Privacy Policy — Vital Intelligence Coach (VIC / VICcoach)

Effective date: 14 May 2026 (update on each published revision)

Revision note (14 May 2026): Section 7 — explicit 90-day rolling retention for persisted dashboard daily subjective check-ins in active production databases, enforced by scheduled housekeeping (deletion of records past that window). Repository: weekly automation via GitHub Actions (.github/workflows/dashboard-subjective-retention-purge.yml) calling the admin purge endpoint; backup copies may still persist for the separate backup retention window described in Section 7.

Controller: Yngwi B.V., Laan 117, 8071 JJ Nunspeet, the Netherlands (“we”, “us”, “our”).

Trademark: Vital Intelligence Coach is a registered trademark of Yngwi B.V.

Registration: Chamber of Commerce (KvK) 61200077 · VAT: NL854250487B01

Contact (privacy): info@Viccoach.app

Related: Cookie notice

1. Scope

This Privacy Policy describes how we collect, use, store, and share personal data when you use VIC (Vital Intelligence Coach, also referred to as VICcoach), including our websites, APIs, related services, and native or hybrid mobile applications we offer or may offer under the same brand (together, the “Service”).

If you do not agree with this policy, do not use the Service.

2. Roles and responsibility

For personal data processed in connection with the Service, Yngwi B.V. is typically the data controller under the UK GDPR / EU GDPR (as applicable), unless we process data strictly on behalf of another controller under a written agreement (e.g. certain enterprise deployments).

Human coaches or trainers: If we introduce features where a named coach or trainer can access your data within our platform, they act on our behalf as authorised users of the Service (not an independent controller) unless we have agreed otherwise in writing with you or your organisation.

Data Protection Officer (DPO): We have not appointed a statutory DPO under Article 37 GDPR because, based on our current assessment, our processing is not in a category that mandates DPO appointment. You can reach us for all privacy and data-protection enquiries at info@Viccoach.app. If we appoint a DPO in the future, we will publish their contact details here.

3. Data we collect

We apply data minimisation: we collect only personal data that is adequate, relevant, and limited to what is necessary to provide the Service, comply with law, and maintain security.

What we do not collect as part of the Service: we do not ask for government-issued identity document numbers (such as passport or national ID numbers), biometric identifiers used to identify you uniquely (such as fingerprint or facial recognition templates for authentication), or clinical medical records maintained by a healthcare provider. The Service is not a medical record system.

Where personal data comes from:

Directly from you — account registration, profile fields, uploads, check-ins, free text you enter, and support messages.
From your devices and files — for example activity files or exports you upload, and technical data from the browser or app you use to access the Service.
From integrations you connect — for example Intervals.icu, when you enable the integration and supply credentials or tokens so we can sync on your instructions.

3.1 Account and identity

Name, email address, and credentials used to authenticate you.
Other profile fields you choose to provide (for example date of birth, gender, sport preferences, and settings stored in your profile).

3.2 Training, performance, and files

Workout files and related uploads (for example raw activity files), merged or derived workout data, timing, power, heart rate, cadence, breathing-related metrics where available, and similar performance data extracted from your files or devices.
Location-related data if it appears in your activity files (for example GPS coordinates embedded in recordings).

3.3 Planning, calendar, and integrations

Calendar items, planned sessions, and synchronization data when you connect third-party services (for example Intervals.icu). We process such data to match plans with completed activities and to provide planning features you enable.

3.4 Wellness, subjective check-ins, and health-related context

Structured check-ins and wellness fields you submit (for example sleep, stress, motivation, readiness, subjective load, illness flags, menstrual cycle tracking if offered and used).
Free-text descriptions you provide about how a session felt, when the product collects such input.

Important: These categories can include health-related information in a broad sense. We use them only to provide coaching, planning, and analytics inside the product, not to provide medical diagnosis or treatment. See also our Terms of Service.

