Table of Contents
- 1. Overview
- 2. Data Sources & Usage
- 2.5. HealthKit Data Usage & Apple Requirements
- 3. AI Processing & Analytics
- 4. Data Security & Breach Notification
- 5. Your Rights
- 6. Third-Party Services
- 7. Data Retention & Deletion
- 8. GDPR Rights (European Users)
- 9. California Consumer Privacy Act (CCPA)
- 10. Artificial Intelligence & Automated Decision Making
- 11. International Data Transfers
- 12. Children's Privacy Protection
- 13. Contact Information
1. Overview
At OMYRA, we believe in complete transparency about how we use your fitness data. This Privacy Policy explains exactly how we collect, use, and protect your information to provide personalized AI coaching.
2. Data Sources & Usage
OMYRA integrates with multiple fitness platforms, but we use them differently based on their terms of service and your consent:
🟢 Garmin Connect & Apple HealthKit - AI-Enabled
Usage: Full AI processing, coaching recommendations, plan adaptations
Data Used: Workouts, heart rate, sleep data, training metrics, recovery indicators
Purpose: Powering Maya's AI coaching, readiness scores, and plan modifications
🔵 Manual Activity Entry - AI-Enabled
Usage: Full AI processing, coaching recommendations, plan adaptations
Data Used: Workout details, RPE ratings, notes, performance metrics
Purpose: Primary data source for users without connected devices
🟡 Strava - Display Only
Usage: Activity display and historical reference only
Data Used: Workout summaries for display in your activity feed
NOT Used For: AI coaching, recommendations, or plan adaptations
Why: Strava's terms of service restrict certain AI applications
2.5. HealthKit Data Usage & Apple Requirements
Specific HealthKit Data Types We Access:
- Workout Sessions (HKWorkoutType): Training duration, activity type, energy burned
- Heart Rate Data (HKQuantityType.heartRate): Real-time heart rate during workouts
- Heart Rate Variability (HKQuantityType.heartRateVariabilitySDNN): Recovery and readiness indicators
- Active Energy Burned (HKQuantityType.activeEnergyBurned): Training load calculations
- Distance Walking/Running (HKQuantityType.distanceWalkingRunning): Pace and distance tracking
- Sleep Analysis (HKCategoryType.sleepAnalysis): Recovery and readiness scoring
- Resting Heart Rate (HKQuantityType.restingHeartRate): Fitness level assessment
How We Use HealthKit Data:
- AI Coaching: Heart rate zones, training load calculation, readiness scoring
- Performance Analysis: Workout trends, progression tracking, recovery insights
- Plan Adaptation: Real-time training modifications based on performance data
- Maya Coaching: Personalized feedback based on your health metrics
HealthKit Data Protection:
- NOT Shared: HealthKit data is never shared with third parties, sold, or used for marketing
- Local Processing: Data processed on your device when possible
- Secure Storage: Encrypted storage with industry-standard security
- Limited Retention: HealthKit data deleted within 30 days of account deletion
Your HealthKit Rights:
- Granular Control: Manage each data type individually in the iOS Health app
- Revoke Access: Disconnect HealthKit anytime without affecting other app features
- Data Transparency: View exactly what data OMYRA has accessed
- Immediate Deletion: Request immediate deletion of all HealthKit data
Apple Health Integration Compliance:
OMYRA complies with Apple's HealthKit framework requirements and does not use HealthKit data for advertising, marketing, data mining, or any purpose other than providing personalized health and fitness coaching services.
3. AI Processing & Analytics
Our AI coaching (Maya) only processes data from approved sources:
What Powers Our AI:
- Garmin Connect workout data and biometrics
- Apple HealthKit fitness and health data
- Manual activity entries and RPE ratings
- Your training goals and availability preferences
AI Features Include:
- Personalized training plan adaptations
- Weekly performance analysis and insights
- Readiness score calculations
- Recovery and training load recommendations
- Maya's coaching conversations and feedback
Data Processing Location:
AI processing occurs on secure cloud servers (OpenAI GPT-4) with enterprise-grade security. No personal data is used to train OpenAI's models.
