Privacy Policy

Effective date: 22 May 2026

1. Who We Are

Belite Coaching (“we”, “us”, “our”) is the data controller responsible for your personal data. We operate BELITE at belite.app. For privacy enquiries, contact us at contact@belite.app.

2. What Data We Collect

Account data

When you create an account we collect your email address via Supabase Authentication.

Questionnaire and plan data

To generate your race day plan we ask you to provide performance and personal information, which is stored alongside your plan. This includes:

  • Age, weight (and preferred unit), optionally sex
  • For female athletes only and only if you choose to share it: menstrual cycle phase on race day
  • Sport, race distance, and race details (name, date, city, country)
  • Performance metrics: FTP (cycling), LTHR, heart rate max, CSS (swimming)
  • Goal finish time and experience level
  • GI tolerance, known nutrition sensitivities, and preferred products
  • Equipment details

This data is stored in your account and linked to each plan you generate. It is not sold or shared with third parties for marketing purposes.

Health-adjacent data notice

Some of the data we collect (age, weight, heart rate metrics, GI conditions, and — if you choose to share them — sex and menstrual cycle phase) may be considered health-related under GDPR Article 9. We collect this data solely to generate your race plan. We do not process it as medical data and we do not share it with healthcare providers or anyone else. By submitting a questionnaire you give explicit consent to our processing of this information for race plan generation. The optional fields (sex, cycle phase) can be skipped — leaving them blank simply means your plan is calibrated against neutral defaults.

Course profile (GPX uploads)

If you upload a GPX file for your race course, the file is parsed entirely in your browser — the original file never leaves your device. We only persist a compact summary of the course (distance, elevation profile, key climbs) inside your plan record so the AI can reason about pacing and fueling on that specific course. Deleting your plan deletes this summary.

Race results history

If you log a finish time (and optional perceived effort / notes) for a past race — via the plan page, the post-race email, or the questionnaire’s past-races section — we store that result in your account. It feeds the AI when it calibrates pacing for your next plan, and is shown back to you on your dashboard.

Nutrition photos & barcode scans

When you add a custom nutrition product, you may:

  • Scan a barcode — your device’s camera is used locally to read the barcode. The image itself is not stored or transmitted; only the decoded barcode number is sent to our server to look the product up.
  • Upload product photos (front of pack + nutrition panel) — these are stored privately in Supabase Storage at a path scoped to your user ID and used to (a) run an OCR pass that extracts the macros and (b) let an admin review your submission for the community catalog.

Photos are not publicly accessible. They are visible only to you and to BELITE administrators via a private moderation queue. The OCR pass is performed by OpenAI; only the photos themselves are sent — no other personal data is included in the prompt.

Automatic 90-day deletion: photos attached to private (“bronze”) submissions are automatically deleted from storage 90 days after upload. The submission itself stays — only the image files go. Once a submission is promoted to the community catalog (“silver” or “gold”), its label photos are retained as part of the catalog record and no longer fall under this 90-day rule.

Community catalog contributions

If a BELITE administrator promotes one of your nutrition submissions from “bronze” (private) to “silver” or “gold” (community-shared), the product macros and label photos become part of the catalog used by all users. Your account email and identity are not surfaced anywhere alongside the catalog entry. If you delete your account, the underlying photos and your private submissions are removed; promoted catalog entries that BELITE has separately confirmed against the label may be retained anonymously as part of the shared catalog.

Ratings & feedback

Any rating, review, or free-form feedback you submit through BELITE is stored in your account and visible to BELITE administrators via the Customer Support and Feedback admin pages. Featured ratings may be displayed publicly on the homepage under the first name you set on your profile — you can opt out by deleting the rating or contacting us.

Payment data

Payments are handled entirely by Stripe. We store only your Stripe session reference ID and payment intent ID — reference numbers that allow us to reconcile your credit purchase. We do not store card numbers, CVV codes, or billing addresses.

Session data

When you log in, an authentication session cookie is set to keep you signed in. See Section 6 (Cookies) for details.