Optional and under your control: Wellness and subjective fields are optional; you choose what to enter and can skip or clear inputs where the product allows.

Retention (dashboard check-in): When you use the persisted daily dashboard subjective check-in, we keep that server-side data only for the rolling period described in Section 7 (currently 90 calendar days in active production databases, plus backup caveats).

3.5 Technical and security data

IP address, device and browser type, approximate timestamps, and diagnostic logs needed for security, abuse prevention, and reliability.
Cookies, local storage, and similar technologies as described in our Cookie notice (strictly necessary and preference-type uses). We do not use cookies or similar technologies for third-party advertising or profiling for advertising, or for cross-context behavioural advertising.

3.6 Support and communications

Information you send when you contact support or correspond with us.

3.7 Workout environmental context (weather proxy)

When you use coaching features that explain training in context of weather and ground conditions, we may:

Derive an approximate location from GPS in your activity files (outdoor sessions), or from an optional training-location anchor you set in profile settings (indoor sessions).
Request model weather and soil-moisture data from our weather provider (Open-Meteo, ERA5 / ERA5-Land) for that location and session time window. We store aggregated values (for example temperature, humidity, wind, wetness bucket) linked to the workout — not a full weather archive tied to your identity beyond what is needed for coaching.
Optional IP-based coarse location (approximately city level, never stored as a raw IP address in workout context) may be used when you have no GPS in the activity and no manual weather anchor, and when the feature is enabled for your account. On upload we may resolve your connection to coarse coordinates and keep a short-lived anchor on your profile (typically refreshed on activity upload, TTL about seven days). You can turn this off at any time under Settings → Profile (“IP-locatie voor weercontext”). Outdoor sessions with route GPS do not need this fallback.

We do not use workout environmental context for advertising or profiling outside the Service. See also our Terms of Service (Section 4.5).

4. How we use personal data (purposes)

We use personal data to:

Provide and operate the Service — ingest and analyse workouts, build sessions, run models, show dashboards, planning, and integrations you enable.
Improve and secure the Service — troubleshooting, quality assurance, product analytics in aggregated or pseudonymised form where possible, and protection against fraud or misuse.
Communicate with you — service messages, security notices, and (where permitted) product updates.
Comply with law — respond to lawful requests and meet record-keeping obligations.

No unrelated combining: We do not combine your personal data with third-party datasets (for example data brokers or unrelated advertising networks) for purposes unrelated to providing and securing the Service.

No decisions with legal or similarly significant effect (UK / EEA): We do not carry out solely automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you in the meaning of Article 22(1) UK GDPR / EU GDPR. In supervisory terms: there is no automated pipeline that binds you with respect to rights in contract or law, eligibility for essential services, or comparable outcomes without meaningful human review where Article 22 would require it. The Service does use automated analysis, scoring, classifiers, and suggestions for training, coaching, wellness context, and scheduling support; any material change to your calendar or plan follows the product’s confirmation, validation, and gate rules (including explicit user confirmation where the product requires it). That processing supports your decisions; it does not replace professional medical advice or your own judgment.

5. Legal bases (UK / EEA users)

Where UK GDPR / EU GDPR applies, we rely on one or more of the following:

Contract — processing necessary to provide the Service you request (account, core features, integrations you activate).
Legitimate interests — securing the Service, limited analytics, and product improvement, balanced against your rights (you may object where applicable).
Consent — where we ask for consent (for example certain optional analytics or marketing emails, if offered). You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Legal obligation — where we must retain or disclose data to comply with law.

Health-related data (Article 9): Where local law treats certain wellness or performance data as special category data, we rely primarily on Article 9(2)(a) (explicit consent), including where the product asks you to affirm processing of sensitive fields. Where Member State law permits and your use of the Service falls within a covered preventive or occupational-health context, we may also rely on Article 9(2)(h) (for example employer- or federation-run occupational programmes). The Service does not provide clinical diagnosis or treatment; see our Terms.

