Legal & Privacy

Last updated: March 2026

Privacy Policy

1. Introduction

This Privacy Policy explains how we collect, use, store, process, and disclose personal data and athletic activity data uploaded to our performance analytics platform. By using the platform, you agree to the practices described in this policy.

2. Information We Collect

We collect the following categories of data:

  • Account Information: Name, email address, login credentials, and contact details.
  • Training Data: Activity files (e.g., .FIT, .TCX, .GPX), power, heart rate, cadence, speed, session logs, gym records, and manually entered performance metrics.
  • Health & Wellness Data: Menstrual cycle tracking, sleep, fatigue, mood, soreness, and recovery indicators.
  • Body Composition Data: Weight, body fat percentage, and muscle mass synced from Withings devices.
  • Timing Data: Split times, effort types, and environmental conditions (wind speed, direction, temperature) from GBCT.io.
  • Device Data: Device identifiers, browser type, IP address, and usage logs.
  • Communications: Messages sent to coaches or support services through the platform.

3. How We Use Your Data

Your data is used to:

  • Generate dashboards, visualizations, performance analytics, and predictive insights.
  • Identify trends and correlations between training load and health metrics.
  • Provide coach-facing analytics where applicable.
  • Improve platform features, algorithms, and user experience.
  • Ensure system security and prevent misuse.

We do not sell your personal or activity data to third parties.

4. Algorithmic Processing & Predictions

Uploaded data may be processed by automated systems to generate performance insights, forecasts (including menstrual cycle predictions), and training recommendations. These outputs are informational tools and do not constitute medical advice.

5. Data Sharing & Disclosure

We may disclose data:

  • To your designated coach, if you grant access.
  • To service providers who assist in hosting, analytics, and infrastructure.
  • If required by law, regulation, or legal process.
  • In connection with a business transfer, merger, or acquisition.

All third-party processors are required to maintain appropriate data protection safeguards.

Third-Party Integrations

The platform connects to the following services when you authorise them. Data is only exchanged with services you explicitly connect:

  • Strava: Activity data, routes, and segment efforts.
  • Wahoo: Workout sync and workout push to devices.
  • Withings: Body composition (weight, body fat, muscle mass), sleep data, and activity data.
  • Dropbox: File sync and sleep data imports.
  • GBCT.io: Timing data (split times, effort types) and environmental data (wind, temperature).
  • Garmin: Activity sync.
  • Apple Health (HealthKit) — iOS app only: Read-only access to heart rate, heart-rate variability (HRV), resting heart rate, sleep analysis, body mass, basal body temperature, and menstrual cycle data. The iOS operating system requires explicit per-category consent the first time you connect. Data flows one way only — BH Performance never writes to Apple Health, and never requests write permission. You may revoke any or all categories at any time from Settings → Privacy & Security → Health → BH Performance on your device.

You may disconnect any integration at any time from your Profile settings.

Integration Consent & Data Responsibility

By connecting a third-party integration, you explicitly consent to the transfer of your data from that service into the BH Performance Innovation platform. Once imported, your data is stored and protected under this privacy policy, including encryption at rest (LUKS2 AES-XTS 512-bit), UK-hosted servers, and role-based access controls.

Important: Third-party services have their own privacy policies and data protection practices, which are outside our control. We recommend reviewing each service's privacy policy before connecting. In particular:

  • Some third-party services may not have published privacy policies or may not be fully GDPR-compliant.
  • Data transferred from third parties may have originally been processed under different legal jurisdictions or standards.
  • We do not control how third-party services store or process your data on their own platforms.
  • Once your data is imported into our platform, it is subject exclusively to our privacy policy and UK GDPR protections.

You may revoke consent for any integration at any time by disconnecting it from your Profile settings. Upon disconnection, no further data will be imported. You may also request deletion of previously imported data by using the self-service data deletion feature in your Profile, or by contacting us directly.

Apple Health (HealthKit) — Specific Notice

Our use of the Apple HealthKit framework on iOS is governed by Apple's HealthKit policies and the following commitments:

  • Read-only access. The BH Performance Innovation iOS app requests read access only. It does not request, and will not use, write access to Apple Health.
  • Explicit purpose. HealthKit data (heart rate, HRV, resting HR, sleep, body mass, basal body temperature, menstrual cycle) is used exclusively to personalise your training plan, generate recovery and readiness insights, and support cycle-aware coaching for female athletes.
  • No advertising. HealthKit data is never used for advertising, marketing, or other use-based data-mining purposes.
  • No sale or disclosure. HealthKit data is never sold to third parties, rented, or disclosed to data brokers, insurers, employers, or credit agencies under any circumstances.
  • No sharing without coach link. HealthKit data is visible only to you and to coaches you have explicitly linked to your athlete profile. It is never shared with other users of the platform.
  • Storage. HealthKit data imported into BH Performance Innovation is stored on our UK-hosted servers under the same encryption, access control, and retention rules as all other personal data (see Section 6).
  • Revocation. You can revoke access at any time from iOS Settings → Privacy & Security → Health → BH Performance. Disconnecting Apple Health from within the app stops further syncing. Previously synced data can be deleted via the self-service data deletion feature on your Profile page or by contacting us.

6. Data Storage & Security

Data is stored on secure, UK-hosted servers. No data is transferred transatlantically. We retain your data only as long as necessary to provide services or comply with legal obligations. The following technical safeguards are in place:

  • Encryption at rest: LUKS2 AES-XTS 512-bit full-disk encryption on all stored data.
  • Encryption in transit: HTTPS/TLS encryption on all connections.
  • Access control: Role-based access control with 7 distinct roles governing data visibility and permissions.
  • Containerisation: Docker containerisation running as a non-root user for process isolation.
  • Reverse proxy: Nginx reverse proxy with security headers (HSTS, CSP, X-Frame-Options).
  • Backups: Automated database backups with encrypted storage.
  • Data residency: All data hosted in the United Kingdom with no transatlantic transfers.

7. Your Rights

Depending on your jurisdiction, you may have rights to:

  • Access your data.
  • Correct inaccurate data.
  • Request deletion of your data.
  • Restrict or object to certain processing activities.
  • Export your data in a structured format.

Data export and account deletion are available as instant self-service actions from your Profile page. For other requests, please use the contact information below.

8. International Transfers

All data is hosted on UK-based servers. We do not make transatlantic data transfers. If data is transferred outside the UK in the future, appropriate safeguards such as contractual protections or equivalent measures will be applied.

9. Children's Data

The platform is not intended for individuals under the age of 16 without parental or guardian consent.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Updated versions will be posted within the platform with a revised effective date.

11. Contact Information

For privacy-related inquiries, data access requests, or complaints, please contact:

BH Performance Innovation
dataprivacy@trackcyclingcoach.com
