Privacy Policy
Last Updated: March 12, 2026
1. Introduction
ICU Coach ("we", "our", "the app") is an AI-powered training coach application for endurance athletes. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and applicable data protection laws.
Data Controller
The data controller responsible for your personal data is:
2. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Consent (Art. 6(1)(a) GDPR): Health data access (HealthKit / Health Connect), push notifications, optional AI analysis, and coach data sharing (athletes explicitly consent via the invite acceptance flow).
- Contract Performance (Art. 6(1)(b) GDPR): Providing the core app functionality (training analysis, recovery calculation, coaching services) as part of our service.
- Legitimate Interest (Art. 6(1)(f) GDPR): Crash reporting and error monitoring to maintain app stability and security.
3. Data We Collect
3.1 Data You Provide Directly
- Intervals.icu account connection authorization (OAuth consent), display name, and selected sport preferences
- AI provider API keys (OpenAI, Gemini) — stored securely on your device only
- Training preferences (sport type, target race, thresholds, experience level)
- App settings (language, theme, notification preferences)
- Profile information (age, gender, weight)
3.2 Data Accessed from Intervals.icu (with your permission)
- Wellness data (HRV, resting heart rate, sleep hours, weight, SpO2)
- Training activities (distance, duration, power, heart rate, TSS, pace)
- Planned workouts and events
- Athlete profile (FTP, max HR, training zones, VO2max)
- Weather data associated with your location
3.3 Health Data (with your explicit permission)
Health data is only accessed when you explicitly grant permission through your device's health settings. You can revoke this permission at any time.
| Data Type | iOS (HealthKit) | Android (Health Connect) |
| Sleep Duration & Quality | ✅ | ✅ |
| Heart Rate Variability (HRV) | ✅ | ✅ |
| Resting Heart Rate | ✅ | ✅ |
| Heart Rate | ✅ | ✅ |
| Weight | ✅ | ✅ |
| Blood Oxygen (SpO2) | ✅ | ✅ |
| VO2 Max | ✅ | ✅ |
| Steps | ✅ | ✅ |
| Body Fat Percentage | ✅ | ✅ |
| Active & Total Calories | ✅ | ✅ |
| Distance | ✅ | ✅ |
| Basal Metabolic Rate | ✅ | ✅ |
If you enable Health Sync in the app, the device health metrics listed in the table above (including sleep, HRV, resting heart rate, heart rate, weight, SpO2, VO2 Max, steps, body fat percentage, calories, distance, and basal metabolic rate where available) may be synced to your Intervals.icu wellness account using your OAuth-authorized connection. This sync is used for core app functionality such as wellness continuity, dashboard readiness, and coaching insights. You can disable Health Sync at any time from Settings.
3.4 Coaching Data (with your explicit consent)
When you accept a coach's invitation to join their team, you explicitly consent to sharing your Intervals.icu training data with that coach. This connection is established through the standard Intervals.icu OAuth flow — you authorize access on the Intervals.icu consent screen before any data is shared.
When you join a coaching team, the following data is collected and stored:
- Coach-athlete relationship: Your Intervals.icu athlete ID, display name, the coach you are connected to, and the date you accepted the invitation
- Invite metadata: The invitation token used to join, invite status, and acceptance timestamp
- OAuth access token: Your Intervals.icu OAuth access token is stored in encrypted form (AES-256-GCM) on our server so your coach can access the data you authorized. The encryption key is stored separately from the database and is never exposed. This token grants access only to the scopes you approved on the Intervals.icu consent screen.
The following Intervals.icu data becomes accessible to your coach through their authorized connection:
- Training activities (workouts, rides, runs, swims)
- Wellness data (weight, sleep, HRV, resting heart rate)
- Calendar (planned workouts and events)
- Athlete settings (profile and preferences)
Your coach accesses this data using your individually authorized OAuth token — no additional data access is granted beyond what you approved on the Intervals.icu consent screen. When you revoke the coach connection, the stored encrypted token is permanently deleted.
3.5 Automatically Collected Data
The following data is collected automatically to maintain app stability and improve the service:
- Crash and error reports: Device model, operating system version, app version, crash stack traces, and error context (via Sentry)
- IP address: Collected incidentally by Sentry and cloud services during network requests. Not used for tracking or profiling.
- AI usage metrics: Daily count of AI feature usage, stored locally on your device for rate-limiting purposes only
- Subscription status: Anonymous purchase and entitlement data processed by RevenueCat for subscription management
- Coach push notification tokens: When a coach enables push notifications, an Expo push token is stored server-side (Supabase, EU). Used solely to deliver team activity notifications (athlete joined/disconnected). Removed when the coach disables notifications or uninstalls the app.