3. Why We Use Your Data (Legal Basis)

Purpose | Legal basis (GDPR)
Account creation and authentication | Contract performance (Art. 6(1)(b))
Generating your race day plan | Contract performance (Art. 6(1)(b)); Explicit consent for health-adjacent data (Art. 9(2)(a))
Processing your payment | Contract performance (Art. 6(1)(b))
Fraud prevention and security | Legitimate interests (Art. 6(1)(f))
Responding to legal obligations or requests | Legal obligation (Art. 6(1)(c))

4. Third-Party Data Processors

We use the following sub-processors. Each is bound by a Data Processing Agreement:

Processor | Purpose | Data transferred
Supabase | Database, authentication, and private storage (nutrition photos) | All account and plan data; nutrition photos
Stripe | Payment processing | Email, payment details
Anthropic | AI plan generation (Claude API) | Questionnaire answers (used to build the prompt)
OpenAI | OCR on nutrition-panel photos (vision API) | Only the front-of-pack and nutrition-panel photos you upload
OpenFoodFacts | Public product database queried by barcode | Only the decoded barcode number — no personal data
Resend | Transactional email delivery (account, post-race nudges) | Email address
Vercel | Website hosting and delivery | IP address, HTTP request metadata

We do not use Google Analytics, Meta Pixel, or any advertising or tracking technology. We do not sell your data.

5. Data Retention

We retain your data for as long as your account is active. Specifically:

  • Account and plan data — kept until you delete your account or request erasure. Plan data includes the parsed GPX course profile when applicable.
  • Race results — kept until you delete your account or remove the row from your dashboard.
  • Nutrition photos — photos attached to private (“bronze”) submissions are automatically deleted from storage 90 days after upload; the submission itself stays. You can also delete photos earlier via the per-category options on the Privacy page or by deleting the submission. Photos behind submissions that BELITE has promoted to the community catalog (“silver”/“gold”) are retained anonymously as part of the shared catalog and are not affected by the 90-day rule.
  • Payment records — kept for 7 years to comply with financial record-keeping obligations.
  • Session cookies — expire when you log out or after the session timeout set by Supabase Auth.

6. Cookies

We use one type of cookie only: a strictly necessary authentication session cookie set by Supabase Auth when you log in. This cookie keeps you signed in across page loads. It is:

  • HttpOnly (cannot be read by JavaScript)
  • Secure (only sent over HTTPS)
  • SameSite=Lax (CSRF protection)

We also use a small amount of localStorage in your browser to remember UI preferences — whether you’ve dismissed this cookie notice, whether the admin sidebar is collapsed, and similar interface state. localStorage is not a cookie, is never transmitted to our servers, and does not contain personal data. Because it is strictly necessary for the interface to behave consistently, no consent is required under the ePrivacy Directive.

We do not use advertising cookies, analytics cookies, fingerprinting, or any third-party tracking technology.

7. International Data Transfers

Your data may be stored and processed in the United States (Supabase, Vercel, Anthropic, Stripe). Where data is transferred from the European Economic Area, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, or other approved transfer mechanisms, to ensure adequate protection.

8. Your Rights

Under GDPR (EEA/UK residents)

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Portability — receive your data in a machine-readable format.
  • Restriction — ask us to limit processing in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

Under CCPA (California residents)

  • Know — request disclosure of the categories and specific pieces of personal information we have collected.
  • Delete — request deletion of your personal information.
  • Non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.
  • No sale — we do not sell your personal information.

To exercise any of these rights, you can:

  • Use the per-category controls on the Privacy page (delete only your photos, only your past races, etc.).
  • Delete your entire account from the Delete account page.
  • Email contact@belite.app for anything else (access requests, portability, partial erasure that isn’t covered above).

We will respond within 30 days (GDPR) or 45 days (CCPA).

9. Children

BELITE is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a notice on the Service. The effective date at the top of this page reflects the most recent revision.

11. Supervisory Authority

If you are in the EEA or UK and believe we have processed your data unlawfully, you have the right to lodge a complaint with your local data protection supervisory authority (e.g. the ICO in the UK, the CNIL in France, or the relevant authority in your EU member state).