Privacy

We try to store as little as possible. Here's exactly what we do — and don't — store.

What we store

When you sign up:

• A random UUID as your internal user id
• The display name returned by your provider's API (e.g. your intervals.icu athlete name)
• The timestamp of your signup

When you connect a provider:

• OAuth access + refresh tokens (for OAuth providers — Intervals.icu, Strava, Oura, Withings), or the API key you pasted (for Hevy)
• The provider-side user id (so we can detect re-linking)
• The display name returned by that provider

When you sign in to /settings:

• A random session token, valid for 7 days, scoped to your user id

When you call connect_<provider> from your AI client:

• A single-use magic-link token, valid for 10 minutes, deleted immediately on first use

All of the above lives in Cloudflare KV, encrypted at rest by the platform.

What we don't store

• Any workout, activity, wellness, or other content from intervals.icu or Hevy — we fetch it live on every tool call and never persist it
• LLM conversations, messages, or tool-call history
• Your IP address (Cloudflare may log it at the network layer for abuse prevention, but our worker code does not access or persist it)
• Anything else not listed in the section above

Operator access

The service operator (the single account configured as admin) can see the data listed in "What we store" — your display name, which providers you've connected, when you signed up, and the count of active OAuth grants. They cannot read your provider API keys in plaintext from any UI. They can revoke your OAuth grants (forcing re-auth) or delete your account on your behalf. All admin actions hit the same KV that you can wipe yourself at any time via /settings.

Third parties

• Cloudflare Workers + KV — runs the service and stores the data listed above
• Intervals.icu — receives API calls with your key when you use intervals tools
• Hevy — receives API calls with your key when you use hevy tools
• Google Fonts — serves the Roboto Mono webfont; each page view fetches the stylesheet

Deleting your account

You can delete your account and everything tied to it at any time from /settings → Danger zone. Deletion is immediate and permanent: all credentials, identity links, session cookies, magic-link tokens, OAuth grants issued to your AI clients, and your user record are removed. Your data on the upstream providers themselves (intervals.icu, Hevy) is untouched.

Audit the code

This service is open source. If you want to verify exactly what's stored and how, read the source:

https://github.com/agiantwhale/workoutcontext