3.6 AI Service Data Sharing (with your explicit consent)
Before any data is sent to an AI service, the app asks for your explicit consent. You must review and accept which data is shared, who it is shared with, and how it will be used. You can decline at any time, in which case no data is sent and AI features will not be available until you provide consent.
When you use AI-powered features (Auto Coach, reports, nutrition advice, race predictions), the following data may be sent to your selected AI provider:
- Training data: Recent activities (type, duration, load, pace, power zones), planned workouts, and weekly volume
- Health metrics: HRV, resting heart rate, sleep duration (from Apple Health / Health Connect or Intervals.icu)
- Profile information: Age, weight, height, gender, active sports, fitness level (CTL/ATL/TSB scores)
- Wellness data: Recovery state, fatigue scores, form rating
Data is sent to one of the following AI providers, depending on your configuration:
- Google Gemini — when you use your own Gemini API key (data sent directly from your device to Google's servers)
- OpenAI (GPT-4o) — when you use your own OpenAI API key (data sent directly from your device to OpenAI's servers)
- ICU Coach Cloud AI — when you use the Cloud AI subscription (data sent to our Vercel backend, processed via OpenAI, then discarded)
All AI providers are subject to their own privacy policies. Data sent for AI analysis is:
- Used solely to generate the requested coaching response
- Not stored by ICU Coach after the response is generated
- Not used for advertising, profiling, or model training by ICU Coach
- Subject to the AI provider's data handling policy (see Google's and OpenAI's privacy policies for details)
4. How We Use Your Data
- Generate personalized AI training recommendations
- Calculate recovery status and training readiness
- Provide nutrition advice based on your activity
- Predict race performance
- Display weather conditions for your training location
- Send scheduled training notifications (with your permission)
- Monitor and fix app crashes and errors
- Manage your subscription and in-app purchases
- Facilitate coach-athlete connections so coaches can view athlete training data and provide personalized coaching guidance
We do NOT use your data for advertising, profiling, or automated decision-making that produces legal effects.
5. Data Storage and Security
- Intervals.icu OAuth access tokens are stored locally on your device using encrypted secure storage (Expo SecureStore).
- Training preferences and app settings are stored locally on your device (AsyncStorage).
- Coach-athlete relationship data (athlete ID, display name, coach ID, invite token, connection status) and encrypted OAuth tokens are stored in a secure PostgreSQL database hosted on Supabase (EU — Frankfurt, Germany). OAuth tokens are encrypted at the application layer using AES-256-GCM before storage; the encryption key is held only on the application server (Vercel) and never stored in the database.
- When using the Cloud AI option, your training context is sent to our secure backend (hosted on Vercel, US region) for AI processing. This data is processed in memory and not persisted — it is discarded immediately after the AI response is generated.
- When using your own AI keys (OpenAI/Gemini), data is sent directly from your device to the AI provider's servers.
- OAuth client secrets are never stored in the mobile app. Authorization code exchange is handled on a secure backend endpoint.
- API request rate limiting metadata (request counts per identifier) is processed by Upstash Redis (serverless, EU region) to prevent abuse. No personal data beyond an anonymized request identifier and timestamp is stored. Rate limiting data expires automatically within the configured time window (typically 60 seconds).
6. Data Retention
| Data Type | Retention Period | Location |
| Intervals.icu OAuth tokens & AI provider API keys | Until you delete them or uninstall the app | Your device (SecureStore) |
| App settings & preferences | Until you delete them or uninstall the app | Your device (AsyncStorage) |
| Cached training data | Automatically refreshed; stale data expires within 24 hours | Your device (AsyncStorage) |
| AI usage counters | Reset daily; cleared on uninstall | Your device (AsyncStorage) |
| Crash reports (Sentry) | 90 days (Sentry default retention) | Sentry servers (EU — Frankfurt, DE) |
| Subscription data (RevenueCat) | As per RevenueCat's retention policy | RevenueCat servers (US) |
| Cloud AI processing data | Not stored — discarded after response | Vercel (US) |
| Coach-athlete relationship data | Until the athlete or coach revokes the connection, or upon deletion request | Supabase (EU — Frankfurt, DE) |
| Encrypted OAuth tokens (coaching) | Until the connection is revoked — deleted immediately upon revocation | Supabase (EU — Frankfurt, DE), encrypted with AES-256-GCM |
| Coach push notification token | Until coach disables notifications or uninstalls the app | Supabase (EU — Frankfurt, DE) |
| Rate limiting metadata | Automatically expires within 60 seconds | Upstash Redis (serverless, EU) |
7. Third-Party Services
The app integrates with the following third-party services. Each has its own privacy policy governing its data handling:
| Service | Purpose | Data Shared | Server Location |
| Intervals.icu | Training data platform | OAuth-based authorized access token; planned workouts created by the app; selected wellness metrics synced from device health when Health Sync is enabled | EU |
| Google Gemini | AI analysis (optional) | Anonymized training context for AI processing | US |
| OpenAI | AI analysis (optional) | Anonymized training context for AI processing | US |
| Sentry | Crash reporting & error monitoring | Device info, OS version, crash data, IP address | EU (Frankfurt) |
| RevenueCat | Subscription & purchase management | Anonymous user ID, purchase receipts, entitlements | US |
| Open-Meteo | Weather data | Geographic coordinates only (no personal data) | EU |
| Apple HealthKit | Health data (iOS) | Read-only access with your permission | Your device |
| Google Health Connect | Health data (Android) | Read-only access with your permission | Your device |
| Supabase | Coach-athlete relationship database | Athlete ID, display name, coach ID, invite token, connection status | EU (Frankfurt) |
| Expo Push Service | Remote push notifications for coaches | Expo push token, notification title and body text | US |
| Upstash Redis | API rate limiting & abuse prevention | Anonymized request identifier, request count (no personal data) | EU |
We encourage you to review each service's privacy policy.
