Nordik Lab

Privacy Policy

Last updated: May 30, 2026 · Effective: May 30, 2026

This policy explains what data Nordik Lab collects, why, how it is used, and what rights you have. Nordik Lab is a training platform for endurance athletes and coaches. We connect to your fitness and health services so we can show your training, recovery, and readiness data in one place. Some of that data is health data — we treat it with care and are transparent about how it is handled.

If you have questions or requests about your data, contact us at nordiklabs@gmail.com.

1. Who we are

Nordik Lab is the data controller for personal data processed through this platform. For GDPR purposes, the controller is reachable at nordiklabs@gmail.com. If you are in the EU or UK and want to contact us about a GDPR rights request, use this same address.

2. Data we collect

Account data

When you create an account we collect your name, email address, and role (athlete or coach). You may optionally add a profile picture and other profile details.

Training and activity data

When you connect a device or service, Nordik Lab receives the data scopes you authorize. This includes workout records, GPS tracks, pace, power, cadence, speed, elevation, duration, distance, sport type, and associated metadata from any connected provider.

Health and biometric data

Some data we receive is health or biometric data under GDPR (special category data under Article 9). This includes: heart rate data from any source used as a physiological indicator; HRV (heart rate variability); resting heart rate; sleep performance, sleep duration, and sleep stage data; recovery scores and readiness metrics (WHOOP, Garmin, Polar Nightly Recharge, Suunto); body battery (Garmin); breathing rate, tidal volume, and ventilation (Tymewear); and internal training load scores derived from physiological measurements. We process this data only where you have explicitly connected the relevant provider and only for the purposes described in this policy.

Coach–athlete relationship data

If you connect with a coach or athlete inside Nordik Lab, we record that relationship and the permissions associated with it.

Nordik Intelligence data

When you use Nordik Intelligence, we store your conversation messages, generated artifacts (workouts, training blocks, charts), remembered athlete preferences, and any context files you upload to the assistant. See Section 7 for how AI processing works.

Usage data

We collect basic usage information such as pages visited and features used to operate and improve the service. We do not use advertising trackers or sell usage data.

Uploaded files

If you upload .fit files (from COROS, Garmin, Suunto, Wahoo, Hammerhead, Tymewear, SkiSens, or any ANT+/BLE-compatible device), Nordik Lab processes the file to extract workout data and stores the parsed records in your athlete record.

3. Legal bases for processing (GDPR)

If you are in the EU or UK, we process your data under the following legal bases:

Performance of contract (Art. 6(1)(b))

Account information, training and activity data, coach–athlete relationships, and usage data necessary to deliver the platform and its core features.

Explicit consent (Art. 6(1)(a) and Art. 9(2)(a))

Health and biometric data is special category data under Article 9. We process it only where you have taken a deliberate action to connect a health data provider (WHOOP, Polar, Garmin, Suunto) or upload health-relevant files. By connecting a provider or uploading such data, you give explicit consent. You can withdraw consent at any time by disconnecting the provider or requesting data deletion.

Legitimate interests (Art. 6(1)(f))

Security monitoring, fraud prevention, and service improvement analytics, where our interests do not override your rights.

4. How we use your data

  • Display your training load, recovery, readiness, and performance metrics in your athlete and coach dashboards
  • Support coach–athlete planning, session review, workout scheduling, and performance analysis
  • Compute training load scores, fitness trends, stress balance, session execution quality, and sport-specific analytics
  • Match and deduplicate workouts from multiple sources into a unified training record
  • Generate Nordik Intelligence responses, insights, and artifacts using your training data and preferences as context
  • Deliver planned workouts to connected devices (Garmin, Wahoo, Hammerhead) where enabled
  • Maintain integration sync state and troubleshoot failures
  • Operate, secure, and improve the Nordik Lab platform

5. Sharing and disclosure

Coaches

Athletes control who can see their data. A coach can only view an athlete's training and readiness data after the athlete has accepted a coaching relationship inside Nordik Lab. Athletes can end that relationship at any time, which immediately revokes the coach's access.

Service providers

We use a small number of infrastructure providers who process data only as strictly necessary to operate the service. These include our hosting provider (Vercel) and Google (for the Gemini AI models that power Nordik Intelligence). Service providers are contractually bound to protect your data and may not use it for their own purposes.

Strava

When you use the Strava integration, personal data is disclosed to Strava pursuant to the Strava API Agreement. Strava may monitor and collect usage data related to your use of the Strava API. If you revoke Nordik Lab's access to your Strava account, we will delete your Strava-sourced data from our systems upon request.

No sale of data

Nordik Lab does not sell your personal data, training data, health data, or usage data to advertisers, data brokers, or any third party. This includes data received from Strava, WHOOP, Polar, Garmin, Suunto, Concept2, Wahoo, Hammerhead, Tymewear, and SkiSens.

Legal requirements

We may disclose data if required by law, court order, or to protect the rights, property, or safety of Nordik Lab, our users, or the public.

6. Third-party integrations

Each integration is governed by that provider's own privacy policy. Nordik Lab only receives the scopes you authorize. Below is what we receive from each.

