Privacy Policy

Effective date: 25 February 2026
Last updated: 25 February 2026
Version: 1.3

This Privacy Policy describes how GHURT ("we", "us", "our") collects, uses, discloses, and otherwise Processes Personal Data in connection with the GHURT service — a health data integration platform that enables users to query wearable fitness device data through natural language interfaces, including via MCP (Model Context Protocol) server integrations ("the Service"). Please read this Policy carefully. By accessing or using the Service, you acknowledge that you have read and understood this Policy.

1

Data Controller

The Data Controller responsible for the Processing of your Personal Data in connection with the Service is:

  • Name: Alexander Milekhin
  • Operating under: GHURT
  • Country of establishment: France
  • Contact: [email protected]

For all data protection enquiries, including requests to exercise your rights under the GDPR, please contact us at the email address above. We will acknowledge receipt within five (5) business days and respond substantively within the timeframes prescribed in Section 13.

2

Scope and Application

This Policy applies to all individuals who: (i) create an account with the Service; (ii) connect a fitness device or wearable platform to the Service via the authorisation mechanism required by that provider; (iii) subscribe to any paid tier of the Service; or (iv) otherwise interact with GHURT in any capacity. It applies to Personal Data collected through the GHURT website, application programming interfaces, and all interfaces through which the Service is accessed, including MCP server connections from compatible AI assistant environments.

This Policy does not apply to the independent data practices of third-party fitness platforms (Garmin, Whoop, Oura) or to Paddle's processing of payment information. Those parties operate as independent Data Controllers under their own privacy policies, which are linked in Section 9.

3

Personal Data We Process

We collect and Process the following categories of Personal Data in connection with the operation of the Service:

  • Identity and account data: email address, date and time of account creation, and any display name or profile information you voluntarily provide.
  • Authentication credentials: Access tokens, refresh tokens, or other authentication material required by each third-party fitness provider (Garmin, Whoop, Oura), which may include credentials you provide during the connection process where the provider's integration flow requires it. These credentials are encrypted at rest and used solely to retrieve fitness data on your behalf and at your direction.
  • Health and fitness metrics: data retrieved from your connected devices exclusively in response to your explicit, user-initiated queries, including sleep duration and quality scores, heart rate variability (HRV), resting heart rate, activity and workout records, and recovery or readiness indicators. By default, no background polling or continuous synchronisation of health data occurs. Health data is retrieved only in response to explicit, user-initiated queries.
  • Subscription and billing data: subscription status, plan tier, and Paddle transaction identifiers. We do not receive or store payment card numbers, bank account details, or other sensitive financial instrument data.
  • Technical and usage data: IP address, browser type and version, operating system, request timestamps, HTTP response codes, and error trace information, collected automatically for security monitoring and service maintenance.

4

Special Category Data

Health and fitness metrics obtained from wearable devices — including sleep data, heart rate variability, and physiological readiness indicators — constitute Special Category Personal Data within the meaning of Article 9 of the GDPR by virtue of being data concerning health.

We Process such data exclusively on the basis of your explicit consent, provided when you actively connect a fitness provider to your GHURT account using the authorisation flow required by that provider (Article 9(2)(a) GDPR). Consent is granular and provider-specific: connecting Garmin does not authorise us to retrieve data from Whoop or Oura, and vice versa.

You may withdraw consent at any time by disconnecting the relevant provider in your account settings or by contacting [email protected]. Withdrawal does not affect the lawfulness of Processing that occurred prior to withdrawal. The absolute restrictions on further use of health data are set out separately in Section 5.

5

Absolute Restrictions on Health Data Use

Given the sensitive nature of wearable-derived health data, GHURT imposes the following absolute restrictions on the purposes for which health data may be used. These restrictions cannot be overridden by user consent, operator configuration, or contract. They govern what health data may be used for, and are independent of retention settings, which users may configure separately within the limits of Section 11.

Binding Restrictions — Health Data

GHURT does not, and will not, use wearable-derived health data for any of the following purposes:

(a) AI or machine learning model training. Health data retrieved from connected fitness providers is never used to train, fine-tune, evaluate, or benchmark any machine learning or artificial intelligence model, whether operated by GHURT or any third party.

