share it with healthcare providers or anyone else. By submitting a questionnaire you give explicit consent to our processing of this information for race plan generation.
Payment data
Payments are handled entirely by Stripe. We store only your Stripe session reference ID and payment intent ID — reference numbers that allow us to reconcile your credit purchase. We do not store card numbers, CVV codes, or billing addresses.
Session data
When you log in, an authentication session cookie is set to keep you signed in. See Section 6 (Cookies) for details.
3. Why We Use Your Data (Legal Basis)
| Purpose | Legal basis (GDPR) |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Generating your race day plan | Contract performance (Art. 6(1)(b)); Explicit consent for health-adjacent data (Art. 9(2)(a)) |
| Processing your payment | Contract performance (Art. 6(1)(b)) |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) |
| Responding to legal obligations or requests | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Data Processors
We use the following sub-processors. Each is bound by a Data Processing Agreement:
| Processor | Purpose | Data transferred |
|---|---|---|
| Supabase | Database and authentication hosting | All account and plan data |
| Stripe | Payment processing | Email, payment details |
| Anthropic | AI plan generation (Claude API) | Questionnaire answers (used to build the prompt) |
| Vercel | Website hosting and delivery | IP address, HTTP request metadata |
We do not use Google Analytics, Meta Pixel, or any advertising or tracking technology. We do not sell your data.
5. Data Retention
We retain your data for as long as your account is active. Specifically:
- Account and plan data — kept until you delete your account or request erasure.
- Payment records — kept for 7 years to comply with financial record-keeping obligations.
- Session cookies — expire when you log out or after the session timeout set by Supabase Auth.
6. Cookies
We use one type of cookie only: a strictly necessary authentication session cookie set by Supabase Auth when you log in. This cookie keeps you signed in across page loads. It is:
- HttpOnly (cannot be read by JavaScript)
- Secure (only sent over HTTPS)
- SameSite=Lax (CSRF protection)
We do not use advertising cookies, analytics cookies, or any third-party tracking cookies. Because this cookie is strictly necessary for the service to function, no consent is required under the ePrivacy Directive — but we tell you about it anyway.
7. International Data Transfers
Your data may be stored and processed in the United States (Supabase, Vercel, Anthropic, Stripe). Where data is transferred from the European Economic Area, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, or other approved transfer mechanisms, to ensure adequate protection.
8. Your Rights
Under GDPR (EEA/UK residents)
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — request deletion of your data (“right to be forgotten”).
- Portability — receive your data in a machine-readable format.
- Restriction — ask us to limit processing in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
Under CCPA (California residents)
- Know — request disclosure of the categories and specific pieces of personal information we have collected.
- Delete — request deletion of your personal information.
- Non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.
- No sale — we do not sell your personal information.
To exercise any of these rights, you can delete your account directly from your account settings, or email contact@belite.app. We will respond within 30 days (GDPR) or 45 days (CCPA).
9. Children
BELITE is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a notice on the Service. The effective date at the top of this page reflects the most recent revision.
11. Supervisory Authority
If you are in the EEA or UK and believe we have processed your data unlawfully, you have the right to lodge a complaint with your local data protection supervisory authority (e.g. the ICO in the UK, the CNIL in France, or the relevant authority in your EU member state).