6. Sharing with processors and third parties

We do not sell your personal data (including as “sale” may be defined under US state privacy laws). We do not disclose personal information for cross-context behavioural advertising (targeted advertising based on tracking across unaffiliated businesses or sites). We share data only as follows:

6.1 Service providers (processors)

Hosting, database, storage, email delivery, monitoring, and similar vendors process data on our instructions under contracts that require appropriate security and confidentiality. Our standard processing agreements require processors to notify us before engaging or changing sub-processors that affect personal data, so we can object or update disclosures where contract and law allow.

Sub-processor transparency: We maintain an overview of categories of sub-processors (see also Section 8). Material changes are reflected in this Policy or an annex where we use one. You may request a current sub-processor list for your deployment at info@Viccoach.app.

6.2 Integrations you enable

When you connect a third-party account (for example Intervals.icu), we exchange data with that provider as needed for the integration. Their use of data is governed by their privacy policy and terms. We encourage you to read them.

6.3 AI and language-model providers

Depending on configuration, the Service calls OpenAI (api.openai.com), Anthropic (api.anthropic.com), and/or Google AI / Gemini (Google’s AI API endpoints) only for inference (generating an output for a specific request). We do not upload your complete raw activity binary files as bulk archives for model training.

What is sent (minimisation in practice):

Feature area	What leaves our systems toward the model provider	What we do not send for that call
Planner (structured plan suggestions)	A JSON “planner input” package built server-side: planning window, plan version, summarised calendar items, constraints, gate / wellness summaries, goals and impact-style fields, and related structured coaching/planning context required to propose a bounded `PlanDelta`. A mode-specific system prompt from our application.	Full FIT/GPX/zip archives, unrelated historical workouts outside the active planning window, and unrelated third-party accounts.
Dashboard — richer day-advice prose	System instructions (rewrite-only, no new medical claims or plan mutations) plus a small JSON user message: your existing headline and body text and a trimmed subjective snapshot (e.g. schema version, interpretation id/path, summary, signals, conflicts).	Broad exports of your entire account.
Dashboard — subjective interpretation backstop (when enabled)	Fixed JSON-classifier system prompt plus a JSON user message containing: existing rules-based signals/conflicts, selected structured check-in fields (e.g. sleep, stress, motivation, hydration, DOMS, menstruation flags as implemented), and a truncated preview of free-text “coach context” (up to 800 characters; longer text is not fully replicated in the LLM payload).	Full-length diary entries beyond that preview cap for this path.
Authenticated coach completion (server API used by our clients)	System and user strings sent to the provider only within a server-enforced maximum combined prompt length; intended for coach-copy features tied to an athlete account.	Oversized prompts are rejected by the API; we do not stream entire account exports through this path.

Pseudonymisation: Where feasible, we pseudonymise prompts or strip direct identifiers (for example by using internal numeric IDs and structured summaries rather than full name or email inside model-bound payloads) before sending content to model providers, in addition to the field-level minimisation described above.

Model training: We configure provider account/API options so that customer content sent for these API calls is not used to train or improve the vendor’s general or foundation models, to the extent the vendor offers an enforceable “no training” / “do not use for training” (or equivalent) control for the tier we use. Short-lived processing, fraud/abuse safeguards, or operational logging may still apply per the vendor’s DPA and trust documentation. See Section 8 for transfers.

6.4 Legal and safety

We may disclose information if we believe in good faith that disclosure is required by law, legal process, or government request, or to protect the rights, safety, or integrity of users, the public, or the Service.

6.5 Business transfers

If we are involved in a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction, subject to appropriate safeguards and notice where required.

7. Retention

Retention is limited to what we need for the Service, security, and legal compliance. Exact backup windows depend on your deployment’s hosting configuration.

Backups: Backup copies of databases and file storage may persist for up to 90 days within normal backup rotation before older snapshots are overwritten or retired, unless your hosting or backup product uses a shorter or longer configured period — your operator runbook or infrastructure owner can confirm the value in use.