(b) Aggregated health analytics or benchmarking. Wearable-derived health metrics (HRV, sleep data, activity records, readiness scores, and equivalent data) are not aggregated across users for population-level analytics, commercial benchmarking, or research datasets, whether in identifiable, pseudonymised, or anonymised form. This restriction does not apply to operational telemetry that contains no health data content (such as request counts, error rates, and latency metrics), which GHURT may aggregate for service reliability and security monitoring purposes.

(c) Advertising, profiling, or targeting. Health data is not used to construct behavioural profiles, to target advertising, or to infer characteristics about you for any commercial purpose beyond delivering the Service.

(d) Resale, licensing, or transfer. Health data is not sold, licensed, rented, or otherwise transferred to any third party for that party's own purposes.

(e) Predictive profiling. Health data is not used to make automated predictions about your future health, behaviour, or characteristics beyond returning the specific data you have requested.

Health data is retrieved solely to fulfil the specific, user-initiated query submitted to the Service at the time of request. It is not retained beyond what the user explicitly configures and is not made available to any party other than the user who owns the underlying device account.

6

AI Integration and MCP Server Processing

The Service is designed to be accessed via MCP (Model Context Protocol) server interfaces, which allow compatible AI assistant environments — such as Claude Desktop — to query your fitness data through natural language. This section describes how that integration works and the data protection implications.

How health data flows through an MCP session: When you submit a query through an AI assistant connected to GHURT via MCP, the following occurs: (i) the AI assistant sends a structured request to the GHURT MCP server; (ii) the GHURT server authenticates the request using your stored access credentials for that provider; (iii) the relevant fitness data is fetched from the provider API and returned to the AI assistant as a response to your query; (iv) the AI assistant presents the result to you. GHURT acts as a data retrieval layer in this flow — we do not participate in or control the AI assistant's own processing of data once it is returned.

Third-party AI providers: GHURT does not itself operate a large language model. When you use the Service via an AI assistant (e.g. Claude Desktop), the AI provider's own privacy policy governs how the AI processes the data within your conversation context. GHURT transmits health data only in response to your explicit query, in the same manner as any API call you would make directly. We do not send health data to any AI provider speculatively, in bulk, or for any purpose other than fulfilling your immediate query.

No caching by GHURT: GHURT does not cache or persistently store the health data returned to an AI assistant beyond the request-response cycle, unless you have explicitly enabled historical data retention in your account settings.

No cross-user inference: GHURT does not combine or correlate health data across different user accounts for any purpose, including to improve query handling.

User responsibility and health data warning: When you submit a query through an AI assistant connected to GHURT, GHURT returns raw health metrics (e.g. HRV values, sleep scores, activity records) directly into your AI conversation context. Those metrics are then processed by the AI provider in accordance with that provider's own privacy policy and data retention practices, which are outside GHURT's control. You should not use GHURT via an AI assistant unless you have reviewed and accept that AI provider's data handling terms, including how they process and retain health data within conversation context. Example privacy policies for AI providers that support MCP integrations (non-exhaustive): Anthropic (Claude).

7

Purposes and Legal Bases for Processing

We Process your Personal Data only for specified, explicit, and legitimate purposes. The following table sets out each purpose, the data involved, and the applicable legal basis under the GDPR.

  • Service provision: Authenticating your account, connecting fitness providers, and retrieving health data solely in response to user-initiated requests. No background polling occurs. Legal basis: Art. 6(1)(b) — performance of a contract.
  • Subscription management: Processing subscription status and billing records to manage access to paid features. Legal basis: Art. 6(1)(b) — performance of a contract.
  • Security and fraud prevention: Monitoring access logs and error traces to detect and prevent unauthorised access, abuse, or misuse. Legal basis: Art. 6(1)(f) — legitimate interests in maintaining the integrity and security of the Service.
  • Legal compliance: Retaining billing records as required by applicable French accounting law. Legal basis: Art. 6(1)(c) — compliance with a legal obligation.
  • Health data retrieval: Processing Special Category health data to fulfil a specific, user-initiated query. Health data is retrieved only upon direct user request and is not used for any purpose other than returning the requested result to the requesting user. By default, no background polling or continuous synchronisation occurs. Legal basis: Art. 9(2)(a) — explicit consent via provider authorisation.

