Privacy Policy
Last updated: 2026-06-24 Effective date: 2026-06-11
This Privacy Policy explains how Velapp ("we", "our", "us") collects, uses, stores, and shares personal data when you use the Velapp mobile application ("the App"). We are committed to transparency and to compliance with the EU General Data Protection Regulation (GDPR), Polish data-protection law, and the privacy laws of any other jurisdiction where the App is available.
If you have questions about this policy, contact us at velapp.contact@gmail.com.
1. Who we are (Data Controller)
The data controller responsible for your personal data is:
- Name: Overrly
- NIP (Polish tax ID): 5080100981
- Email: velapp.contact@gmail.com
We do not have a dedicated Data Protection Officer (DPO) because we do not meet the GDPR Article 37 thresholds, but you can address any data-protection question to the email above.
2. What data we collect
2.1 Data you provide directly
- Account data: email address, password (stored hashed, never in plain text), display name.
- Profile data: age, gender, weight, height, running experience, available training days, target events, target finish times, injury notes you choose to share.
- Run history (manual entries): distance, duration, pace, heart rate, cadence, elevation, perceived exertion, free-form notes.
- AI conversation history: messages you send to "Veli" (the in-app AI coach) and Veli's replies — required so the coach can refer back to earlier exchanges within and across sessions.
- Daily check-ins: sleep, legs, stress scores (1-5) and optional notes.
2.2 Data collected automatically
- Device data: approximate location (only when you grant the permission, used for weather), platform (iOS / Android), app version. We do NOT collect precise GPS tracks of runs ourselves — those come from third-party providers (see §2.3) only if you connect them.
- Push-notification token: an Expo / OS-generated identifier so we can deliver workout reminders and coaching nudges.
- Advertising identifier (free tier only): if you use the ad-supported free tier, an advertising identifier may be processed by our ads SDK (Google AdMob) to serve ads. This is subject to your consent: on iOS we ask via Apple's App Tracking Transparency (ATT) prompt, and we use Google's User Messaging Platform (UMP) consent form for EEA/UK users. Pro (paid) subscribers do not see ads and no advertising identifier is processed for them.
- Usage logs: error reports and performance metrics, retained for up to 30 days for debugging.
2.3 Data we receive from third parties (only after you opt in)
- Strava: with your explicit OAuth consent, we receive your past and future runs (date, distance, duration, pace, heart-rate, laps, splits, device name, perceived exertion). We hold a refresh token so we can pull new runs in the background. Your Strava data is shown only to you within the App, is never disclosed to other users, and is never sold. Like your other activity data, a summary of your Strava runs may be sent to our AI provider (Anthropic) solely to generate coaching for you; it is not used to train AI models and is not shared with any other third party. You can revoke this at any time in the Profile screen or in strava.com/settings/apps. When you disconnect Strava or delete your account, we revoke our access at Strava (deauthorize) and delete the runs we imported from Strava.
- Apple HealthKit: when you grant permission, we read health and fitness data such as workouts and heart rate from Apple Health to enrich your training history. This is strictly opt-in and you can revoke access at any time in iOS Settings. HealthKit data is never used for advertising and is processed only to provide the coaching features you have asked for.
- Google Health Connect (Android): when you grant permission, we read, on a read-only basis, your running workouts and related metrics — exercise/workout sessions, distance, heart rate, and calories burned — from Health Connect to enrich your training history. We never write data back to Health Connect. This is strictly opt-in; you can revoke access at any time in your device's Health Connect settings. Health Connect data is never used for advertising, is never sold, and is processed only to provide the coaching features you have asked for, consistent with the Google Health Connect Permissions policy, including its limited-use requirements.
- Garmin Connect: when this integration launches, the same opt-in principle will apply and this policy will be updated.
We never receive your Strava (or other provider) password.
2.4 Subscriptions and purchases
If you buy a Pro subscription, your purchase and subscription status (for example: whether the subscription is active, its renewal date, and the product purchased) is processed via RevenueCat and the Apple App Store or Google Play. Payment itself is handled entirely by the relevant app store — we do not receive or store your card or payment-card details. We use this information only to unlock Pro features and to validate that your entitlement is current.
