Privacy Policy

2.1 Information You Provide Directly

When you create an account or use Onda, you may provide:

• Account information: name, email address, password (stored as a cryptographic hash)
• Profile information: date of birth, gender, height, weight, resting heart rate, functional threshold power, training zones, and related athletic profile data you choose to enter
• Race goals, target events, and training preferences

2.2 Information From Connected Services

Onda allows you to connect third-party services — including Garmin Connect, Suunto Cloud API, Apple HealthKit, Zwift via email, and others — to import your activity and health data. When you authorize one of these connections, we receive information from that service on your behalf, which may include:

• Workout activities: date, time, duration, sport type, distance, pace, speed, heart rate, power, cadence, elevation, GPS routes, laps, and splits
• Wellness and health metrics: resting heart rate, heart rate variability, sleep duration and stages, daily steps, stress scores, body composition, and VO2 max estimates
• Training-related data: structured workouts, training plans, and device settings

For Garmin Connect specifically, we access data through the Garmin Connect Developer API only after you have completed the Garmin OAuth2 authorization flow and granted Onda permission to access your data. You can revoke this permission at any time from your Garmin Connect account settings or from within Onda. See Section 2.4 for how Garmin data flows through our systems. Section 2.5 covers the equivalent flow for Suunto. Section 2.6 covers email-based ingestion from Zwift and other indoor-cycling platforms.

2.4 Garmin Connect Integration Details

When you connect your Garmin account, Onda receives and stores the following categories of information from the Garmin Developer API:

• Activity data — each workout you complete on a Garmin device: start time, duration, distance, sport type, heart rate, power, pace, cadence, elevation, GPS track, laps, and device metadata.
• Your Garmin athlete identifier — an opaque numeric ID that Garmin uses to identify your account. Onda stores this only to route incoming activities to the right Onda user.
• OAuth access and refresh tokens — short- and long-lived credentials issued by Garmin that let Onda download your activity data. These tokens are stored on Onda’s backend database and are accessible only to Onda’s server-side services; the Onda iOS app never reads them.

New activities are delivered to Onda by Garmin’s Activity API ping service: when you finish and sync a workout on your device, Garmin notifies Onda’s servers, and Onda downloads the activity details for you. You can disconnect the integration at any time from Onda → Settings → Connected Devices, or from your Garmin Connect account settings → Connected Apps. Disconnecting stops all future data flow from Garmin; activities already imported remain in your Onda account until you delete them (or your account).

2.5 Suunto Cloud API Integration Details

When you connect your Suunto account, Onda receives and stores the following categories of information from the Suunto Cloud API:

• Workout data — each workout you complete on a Suunto device, delivered as the FIT file Suunto exports for that workout: start time, duration, distance, sport type, heart rate, power (where present), pace, cadence, elevation, GPS track, laps, and device metadata.
• Your Suunto username — the identifier Suunto includes in the JWT access token. Onda stores this only to route incoming workouts to the right Onda user.
• OAuth access and refresh tokens — credentials issued by Suunto that let Onda download your workout data. These tokens are stored on Onda’s backend database and are accessible only to Onda’s server-side services; the Onda iOS app never reads them.

We do not ingest 24/7 daily activity data from Suunto — daily steps, calories, sleep, and stress are not requested or stored. Onda is built for workouts, not step tracking.

New workouts are delivered to Onda by Suunto’s notification webhook: when you finish and sync a workout to the Suunto app, Suunto notifies Onda’s servers, and Onda downloads the FIT file for you. You can disconnect the integration at any time from Onda → Settings → Connected Devices, or from the Suunto app’s connected-apps settings. Disconnecting stops all future data flow from Suunto; workouts already imported remain in your Onda account until you delete them (or your account).

2.6 Email-based Activity Ingestion (Zwift)

When you connect Zwift in Onda, the app generates a unique inbox address for you of the form <token>@inbox.ondafit.app. You forward your Zwift FIT files (or any other FIT file) to that address from any email client; Onda’s servers receive the message, extract the FIT attachment, and import it into your account. Onda receives and stores the following from each email:

• FIT-attachment activity data — the workout data inside the FIT file: start time, duration, distance, sport type, heart rate, power, pace, cadence, elevation, GPS track, laps, and device metadata. Non-FIT attachments (PDFs, images, body text) are discarded; we never parse the email body.
• Sender address and email subject— stored alongside each incoming email for up to 30 days for debugging and surfaced to you in the “Recent emails” section of the Zwift settings screen. The email subject may also be used as the activity title when the FIT file doesn’t carry one.
• Your inbox token — a random 8-character string that routes incoming emails to your Onda account. The token is your credential for this channel; anyone who knows it can post FIT files to your account (rate-limited to 20 per hour). You can rotate it at any time from the Zwift settings screen.

Email delivery is handled by Resend, our email infrastructure provider. Resend processes inbound messages on our behalf; their handling of in-transit email is governed by Resend’s privacy policy. Onda only stores the FIT bytes + the forensic fields listed above; the email body, headers, and non-FIT attachments are never persisted.

You can disconnect the integration at any time from Onda → Settings → Connected Devices → Zwift → Disconnect. Disconnecting silently drops any future emails sent to your inbox address; activities already imported remain in your Onda account until you delete them (or your account). If you only want to invalidate the address (for example, because you accidentally shared it publicly), use the “Rotate address” button on the same screen — that mints a fresh token and the old address goes silent.

2.3 Information Collected Automatically

When you use Onda, we automatically collect limited technical information:

• Device and browser type, operating system version, and screen size
• IP address (used for security and regional routing; not used for advertising)
• Service usage events such as page views and feature interactions, for the purpose of debugging and improving the Service
• Crash and error logs

We do not use third-party advertising trackers, cross-site tracking pixels, or data broker integrations.

4.1 Service Providers

We use a small number of infrastructure providers to run Onda. These providers process data on our behalf under contractual obligations that restrict them to the purposes we specify. Current providers include:

• Hosting and infrastructure (e.g., Vercel, Amazon Web Services)
• Authentication (e.g., Supabase)
• Email delivery for account-related messages
• Error monitoring and crash reporting

These providers do not have independent rights to your data and may not use it for their own purposes.

4.2 Legal Requirements

We may disclose information if required to do so by law, subpoena, court order, or other valid legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Metrica Fit LLC, our users, or the public.

4.3 Business Transfers

If Metrica Fit LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

4.4 With Your Explicit Consent

We may share information with other parties if you direct us to do so — for example, if you use a future feature to share a workout with a coach or training partner. Such sharing only occurs at your explicit direction.