We do not engage in automated decision-making or profiling producing legal or similarly significant effects within the meaning of Article 22 GDPR. We do not sell, rent, or otherwise transfer your Personal Data to third parties for their own commercial purposes.

8

Controller Relationships with Fitness Data Providers

GHURT operates as an independent Data Controller with respect to the Personal Data it Processes in connection with the Service. GHURT is not a data processor or sub-processor of Garmin, Whoop, or Oura.

The relationship between GHURT and each fitness data provider is as follows: you, the user, grant GHURT delegated access to your fitness provider account by completing the authorisation flow required by that provider. This authorisation enables GHURT to make API calls to the provider on your behalf. GHURT determines the purposes and means of its own Processing of the data retrieved via those API calls independently of the provider.

Each fitness data provider (Garmin, Whoop, Oura) independently determines the purposes and means of Processing your data on its own platform and is therefore an independent Data Controller with respect to that processing. Neither GHURT nor any fitness provider acts as a joint controller with the other within the meaning of Article 26 GDPR in respect of the API data flows described in this Policy.

In the event that a fitness data provider terminates GHURT's API access or revokes the authorisation you have granted, GHURT will cease retrieving data from that provider without undue delay and will delete any stored access credentials associated with that provider immediately and in any event within seven (7) days.

9

Third Parties: Data Sources and Processors

This section distinguishes between two categories of third party involved in the operation of the Service, which have materially different legal relationships to GHURT and to your Personal Data.

Part A — Fitness Data Sources (Independent Data Controllers)

The following fitness platform providers are independent Data Controllers. They determine the purposes and means of processing your data on their own platforms independently of GHURT. GHURT accesses data held by these providers only via the authorisation mechanism required by each provider, acting on your explicit instruction and authorisation. GHURT is not a processor or sub-processor of these providers, and they are not processors of GHURT. As described in Section 8, neither GHURT nor any fitness provider acts as a joint controller with the other in respect of these API data flows.

Garmin
Independent Data Controller. GHURT accesses the Garmin Connect API using the authorisation you have granted to retrieve activity and wellness data exclusively on your request. Garmin's own processing is governed by the Garmin Privacy Policy.
Whoop
Independent Data Controller. GHURT accesses the WHOOP API using the authorisation you have granted. WHOOP's own processing is governed by the WHOOP Privacy Policy.
Oura
Independent Data Controller. GHURT accesses the Oura API using the authorisation you have granted. Oura's own processing is governed by the Oura Privacy Policy. In connection with your use of the Oura API integration, Oura may collect certain use data and information related to your use of the Oura API materials, and may use such data for any business purpose, including providing enhancements to the Oura API and platform.

Part B — Service Processors (Sub-processors Acting on GHURT's Behalf)

The following providers act as data processors or sub-processors, processing Personal Data strictly on GHURT's behalf and pursuant to contractual data-protection terms (including Data Processing Agreements where available) that require them to protect Personal Data to standards consistent with this Policy.

Paddle
Merchant of Record and payment processor. Paddle processes payment transactions and manages subscription billing as an independent controller for payment data. GHURT receives only subscription status and transaction identifiers. Governed by the Paddle Privacy Policy.
Neon
Sub-processor. PostgreSQL database-as-a-service hosted in the EU (Frankfurt, Germany). Processes Personal Data solely to provide database infrastructure to GHURT. Governed by contractual data-protection terms including a Data Processing Agreement where available. See the Neon Privacy Policy.
Railway
Sub-processor. Application hosting infrastructure in Railway's EU (Frankfurt, Germany) region. Processes Personal Data solely to provide compute and hosting services to GHURT. Governed by contractual data-protection terms including a Data Processing Agreement where available. See Railway's Privacy Policy.

GHURT will provide reasonable notice to affected users in the event of material changes to the sub-processors listed in Part B. We will not disclose your Personal Data to any other third party except: (i) with your prior written consent; (ii) to comply with a legal obligation, court order, or enforceable governmental request; (iii) to establish, exercise, or defend legal claims; or (iv) to protect the vital interests of any person.

