Health Data

Health Data Policy

Effective date: April 22, 2026

This policy explains in detail how STRV collects, processes, shares, and protects health, fitness, and wellness data. It supplements our Privacy Policy, Terms of Service, and Health Disclaimer.

1. Scope and classification

This policy applies to data that can describe your physical activity, recovery, nutrition, biometric trends, and related wellness information. It applies whether data is entered manually, captured in-app, or imported from connected services.

In Australia, this data may constitute health information, which the Privacy Act 1988 treats as a category of sensitive information. We handle it with heightened protections and purpose limitation.

2. Health data we may process

  • Workout and activity data (sessions, duration, sets, reps, load, pace, distance).
  • Recovery and wellness data (sleep metrics, readiness signals, fatigue notes).
  • Nutrition-related records (foods, calories, macro totals).
  • User-entered body and progress records (for example weight, notes, progress logs).
  • Connected-service activity summaries and metadata when you explicitly authorize a provider.
  • Derived insights generated by analytics or AI from the above data.

3. Legal bases and why we process health data

  • Provide core app functionality and track your progress over time.
  • Generate personalized dashboards, trends, reminders, and recommendations.
  • Support AI features that summarize patterns and suggest practical next steps.
  • Diagnose reliability and safety issues in data pipelines and integrations.
  • Comply with legal obligations and enforce platform safety controls.

Where required, we rely on your consent, contractual necessity, legitimate interests, or legal obligations.

4. Strict limits on use and disclosure

  • We do not sell health data.
  • We do not broker health data to advertisers or data resellers.
  • We do not use health data for cross-app behavioral advertising.
  • We do not disclose your identifiable health data to third parties without a valid legal basis or your explicit authorization.

5. Recommendation and safety disclaimer

STRV may provide workout, nutrition, and recovery recommendations, including AI-generated suggestions. These recommendations are informational only, may be inaccurate or unsuitable, and are not medical advice.

You remain responsible for verifying recommendations and deciding whether to act. See our Health Disclaimer for important risk and safety terms.

6. Provider-specific processing disclosures

OpenAI (AI processing)

We use OpenAI APIs to generate AI features in STRV. We design prompts to reduce unnecessary personal detail and to process only data needed for requested outputs. We configure business/API usage under OpenAI platform data controls and do not rely on OpenAI consumer services for this processing path.

AWS (infrastructure)

STRV services run on AWS infrastructure for compute, storage, and networking. AWS infrastructure protections apply to security of the cloud, while STRV remains responsible for security in the cloud (access controls, data modeling, and application logic).

Supabase (database and backend tooling)

Supabase supports database and backend capabilities. STRV controls schema design, access policies (including row-level access controls where used), and secret management.

Apple Push Notification service (APNs)

We use APNs to deliver push notifications to your Apple devices. We process notification tokens and delivery metadata. We avoid including sensitive health details in notification payload text where feasible.

Google (authentication)

If you choose Google sign-in, we process the identity information needed to authenticate your account (for example profile identifier, name, and email). We request only permissions needed for authentication and account continuity.

7. Strava integration policy (specific terms)

Strava integration is optional and only active if you explicitly connect your Strava account through OAuth consent.

  • We collect only data covered by scopes you approve during the Strava connection flow.
  • Strava-sourced data in STRV is shown only to the authenticated STRV account holder who authorized the connection.
  • We do not disclose your Strava activity data to other users or unrelated third parties without explicit consent or legal requirement.
  • We retain Strava access and refresh tokens only as long as needed to maintain sync; they are used server-side and are never exposed to other users or clients. You may disconnect at any time.
  • If Strava authorization is revoked (in STRV or in Strava account settings), STRV stops new Strava data sync and deletes the stored connection tokens so they cannot be reused.
  • STRV use of Strava data is additionally subject to the Strava API Agreement and related Strava platform rules.
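The access guarantees above (and the row-level access controls mentioned under Supabase in section 6) are the kind of thing that can be enforced in the database rather than only in application code. The following is an added example, not STRV's actual schema or policies: it shows Postgres row-level security written the way Supabase projects use it, so that Strava-sourced activity rows are visible only to the account that authorized the connection and Strava tokens are never readable from a client session. The table and column names are hypothetical; `auth.uid()` is Supabase's helper that returns the calling user's id, and the `authenticated` and service roles are Supabase's standard roles.

```sql
-- Added example (hypothetical schema, not STRV's): Postgres row-level security
-- in the Supabase style. auth.uid() returns the id of the signed-in caller.

create table strava_activities (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null references auth.users (id) on delete cascade,
  strava_id   bigint not null,
  started_at  timestamptz not null,
  summary     jsonb not null,
  unique (owner_id, strava_id)
);

-- Tokens never reach the client: no policy is created for this table, so once
-- RLS is enabled every request made through the anon/authenticated roles sees
-- zero rows, and only the server-side service role (which bypasses RLS) can
-- read, refresh or delete them.
create table strava_tokens (
  owner_id      uuid primary key references auth.users (id) on delete cascade,
  access_token  text not null,
  refresh_token text not null,
  expires_at    timestamptz not null,
  scopes        text[] not null
);

alter table strava_activities enable row level security;
alter table strava_tokens     enable row level security;

-- Deny by default; one policy per command, each bound to the caller's own id.
create policy "owner can read own activities"
  on strava_activities for select to authenticated
  using (owner_id = auth.uid());

create policy "owner can insert own activities"
  on strava_activities for insert to authenticated
  with check (owner_id = auth.uid());

create policy "owner can update own activities"
  on strava_activities for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner can delete own activities"
  on strava_activities for delete to authenticated
  using (owner_id = auth.uid());

-- Disconnect or revocation: deleting the token row is what invalidating the
-- stored connection tokens amounts to; the cascade from auth.users also covers
-- account deletion. Run server-side with the service role.
-- delete from strava_tokens where owner_id = '<user uuid>';

-- Sanity check from a client session: as a signed-in user the first query
-- returns only that user's rows, and the second returns 0 (not an error)
-- because no policy grants any access to the token table.
select count(*) from strava_activities;
select count(*) from strava_tokens;
```

Two points a reviewer would check here: the `with check` clause on insert and update is what stops a client from writing rows under someone else's `owner_id` (a `using` clause alone only filters what is read), and the absence of any policy on `strava_tokens` is deliberate, since a table with RLS enabled and no policies is closed to every role that does not bypass RLS.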

8. HealthKit and Apple platform constraints

Where HealthKit access is used, permissions are requested per data type and remain under your control in iOS Settings. STRV follows the Apple platform requirement that HealthKit data be used only for health and fitness functionality, not for advertising or profiling.

9. Security controls for health data

  • Encryption in transit for app-to-service and service-to-service communication.
  • Role-based access controls and least-privilege operational access.
  • Audit logs, anomaly detection, and incident-response workflows.
  • Credential, token, and secret management with rotation practices.
  • Segregation between production and non-production environments.

If a data breach is likely to result in serious harm, we follow applicable notification laws, including the Australian Notifiable Data Breaches scheme where required.

10. Data minimization, retention, and deletion

We retain health data while your account is active and as needed for service continuity. You can request account deletion and data erasure subject to legal and operational retention requirements.

  • Active account data supports core product history and analytics features.
  • After deletion requests, data is deleted or de-identified within operational timelines except where legal obligations require retention.
  • Backups are retained for limited security and disaster-recovery windows.

11. Your rights and controls

  • Access and export: request a copy of your data where required by law.
  • Correction: update inaccurate profile or wellness entries.
  • Deletion: request account and data deletion.
  • Integration control: connect or disconnect Google and Strava at any time.
  • Consent withdrawal: withdraw optional permissions through app and provider settings.

For Australian users, we support access and correction requests consistent with APP 12 and APP 13.

12. HIPAA and regulated health information

STRV is a wellness and fitness application. Unless explicitly stated in a separate signed agreement, STRV is not offered as a HIPAA-covered service and should not be used as your sole system of record for clinical care operations.

If your organization needs HIPAA or similar regulated handling guarantees, contact us before using STRV for that purpose.

13. International processing and cross-border disclosure

Health data may be processed in multiple jurisdictions depending on hosting and vendor operations. We use contractual and technical safeguards where legally required.

For Australian users, where APP 8 applies, we take reasonable steps to ensure overseas recipients handle personal information consistently with applicable privacy obligations.

14. Changes to this policy

We may update this Health Data Policy as our product, integrations, or legal obligations change. Material changes will be communicated with appropriate notice.

15. Contact

Health data and privacy questions: [email protected]