Privacy & Data Handling
Last updated: 2026-04-05
What we collect
- Account info — email address and a bcrypt-hashed password. We never store your password in plain text.
- Hevy API key — encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256). Used only to read your workouts and update your routines on your behalf.
- Workout data — exercises, sets, reps, and weights pulled from Hevy for the routines you choose to track. Stored locally to generate progression analysis.
- WHOOP tokens (if connected) — OAuth refresh token, encrypted at rest. Used only to read recovery scores.
- Telegram chat ID (if connected) — used to deliver review notifications. No message content is stored beyond delivery status.
- Feedback and review responses — your approve/skip/feedback actions and any freeform text you provide on reviews.
- Analytics events — page views, onboarding steps, and signup attribution such as landing path, referrer domain, and UTM/referral parameters. No third-party analytics.
- First-party attribution cookie — a small cookie stores first-touch and last-touch referral data before signup so Overload can understand where new users came from.
How your data is used
- Analyze completed workouts and generate weight/rep progression recommendations.
- Apply approved changes to your Hevy routines via the Hevy API.
- Generate human-readable review summaries using an LLM (Anthropic Claude Haiku, with OpenAI as fallback). The LLM receives only exercise names, sets, reps, weights, and your training goal — never your email, name, or API key.
- Send review notifications via Web Push or Telegram if you opt in.
What we do NOT do
- Sell, rent, or share your data with anyone.
- Use your data for advertising or marketing.
- Send your email, API key, or personal identifiers to any LLM.
- Track you across other websites. No third-party cookies, pixels, or analytics scripts.
Where your data lives
All data is stored in a SQLite database on the server. There is no cloud database or third-party data warehouse. Backups are stored on an encrypted local drive.
Security
- API keys and OAuth tokens are encrypted at rest using Fernet symmetric encryption.
- Passwords are hashed with bcrypt (never stored in plain text).
- All traffic is served over HTTPS via Tailscale Funnel with automatic TLS.
- Session tokens expire and are validated on every request.
- Login attempts are rate-limited (5 failures per IP in 5 minutes trigger a lockout).
No system is perfectly secure. Overload is a solo-developer project in active development. Use it with that in mind.
Data retention
Your data is retained as long as your account exists. Workout analyses are kept indefinitely to power trend detection. If you delete your account, all associated data (analyses, reviews, API keys, tokens) is permanently removed.
Third-party services
- Hevy API — reads workouts, writes routine updates. Governed by Hevy's privacy policy.
- Anthropic (Claude Haiku) — generates review summaries from anonymized workout data.
- OpenAI — fallback LLM provider, same anonymized data scope.
- Telegram Bot API — delivers optional notifications. Only your chat ID and message content are sent.
- WHOOP API (if connected) — reads recovery scores. Governed by WHOOP's privacy policy.
Account deletion
To delete your account and all associated data, use the in-app feedback button or contact the operator. Deletion is permanent and typically processed within 48 hours.
Changes to this policy
If this policy changes materially, the "Last updated" date at the top will change. Continued use after an update constitutes acceptance.