4. Data Security & Breach Notification
Technical Security Measures:
- Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
- Access Control: Multi-factor authentication for all admin access
- Audit Logging: Complete audit trail of all data access
- Data Minimization: We only collect and process necessary data
- Regular Security Reviews: Quarterly security assessments and penetration testing
Data Breach Response:
- Detection: 24/7 security monitoring and immediate incident response
- Regulatory Notification: Notification to supervisory authorities within 72 hours if required
- User Notification: Direct notification to affected users without undue delay
- Remediation: Immediate containment and long-term security improvements
5. Your Rights
You have complete control over your data:
Data Access & Control:
- View: See all data we have about you
- Export: Download your complete training history
- Delete: Remove your account and all associated data
- Modify: Update or correct any information
- Disconnect: Revoke access to any connected service anytime
Granular Permissions:
You can control exactly which data sources OMYRA can access:
- Enable/disable Garmin Connect integration
- Grant/revoke Apple HealthKit permissions
- Choose specific HealthKit data types to share
- Disconnect Strava while keeping other integrations
6. Third-Party Services
OMYRA integrates with these services under their respective privacy policies:
Garmin Connect
We access your Garmin data through official APIs with your explicit permission. This data is used for AI coaching features.
Apple HealthKit
Health data is processed locally on your device when possible, with select metrics used for AI coaching with your consent.
Strava
We display your Strava activities for reference only. No Strava data is used for AI processing or recommendations.
OpenAI (GPT-4)
Anonymized training metrics are processed by OpenAI for AI coaching features. No personally identifiable information is shared.
7. Data Retention & Deletion
Retention Periods by Data Type:
- Training Data: Kept while your account is active, plus 30 days after deletion
- AI Models: Personal AI adaptations deleted immediately upon account deletion
- HealthKit Data: Deleted immediately when HealthKit access is revoked
- Usage Analytics: Anonymized usage patterns kept for 2 years for product improvement
- Support Records: Customer support interactions kept for 1 year
8. GDPR Rights (European Users)
Legal Basis for Processing Your Data:
- Contract Performance (Art. 6(1)(b)): Training plan delivery, AI coaching, account management
- Legitimate Interest (Art. 6(1)(f)): Product improvement, security, analytics, customer support
- Consent (Art. 6(1)(a)): HealthKit integration, Garmin Connect access, marketing communications
- Vital Interests (Art. 6(1)(d)): Emergency contact features, safety-related notifications
Your Complete GDPR Rights:
Right of Access (Art. 15)
- Request a copy of all personal data we hold about you
- Understand how your data is being processed
- Receive data in a commonly used, machine-readable format
- How to Request: Email support@omyra.app with "GDPR Access Request"
Right to Rectification (Art. 16)
- Correct any inaccurate or incomplete personal data
- Update your training goals, preferences, or account information
- How to Request: Update directly in app settings or email support@omyra.app
Right to Erasure "Right to be Forgotten" (Art. 17)
- Request deletion of your personal data when no longer necessary
- Withdraw consent for data processing
- How to Request: Use "Delete Account" in app or email support@omyra.app
Right to Data Portability (Art. 20)
- Export your training data to another service
- Receive data in JSON or CSV format
- How to Request: Use the "Export Data" feature in the app or email support@omyra.app
GDPR Request Processing:
- Response Time: Within 30 days of verified request
- Identity Verification: Required for security (government ID may be requested)
- No Fee: First request is free; excessive requests may incur reasonable fees
Data Protection Contact:
- Email: support@omyra.app
- Response Time: Within 7 business days for initial response
Supervisory Authority:
You have the right to lodge a complaint with your local data protection authority:
- Spain: Agencia Española de Protección de Datos (AEPD) - www.aepd.es
- EU Directory: https://edpb.europa.eu/about-edpb/board/members_en
9. California Consumer Privacy Act (CCPA)
Categories of Personal Information We Collect:
