Privacy Policy

Last updated: 19 April 2026

This privacy policy explains how ARRC Health Ltd ("ARRC", "we", "us", "our") collects, uses, stores, and protects personal data when you use the ARRC service (the "Service"). ARRC Health Ltd is the data controller for personal data processed through the Service.

1. Who we are

ARRC Health Ltd is a company registered in the United Kingdom. ARRC is an AI-assisted fitness programming service that generates personalised training programmes and adapts them over time based on the information you provide and data imported from connected wearable devices. ARRC is not affiliated with, endorsed by, or sponsored by WHOOP, Inc., Garmin Ltd., or Ōura Health Oy. These companies provide data to ARRC only via their official APIs and only with your express authorisation. Privacy contact: privacy@arrc.health

2. Scope

This policy applies to personal data processed by ARRC through arrc.health, the ARRC web application, and any connected wearable integrations. It does not cover the privacy practices of WHOOP, Garmin, Ōura, or any other third-party service you use separately. When you connect a wearable, that provider's own privacy policy continues to govern their processing of your data on their systems.

3. Data we collect

3.1 Account data

  • Email address and hashed password

  • Name (if provided)

  • Authentication and session tokens

3.2 Profile and training context (you provide)

  • Goals, training history, available equipment, and schedule

  • Injury history and current physical limitations (special category health data)

  • Optional lifestyle context (age, sleep patterns, job type)

  • Voice and text inputs you submit during onboarding, check-ins, and logging

3.3 Workout data

  • Training programmes and sessions generated for you

  • Session logs (exercises, sets, reps, weights, notes) you submit

  • Pre-workout check-in inputs

3.4 Data from connected wearables (only if you connect one)

If you authorise ARRC to connect to your WHOOP, Garmin, or Ōura account via OAuth, we access only the data you approve on that provider's consent screen. You can revoke access at any time (see Section 11). Data retrieved through these integrations is transferred to and held by ARRC, not by the wearable provider; the wearable provider has no responsibility or liability for that data once it has been transferred to ARRC.

WHOOP: profile information (name, email), body measurements (height, weight, max heart rate), physiological cycles, recovery scores, sleep data, and workout data.

Garmin: activities and workouts, heart rate, daily activity summaries (steps, calories, intensity minutes), sleep data, stress and body battery, and body composition — in each case only to the extent permitted by the scopes you approve.

Ōura: personal information, daily activity, sleep stages and scores, readiness score, heart rate, heart rate variability, and workout data — in each case only to the extent permitted by the scopes you approve.

3.5 Technical and usage data

  • Device type, browser, IP address, and timestamps

  • Application logs and error traces

  • Feature usage events

WHOOP, Garmin, and Ōura may each collect usage data relating to ARRC's use of their APIs (for example, number of API calls and endpoints accessed). This collection is governed by each provider's own privacy policy.

4. Legal bases for processing (UK GDPR / GDPR)

  • Contract (Art. 6(1)(b)): processing necessary to provide the Service you signed up for — account management, programme generation, session logging, and wearable data sync.

  • Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)): processing of special category health data (injury history, wearable biometrics such as heart rate, recovery, and sleep) is performed only with your explicit consent. You may withdraw consent at any time.

  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention, and keeping the Service reliable — balanced against your rights and freedoms.

  • Legal obligation (Art. 6(1)(c)): retention or disclosure where required by law.

5. How we use your data

  • Generate and deliver personalised training programmes

  • Adapt programmes weekly based on your logs and wearable data

  • Modify individual sessions in response to your pre-workout check-ins

  • Show you progress over time

  • Communicate with you about the Service

  • Keep the Service secure and reliable

We do not sell your personal data. We do not use your data for advertising, marketing profiling, or to build any product unrelated to the Service you signed up for.

6. AI transparency

ARRC is an AI-assisted service. Your data is processed by large language models to generate and adapt your programmes. Specifically:

  • We send relevant portions of your profile, workout logs, check-ins, and wearable data to Anthropic's Claude API to generate programme recommendations, session modifications, and responses in the coach feed.

  • We send audio and/or transcripts to Deepgram for speech-to-text when you use voice input. Audio is not retained once transcribed; only the text transcript is stored.

  • We do not use your personal data to train AI models. Under Anthropic's and Deepgram's commercial API terms, content you submit via ARRC is not used by them to train their models.

If this changes, we will update this policy and notify you before the new processing takes effect.

