← Back to home

Privacy Policy

Effective date:

Users of beta versions accept that this is a draft policy under legal review.

1. Who We Are

Zorv Technologies LLC (“Zorv,” “we,” “our,” or “us”) respects the privacy of your information. This Privacy Policy explains how we collect, use, store, and protect information when you use the Zorv platform, including our websites, mobile applications, and any related services (collectively, the “Services”).

From time to time, we may update this Privacy Policy. If we make material changes, we will notify you by posting a revised version with a new effective date on our website or by sending you a notification through the Services. We encourage you to review this policy periodically.

2. What Data We Collect

Account data

  • Name and email address
  • Profile information you choose to provide (e.g., age, weight, height, sport preferences)
  • Authentication credentials (passwords are stored in hashed form)

Athletic and health data

When you connect supported devices, applications, or services through our platform, we may receive athletic and health-related data, including but not limited to:

  • Heart rate and heart rate variability (HRV) and other cardiovascular metrics
  • Sleep data (duration, stages, quality scores)
  • Recovery and readiness scores
  • GPS routes and activity location data
  • Power, cadence, pace and other workout performance metrics
  • Biometric data from continuous monitoring devices (e.g., glucose levels), where you choose to connect them

The specific data we receive depends on which third-party services and devices you choose to connect and the permissions you grant. A current list of supported integrations is maintained at zorv.ai/integrations.

Device identifiers

We receive device identifiers from connected wearables and applications as necessary to associate data with your account and to support synchronization.

App usage data

We collect anonymized usage data to improve our Services. We use Sentry for error reporting. We do not use advertising SDKs and do not track you for advertising purposes.

Map and location services

We use Mapbox GL JS to display activity routes and maps within the app. Map tiles and requests are used for visualization only; we do not use Mapbox for persistent location tracking. See Mapbox's Privacy Policy for their practices.

Payment data

Payments are processed by Stripe. We do not store your full card number or card verification details. We retain only billing-related identifiers (e.g., Stripe customer ID) as needed to provide the Services.

3. How We Collect It

  • Directly from you — When you create an account, update your profile, or input information.
  • Via authorized connections to third-party services — When you authorize a connection (e.g., via OAuth) to a third-party device, application, or platform, we receive data in accordance with that provider's API terms and the permissions you grant.
  • Via background sync — When you enable background sync, our applications may periodically retrieve data from linked services to provide up-to-date coaching and metrics.
  • Automatically via tracking technologies — Through cookies and server-side analytics as described in Section 8.

4. How We Use Your Data

We use your data to:

  • Provide personalized coaching recommendations based on your activity, recovery, and goals.
  • Calculate training load metrics and display performance insights in your dashboard.
  • Generate your daily briefings, trend analyses, and other in-app insights.
  • Improve, develop, and personalize the Services.
  • Communicate with you about your account, the Services, and support requests.
  • Comply with applicable legal obligations and protect our legal rights.

We do not sell your personal or health data to third parties. We do not share your health or fitness data with advertising networks or for advertising purposes.

We may use anonymized, aggregated data (e.g., population trends and benchmarks) for product improvement, research, and service development. Such data cannot be used to identify you.

5. How We Share Your Data

We may share your data in the following circumstances:

  • Service Providers — We share data with third-party service providers who perform services on our behalf, such as cloud hosting, payment processing, error monitoring, analytics, and map display. These providers are contractually obligated to use your data only for the purposes we specify.
  • Third-Party Integration Partners — When you connect a third-party device, application, or platform, data may be exchanged between Zorv and that partner in accordance with the permissions you grant and that partner's terms of service. We do not share data with integration partners unless you have actively connected that service.
  • Your Coach or Team — If you are connected to a coach or team within Zorv, your athletic data may be visible to authorized coaches and team administrators as part of the coaching relationship.
  • Legal Obligations — We may disclose data when required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Zorv, our users, or the public.
  • Corporate Transactions — In connection with a merger, acquisition, financing, or sale of assets, your data may be transferred as part of that transaction.

6. Third-Party Integration Partners

Zorv is designed to integrate with a variety of third-party devices, applications, and platforms. When you connect a third-party service to your Zorv account:

  • Data obtained from that service is used only to provide and improve the Zorv coaching experience for you.
  • We practice data minimization — we collect only the data necessary for the features you use.
  • We do not sell, license, or share integration partner data with unrelated third parties for their own marketing or commercial purposes.
  • We comply with the applicable API terms, developer agreements, and data protection requirements of each integration partner.
  • You may disconnect any integration and revoke Zorv's access at any time via your account settings or through the partner's own authorization management.
  • Upon disconnection or account deletion, we delete data received from that integration in accordance with our data retention schedule (see Section 9).

Where specific integration partners impose additional privacy requirements (e.g., restrictions on using health data for advertising or profiling), we comply with those requirements. For a current list of supported integrations and any partner-specific data handling notes, visit zorv.ai/integrations.