Persisted dashboard subjective check-ins (automation): For the daily dashboard check-in we store on our servers (structured fields such as sleep/stress/motivation and related signals, optional free-text coach context, and conflict-resolution choices tied to a calendar day), we apply scheduled housekeeping in production that deletes rows in active databases when they are older than 90 calendar days on a rolling basis (measured from each record’s calendar day relative to our server’s purge reference date). This is not the same schedule as workout ingest from integrations; it exists to enforce data minimisation for this category. Full athlete/account deletion removes these records earlier when you complete an authorised deletion workflow. Deleted rows may still appear in encrypted backups until those backups age out as described above.

Category	Retention logic
Account & profile (name, email, credentials, profile fields)	For the lifetime of your account. After closure or a full athlete/account deletion request handled in the product, removed from production databases and primary file storage in line with that workflow, except where law requires a longer hold.
Training files & merged artefacts (uploads, raw files, merged outputs)	Until deleted via the product’s deletion or delete-all flows tied to your athlete; may persist in encrypted backups only for the backup retention period configured for the environment, then aged out.
Derived training data (sessions, metrics, analyses, planner state tied to your athlete)	Same tie as the underlying athlete record: retained while the account/athlete exists; removed or anonymised when a full deletion for that athlete completes (subject to legal exceptions).
Wellness & subjective check-ins — persisted dashboard daily check-in	Active production databases: no longer than 90 calendar days on a rolling basis from the calendar day the check-in applies to, then automatically deleted by scheduled housekeeping (see paragraph above). Earlier removal on full athlete/account deletion. Backups: may persist only for the backup retention period above.
Wellness & subjective context in other product surfaces	Retained with the athlete record and the feature rules in effect when you use that feature; removed or anonymised on full athlete/account deletion unless this Policy states a shorter retention for that category (for example the dashboard check-in row above).
Integration tokens & sync state (e.g. Intervals.icu)	Retained while the integration is active; removed or invalidated when you disconnect the integration or delete the athlete/account, according to product behaviour.
Technical & security logs (IP, request metadata, application logs)	Typically a rolling short period (days to weeks) for operations and abuse prevention; may be kept longer if needed to establish, exercise, or defend legal claims or to meet lawful obligations.
Support correspondence	For as long as needed to resolve the request and a limited period afterwards for quality and legal defence, unless a longer period is required by law.

Where the product offers a full account or athlete deletion workflow, we delete or irreversibly anonymise your data in our systems and associated primary file storage in line with that feature’s documentation, subject to legal exceptions (for example minimal security logs).

Third parties: Deletion in our systems does not automatically delete copies held by integrations (for example Intervals.icu) or AI providers under their own retention rules. You may need to take separate steps with those services.

8. International transfers

Yngwi B.V. is established in the Netherlands (EEA). Depending on how the Service is hosted and which features you use, personal data may be processed in the EEA and/or transferred to processors in the United States or other countries that may not be deemed adequate by the European Commission.

Typical processors and mechanisms (as used in our documented production-style deployments):

Processor / service	Role	Transfer mechanism (EEA/UK → third country)
Fly.io (or comparable IaaS)	Application servers, workers, attached volumes where configured	EU Standard Contractual Clauses (2021/914, Module Two, controller–processor) and/or the UK International Data Transfer Addendum to the SCCs, together with the vendor’s Data Processing Agreement and security documentation.
Vercel (or comparable front-end host)	Hosting of the Next.js web application	Same pattern: SCCs + UK Addendum under the vendor’s DPA for business customers.
OpenAI	LLM inference (`api.openai.com`)	OpenAI’s data processing addendum / enterprise terms incorporating SCCs (and UK equivalent) for API/business processing, plus no-training settings as described in Section 6.3.
Anthropic	LLM inference (`api.anthropic.com`)	Anthropic’s commercial DPA / terms incorporating SCCs (and UK equivalent) for business use, plus no-training settings as described in Section 6.3.
Google (Gemini / Google AI)	LLM inference via Google AI APIs	Google Cloud / AI terms and DPA (including SCCs and UK mechanisms) applicable to the Google services in use.
Intervals.icu	Optional integration	Governed by Intervals.icu’s terms and privacy policy; may involve transfers outside the EEA according to their documentation.
Open-Meteo	Weather and soil-moisture model data for workout context	Public API; we send approximate coordinates and time windows only — no account linkage on their side. Governed by Open-Meteo terms; see Section 3.7.

