VO3← Back

Privacy Policy

Last updated: 20 June 2026
⚠️ This is a starting-point policy for alpha testing. Replace the bracketed placeholders and have it reviewed by a qualified data-protection professional before public launch.

This policy explains how VO3 (“we”, “us”) collects, uses and protects your personal data when you use the VO3 app at vo3.fit. We are committed to handling your data lawfully and transparently under the UK GDPR and Data Protection Act 2018.

1. Who we are

The data controller is [Your legal/company name], [address]. For any privacy questions or to exercise your rights, contact us at [privacy@vo3.fit].

2. What data we collect

  • Account data: your name, email address, and a securely hashed password.
  • Health & training data (special-category data): age, weight, injuries, training history, and metrics such as heart-rate variability, resting heart rate, sleep, VO₂ max and readiness — provided by you or imported from connected services.
  • Connected services: VO3 imports your training and recovery data from intervals.icu — a hub that itself aggregates Garmin, Whoop, Strava, Wahoo and others. We store your intervals.icu API key encrypted and sync your data automatically each night and whenever you tap Sync. Direct Garmin, Whoop and Strava connections are coming soon.
  • Coaching data: your conversations with the AI coach (“Max”) and the training plans generated for you.
  • Usage data: aggregated, non-identifying analytics about how features are used, and basic operational logs.

3. Legal basis for processing

  • Explicit consent — for processing your health & training data (special-category data under Article 9 UK GDPR). You give this separately from accepting our Terms, at the moment you connect a data source (intervals.icu). You can withdraw it any time by disconnecting the source — which deletes the data we imported from it — or by deleting your account.
  • Contract — to provide the coaching service you sign up for.
  • Legitimate interests — to keep the service secure, prevent abuse, and improve features using aggregated data.

4. How we use your data

To create and personalise your training plans, power the AI coach, show your progress, refresh your data on an automated nightly schedule, sync workouts to your devices, and operate and secure the service. Our AI coach (“Max”) provides athletic-performance guidance only — it is not a medical device and does not give medical advice or diagnosis (see our Terms). We do not sell your personal data or use it for third-party advertising.

5. Who we share it with (processors)

We use trusted service providers who process data on our behalf under data-processing agreements:

  • intervals.icu — our data source: only after you connect it, we import your activities and recovery metrics and sync planned workouts back. Your use of intervals.icu is also governed by its own terms and privacy policy.
  • Anthropic — the AI model behind the coach. Your relevant training context is sent to generate responses; it is not used to train their models.
  • Neon — database hosting (your account and training data).
  • [Hosting provider, e.g. Vercel] — application hosting.
  • Garmin, Whoop and Strava (direct) — planned; not active yet. For now their data reaches us only via intervals.icu, if you connect it there.

6. International transfers

Some providers may process data outside the UK/EEA. Where they do, transfers are protected by appropriate safeguards such as Standard Contractual Clauses. [Confirm and detail per provider.]

7. How we protect your data

Passwords are hashed (bcrypt). Third-party access tokens and API keys are encrypted at rest (AES-256-GCM). Data is encrypted in transit (TLS) and at rest by our database provider. Access is restricted so no user can see another user's data, and administrators only see aggregated, non-identifying statistics.

8. How long we keep it

We keep your data for as long as your account is active. If you disconnect a data source, we delete the activities and recovery data we imported from it. If you delete your account, your personal data is erased promptly (including connected-service credentials); anonymised, aggregated statistics that can no longer identify you may be retained. [Set specific retention periods.]

9. Your rights

Under UK GDPR you have the right to access, correct, export, restrict, object to, and erase your data, and to withdraw consent at any time. You can download all your data or delete your account directly from your Profile page. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies

We use essential, first-party cookies only — to keep you signed in and remember that you've completed onboarding. We do not use advertising or third-party tracking cookies.

11. Children

VO3 is not intended for anyone under [16/18]. We do not knowingly collect data from children.

12. Changes to this policy

We may update this policy. If changes are material we will notify you and, where required, ask for your consent again.

13. Contact

Questions or requests: [privacy@vo3.fit].

← Back to sign up