Legal

Privacy Policy

Effective date: 1 June 2026 · Last updated: 1 June 2026

1. Who we are

Mara is a training-plan service operated by Broadsea Media Ltd, a company registered in England and Wales, trading as Marathon Handbook ("Broadsea Media", "Marathon Handbook", "we", "us", "our"). This policy describes how we collect, use, store, and share personal information when you use the Mara website at maramiles.com, the Mara iOS app, or any connected service operated by us.

You can reach us about anything in this policy at hi@marathonhandbook.com.

2. What we collect

We collect only the information we need to deliver a useful training plan and progress feedback.

2.1 Information you give us

Account details: email, display name, profile photo, password (hashed), date of birth, distance-unit preference, optional weekly mileage target.
Training inputs: goal race / distance, race date, recent race results, weekly mileage history, training day preferences, free-text notes for the AI coach.
Optional health markers: sleep hours, daily checklist responses, effort ratings — these are user-entered and entirely optional.
Communications: support emails, in-app feedback, chat messages with the AI coach.

2.2 Information from connected services

When you connect a third-party service, we receive only what is needed to compute your training analytics:

Strava: athlete ID, name, profile photo, and your activities (date, distance, duration, pace, heart-rate stream, altitude stream, GPS polyline summary, laps, average and max heart rate, elevation gain, activity type, "is race" flag, activity description and photos when present). We request the scopes read, activity:read_all, and profile:read_all. You can revoke access at any time at strava.com/settings/apps — see Section 7.
Garmin Connect / Apple HealthKit (when enabled): the same shape of workout data as Strava — distance, duration, pace, heart rate, where available.
WordPress / MemberPress (Marathon Handbook account): email, membership tier, and Marathon Handbook user ID, used to single-sign-on into Mara and apply the right tier.
Apple App Store / RevenueCat (iOS): a pseudonymous purchase identifier so we can grant the right membership entitlement after an in-app purchase. We never receive your full card details.

2.3 Information we collect automatically

Usage data: pages you visit, features you use, approximate location (derived from IP at the country level), timestamps.
Device data: browser, OS, screen size, app version.
Crash reports: stack traces and rough device context, via Sentry, to fix bugs.
Cookies: only what is essential for sign-in, the session, and the rare consent banner. We do not use third-party advertising cookies on Mara.

3. How we use your information

Generate and personalise your training plan — this is the core service.
Compute analytics — weekly volume, planned-vs-actual compliance, pace trends, training load (CTL / ATL / TSB), heart-rate zones, race-readiness.
Produce AI coach commentary — when you submit free-text notes or chat with the coach, we send the relevant slice of your training context to Anthropic (Claude) to generate a response.
Send service emails — sign-in confirmations, important account or security messages. We do not enrol you into marketing email without explicit consent.
Provide support — when you contact us.
Improve and secure the product — fix bugs, detect abuse, run aggregated, non-identifying analyses to make the engine better.
Comply with law — when required.

4. Who we share information with

We do not sell your personal information. We share data only with the limited set of recipients we need to operate the service:

Supabase (hosting + database, EU region) — stores your account, plan, completions, and other product data.
Vercel (application hosting) — serves the Mara website and runs the API.
Anthropic (Claude API) — receives only the prompt context needed to generate AI coach responses, summaries, and notes adjustments. Anthropic processes data under their commercial terms (zero data retention enabled where available).
Strava, Garmin, Apple HealthKit — we make outbound calls to retrieve your data per your authorisation; we do not push your Mara data back into these services beyond what you explicitly initiate.
Sentry (error tracking) — receives anonymised stack traces and request context to help us fix bugs. We do not send full request bodies to Sentry.
Stripe / Apple / Google (payments) — process subscriptions for the Marathon Handbook tiers (Weekend Warrior, Serious Runner, Running Sicko) and any iOS in-app purchases.
Marathon Handbook (WordPress / MemberPress) — shared account state, since your Marathon Handbook membership is the same account you use on Mara.
Law enforcement / regulators — only when legally compelled and only the minimum required.

5. Strava-specific terms

Mara's use of Strava-sourced data is governed by Strava's API Agreement in addition to this policy. In particular:

We retrieve your Strava activities only to compute your training metrics — we do not resell, license, or otherwise commercialise Strava data.
We honour disconnection and deletion requests promptly. If you revoke Mara from strava.com/settings/apps, we stop pulling new activities and you can ask us to delete the cached copy from our database (Section 8).
Strava activity data displayed inside Mara remains the property of you and Strava; we display it under our license to use the Strava API.
We display the "Powered by Strava" mark and the Strava brand consistent with the Strava Brand Guidelines wherever Strava data appears.

6. How long we keep your data

Account data: for as long as your account exists, plus up to 30 days after deletion (so accidental deletes can be recovered).
Training data (plans, completions, runs): same as account data.
Strava activity cache: kept while you stay connected; refreshed at most every 24 hours. When you disconnect Strava, we stop refreshing; you can ask us to purge the cached rows at any time (Section 8).
Sentry crash reports: 90 days.
Aggregated / anonymised analytics: retained indefinitely; they can no longer be linked back to you.
Backup snapshots: up to 30 days, then purged.

7. Your rights

Depending on where you live, you have some or all of the following rights:

Access — request a copy of the personal data we hold about you.
Correction — fix anything that is wrong; most fields are editable from your settings page.
Deletion — close your account and have your data erased (subject to legal retention windows).
Portability — receive your data in a structured, machine-readable format.
Withdraw consent — disconnect Strava / Garmin / HealthKit, opt out of optional processing, or revoke AI coach features.
Object — to processing that you believe is unjustified.
Lodge a complaint — with your local data-protection authority (e.g. the UK ICO).

To exercise any of these rights, email hi@marathonhandbook.com. We respond within 30 days.

8. Deleting your data

You can delete your account at any time from Settings, or by emailing hi@marathonhandbook.com from the address on file. To remove cached Strava activities specifically (while keeping the rest of your Mara account), email us with the subject "Delete my Strava cache."

9. Security

We use industry-standard practices to protect your data: encryption in transit (TLS), encryption at rest, row-level security on all user-scoped tables, hashed passwords (handled by Supabase Auth), and the principle of least privilege for staff access. No system is perfectly secure — we will tell you about any incident that affects your data in line with the law.

10. International transfers

Mara is operated from Europe (Supabase EU region) and Vercel's global edge network. Some of our service providers (Anthropic, Sentry, Stripe) are based in the United States. Where we transfer data outside the UK / EEA, we rely on Standard Contractual Clauses or equivalent safeguards.

11. Children

Mara is not directed to children under 16. If you believe a child has provided us personal data, contact us and we will delete it.

12. Changes to this policy

We will post material changes to this page and update the "Last updated" date at the top. If the change is significant, we will notify you by email or in-app.

13. Contact

Broadsea Media Ltd (trading as Marathon Handbook)
Registered in England and Wales
Email: hi@marathonhandbook.com
Web: maramiles.com · marathonhandbook.com