3. Legal basis for processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Creating and maintaining your account | Performance of a contract (Art. 6(1)(b)) |
| Generating your training plan and coaching advice | Performance of a contract (Art. 6(1)(b)) |
| Importing runs from connected providers | Your explicit consent (Art. 6(1)(a)), revocable any time |
| Reading Apple HealthKit data | Your explicit consent (Art. 6(1)(a)), revocable any time |
| AI coaching via Claude | Performance of a contract + your consent for sending health-adjacent data to a sub-processor (Art. 6(1)(a)/(b)) |
| Managing your Pro subscription | Performance of a contract (Art. 6(1)(b)) |
| Serving ads on the free tier | Your consent for personalised ads (Art. 6(1)(a)) via ATT/UMP; otherwise non-personalised ads on the basis of legitimate interest (Art. 6(1)(f)) to fund the free tier |
| Crash diagnostics | Legitimate interest (Art. 6(1)(f)) — keeping the App reliable |
| Push notifications | Your in-app preference toggles (Art. 6(1)(a)) |
| Responding to support requests | Legitimate interest |
4. How we use your data
We process your data to:
- Generate and adapt your training plan based on your profile, targets, and recent runs.
- Provide AI coaching — Veli reads a summary of your profile, recent activities, and the current chat history so its replies are contextual.
- Show progress and statistics in the Stats and Plan tabs.
- Send notifications you have enabled (morning greeting, workout reminders, weekly recap, milestone congratulations).
- Detect and prevent abuse of the AI service (rate-limiting, anomaly detection).
- Improve the App — aggregated, non-identifying usage signals help us prioritize features.
The free tier is supported by ads served via Google AdMob. With your consent (collected through Apple's App Tracking Transparency on iOS and Google's UMP consent form), the ads you see may be personalised; if you do not consent, you are shown non-personalised ads instead. You can change your ads consent at any time in your device settings (and, on iOS, in the system Tracking settings). Pro (paid) subscribers do not see ads.
We do not sell your personal data. We never use your health or fitness data (including Apple HealthKit data and heart-rate data) for advertising.
5. Third-party processors
We use the following sub-processors. Each handles your data only under contracts that reflect GDPR Art. 28 obligations:
| Sub-processor | What they do | Location | Privacy info |
|---|---|---|---|
| Supabase (hosted Postgres + Edge Functions + Auth) | Stores your account, profile, runs, AI conversations | EU (eu-west-1) | supabase.com/privacy |
| Anthropic (Claude API) | Powers the AI coach "Veli" | USA | anthropic.com/legal/privacy |
| Strava | Provider of run history (only if connected) | USA | strava.com/legal/privacy |
| Apple HealthKit | On-device source of health/fitness data (only if you opt in); data stays under Apple's Health permissions | On-device (Apple) | apple.com/legal/privacy |
| Google Health Connect | On-device source of health/fitness data on Android (only if you opt in); read-only, stays under Health Connect permissions | On-device (Google) | policies.google.com/privacy |
| Google AdMob | Advertising — serves ads on the free tier | USA | policies.google.com/privacy |
| RevenueCat | Subscription management and receipt validation | USA | revenuecat.com/privacy |
| Resend | Transactional email delivery (e.g. password reset) | USA / EU | resend.com/legal/privacy-policy |
| OpenWeatherMap | Provides weather forecasts for the run-conditions feature | Global | openweather.co.uk/privacy-policy |
| Expo (push notifications) | Delivers OS push to your device | USA | expo.dev/privacy |
| Apple / Google (app distribution + OS push) | App delivery and OS-level notifications | Global | Apple / Google standard policies |
For transfers outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses or an equivalent transfer mechanism. We send only the data each sub-processor needs for its specific job (data minimisation).
AI-specific note: when you chat with Veli, the contents of the chat — including your run data summary — are sent to Anthropic for inference. Anthropic does not train its models on your data per their API terms.
6. Data retention
| Data | Retention |
|---|---|
| Account data | Until you delete your account |
| Profile + run history | Until you delete your account or the specific entries |
| AI conversations | Until you delete them via "Forget" in chat, or your account |
| Daily check-ins | Until you delete your account |
| Strava refresh tokens | Deleted when you disconnect Strava or delete your account; we also revoke the token at Strava |
| Runs imported from Strava | Deleted when you disconnect Strava or delete your account |
| Subscription status (via RevenueCat) | While your subscription is active and as required for receipt validation and accounting |
| Crash logs | 30 days, then deleted |
| Database backups | Up to 30 days, then overwritten |
When you delete your account we erase your personal data within 30 days, except where we are legally required to keep records (e.g. accounting). Anonymised, aggregated statistics may remain.