8. International Data Transfers
Some third-party services process data in the United States. When your data is transferred outside the European Economic Area (EEA), we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- The service provider's compliance with applicable data protection frameworks
Crash reporting data (Sentry) and coach-athlete relationship data (Supabase) are processed within the EU (Frankfurt, Germany).
9. Push Notifications
9.1 Local Notifications (Athletes)
With your permission, the app can send local push notifications to remind you of your daily training readiness. These notifications are:
- Scheduled locally on your device — no data is sent to any server
- Fully configurable (time, enable/disable) in app settings
- Able to be disabled at any time through app settings or your device's notification settings
9.2 Remote Notifications (Coaches)
Coaches may receive remote push notifications when team-related events occur, such as:
- An athlete accepts an invitation and joins the team
- An athlete disconnects from the team
These notifications are delivered via the Expo Push Notification Service. Coach push tokens are stored in our database (Supabase, EU — Frankfurt) and are used solely for delivering team activity notifications. Coaches can disable push notifications at any time from the app, which removes the stored token from the server.
10. Data Sharing
We do NOT sell, rent, or share your personal data with any third parties for marketing or advertising purposes.
Your data is only shared with third-party services in the following circumstances:
- When Health Sync is enabled, selected Apple Health / Health Connect metrics are synced to your Intervals.icu wellness account via your OAuth-authorized connection
- When you explicitly request an AI analysis (training context sent to AI provider)
- When a crash occurs (anonymous error data sent to Sentry)
- When you make a purchase (transaction data processed by RevenueCat and the platform store)
- When you accept a coaching invitation, your Intervals.icu training data becomes accessible to that coach through the OAuth token you authorized. The coach can view your activities, wellness, calendar, and settings for coaching purposes only.
11. Your Rights
For All Users
- You can delete all your data by removing your account from the app settings or uninstalling the app.
- You can revoke health data permissions at any time through your device settings.
- You can revoke Intervals.icu access — the OAuth connection is automatically revoked when you delete your profile from the app. You can also manually revoke it via Intervals.icu → Settings → Apps.
- You can disconnect from a coaching team at any time. When you revoke a coach connection, the coach immediately loses access to your training data and the relationship record is marked as revoked in our database.
- You can disable push notifications at any time.
- You can use the app without providing AI keys (demo mode available).
Additional Rights Under GDPR (EU/EEA Users)
- Right of Access (Art. 15): You can request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): You can correct inaccurate personal data via app settings.
- Right to Erasure (Art. 17): You can request deletion of your personal data by uninstalling the app or contacting us.
- Right to Data Portability (Art. 20): Since your data is stored locally on your device, you already have full access and control over it.
- Right to Restrict Processing (Art. 18): You can disable specific features (AI, health data, notifications) independently.
- Right to Object (Art. 21): You can object to processing based on legitimate interest by contacting us.
- Right to Withdraw Consent: You can withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence. For Türkiye: KVKK (kvkk.gov.tr).
Additional Rights Under CCPA (California Users)
- You have the right to know what personal information is collected and how it is used.
- You have the right to request deletion of your personal information.
- We do not sell your personal information.
- You will not be discriminated against for exercising your rights.
12. Children's Privacy
ICU Coach is not intended for use by children under 16. We do not knowingly collect data from children. If you believe a child under 16 has provided us with personal data, please contact us so we can take appropriate action.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through an in-app notice. The latest version will always be available within the app. We recommend reviewing this policy periodically.
14. Contact
For questions, data requests, or concerns about this Privacy Policy, contact us at:
We will respond to your request within 30 days.