Privacy Policy

Effective date: June 2, 2026 · Last updated: June 2, 2026

1. Who we are

Body-OS is a wellness and lifestyle service that analyzes user-authorized data (including WHOOP data) to provide personalized guidance for recovery, sleep, training load, and daily routines.

Body-OS is not a medical device and does not provide medical services.

For privacy law purposes, Body-OS acts as the controller of account data and user-authorized imported data.

Privacy contact: privacy@body-os.fit.

2. Wellness, not medicine

Body-OS is designed for wellness and lifestyle use only.

Body-OS does not diagnose, treat, cure, or prevent disease and does not replace professional medical advice.

WHOOP data is used only for wellness purposes and not in a clinical context.

3. WHOOP consent, access, and revocation

When you choose Connect WHOOP, you complete WHOOP OAuth 2.0 authorization and explicitly consent to importing data within authorized scopes.

We request only the minimum scopes required for service features:

  • read:profile
  • read:body_measurement
  • read:sleep
  • read:recovery
  • read:cycle
  • read:workout
  • offline (to continue sync without repeated sign-in)

You can revoke WHOOP access at any time in Body-OS settings and/or WHOOP account settings. After revocation, new sync operations are stopped.

Body-OS is not affiliated with or endorsed by WHOOP, Inc. WHOOP is a trademark of WHOOP, Inc.

4. Data we collect

A. Account data:

  • email
  • password hash
  • language
  • timezone
  • internal identifiers

B. Wellness and usage data:

  • authorized WHOOP data
  • onboarding goals and user settings
  • progress in missions, contracts, and protocols
  • feature usage events

C. Technical and security data:

  • device/app metadata
  • session and security logs
  • diagnostics and stability data

D. AI interaction data:

  • messages sent to AI features
  • metadata needed to generate and secure responses

5. How we use data

We use data only to provide, maintain, and secure the service:

  • account operations, authentication, and abuse prevention
  • sync and analysis of authorized WHOOP data
  • personalized wellness insights and AI guidance
  • subscription and access lifecycle
  • customer support
  • quality, anti-fraud, and reliability

We do not sell personal data.

We do not use health/wellness data for targeted advertising.

6. GDPR and UK GDPR legal bases

Depending on purpose, processing is based on:

  • contract performance
  • consent
  • legitimate interests
  • legal obligations

Where health-related processing applies, we rely on explicit consent and additional safeguards.

7. AI processing and automated decision-making

Body-OS uses AI to generate wellness insights and text guidance.

AI output is informational and not medical advice.

Body-OS does not rely on solely automated decisions that produce legal or similarly significant effects.

AI providers are governed by contractual and technical safeguards. Service configuration is intended to prevent public model training on user data where supported by provider terms.

8. Third parties and subprocessors

We use a limited set of providers strictly for service operations:

  • WHOOP (OAuth and API data source)
  • cloud infrastructure and hosting
  • AI infrastructure
  • transactional email providers
  • payment and subscription providers
  • privacy-safe attribution/analytics providers

We do not share personal data with data brokers for sale.

9. International data transfers

Data may be processed outside your country of residence.

Where required, we use recognized transfer mechanisms such as SCCs and equivalent EU/UK safeguards (including UK Addendum/IDTA where applicable).

10. Retention, deletion, and backups

We retain data only as long as needed for stated purposes.

  • account data: while account is active
  • security logs: typically up to 90 days
  • support/investigation records: operational and legal necessity
  • backups: removed on rolling retention cycles

After an account deletion request, primary systems are generally cleared within 30 days; backup copies are removed on normal backup rotation schedules.

11. Data export and account deletion

You may request:

  • machine-readable data export
  • full account deletion
  • WHOOP disconnection and sync stop

Requests: privacy@body-os.fit.

12. Data subject rights

Depending on jurisdiction, you may have rights of access, correction, deletion, restriction, objection, portability, and consent withdrawal.

To exercise rights, contact privacy@body-os.fit. Identity verification may be required.

13. Cookies, SDKs, and similar technologies

We use cookies/SDKs/local storage for authentication, security, preferences, subscriptions, and limited analytics/attribution.

We do not send health/wellness data to ad networks for ad personalization.

14. Security measures

We apply reasonable technical and organizational safeguards including encryption in transit, access controls, logging, and incident monitoring.

No security system is perfect, but we continuously improve protection measures.

15. Children's privacy

Body-OS is not intended for children. If you believe a child has provided personal data, contact us at privacy@body-os.fit.

16. California privacy rights

California residents may have additional rights (including rights to know, delete, and correct data, and non-discrimination when exercising privacy rights).

Body-OS does not sell personal data.

17. Apple App Store and Google Play disclosures

We maintain disclosures required by Apple App Privacy and Google Play Data Safety and update them when SDKs or features change.

18. Policy updates and contact

We may update this policy from time to time. The current version is always posted on this page.

For privacy requests, account deletion, data export, and WHOOP consent revocation: privacy@body-os.fit.

Body-OS · body-os.fit · All rights reserved