7. Sub-processors and sharing

We do not sell, license, or exchange your personal data. We do not share your data with other ARRC users or make your data visible to anyone other than you without your explicit opt-in consent. We rely on the following sub-processors to operate the Service:

  • Supabase — database, authentication, and file storage. Your primary data is stored in the EU (Ireland, eu-west-1).

  • Anthropic (Claude API) — AI processing of programme inputs. Data is transmitted to the United States under Anthropic's commercial terms and is not used to train models.

  • Deepgram — speech-to-text transcription of voice inputs. Data is transmitted to the United States under Deepgram's commercial terms.

  • Vercel — application hosting and content delivery.

  • WHOOP, Inc., Garmin Ltd., and Ōura Health Oy — we retrieve your data from these providers only at your direction. Each may receive API-usage data (not your workout/wearable data) from ARRC's interactions with their servers, governed by their own privacy policies.

Each sub-processor is bound by a data processing agreement requiring them to protect your data to at least the standard of UK GDPR / GDPR. A current list of sub-processors is available on request.

8. International transfers

Your primary database is hosted in the EU (Ireland). Some sub-processors (Anthropic, Deepgram, Vercel) process data in the United States. Transfers outside the UK/EEA are made under appropriate safeguards, specifically the UK International Data Transfer Agreement (IDTA), the UK Addendum, or the EU Standard Contractual Clauses (SCCs), as applicable.

9. Storage and retention

We retain your data only as long as necessary to provide the Service, or as required by law.

  • Account and profile data: retained while your account is active; deleted within 30 days of account closure.

  • Workout logs and programmes: retained for the life of your account so that you can see your progression; deleted within 30 days of account closure.

  • Wearable data (WHOOP, Garmin, Ōura): retained only for as long as necessary to provide personalised programming and progression tracking, and in line with each provider's API terms — including Ōura's sixty-day cache limit on data that has not been refreshed.

  • Voice recordings: audio is not retained — only the text transcript is stored.

  • OAuth tokens: stored encrypted at rest; deleted within 24 hours of revocation.

  • Application logs and error traces: retained for up to 90 days.

10. Your rights

Under UK GDPR and GDPR you have the right to:

  • Access the personal data we hold about you

  • Correct inaccurate or incomplete data

  • Request deletion of your data ("right to be forgotten")

  • Restrict or object to processing

  • Receive your data in a portable, machine-readable format

  • Withdraw consent at any time (without affecting the lawfulness of processing carried out beforehand)

  • Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk, or with your local EU supervisory authority

To exercise any of these rights, email privacy@arrc.health. We respond within one month.

11. Revoking wearable access and deletion

You can disconnect any wearable integration at any time from the Profile screen in ARRC, or from the connected-apps / security settings in your WHOOP, Garmin, or Ōura account.

When you revoke a wearable integration:

  • ARRC immediately stops making API calls to that provider on your behalf.

  • Stored OAuth tokens for that provider are deleted within 24 hours.

  • All personal data retrieved from that provider is deleted from ARRC's systems within 30 days, unless you expressly ask us to retain it (for example, so your historical workout log remains intact). Upon revocation without such a request, deletion is complete and irreversible.

  • If you delete your ARRC account, all of your personal data — including all wearable data we hold — is deleted from our systems within 30 days, except for anonymised aggregates that can no longer be linked to you and any records we are legally required to retain.

12. Security

We implement appropriate technical and organisational measures in line with Article 32 of the UK GDPR / GDPR, including:

  • Encryption in transit (TLS/HTTPS) and at rest

  • OAuth 2.0 for all third-party connections — we never see your wearable account passwords

  • Role-based access controls and row-level security on user data

  • Regular dependency and vulnerability monitoring

  • Audit logging of administrative actions

  • Principle of least privilege for staff access

In the event of a personal data breach likely to result in a risk to users' rights and freedoms, we will notify the UK Information Commissioner's Office without undue delay and no later than 72 hours after becoming aware of the breach, and affected users without undue delay, as required by law. Where a wearable provider's developer agreement requires it, we will notify that provider within 24 hours of discovering a breach affecting data obtained from that provider.

13. Children

ARRC is not directed at children. We do not knowingly collect personal data from anyone under the age of 16 in the UK/EEA, or under 13 elsewhere. If you believe a child has provided us with personal data, contact us and we will delete it.

14. Changes to this policy

We may update this policy from time to time. Material changes will be notified to you by email and via the Service before they take effect. The "Last updated" date at the top of this page always reflects the latest revision.

15. Contact

For any questions about this policy or how we handle your data, contact:

ARRC Health Ltd

privacy@arrc.health