10

International Transfers

GHURT hosts its own infrastructure entirely within the European Union (Frankfurt, Germany) via Neon and Railway. Personal Data stored and processed by GHURT's own systems therefore remains within the EEA. When GHURT calls third-party fitness provider APIs (Garmin, Whoop, Oura) on your behalf, those providers may process data outside the EEA on their own infrastructure. Such processing occurs under those providers' own transfer mechanisms and is outside GHURT's control.

However, the fitness data providers integrated with the Service — Garmin, Whoop, and Oura — are incorporated in the United States. When you authorise GHURT to access your data via these providers' APIs, the authorisation exchange and API calls are made to those providers' endpoints, which may be hosted on infrastructure located outside the EEA. Such transfers occur under those providers' own transfer mechanisms, which may include Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR or European Commission adequacy decisions pursuant to Article 45 GDPR. We recommend consulting each provider's privacy policy (linked in Section 9) for details of their international transfer mechanisms.

Similarly, if you access the Service via an AI assistant provided by a non-EEA entity (such as Anthropic), data within your conversation context — including health data returned by GHURT — may be processed outside the EEA by that AI provider under their own transfer mechanisms. GHURT is not responsible for the AI provider's processing once data has been returned to the AI assistant interface in response to your query.

11

Data Retention

We retain Personal Data only for as long as necessary for the purposes set out in this Policy, or as required by law. The following retention periods apply:

  • Account and identity data: retained for the duration of your account and permanently deleted within thirty (30) days of account deletion, unless retention is required by law.
  • Provider access credentials: deleted immediately upon disconnection of the relevant provider or deletion of your account, and in any event within seven (7) days of such event.
  • Health and fitness metrics: not persistently stored beyond the request-response cycle unless you explicitly configure the Service to retain historical data, in which case the retention period is governed by your account settings and is subject to the absolute restrictions in Section 5.
  • Server logs (HTTP request metadata: timestamps, IP addresses, HTTP method, endpoint path, response codes, latency): automatically purged after thirty (30) days. Server logs are designed not to contain health metric payloads. We take steps to prevent API response bodies containing health data from being written to logs. In rare cases, limited payload data may be captured in error traces when required to diagnose incidents; such traces are purged as soon as practicable.
  • Audit logs (records of administrative access, authentication events, and credential operations): retained for a minimum of ninety (90) days for security monitoring purposes. Audit logs do not contain health metric payloads.
  • Billing and transaction records: retained for ten (10) years from the date of the relevant transaction as required under French accounting law (Code de commerce, Article L. 123-22).

Upon expiry of the applicable retention period, Personal Data is securely deleted or anonymised such that it can no longer be attributed to any identifiable individual.

12

Security Measures

We implement technical and organisational measures appropriate to the risk, in accordance with Article 32 GDPR, to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

  • Encryption at rest: Provider access credentials and other sensitive data are encrypted at rest using industry-standard encryption (AES-256). Encryption keys are stored and managed separately from encrypted data where feasible.
  • Encryption in transit: all communications are protected by TLS 1.2 or higher. Database connections require SSL/TLS and are accessible only through authenticated, encrypted channels.
  • Access control: access to production systems is restricted to authorised personnel and subject to audit logging. We require multi-factor authentication for administrative access where supported by the relevant provider or platform.
  • Credential lifecycle management: Provider access credentials are rotated or refreshed as required by each provider. Revoked or expired credentials are deleted promptly from our systems.
  • Dependency management: third-party dependencies are monitored for known vulnerabilities as part of our development lifecycle.

In the event of a Personal Data Breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours of becoming aware of the breach (Article 33 GDPR), and will notify affected Data Subjects without undue delay where required by Article 34 GDPR.

Security contact: To report a suspected security vulnerability or incident, contact [email protected] with the subject line "Security Incident". We will acknowledge receipt within 24 hours and provide a substantive response within 72 hours.

Data Processing Agreements: GHURT maintains Data Processing Agreements with its infrastructure sub-processors (Neon, Railway). API partners and enterprise users may request a copy of applicable data-protection terms by contacting [email protected]. GHURT will provide reasonable prior notice to affected users before adding or replacing any sub-processor listed in Section 9 Part B.