7. AI and Automated Processing

Zorv uses artificial intelligence and machine learning to provide personalized coaching, training recommendations, and performance insights. Specifically:

  • AI models analyze your athletic and health data to generate coaching recommendations, training load calculations, and recovery guidance.
  • No legally or similarly significant decisions are made solely by automated processing without human oversight.
  • You may request information about the logic involved in automated processing by contacting privacy@zorv.ai.
  • AI-generated recommendations are informational and are not a substitute for professional medical or coaching advice.

8. Cookies and Tracking Technologies

  • Session cookies — We use a session cookie required for authentication. This is essential for the Services to function.
  • Server-side analytics — We use Axiom for server-side operational analytics. We do not use browser-side analytics SDKs.
  • We do not use Facebook Pixel, Google Analytics, or other advertising or tracking cookies.

Opt-out preference signals

We recognize the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we will treat it as a valid opt-out request under applicable privacy laws. We do not currently respond to Do Not Track browser signals as there is no uniform industry standard for this.

9. Data Retention

  • Active account — We retain your data while your account is active and as needed to provide the Services.
  • Deleted account — After you request account deletion, we apply a 30-day grace period during which you may recover your account. After that, we permanently delete your data within 60 days of the deletion request.
  • Backups — Backups that may contain your data are removed within 90 days of account deletion.

10. Data Storage & Security

  • Cloud infrastructure — We use Amazon Web Services (AWS) for our infrastructure, hosted in the United States (us-east-2).
  • Encryption in transit — All traffic is encrypted using TLS 1.3.
  • Encryption at rest — Data stored in our databases is encrypted at rest using AES-256.
  • OAuth tokens — Stored encrypted in AWS Secrets Manager; we do not log OAuth tokens.
  • Access controls — We implement role-based access controls and the principle of least privilege for internal access to user data.

We take commercially reasonable measures to protect your data. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. International Data Transfers

Our Services operate from infrastructure located in the United States. If you access the Services from outside the United States, your data will be transferred to and processed in the United States, which may have data protection laws different from those of your jurisdiction.

For transfers of personal data from the European Economic Area (EEA), Switzerland, or the United Kingdom, we use appropriate safeguards, including, where applicable, Standard Contractual Clauses approved by the European Commission. To request a copy of these safeguards, contact us at privacy@zorv.ai.

12. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Right to access — Request a copy of the personal data we hold about you. Contact us at privacy@zorv.ai or use the in-app account settings to request a data export.
  • Right to erasure — Request deletion of your account and associated personal data. Account deletion can be initiated via settings or by contacting privacy@zorv.ai.
  • Right to data portability — Receive your data in a portable format (e.g., JSON export). Contact us at privacy@zorv.ai to request an export.
  • Right to rectification — Update or correct your personal data in your account settings.
  • Right to restrict processing — Request that we restrict how we process your data in certain circumstances.
  • Right to object — Object to our processing of your data, including for marketing purposes.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@zorv.ai or use the relevant options in your account settings.

Legal basis for processing (EEA/UK)

Where applicable under the GDPR, our legal bases for processing your personal data include:

  • Performance of a contract — to provide the Services to you.
  • Legitimate interests — to improve and secure the Services, provided these do not override your rights.
  • Consent — where you explicitly opt in, e.g., connecting a third-party integration.
  • Legal obligation — where required by applicable law.

California residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of any “sale” or “sharing” of your personal information as defined under the CCPA. We do not sell your personal information. To exercise your rights, visit our Do Not Sell My Data page or contact us at privacy@zorv.ai.

Other US state privacy rights

Residents of states with applicable privacy laws (including Colorado, Connecticut, Virginia, and others) may have similar rights to access, correct, delete, and opt out of certain processing of their personal data. To exercise these rights, contact us at privacy@zorv.ai.

13. Children's Privacy

The Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16 without parental or guardian consent. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that information promptly. If you believe we have collected data from a child, please contact us at privacy@zorv.ai.

15. Third-Party Services

We use the following third-party services to operate Zorv. Each processes data as described below:

  • Sentry — Error reporting and performance monitoring. We send anonymized error logs and stack traces to help us fix bugs. Sentry Privacy Policy
  • Stripe — Payment processing. Stripe handles card transactions; we do not store full card numbers. Stripe Privacy Policy
  • Axiom — Server-side analytics. We use Axiom for operational metrics and logs; no browser-side tracking. Axiom Privacy Policy
  • Mapbox — Map display for activity routes and course visualization. Map tiles and requests; no persistent location tracking. Mapbox Privacy Policy
  • Supabase — Authentication and database infrastructure. User accounts and app data are stored in Supabase, hosted on AWS in East US (Ohio), us-east-2. Supabase Privacy Policy

16. Contact & Privacy Inquiries

  • Data Controller — Zorv Technologies LLC
  • Privacy contactprivacy@zorv.ai
  • EU/UK Representative (if applicable): To be designated

For any request related to your personal data or this policy, please contact us at privacy@zorv.ai.