rox-strat

Privacy Policy

Last updated: May 11, 2026

Short version: Your data lives in your own iCloud account. We don't run a server, we don't see your training, and we don't sell or share anything about you. No analytics, no ad networks, no tracking.

1. Who we are

rox-strat ("the app," "we," "us") is a personal pacing tool for HYROX® and hybrid-fitness athletes, built for iOS and Apple Watch. rox-strat is not affiliated with HYROX® or Hyrox World GmbH. HYROX® is a registered trademark of Hyrox World GmbH.

2. What data the app handles

Identity

Apple Sign-In identifier — a stable, hashed user ID issued by Apple. We use this only to associate your data with your iCloud account inside the app. We never receive your email, name, or Apple ID password.

Performance data (stored in your iCloud)

Personal fitness test (PFT) results
5K personal best, station personal records
Saved race simulations and race history
App preferences (selected language, aggression level, etc.)

All of this is written to your private CloudKit database in the container iCloud.com.roxstrat.app. It lives in your iCloud, under your Apple ID — not on our servers. We do not have access to it.

Health data (read-only, from Apple Health)

Heart rate variability (HRV / SDNN)
Sleep analysis
Running workouts (distance, duration)

Health data is read directly from Apple Health, used on your device to compute your readiness score and refine pacing projections, and is never transmitted off your device. You can revoke HealthKit permissions at any time in iOS Settings → Privacy & Security → Health → rox-strat.

Strava data (optional, read-only)

If you connect Strava, the app reads your recent running activities to refine your pacing plan. The OAuth handshake goes through our Cloudflare Worker at strava-worker.roxstrat.workers.dev, which exists only to perform the token exchange so that the Strava client secret never lives in the app binary. The Worker does not log, persist, or forward any user data — it relays tokens straight back to your device.

Strava tokens are stored locally in the iOS Keychain. You can disconnect Strava at any time from the Profile screen, which deletes the tokens from your device.

Subscription state

rox-strat uses RevenueCat to manage in-app purchases for rox-strat Pro. RevenueCat receives an anonymous app user identifier and the Apple-issued purchase receipt — enough to verify your subscription. It does not receive any of your training data. See RevenueCat's privacy policy for details.

3. What we do NOT collect

No analytics SDKs (Firebase, Mixpanel, Amplitude, etc.)
No advertising identifiers (IDFA)
No crash-reporting third parties (we rely on Apple's built-in crash logs you opt into via iOS Settings)
No location data
No microphone, camera, or contacts access
No tracking across other apps or websites

4. How your data is used

Everything described above is used for a single purpose: to give you a personalized pacing plan. There is no secondary use, no profiling for ads, no data brokers, and no sale of any data to third parties.

5. Data retention & deletion

Because your data lives in your iCloud, you control its retention. You can:

Delete individual records from inside the app (Profile → History screens).
Sign out to remove the local Apple ID association and Keychain tokens.
Delete the app, which removes all on-device caches.
Remove the iCloud data via iOS Settings → Apple ID → iCloud → rox-strat → Delete Data.

6. Children

rox-strat is intended for users 13 years or older. We do not knowingly collect data from children under 13. If you believe a child has used the app, contact us and we will help walk through deleting their iCloud data.

7. International users

rox-strat is available worldwide. Because all data is stored in the user's own iCloud account, data residency is governed by Apple's iCloud infrastructure for the user's region. We do not transfer data across borders ourselves.

8. Your rights (GDPR, CCPA, etc.)

Under GDPR, CCPA, and similar frameworks, you have the right to access, correct, port, or delete personal data we hold about you. Because we do not hold your data — Apple does, on your behalf — you can exercise these rights directly through iCloud and iOS Settings as described in Section 5. We are happy to assist if you run into trouble: contact details below.

9. Changes to this policy

If we materially change how data is handled, this page will be updated and the "Last updated" date at the top will move. Substantial changes will also be communicated inside the app on next launch.

10. Contact

Questions, requests, or concerns: mehmet.gencol@affirm.com