Boathouse Fitness
Log inSign up

Privacy Policy

Last updated: 10 April 2026

This Privacy Policy explains how Boathouse Fitness ("we", "us", "our") collects, uses, stores and protects your personal data when you use Critical Power (the "Service"). We take your privacy seriously and are committed to handling your data lawfully, transparently and securely.

A note on scope: This policy is written to meet the core principles of the UK Data Protection Act 2018 and UK GDPR, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the CPRA, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Act 1988. If you are located in a jurisdiction with additional rights, those rights apply to you in full.

1. Who we are

Boathouse Fitness is the data controller for the personal information you provide when you use Critical Power. You can contact us at any time using the details at the bottom of this policy.

2. What data we collect

2.1 Account data

When you create an account, we collect:

  • Your email address (required)
  • A hashed password or your Google sign-in identifier

2.2 Athlete profile data

When you run a calculation, we collect information you enter:

  • Name (paid plans only)
  • Date of birth
  • Sex
  • Competition level
  • Years of rowing experience (optional)
  • Body mass (optional)

2.3 Performance data

Your ergometer test results, calculated Critical Power and W′ values, training zone configurations, and any heart rate data you choose to add.

2.4 Payment data

If you purchase a subscription or pay-per-report, we use Stripe to process your payment. We do not store your card details on our systems. Stripe handles all card data in line with PCI DSS. See Stripe's privacy policy at stripe.com/privacy.

2.5 Technical data

We collect basic technical information needed to run the service: session cookies, IP address, browser type and operating system. We do not use third-party analytics cookies that track you across other sites.

3. How we use your data

We use your personal data for the following purposes:

  • To provide the service: calculating your Critical Power, generating your training zones and sessions, producing your individual report, and saving your results so you can return to them.
  • Account management: authentication, password reset, billing, and customer support.
  • Anonymous research: we may use your performance data in a fully anonymised and aggregated form to improve the Critical Power model, publish statistical analyses, and advance rowing sports science. Anonymised data cannot be linked back to you. You can opt out of this use at any time (see Section 7).
  • Service communications: transactional emails such as sign-up confirmations, receipts, password resets, and important account notices.
  • Legal compliance: meeting our legal and regulatory obligations.

4. Lawful bases for processing (UK/EU GDPR)

We rely on the following lawful bases to process your data:

  • Contract: processing necessary to deliver the service you signed up for.
  • Consent: use of your data for anonymous research, optional marketing emails, and optional data you choose to provide. You can withdraw consent at any time.
  • Legitimate interests: running and securing the service, preventing fraud, and improving our product, provided these interests do not override your rights.
  • Legal obligation: where processing is required by law.

5. Who we share your data with

We only share your data with trusted service providers:

  • Supabase: database, authentication and file storage. Data is stored in the European Union (Frankfurt region).
  • Stripe: payment processing.
  • Vercel (or equivalent): web hosting.

We do not sell your personal information to anyone, ever. We do not share your data with advertisers or data brokers.

6. International transfers

Our primary data storage is in the European Union. Where data is transferred outside the UK or EU (for example, when Stripe processes a payment), those transfers are protected by Standard Contractual Clauses, UK International Data Transfer Agreements, or an equivalent approved mechanism.

7. Your rights

Depending on where you live, you have some or all of these rights:

  • Right to access a copy of the data we hold about you
  • Right to correct data that is inaccurate or out of date
  • Right to erase your data (the "right to be forgotten")
  • Right to restrict or object to how we process your data
  • Right to data portability
  • Right to withdraw consent at any time
  • Right to opt out of the sale or sharing of personal information (California)
  • Right not to be discriminated against for exercising any of these rights
  • Right to lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office at ico.org.uk)

To exercise any of these rights, email us at boathouse@strengthconditioning.academy. We will respond within 30 days.

8. How long we keep your data

  • Account data: for as long as your account is active, plus 90 days after deletion to allow for recovery.
  • Performance data: for as long as your account is active. Deleted when you close your account, except for anonymised records (see below).
  • Anonymised research data: kept indefinitely, because it can no longer be linked back to you.
  • Billing records: kept for 7 years to meet UK tax and accounting obligations.

9. How we protect your data

All data is transmitted over encrypted HTTPS. Passwords are hashed and never stored in plain text. Database access is protected by row-level security, so you can only see your own records. Payments are handled entirely by Stripe, which is PCI DSS Level 1 certified. We review our security practices regularly.

10. Children

Critical Power is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe we have collected such data, please contact us and we will delete it. For users aged 13 to 16 in the EU and UK, parental consent may be required for some data processing.

11. Cookies

We use only essential cookies needed to run the service (for example, to keep you signed in). See our Cookie Policy for details.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice on the site before the changes take effect. The "Last updated" date at the top of this page shows when it was last revised.

13. Contact us

If you have any questions about this policy or how we handle your data, email us at boathouse@strengthconditioning.academy.

This Privacy Policy is provided in good faith but does not constitute legal advice. We recommend consulting a qualified data protection professional for your specific situation.