Identifiers:
- Email address, user ID, device identifiers
- Purpose: Account creation, authentication, customer support
- Sources: Directly from you, automatically from device
Health/Fitness Data:
- Workout data, biometrics, training metrics, performance data
- Purpose: AI coaching, plan adaptation, progress tracking
- Sources: HealthKit, Garmin Connect, manual entry
Internet Activity:
- App usage patterns, feature interactions, performance analytics
- Purpose: Product improvement, bug fixes, feature development
- Sources: Automatically collected through app usage
Your CCPA Rights:
Right to Know (Cal. Civ. Code § 1798.100)
- Know what personal information we collect
- Know how personal information is used and shared
- Know if personal information is sold or disclosed (We don't sell data)
- How to Request: Email support@omyra.app
Right to Delete (Cal. Civ. Code § 1798.105)
- Request deletion of personal information we collected from you
- Exceptions: Necessary for service delivery, legal compliance, security
- How to Request: Use "Delete Account" in app or email support@omyra.app
Right to Opt-Out of Sale (Cal. Civ. Code § 1798.120)
- We do NOT sell personal information to third parties
- We do NOT share personal information for cross-context behavioral advertising
- Status: No opt-out needed as we don't sell data
CCPA Request Process:
- Email: support@omyra.app with "CCPA Request"
- Verification: Required to protect your data security
- Response Time: Within 45 days (may extend to 90 days if complex)
- No Fee: CCPA requests are always free
10. Artificial Intelligence & Automated Decision Making
AI Systems We Use:
Training Plan Generation:
- Technology: Algorithmic creation based on sports science principles
- Data Used: Goals, availability, current fitness level, performance history
- Decisions Made: Workout scheduling, intensity distribution, training phases
- Human Override: You can manually adjust any generated plan
Maya AI Coach:
- Technology: GPT-4-powered conversational coaching
- Data Used: Workout data, performance trends, training context
- Decisions Made: Coaching advice, motivational messages, educational content
- Human Override: All suggestions are optional; you control your training
Readiness Scoring:
- Technology: Automated fitness level and recovery assessment
- Data Used: Heart rate variability, sleep data, training load, subjective ratings
- Decisions Made: Daily readiness score, recovery recommendations
- Human Override: Manual override available; you know your body best
Your AI Rights:
- Right to Human Review: Request human review of any AI recommendation
- Right to Explanation: Understand how AI decisions are made
- Right to Override: Manually adjust or reject any AI suggestion
- Right to Opt-Out: Use manual planning instead of AI features
AI Limitations and Disclaimers:
- Not Medical Advice: AI coaching is for informational purposes only
- Potential for Errors: AI may contain biases, errors, or limitations
- Human Judgment: Your judgment should always override AI for safety
- Continuous Improvement: AI systems are continuously updated and improved
11. International Data Transfers
Data Processing Locations:
- Primary Processing: European Union (Dublin, Ireland - AWS Europe)
- AI Processing: United States (OpenAI - Microsoft Azure) with Standard Contractual Clauses
- Mobile Apps: Global (App Store/Play Store distribution)
International Transfer Safeguards:
- Standard Contractual Clauses (SCCs): EU Commission approved SCCs for all transfers
- Additional Safeguards: Technical and organizational measures beyond SCCs
- Regular Review: Annual review of SCC effectiveness
12. Children's Privacy Protection
Age Requirements:
- Users must be 13 years or older
- Users 13-17 require verifiable parental consent
- Users 18+ can accept these terms independently
Parental Rights:
- Parents can review and delete their child's data
- Parents can revoke consent and delete child's account
- Special protections apply to users under 18
- No behavioral advertising to users under 18
13. Changes to This Policy
We may update this Privacy Policy as OMYRA evolves. We'll notify you of significant changes via:
- Email notification to your registered address
- In-app notification
- Updated "Last Modified" date at the top of this policy
Continued use of OMYRA after policy updates constitutes acceptance of the changes.
Contact Information
Response time: Within 7 business days for privacy requests, 5 business days for general support