Your privacy matters to us. This policy explains how healthycod.in ("we", "us", "our") collects, uses, and protects your data when you use Zwoop. We are committed to GDPR compliance and transparent data practices.
1 Data Controller
The data controller responsible for your personal data is:
healthycod.in
Daniel Hartmann
Ettenfeldstrasse 2
8052 Zürich, Switzerland
2 Data We Collect
We collect data from the following sources:
| Source | Data Types |
|---|---|
| Account | Email address, password (hashed), account creation date, terms acceptance timestamp |
| Profile | FTP (Functional Threshold Power), max heart rate, weight |
| Whoop | Recovery score, HRV, resting heart rate, daily strain, workout data |
| Strava | Activities, power data, athlete ID, activity streams for power curve analysis |
| Generated | Workouts, workout-activity matches, compliance analysis, power curves |
3 How We Use Your Data
We use your data for the following purposes:
- Workout Generation: Creating personalized workouts based on your recovery score and training history
- Power Analysis: Calculating your power curve from Strava activities to optimize workout intensity
- Training Load: Analyzing CTL (Chronic Training Load), ATL (Acute Training Load), and TSB (Training Stress Balance)
- Compliance Tracking: Matching generated workouts to completed Strava activities
- Service Improvement: Understanding usage patterns to improve the service (aggregated, anonymized data only)
We do not: sell your data, share it with advertisers, use it for targeted advertising, or share it with third parties except as required to provide the service.
4 Public Workout Sharing
When you choose to share a workout publicly:
- We create a unique, unguessable link for that workout
- Only workout structure is shared: segments, power targets (% of FTP), and description
- Power targets are shown as percentages - anyone can use the workout at their own FTP
- Coaching messages and text events are removed to protect privacy
- Excluded from shares: Recovery scores, strain targets, Strava/Whoop links, AI decision metadata, and any personal identifiers
- Shared workouts are anonymous - not linked to your profile
- You can revoke sharing at any time to remove public access
- We track view counts for your information
- Shares are permanent until you revoke them
5 Data Storage & Security
We implement industry-standard security measures:
- Encryption: All data transmitted via HTTPS; OAuth tokens encrypted at rest
- Password Security: Passwords are hashed using secure algorithms; we never store plaintext passwords
- Database: Data stored in MongoDB with appropriate access controls
- Infrastructure: Hosted with security-compliant cloud providers
Data is processed and stored in compliance with Swiss data protection standards, which provide strong privacy protections equivalent to GDPR requirements.
6 Third-Party Integrations
Zwoop integrates with the following third-party services via OAuth:
- Whoop: We access recovery, strain, and workout data with your explicit authorization. See Whoop's Privacy Policy.
- Strava: We access activity and power data with your explicit authorization. See Strava's Privacy Policy.
We only request the minimum scopes necessary to provide our service. You can revoke access at any time through your Profile settings in Zwoop, or directly through Whoop/Strava's connected apps settings.
7 Your Rights (GDPR)
Under GDPR and Swiss data protection law, you have the following rights:
- Right to Access: Download all your data via Profile → Account Management → Download My Data
- Right to Rectification: Update your profile information at any time via your Profile settings
- Right to Erasure: Delete your account and all associated data via Profile → Account Management → Delete Account
- Right to Data Portability: Export your data in JSON format using the download feature
- Right to Withdraw Consent: Disconnect Whoop or Strava integrations at any time via your Profile
8 Data Retention
- Active accounts: Data retained while your account is active
- Deleted accounts: All data permanently removed immediately upon account deletion
- Strava data: Removed within 48 hours if deleted from Strava (per API requirements)
- Cached data: Power curves cached for 24 hours; activity lists cached for 10 minutes
9 Cookies
Zwoop uses minimal cookies strictly necessary for the service:
| Cookie | Purpose | Duration |
|---|---|---|
| auth | Access token (JWT) to keep you logged in | 60 minutes |
| refresh | Refresh token for seamless session renewal | 7 days |
| oauth_state | CSRF protection during OAuth flow | 10 minutes |
We do not use: tracking cookies, analytics cookies, advertising cookies, or any third-party cookies.
10 International Data Transfers
Your data is processed in Switzerland, which is recognized by the EU as providing an adequate level of data protection. When interacting with Whoop or Strava APIs, data may be transferred to servers in the United States according to their respective privacy policies.
11 Children's Privacy
Zwoop is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
12 Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the service or via email. The "Last updated" date at the top indicates when changes were last made.
13 Contact & Complaints
For privacy-related inquiries or to exercise your data rights, contact us at:
If you are in the EU/EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.