Access and audit: Production system access is reviewed periodically. Administrative credentials are subject to rotation. Access events are recorded in audit logs as described in Section 11.

13

Your Rights as a Data Subject

Under Chapters III and IV of the GDPR and applicable French data protection law, you have the following rights with respect to your Personal Data. To exercise any of these rights, submit a written request to [email protected]. We will respond within one (1) month; this period may be extended by a further two (2) months in cases of complexity, with prior notice to you.

Right of Access (Art. 15)

Obtain confirmation of whether we Process your Personal Data and, if so, receive a copy and supplementary information about how it is Processed.

Right to Rectification (Art. 16)

Require us to correct inaccurate Personal Data and complete incomplete Personal Data without undue delay.

Right to Erasure (Art. 17)

Require deletion of your Personal Data where it is no longer necessary, where consent is withdrawn, or where Processing is unlawful, subject to applicable legal retention obligations.

Right to Restriction (Art. 18)

Require restriction of Processing in certain circumstances, including while accuracy is contested or an objection to Processing is pending.

Right to Portability (Art. 20)

Where Processing is based on consent or contract and carried out by automated means, receive your Personal Data in a structured, commonly used, machine-readable format.

Right to Object (Art. 21)

Object to Processing based on legitimate interests. We will cease such Processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Withdraw Consent

Where Processing is based on consent, withdraw at any time by disconnecting the relevant provider in account settings or by contacting us. Withdrawal does not affect the lawfulness of prior Processing.

Right to Complain (Art. 77)

Lodge a complaint with the CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, or via www.cnil.fr/fr/plaintes.

We will not charge a fee for responding to your request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act, with written notice of our reasoning.

14

Cookies and Tracking Technologies

The Service uses session cookies strictly necessary for maintaining authenticated user sessions. We do not use persistent tracking cookies, advertising cookies, or cross-site tracking technologies. No Personal Data collected through cookies is shared with third parties for advertising or analytics purposes.

Refusing cookies in your browser settings will prevent the Service from maintaining an authenticated session and will render the Service non-functional for logged-in users.

15

Children

The Service is not directed at, and is not intended for use by, individuals under the age of sixteen (16). We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child, we will delete such data promptly. If you believe a child has provided us with Personal Data, please contact [email protected]. Note: we apply a threshold of sixteen (16) as a conservative standard; the applicable French digital consent age under Article 8 GDPR as implemented in French law is fifteen (15).

16

Changes to this Policy

We reserve the right to amend this Policy to reflect changes in our data practices, applicable law, or features of the Service. Where amendments are material — meaning they affect how we collect, use, or disclose Personal Data in ways that may be unfavourable to you — we will provide at least fourteen (14) days' prior notice by email to the address associated with your account, or by prominent notice within the Service, before the amended Policy takes effect.

Your continued use of the Service following the effective date of any amendment constitutes your acceptance of the amended Policy. The effective date of the current version is stated at the top of this document. Previous versions are available upon request.

17

Definitions

Data Controller
A natural or legal person who determines the purposes and means of Processing Personal Data (Art. 4(7) GDPR).
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
MCP
Model Context Protocol — an open protocol that enables AI assistant environments to connect to and query external data sources, including the GHURT Service, via a standardised server interface.
Personal Data
Any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data (Art. 4(12) GDPR).
Processing
Any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, storage, use, disclosure, erasure, or destruction (Art. 4(2) GDPR).
Service
The GHURT health data integration platform and associated MCP server interface, accessible at ghurt.org.
Special Category Data
Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation (Art. 9(1) GDPR).
Sub-processor
A third party appointed by the Data Controller to Process Personal Data on its behalf in connection with the Service.

Contact the Data Controller

For all privacy-related enquiries, data subject requests, or concerns regarding this Policy, please contact:

Alexander Milekhin — Data Controller, GHURT
Email: founder@ghurt.org
Country of establishment: France
Website: ghurt.org

We will acknowledge receipt of your request within five (5) business days and respond substantively within the timeframes prescribed in Section 13. Previous versions of this Policy are available upon request.