Overrly
Velapp

Privacy Policy

Last updated: 2026-06-24 Effective date: 2026-06-11

This Privacy Policy explains how Velapp ("we", "our", "us") collects, uses, stores, and shares personal data when you use the Velapp mobile application ("the App"). We are committed to transparency and to compliance with the EU General Data Protection Regulation (GDPR), Polish data-protection law, and the privacy laws of any other jurisdiction where the App is available.

If you have questions about this policy, contact us at velapp.contact@gmail.com.


1. Who we are (Data Controller)

The data controller responsible for your personal data is:

We do not have a dedicated Data Protection Officer (DPO) because we do not meet the GDPR Article 37 thresholds, but you can address any data-protection question to the email above.


2. What data we collect

2.1 Data you provide directly

  • Account data: email address, password (stored hashed, never in plain text), display name.
  • Profile data: age, gender, weight, height, running experience, available training days, target events, target finish times, injury notes you choose to share.
  • Run history (manual entries): distance, duration, pace, heart rate, cadence, elevation, perceived exertion, free-form notes.
  • AI conversation history: messages you send to "Veli" (the in-app AI coach) and Veli's replies — required so the coach can refer back to earlier exchanges within and across sessions.
  • Daily check-ins: sleep, legs, stress scores (1-5) and optional notes.

2.2 Data collected automatically

  • Device data: approximate location (only when you grant the permission, used for weather), platform (iOS / Android), app version. We do NOT collect precise GPS tracks of runs ourselves — those come from third-party providers (see §2.3) only if you connect them.
  • Push-notification token: an Expo / OS-generated identifier so we can deliver workout reminders and coaching nudges.
  • Advertising identifier (free tier only): if you use the ad-supported free tier, an advertising identifier may be processed by our ads SDK (Google AdMob) to serve ads. This is subject to your consent: on iOS we ask via Apple's App Tracking Transparency (ATT) prompt, and we use Google's User Messaging Platform (UMP) consent form for EEA/UK users. Pro (paid) subscribers do not see ads and no advertising identifier is processed for them.
  • Usage logs: error reports and performance metrics, retained for up to 30 days for debugging.

2.3 Data we receive from third parties (only after you opt in)

  • Strava: with your explicit OAuth consent, we receive your past and future runs (date, distance, duration, pace, heart-rate, laps, splits, device name, perceived exertion). We hold a refresh token so we can pull new runs in the background. Your Strava data is shown only to you within the App, is never disclosed to other users, and is never sold. Like your other activity data, a summary of your Strava runs may be sent to our AI provider (Anthropic) solely to generate coaching for you; it is not used to train AI models and is not shared with any other third party. You can revoke this at any time in the Profile screen or in strava.com/settings/apps. When you disconnect Strava or delete your account, we revoke our access at Strava (deauthorize) and delete the runs we imported from Strava.
  • Apple HealthKit: when you grant permission, we read health and fitness data such as workouts and heart rate from Apple Health to enrich your training history. This is strictly opt-in and you can revoke access at any time in iOS Settings. HealthKit data is never used for advertising and is processed only to provide the coaching features you have asked for.
  • Google Health Connect (Android): when you grant permission, we read, on a read-only basis, your running workouts and related metrics — exercise/workout sessions, distance, heart rate, and calories burned — from Health Connect to enrich your training history. We never write data back to Health Connect. This is strictly opt-in; you can revoke access at any time in your device's Health Connect settings. Health Connect data is never used for advertising, is never sold, and is processed only to provide the coaching features you have asked for, consistent with the Google Health Connect Permissions policy, including its limited-use requirements.
  • Garmin Connect: when this integration launches, the same opt-in principle will apply and this policy will be updated.

We never receive your Strava (or other provider) password.

2.4 Subscriptions and purchases

If you buy a Pro subscription, your purchase and subscription status (for example: whether the subscription is active, its renewal date, and the product purchased) is processed via RevenueCat and the Apple App Store or Google Play. Payment itself is handled entirely by the relevant app store — we do not receive or store your card or payment-card details. We use this information only to unlock Pro features and to validate that your entitlement is current.