Where transfers occur without an adequacy decision, we rely on the mechanisms above and supplementary measures (for example encryption in transit, access controls, and minimised payloads to model providers) appropriate to the risk. A sub-processor overview for your specific deployment may be provided on request at info@Viccoach.app.

Transfer impact assessments (TIAs): Where required by EEA or UK law or by our own risk assessment for a specific transfer tool or vendor change, we conduct transfer impact assessments to evaluate legal and practical risks of transfers to third countries and to document supplementary measures.

9. Security

We implement technical and organisational measures appropriate to the risk, including:

Role-based access controls and least-privilege access to systems containing personal data;
Logging of access to administrative and sensitive operations where technically proportionate;
Encryption in transit for production traffic where configured (for example HTTPS/TLS between clients and our services, and TLS to external APIs);
Separation of environments (for example production vs non-production) where our architecture supports it;
Periodic security testing (including vulnerability scanning and, where appropriate, penetration tests on internet-facing components);
Secure development practices (code review, dependency management, and change control as part of our engineering process); and
Limiting access to personal data to personnel and sub-processors with a legitimate operational need and confidentiality obligations.

No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

10. Your rights

Depending on your location, you may have the right to:

Access a copy of your personal data.
Rectify inaccurate or incomplete data.
Erase data in certain circumstances.
Restrict processing in certain circumstances.
Object to processing based on legitimate interests (including profiling in some cases).
Data portability for data you provided, where technically feasible.
Withdraw consent where processing is consent-based.
Lodge a complaint with a supervisory authority (in the EEA, your local authority; in the UK, the ICO).

To exercise these rights, contact info@Viccoach.app. We may need to verify your identity before responding.

Response times (EEA / UK): We will respond to requests within one month of receipt. That period may be extended by up to two further months where necessary, taking into account the complexity and number of requests; if extended, we will inform you of the reasons within the first month.

11. Children

The Service is intended for competent users who can enter into the Terms of Service. Minimum ages:

EEA, UK, or Switzerland: you must be at least 16 years old.
United States: you must be at least 13 years old, unless the law of your state of residence sets a higher age for creating an account or consenting to the processing we describe, in which case that higher age applies.

We do not knowingly collect personal data from anyone below the applicable minimum. If you believe we have, contact info@Viccoach.app and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version and revise the “Effective date”. Where changes are material and we have your contact details, we may also notify you by email or in-product notice as required by law.

If changes materially reduce your rights or expand processing in a way that requires a new lawful basis, we will obtain renewed consent or another valid basis where required by law before applying those changes to you.

13. Regional notices

United States — no “sale,” no “sharing” for cross-context behavioural advertising: We do not sell personal information. We do not “share” personal information for cross-context behavioural advertising as those concepts are used in the California CPRA and similar state laws. We do not use personal information for targeted advertising based on tracking across unrelated websites or apps.

California (CCPA/CPRA): California residents may have rights to know, delete, and correct personal information, and to limit certain uses of sensitive personal information, subject to verification and exceptions under law. We do not sell or share personal information for cross-context behavioural advertising as defined in the CPRA. To exercise rights, contact info@Viccoach.app.

Cookies and similar technologies: See our Cookie notice for categories in use and how to control them.