Back to VerticalK Legal

Privacy Policy

Last updated: 31 May 2026

1. Who we are

VerticalK is an endurance-training service operated by Smeets BV, a Belgian Besloten Vennootschap (BV) trading as “VerticalK”. We are the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) and Belgian data-protection law.

Smeets BV (trading as VerticalK)
Waversesteenweg 53
3360 Bierbeek, Belgium
Enterprise number (KBO/BCE): 0668.497.472
VAT: BE 0668.497.472
Contact: privacy@vertical-k.com

We have not appointed a Data Protection Officer, as we are not legally required to do so. You can reach our team about any privacy matter at the address above.

2. Scope

This policy covers our website at https://verticalk.app (including the waitlist) and the VerticalK application and related services (together, the “Service”). It explains what personal data we process, why, on what legal basis, who we share it with, and the rights you have.

3. Data we collect

Data you give us

  • Waitlist & contact: your email address when you join the waitlist or contact us.
  • Account: name or display name, email, password (stored only as a salted hash), and account preferences.
  • Content you create: training plans, notes, goals, and messages you exchange with the in-app coaching features.

Data we collect automatically

  • Technical data: IP address, device and browser type, and similar diagnostic data needed to deliver and secure the Service.
  • Usage data: server logs about how the Service is used, for security and reliability.

Data from connected providers

When you choose to connect a third-party account, we receive data from that provider via its API. This is the core of the Service. Depending on the provider, this can include activity records, GPS routes, heart-rate, power, cadence, elevation, pace, timestamps, and basic profile information. Providers we support or plan to support include Strava, Garmin Connect, Apple Health, Polar, and Wahoo.

Under GDPR Article 14, where we obtain your data from these providers rather than directly from you, the source of that data is the provider you connected.

4. Health & fitness data

Activity and physiological metrics such as heart rate, power, and other fitness data are treated as special-category “data concerning health” under Article 9 GDPR. We process this data only on the basis of your explicit consent, which you give when you connect a provider or enable a feature that requires it. You can withdraw that consent at any time (see Your rights), after which we stop processing the data and delete it as described in How long we keep data.

5. Purposes & legal bases

We process your personal data for the following purposes and on the following legal bases (Article 6 GDPR, and Article 9 for health data):

PurposeLegal basis
Create and run your account; import, sync, analyse, display and export your activities; provide coaching features Performance of our contract with you (Art. 6(1)(b))
Process your fitness & health metrics from connected providers Your explicit consent (Art. 9(2)(a) + Art. 6(1)(a))
Keep the Service secure, prevent fraud and abuse, and ensure reliability Our legitimate interests, balanced against your rights (Art. 6(1)(f))
Send you product or marketing email (only if you opt in) Your consent (Art. 6(1)(a)); withdraw any time via the unsubscribe link
Comply with accounting, tax and other legal obligations Compliance with a legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms; you can ask us about this assessment using the contact details below.

6. AI & your data

VerticalK includes AI-assisted coaching that analyses your own training data to suggest and adjust workouts. We use AI to give you insight into your data.

We do not use your data — or any data obtained from Strava, Garmin, Apple Health, Polar, Wahoo or any other provider — to train artificial-intelligence or machine-learning models. This commitment also reflects the requirements of the providers’ API agreements.

AI-generated coaching suggestions are informational and are not a substitute for professional medical or training advice. You remain in control and decide whether to accept any suggestion.

7. Connected providers & recipients

We share personal data only with the following categories of recipients, and only as needed:

  • Fitness data providers (Strava, Garmin, Apple, Polar, Wahoo) — when you connect them, to retrieve your data. Their own handling of your data is governed by their privacy policies.
  • Hosting & infrastructure providers — to run and store the Service, acting as our processors under data-processing agreements.
  • Tally — operates the waitlist form embedded on our website.
  • Email provider — to send transactional and (if you opt in) product email.
  • Authorities — where required by law.

We do not sell your personal data, and we do not share it for third-party advertising.

8. Connecting accounts (OAuth)

Provider connections use OAuth, the industry-standard authorisation method. This means:

  • We never see or store your provider password; we receive a limited access token instead.
  • The permissions (scopes) we request are shown to you by the provider before you approve.
  • Tokens are stored encrypted and are used only to retrieve your own data.
  • You can disconnect at any time, in VerticalK or in your provider’s account settings. We then delete the related data as described below.

We only ever display your own data to you. We do not display, share or disclose any other athlete’s data, even where that data is publicly visible on the source platform.

9. How long we keep data

  • Strava data: cached for a maximum of 7 days, after which it is refreshed or deleted; and deleted within 48 hours of you disconnecting Strava, in line with the Strava API Agreement.
  • Garmin data: retained only as long as needed to operate the Service, and deleted when you revoke access or delete your account, in line with the Garmin Connect Developer Program Agreement.
  • Other providers: retained only as long as needed for the features you use, and deleted on disconnection or account deletion.
  • Account & profile data: kept for the life of your account, then deleted, except where we must keep certain records (e.g. invoices) to meet legal obligations.
  • Waitlist email: kept until launch or until you ask us to remove it.

10. International transfers

Some providers and processors (including Strava, Garmin and Apple) are based in, or store data in, the United States. Where your personal data is transferred outside the European Economic Area, we rely on an appropriate safeguard under Chapter V GDPR — either the EU–US Data Privacy Framework (where the recipient is certified) or the European Commission’s Standard Contractual Clauses. You can ask us which safeguard applies to a given transfer, and you have the right to object.

11. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase your data (“right to be forgotten”);
  • Restrict or object to certain processing;
  • Portability — receive your data in a structured, machine-readable format (we support export as FIT, GPX, JSON or CSV);
  • Withdraw consent at any time, without affecting processing done before withdrawal.

To exercise any right, email privacy@vertical-k.com. We respond within one month, as required by the GDPR.

12. Complaints

If you believe we have processed your data unlawfully, you have the right to lodge a complaint with the Belgian supervisory authority:

Gegevensbeschermingsautoriteit / Autorité de protection des données (Belgian Data Protection Authority)
Drukpersstraat 35, 1000 Brussels, Belgium
contact@apd-gba.be · +32 (0)2 274 48 00
https://www.dataprotectionauthority.be

13. Cookies & similar technologies

We keep this simple. Today we use only what is strictly necessary:

  • A theme preference stored locally in your browser (so the site remembers light/dark mode). This stays on your device.
  • The Tally waitlist form embedded on our site may set cookies needed for the form to work.

We do not currently use analytics, advertising or tracking cookies. If we add any non-essential cookies in future, we will ask for your prior consent through a cookie banner, in line with the ePrivacy rules.

14. Security

We protect your data with measures including encryption in transit, encryption of access tokens at rest, access controls, and regular review. No system is perfectly secure, but we work to keep your data safe and will notify you and the authorities of a breach where the law requires.

15. Children

The Service is not intended for children under 16. We do not knowingly collect data from children under that age. If you believe a child has provided us data, contact us and we will delete it.

16. Changes to this policy

We may update this policy from time to time. We will post the new version here with an updated date and, for material changes, notify you by email or in the app.

17. Contact

Questions about this policy or your data? Email privacy@vertical-k.com, or write to Smeets BV, Waversesteenweg 53, 3360 Bierbeek, Belgium.