3. Legal basis for processing (GDPR Art. 6)

PurposeLegal basis
Creating and maintaining your accountPerformance of a contract (Art. 6(1)(b))
Generating your training plan and coaching advicePerformance of a contract (Art. 6(1)(b))
Importing runs from connected providersYour explicit consent (Art. 6(1)(a)), revocable any time
Reading Apple HealthKit dataYour explicit consent (Art. 6(1)(a)), revocable any time
AI coaching via ClaudePerformance of a contract + your consent for sending health-adjacent data to a sub-processor (Art. 6(1)(a)/(b))
Managing your Pro subscriptionPerformance of a contract (Art. 6(1)(b))
Serving ads on the free tierYour consent for personalised ads (Art. 6(1)(a)) via ATT/UMP; otherwise non-personalised ads on the basis of legitimate interest (Art. 6(1)(f)) to fund the free tier
Crash diagnosticsLegitimate interest (Art. 6(1)(f)) — keeping the App reliable
Push notificationsYour in-app preference toggles (Art. 6(1)(a))
Responding to support requestsLegitimate interest

4. How we use your data

We process your data to:

  1. Generate and adapt your training plan based on your profile, targets, and recent runs.
  2. Provide AI coaching — Veli reads a summary of your profile, recent activities, and the current chat history so its replies are contextual.
  3. Show progress and statistics in the Stats and Plan tabs.
  4. Send notifications you have enabled (morning greeting, workout reminders, weekly recap, milestone congratulations).
  5. Detect and prevent abuse of the AI service (rate-limiting, anomaly detection).
  6. Improve the App — aggregated, non-identifying usage signals help us prioritize features.

The free tier is supported by ads served via Google AdMob. With your consent (collected through Apple's App Tracking Transparency on iOS and Google's UMP consent form), the ads you see may be personalised; if you do not consent, you are shown non-personalised ads instead. You can change your ads consent at any time in your device settings (and, on iOS, in the system Tracking settings). Pro (paid) subscribers do not see ads.

We do not sell your personal data. We never use your health or fitness data (including Apple HealthKit data and heart-rate data) for advertising.


5. Third-party processors

We use the following sub-processors. Each handles your data only under contracts that reflect GDPR Art. 28 obligations:

Sub-processorWhat they doLocationPrivacy info
Supabase (hosted Postgres + Edge Functions + Auth)Stores your account, profile, runs, AI conversationsEU (eu-west-1)supabase.com/privacy
Anthropic (Claude API)Powers the AI coach "Veli"USAanthropic.com/legal/privacy
StravaProvider of run history (only if connected)USAstrava.com/legal/privacy
Apple HealthKitOn-device source of health/fitness data (only if you opt in); data stays under Apple's Health permissionsOn-device (Apple)apple.com/legal/privacy
Google Health ConnectOn-device source of health/fitness data on Android (only if you opt in); read-only, stays under Health Connect permissionsOn-device (Google)policies.google.com/privacy
Google AdMobAdvertising — serves ads on the free tierUSApolicies.google.com/privacy
RevenueCatSubscription management and receipt validationUSArevenuecat.com/privacy
ResendTransactional email delivery (e.g. password reset)USA / EUresend.com/legal/privacy-policy
OpenWeatherMapProvides weather forecasts for the run-conditions featureGlobalopenweather.co.uk/privacy-policy
Expo (push notifications)Delivers OS push to your deviceUSAexpo.dev/privacy
Apple / Google (app distribution + OS push)App delivery and OS-level notificationsGlobalApple / Google standard policies

For transfers outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses or an equivalent transfer mechanism. We send only the data each sub-processor needs for its specific job (data minimisation).

AI-specific note: when you chat with Veli, the contents of the chat — including your run data summary — are sent to Anthropic for inference. Anthropic does not train its models on your data per their API terms.


6. Data retention

DataRetention
Account dataUntil you delete your account
Profile + run historyUntil you delete your account or the specific entries
AI conversationsUntil you delete them via "Forget" in chat, or your account
Daily check-insUntil you delete your account
Strava refresh tokensDeleted when you disconnect Strava or delete your account; we also revoke the token at Strava
Runs imported from StravaDeleted when you disconnect Strava or delete your account
Subscription status (via RevenueCat)While your subscription is active and as required for receipt validation and accounting
Crash logs30 days, then deleted
Database backupsUp to 30 days, then overwritten

When you delete your account we erase your personal data within 30 days, except where we are legally required to keep records (e.g. accounting). Anonymised, aggregated statistics may remain.