7. Your rights (GDPR Art. 12-23)
You have the right to:
- Access the personal data we hold about you.
- Rectify data that is incorrect or out of date.
- Erase ("right to be forgotten") your data — see §8.
- Restrict processing while we look into an issue.
- Data portability — request your data in a machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent at any time for processing based on consent (e.g. disconnect Strava, revoke HealthKit access, withdraw ads consent, turn off notifications).
- Lodge a complaint with a supervisory authority — in Poland this is the President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych — UODO, uodo.gov.pl).
To exercise any of these rights, email velapp.contact@gmail.com. We respond within 30 days.
8. How to delete your data
- In-app: Profile → Account → "Delete account". This erases your account, profile, runs, AI conversations, and notification tokens.
- By email: request to velapp.contact@gmail.com with the subject "Delete my account". We verify the request and erase within 30 days.
You can also delete specific items at any time:
- Disconnect Strava (Profile → Connected accounts) — we revoke our access at Strava (deauthorize) and delete the runs we imported from Strava.
- Delete individual runs from the activity history.
- Delete individual coaching notes ("Veli, zapomnij że…").
9. Children
The App is not directed at children under 16 years of age. If you are under 16, please do not register. If we learn that we have collected data from someone under 16 without verified parental consent, we delete it. In some jurisdictions the minimum age may be 13; the higher local age limit always applies.
10. Security
We protect your data with:
- TLS 1.2+ for every connection to our servers.
- Row-Level Security in Postgres so no user can read another user's data, even if our application code has a bug.
- Hashed passwords (bcrypt or equivalent) — we never store plain passwords and cannot recover them; you reset them through email if forgotten.
- Server-side secrets (Strava client secret, Anthropic API key, Supabase service role) stored only in Supabase Edge Function environment variables, never in the mobile binary.
- Logged access for our administrative actions.
No system is perfectly secure. If we discover a personal-data breach that is likely to result in risk to your rights, we notify you and the supervisory authority within 72 hours, as required by GDPR Art. 33-34.
11. Health-related data — special category
Some of the data we process (heart rate, training load, recovery notes) is health-adjacent. We do not consider it sensitive "category of personal data" under GDPR Art. 9 because it does not reveal a specific medical condition — but we treat it with the same care nonetheless. Veli explicitly refuses to diagnose injuries or recommend medication and always points users to a clinician for medical issues.
12. Cookies and similar technologies
The mobile App does not use HTTP cookies. We use local on-device storage (AsyncStorage on iOS/Android) to remember your language preference, your auth session, and your last-known location for weather. On the free tier, the App embeds the Google AdMob SDK, which may use an advertising identifier to serve ads, subject to your consent (Apple App Tracking Transparency on iOS and Google's UMP consent form in the EEA/UK). Pro (paid) subscribers see no ads and no advertising SDK identifier is used for them.
13. International transfers
Some sub-processors (Anthropic, Strava, Google AdMob, RevenueCat, Resend, Expo) are located outside the EEA. We rely on:
- The European Commission's Standard Contractual Clauses (SCCs), or
- The provider's adequacy decision where applicable, or
- Your explicit consent for any transfer not covered by the above.
You can request copies of the relevant SCCs by emailing us.
14. Changes to this policy
When we change this policy materially, we:
- Bump the "Last updated" date at the top.
- Show an in-app notice the first time you open the App after the change.
- For changes affecting legal basis or sub-processors, ask you to re-confirm consent.
Continuing to use the App after a material change means you accept the new policy. If you do not accept, delete your account.
15. Contact
For any privacy question, GDPR request, or breach report:
Email: velapp.contact@gmail.com NIP: 5080100981
If we do not resolve your concern, you can lodge a complaint with the President of UODO (Office for Personal Data Protection), ul. Stawki 2, 00-193 Warszawa, Poland — or the supervisory authority in your EU member state.