Strava (OAuth)

Workout summaries, GPS tracks, pace, heart rate, power, elevation, activity metadata

WHOOP (OAuth)

Recovery score, HRV, resting heart rate, sleep performance, sleep duration, respiratory rate, day strain, and workout records

Polar (OAuth)

Training sessions, heart rate, speed, cadence, Nightly Recharge sleep and recovery scores

Garmin (OAuth via Garmin Health API)

Activities, GPS, heart rate, HRV, sleep stages, body battery, stress score, and device records

Suunto (OAuth)

Workout records, GPS, heart rate, sleep, and recovery data from Suunto Cloud

Concept2 (OAuth)

SkiErg workout records, power, heart rate, cadence, and speed from the Concept2 Logbook

Wahoo (OAuth)

Planned bike workouts pushed to ELEMNT devices, completed ride records

Hammerhead (OAuth)

Planned workouts pushed to Karoo devices, completed ride records when sync is enabled

Tymewear (.fit file upload)

Breathing rate, tidal volume, ventilation, and internal load streams from Tymewear garments

SkiSens (.fit file upload)

Nordic ski power, cadence, and technique streams

COROS / other devices (.fit file upload)

Workout data from any ANT+ or BLE-compatible device that exports standard .fit files

7. AI and automated processing

Nordik Intelligence is powered by Google Gemini (currently gemini-2.5-flash). When you send a message or request an artifact, Nordik Lab constructs a prompt that may include: your question, recent training summaries, your saved preferences, and uploaded context files. This prompt is sent to Google's Gemini API for processing.

Strava data and AI: Per Strava's API Agreement, activity data obtained via the Strava API is not used to train or fine-tune AI models. Nordik Lab does not train AI models on your Strava data.

No AI model training on your data: Nordik Lab does not train or fine-tune any AI model using your personal data, health data, or training records.

Google's data practices: Data sent to the Gemini API is subject to Google's API Terms of Service and privacy policies. We use the Gemini API under Google's standard commercial terms, which include data protection commitments. Gemini API data is not used by Google to train their general models without your separate consent to Google.

Nordik Intelligence generates editable drafts, analysis, and suggestions. Its output is not a substitute for professional coaching, medical advice, or clinical judgment. You remain responsible for all training and health decisions.

8. Data retention

Nordik Lab retains your data for as long as needed to operate your account, support coaching workflows, and comply with legal obligations. When you delete your account, we delete or anonymize your personal data within 30 days, except where we are required to retain records by law.

When you disconnect a provider, Nordik Lab stops pulling new data from that provider. Previously synced records remain in your athlete record unless you request full deletion of those records.

If you revoke Nordik Lab's OAuth access to Strava, we will delete Strava-sourced data from our systems upon your written request to nordiklabs@gmail.com.

9. International data transfers

Nordik Lab uses infrastructure primarily based in the United States (Vercel hosting, Google Gemini API). If you are in the EU or UK, your data may be transferred to and processed in the United States. Where required by GDPR, such transfers rely on the EU Standard Contractual Clauses (SCCs) or other approved transfer mechanisms incorporated in our agreements with service providers. By using Nordik Lab, EU and UK users acknowledge this transfer.

10. Cookies

Nordik Lab uses session cookies strictly to authenticate you and maintain your login state. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. See our Cookie Policy for details.

11. Your rights

GDPR rights (EU and UK)

If you are in the EU or UK, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate personal data
  • Erasure — request deletion of your personal data where it is no longer necessary, or where you withdraw consent
  • Restriction — request that we limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — withdraw consent for health data processing at any time by disconnecting the relevant provider

To exercise any of these rights, contact nordiklabs@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

CCPA rights (California)

If you are a California resident, you have the right to:

  • Know what categories of personal information we collect and how they are used
  • Delete your personal information
  • Opt out of the sale or sharing of your personal information — Nordik Lab does not sell or share your personal information for cross-context behavioral advertising
  • Non-discrimination for exercising your privacy rights

To make a California privacy request, contact nordiklabs@gmail.com.

Disconnecting integrations

You can disconnect any integration at any time from Settings → Integrations. Nordik Lab will immediately stop pulling new data from that provider. You can also revoke OAuth access directly from each provider's account settings (Strava, WHOOP, Polar, Garmin, Suunto, Concept2, Wahoo, Hammerhead) to prevent any further data sharing at the source.

12. Children

Nordik Lab is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it.

13. Security

Nordik Lab uses HTTPS/TLS for all data in transit. OAuth tokens and credentials are stored encrypted and are never exposed in client-side code or API responses. Access controls ensure that each user can only access their own data, and coaches can only access data for athletes who have explicitly connected with them.

No security system is perfect. If you discover a security issue, please report it to nordiklabs@gmail.com.

14. Changes to this policy

We may update this policy from time to time. The date at the top of this page reflects when the policy was last revised. For material changes, we will notify you through the platform or by email before the change takes effect.

15. Contact

For privacy questions, data requests, account deletion, or GDPR rights requests, contact us at nordiklabs@gmail.com. We aim to respond within 30 days.

If you are reviewing this application as part of an integration partner review (Strava API review, WHOOP partner review, Garmin Health API review, etc.), this page reflects the data practices for all supported integrations.