7. Your rights (GDPR Art. 12-23)

You have the right to:

  • Access the personal data we hold about you.
  • Rectify data that is incorrect or out of date.
  • Erase ("right to be forgotten") your data — see §8.
  • Restrict processing while we look into an issue.
  • Data portability — request your data in a machine-readable format.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time for processing based on consent (e.g. disconnect Strava, revoke HealthKit access, withdraw ads consent, turn off notifications).
  • Lodge a complaint with a supervisory authority — in Poland this is the President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych — UODO, uodo.gov.pl).

To exercise any of these rights, email velapp.contact@gmail.com. We respond within 30 days.


8. How to delete your data

  • In-app: Profile → Account → "Delete account". This erases your account, profile, runs, AI conversations, and notification tokens.
  • By email: request to velapp.contact@gmail.com with the subject "Delete my account". We verify the request and erase within 30 days.

You can also delete specific items at any time:

  • Disconnect Strava (Profile → Connected accounts) — we revoke our access at Strava (deauthorize) and delete the runs we imported from Strava.
  • Delete individual runs from the activity history.
  • Delete individual coaching notes ("Veli, zapomnij że…").

9. Children

The App is not directed at children under 16 years of age. If you are under 16, please do not register. If we learn that we have collected data from someone under 16 without verified parental consent, we delete it. In some jurisdictions the minimum age may be 13; the higher local age limit always applies.


10. Security

We protect your data with:

  • TLS 1.2+ for every connection to our servers.
  • Row-Level Security in Postgres so no user can read another user's data, even if our application code has a bug.
  • Hashed passwords (bcrypt or equivalent) — we never store plain passwords and cannot recover them; you reset them through email if forgotten.
  • Server-side secrets (Strava client secret, Anthropic API key, Supabase service role) stored only in Supabase Edge Function environment variables, never in the mobile binary.
  • Logged access for our administrative actions.

No system is perfectly secure. If we discover a personal-data breach that is likely to result in risk to your rights, we notify you and the supervisory authority within 72 hours, as required by GDPR Art. 33-34.


11. Health-related data — special category

Some of the data we process (heart rate, training load, recovery notes) is health-adjacent. We do not consider it sensitive "category of personal data" under GDPR Art. 9 because it does not reveal a specific medical condition — but we treat it with the same care nonetheless. Veli explicitly refuses to diagnose injuries or recommend medication and always points users to a clinician for medical issues.


12. Cookies and similar technologies

The mobile App does not use HTTP cookies. We use local on-device storage (AsyncStorage on iOS/Android) to remember your language preference, your auth session, and your last-known location for weather. On the free tier, the App embeds the Google AdMob SDK, which may use an advertising identifier to serve ads, subject to your consent (Apple App Tracking Transparency on iOS and Google's UMP consent form in the EEA/UK). Pro (paid) subscribers see no ads and no advertising SDK identifier is used for them.


13. International transfers

Some sub-processors (Anthropic, Strava, Google AdMob, RevenueCat, Resend, Expo) are located outside the EEA. We rely on:

  • The European Commission's Standard Contractual Clauses (SCCs), or
  • The provider's adequacy decision where applicable, or
  • Your explicit consent for any transfer not covered by the above.

You can request copies of the relevant SCCs by emailing us.


14. Changes to this policy

When we change this policy materially, we:

  1. Bump the "Last updated" date at the top.
  2. Show an in-app notice the first time you open the App after the change.
  3. For changes affecting legal basis or sub-processors, ask you to re-confirm consent.

Continuing to use the App after a material change means you accept the new policy. If you do not accept, delete your account.


15. Contact

For any privacy question, GDPR request, or breach report:

Email: velapp.contact@gmail.com NIP: 5080100981

If we do not resolve your concern, you can lodge a complaint with the President of UODO (Office for Personal Data Protection), ul. Stawki 2, 00-193 Warszawa, Poland — or the supervisory authority in your EU member state.