Privacy Policy

• Account & Contact: email address, name, profile photo (if you choose to add one), login identifiers, and settings. Authentication information: when you sign in with Google, we receive your email address and name from Google.
• Profile Information: age, height, weight, fitness goals, training history (all optional).
• Fitness/Wellness Data (if you connect a device/service): examples include sleep, recovery/strain, HRV, heart rate, steps, workouts, cycles, body metrics. Exact fields depend on what you authorize.
• Workout Data: exercises performed, sets, reps, weights, duration, perceived effort.
• Nutrition Data: meals logged, calories, macronutrients (if you use the nutrition features).
• Communications: any messages you send us via email or in-app support.
• Payment Information: if you subscribe to a paid plan, payment information is collected and processed by our payment processor (Stripe). We do not store full payment card details on our servers.
• Usage & Device: device type, operating system, browser type, IP address, pages visited, features used, time spent in the app, and app crashes. Aggregated and pseudonymized usage patterns are collected via PostHog (product analytics) and Plausible (privacy-respectful web analytics).
• Workspace Data (if enabled): limited Microsoft 365 or Google Workspace data you explicitly configure for reminders/automation (e.g., spreadsheet/task rows, calendar event titles/times).

You are in control: we only access data from third-party services after you consent via OAuth or system prompts. You can disconnect at any time, which stops future syncing.

When you connect a wearable or health platform, we receive data with your explicit consent and use it to provide training, recovery, and readiness features.

WHOOP

• Possible data: strain, recovery score, sleep performance and stages, heart rate variability (HRV), resting heart rate, respiratory rate (as authorized).
• Use: to display your metrics and generate training insights.
• Control: disconnect WHOOP in our app or via WHOOP’s account settings; request deletion from us at legal@nodaysoff.fitness.

Oura

• Possible data: heart rate variability (HRV), resting heart rate, sleep duration and quality, readiness score, body temperature trends (as authorized).
• Use: personalized readiness and recovery guidance.
• Control: revoke access in Oura or in our app; request deletion anytime.

Apple Health (HealthKit)

• Possible data: heart rate variability (HRV), resting heart rate, sleep data, workout history, heart rate during workouts, and body weight (if you log it to Apple Health).
• Use: strictly to provide or improve health and fitness features in the app.
• Special terms: We do not use HealthKit data for marketing, advertising, or data brokers; we do not sell HealthKit data; we do not use it for profiling unrelated to health/fitness.
• Control: manage permissions in iOS Settings → Health → Data Access & Devices; you can delete Health data from our systems by emailing legal@nodaysoff.fitness.

Google (Sign-In & Workspace)

• Possible data: basic profile (name, email, photo) for sign-in; optionally calendar titles/times or spreadsheet rows if you connect them for reminders/automation.
• Use: authentication, and (optionally) schedule-aware training reminders you enable.
• Control: revoke at Google Account → Security → Third-party access and/or in our app; request deletion anytime.

Microsoft 365 (O365)

• Possible data: limited spreadsheet/task/calendaring data you explicitly configure (e.g., job schedules or reminders stored in your tenant).
• Use: to trigger reminders or surface upcoming tasks you ask us to track.
• Control: revoke in Microsoft Entra (Azure AD) enterprise apps and/or in our app; request deletion anytime.

Webhooks: If enabled, partners may push updates to us (e.g., completed workout). We process only the fields you authorized and apply the same protections described below.

Wearable Health Data: Storage, Access, and Deletion

• How it is stored: wearable and health data is stored with encryption in transit (TLS 1.2+) and encryption at rest.
• Who can access it: access is limited to authorized personnel and contracted service providers who need access to operate NDO.
• How deletion works: you can request deletion at any time via account settings or by emailing legal@nodaysoff.fitness. Full deletion requests are processed within 30 days, and encrypted backups containing your data are purged within 60 days.

• Provide core features: login, dashboards, workout logs, recommendations, reminders.
• Personalize training plans using your authorized metrics and preferences.
• Process payments and manage subscriptions.
• Maintain, secure, debug, and improve the Services (fraud/abuse prevention, troubleshooting, analytics).
• Communicate about updates, security notices, and support.
• Comply with law, enforce terms, and protect our users and Services.

We do not sell your personal information to third parties. We do not share your health data with advertisers. We do not use your data to train AI models for sale to third parties.

• No selling or “sharing” for cross-context behavioral advertising.
• Service providers (processors): trusted vendors that host, process, or support our Services. They are bound by confidentiality and data-processing terms and may only use data as instructed. Current service providers include: Amazon Web Services (cloud hosting and storage), Stripe (payment processing), Beehiiv (email delivery), PostHog (product analytics), Plausible Analytics (web analytics), Sentry (error monitoring), Apple (App Store and HealthKit), Google (OAuth sign-in), Oura Health (Oura integration), and WHOOP (WHOOP integration).
• Authorized connections: we share with third-party services only when you connect them and only as needed for the feature to work.
• Legal/Compliance: if required by law or to protect rights, safety, or the integrity of the Services.
• Business transfers: if we undergo a merger, acquisition, or asset sale, your data may transfer under the same protections. You will be notified.

We use industry-standard technical and organizational safeguards, including encryption in transit (TLS 1.2+), encryption at rest, access controls limiting which personnel can access user data, and regular security reviews. No method is 100% secure; please use strong passwords and keep your devices updated. If we become aware of a data breach that affects you, we will notify you and the appropriate authorities as required by law.

• Account information: retained while your account is active, plus up to 90 days after account closure for backup and recovery purposes.
• Health, wearable, and workout data: retained while your account is active. Deleted within 30 days of account closure or upon request.
• Payment records: retained as required by tax and accounting law (typically 7 years).
• Support communications: retained for 3 years after the last interaction.
• Analytics data: aggregated and pseudonymized data may be retained indefinitely for product improvement.

Full deletion on request: you can request complete deletion at any time by emailing legal@nodaysoff.fitness or through account settings. Requests are processed within 30 days. Encrypted backups containing your data are purged within 60 days of deletion.

• Disconnect integrations: in our app or the third-party’s settings (WHOOP, Oura, Apple Health, Google, Microsoft).
• Access, correction, deletion: email legal@nodaysoff.fitness. We will respond within 30 days. We may need to verify your identity before processing your request.
• Portability: request your data in a portable format (typically JSON or CSV).
• Withdrawal of consent: withdraw consent to specific data processing at any time without affecting prior processing.
• Marketing preferences: opt out of non-essential emails via unsubscribe links.
• CCPA/CPRA (California): we do not “sell” or “share” your personal information as defined by California law. You may request access or deletion at any time.
• GDPR (EEA/UK): where applicable, legal bases include consent (when you connect integrations or for marketing communications), contract (to provide the Services), legitimate interests (security, improvement, fraud prevention), and legal obligations (when required by law). You may also have the right to lodge a complaint with a supervisory authority if you believe we have violated your privacy rights.

Our Services are not intended for users under 18. We do not knowingly collect personal information from children under 18. If you believe we collected information from a child under 18, contact us and we will delete it.

We may process and store information in the United States and other countries. Where required, we use appropriate safeguards (e.g., standard contractual clauses) for cross-border transfers.

We may update this policy from time to time. When we make material changes, we will notify you by email and/or by posting a prominent notice on the website at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

Email: legal@nodaysoff.fitness
Mailing Address (optional): Relentless Training, 663 N 132nd St Omaha, NE 68154