Last updated: April 26, 2026

Privacy Policy

maett.com handles health-grade fitness data, and we treat that as a privileged responsibility. This policy explains what we collect, why, how we protect it, and the rights you have over it.

1. Who is responsible for your data

maett.com (“maett”, “we”) is the controller for the personal data we process about you in connection with the Service. You can reach us at andreas.enemyr@gmail.com.

2. What we collect

Account information

  • Your email address and any authentication identifiers needed to sign you in.
  • Account settings, plan, and preferences you configure in the app.
  • API keys you create, stored only as a secure hash so we cannot read them after creation.

Connected provider data

When you connect a provider such as Garmin, Oura, or Strava, we receive and store the data that provider exposes, which may include:

  • activities and workouts, including GPS routes and timestamps;
  • heart rate, heart rate variability, and other biometric signals;
  • sleep stages and sleep summaries;
  • daily metrics such as steps, calories, and readiness scores;
  • OAuth tokens needed to keep the connection active.

This data is considered sensitive (and, in some jurisdictions, health-related personal data). We treat it accordingly.

Operational data

  • Server logs and request metadata needed to run and secure the Service.
  • Sync logs that record when a provider was synced and whether it succeeded.
  • Limited diagnostics from errors. We do not bundle your account identifier and your pseudonymized data identifier together in logs or error reports.

3. How we use your data

  • Provide the Service: sync data from connected providers, render it back to you in the app, and fulfill requests you make through our API or integrations.
  • Operate and secure the Service: rate-limit abuse, debug failures, prevent fraud, and keep the system available.
  • Communicate with you: send transactional messages such as login links, security notices, billing receipts, and announcements that materially affect your account.
  • Comply with the law: respond to legitimate legal requests and enforce our Terms.

We do not sell your personal data. We do not use the contents of your fitness data to train third-party AI models.

4. Legal bases (EEA / UK)

If you are in the EEA or UK, we rely on the following legal bases under GDPR / UK GDPR:

  • Contract: to provide the Service you signed up for.
  • Explicit consent: for processing health-related data from connected providers. You can withdraw consent at any time by disconnecting the provider or deleting your account.
  • Legitimate interests: to keep the Service secure and reliable, where those interests are not overridden by your rights.
  • Legal obligation: where we are required by law to retain or disclose data.

5. How we protect your data

We’ve designed the system so that obtaining a copy of our database alone is not enough to link a person to their fitness data. In particular:

  • Pseudonymization. Fitness data is keyed on a pseudonymous subject identifier derived from your account ID using a keyed hash. The key (a server-side pepper) is never stored in the database. Without it, the rows cannot be tied back to a user account.
  • Envelope encryption of sensitive payloads. Provider tokens, raw fitness payloads, sync error messages, and similar sensitive fields are encrypted with a per-account data-encryption key that is itself wrapped by a separate key-encryption key. Both keys live outside the database.
  • Encryption in transit. All traffic between you, our servers, and connected providers uses TLS.
  • Least-privilege access. Internal access to production data is limited to what is necessary to operate the Service, and sync paths run without access to your account email or identifiers.
  • Hashed API keys. Personal API keys are stored as irreversible hashes; the original value is shown to you only once.
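
The sketch below illustrates the pseudonymization and hashed API key measures listed above. It is an example added for illustration, not maett's production code; HMAC-SHA256, SHA-256, the "subject-id:" label, and all function and sample account names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: in production the pepper comes from a secret store, never the database.
PEPPER = secrets.token_bytes(32)  # constructed stand-in for this example

def subject_id(account_id: str, pepper: bytes) -> str:
    """Pseudonymous key for fitness rows: HMAC-SHA256 over a labelled account ID."""
    msg = b"subject-id:" + account_id.encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()

def unkeyed_id(account_id: str) -> str:
    """Weak contrast case: a plain hash that anyone can recompute."""
    return hashlib.sha256(account_id.encode()).hexdigest()

def link_from_dump(account_ids, fitness_keys, derive):
    """Join attempt by someone holding only a database copy."""
    return {a for a in account_ids if derive(a) in fitness_keys}

def issue_api_key():
    """Return (plaintext shown once, hash to store). SHA-256 is an assumption;
    it is adequate here only because the key is 256 bits of randomness."""
    plaintext = secrets.token_urlsafe(32)
    return plaintext, hashlib.sha256(plaintext.encode()).hexdigest()

def verify_api_key(presented: str, stored_hash: str) -> bool:
    """Hash the presented key and compare in constant time."""
    candidate = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_hash)

def demo():
    accounts = ["acct-1001", "acct-1002", "acct-1003"]  # constructed sample IDs
    keyed_rows = {subject_id(a, PEPPER) for a in accounts}
    weak_rows = {unkeyed_id(a) for a in accounts}
    wrong_pepper = bytes(32)  # the dump holder does not have the real pepper
    return (
        len(link_from_dump(accounts, weak_rows, unkeyed_id)),         # all linked
        len(link_from_dump(accounts, keyed_rows,
                           lambda a: subject_id(a, wrong_pepper))),   # none linked
        len(link_from_dump(accounts, keyed_rows,
                           lambda a: subject_id(a, PEPPER))),         # server can link
    )

if __name__ == "__main__":
    print(demo())
```

With an unkeyed hash, a database copy is enough to rejoin accounts to fitness rows; with the keyed hash, the join succeeds only for a party that also holds the pepper.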

No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you and the relevant authorities as required by law.

6. Sub-processors and third parties

We rely on a small set of trusted vendors to run the Service. These include:

  • cloud hosting and managed Postgres for the application database;
  • Trigger.dev for orchestrating background sync jobs (jobs are tagged only with pseudonymous subject identifiers, never your account ID);
  • email delivery for transactional messages;
  • providers you choose to connect, such as Garmin, Oura, and Strava.

These sub-processors receive only the data they need and are bound by contractual obligations to handle it appropriately. Some of them may process data outside your country of residence; where required, we rely on appropriate transfer mechanisms such as the EU Standard Contractual Clauses.

7. Retention

We keep your account data for as long as your account is active. Synced fitness data is kept for as long as the connection is active so the app and your integrations can continue to query historical data.

When you disconnect a provider, we stop syncing new data and remove the stored payloads from that provider within 30 days. When you delete your account, we delete or irreversibly anonymize your personal data within 30 days, except where we are legally required to retain it (for example, certain billing and tax records).

8. Your rights

Depending on where you live, you may have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • delete your data (“right to be forgotten”);
  • export a copy of your data in a portable format;
  • object to or restrict certain processing, and withdraw consent for processing based on consent;
  • lodge a complaint with your local data protection authority. In Sweden, that is Integritetsskyddsmyndigheten (IMY).

You can exercise most of these rights from inside the app by disconnecting providers, downloading your data, or deleting your account. For anything you can’t self-serve, email andreas.enemyr@gmail.com.

9. Children

The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

10. Cookies and similar technologies

We use a small number of strictly necessary cookies to keep you signed in and to protect the Service from abuse. We do not use third-party advertising cookies or cross-site tracking.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or in-app notice.

12. Contact

For privacy questions or to exercise your rights, email andreas.enemyr@gmail.com.