Privacy Policy
This Privacy Policy explains how Matthew Carter, a sole trader trading as HyCo (“HyCo”, “we”, “us”) collects, uses, shares and protects your personal data when you use our website, our mobile application and related services (together, the “Service”). We are committed to protecting your privacy and handling your data transparently and lawfully under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are (data controller)
The data controller responsible for your personal data is:
- Sole trader: Matthew Carter, trading as HyCo (a sole trader; not a registered company)
- Contact for privacy matters: carterm20@icloud.com
2. The data we collect
| Category | Examples |
|---|---|
| Account & identity | Name, email address, password (stored hashed), account settings, units preference. |
| Profile & training inputs | Age/date of birth, sex, height, body weight, body-fat %, one-rep maxes, weekly volume, goal race and date, methodology, availability. |
| Health & fitness data (special category) | Logged runs and lifts, heart rate and HR variability (HRV), resting heart rate, sleep, VO₂max, recovery and fatigue inputs, and similar metrics — entered by you or synced from connected services/wearables. |
| Payment data | Subscription status and history. Card/payment details are processed by the relevant app store or payment processor — we do not store full card numbers. |
| Technical & usage | Device type and OS, app version, IP address, crash logs, diagnostics, and how you interact with features. |
| Communications | Waitlist sign-ups, support messages and your contact preferences. |
Some health and fitness data is “special category” data under UK GDPR and receives extra protection (see section 4).
3. How we collect it
- Directly from you — when you create an account, complete setup, log workouts, or contact us.
- From connected services you authorise — e.g. Apple Health, a wearable provider (such as Garmin) or a data aggregator, only after you grant permission, and only the data types needed to run the Service.
- Automatically — limited technical and usage data when you use the app or site.
4. Why we use it, and our lawful bases
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Create and manage your account; provide the core Service (plans, paces, recovery, nutrition, race tools). | Performance of a contract (Art. 6(1)(b)). |
| Process health & fitness (special category) data to generate your training, recovery and nutrition outputs. | Your explicit consent (Art. 9(2)(a)), which you can withdraw at any time. |
| Take payment and manage subscriptions. | Performance of a contract; legal obligation (tax/accounting). |
| Improve, secure and debug the Service; prevent fraud and abuse. | Legitimate interests (Art. 6(1)(f)), balanced against your rights. |
| Send launch, service and (if you opt in) marketing emails. | Consent for marketing; legitimate interests for essential service messages. |
| Comply with legal and regulatory obligations. | Legal obligation (Art. 6(1)(c)). |
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
5. Apple Health & connected health data
If you connect Apple Health, a wearable, or another health service, we access only the data you permit. Health data obtained through Apple HealthKit (and equivalent platforms) is used solely to provide app features to you. We will never use this data for advertising or marketing, sell it, or share it with data brokers, and we will not disclose it to third parties except as needed to run the Service for you or where required by law. You can revoke access at any time in your device settings.
6. Who we share data with
We do not sell your personal data. We share it only with service providers (“processors”) who help us run the Service under written data-processing agreements, including:
- Hosting & database — Supabase and Vercel (account and app data storage and delivery).
- Wearable/health data aggregator — a third-party aggregator such as Terra, ROOK or Thryve, to connect and normalise device data (added only when device sync launches).
- Payments & subscriptions — the Apple App Store, and a subscription manager such as RevenueCat once paid plans launch.
- Analytics & crash reporting — an analytics and crash-reporting provider, if enabled.
- Email — an email delivery provider.
We may also disclose data to comply with the law, enforce our terms, or protect the rights, safety and property of our users or others, and to a buyer in connection with a business sale or reorganisation (subject to this policy).
7. International transfers
Some providers may process data outside the UK. Where they do, we put in place an appropriate safeguard — such as UK ‘adequacy’ regulations or the International Data Transfer Agreement (IDTA)/Addendum to the EU Standard Contractual Clauses — so your data receives an equivalent level of protection.
8. How long we keep it
We keep your personal data for as long as your account is active and as needed to provide the Service. If you delete your account, we delete or anonymise your personal data within 30 days, except where we must retain limited records to meet legal, tax or security obligations. Waitlist emails are kept until launch and then until you unsubscribe.
9. Your rights
Under UK data-protection law you have the right to: access your data; correct inaccurate data; erase data (“right to be forgotten”); restrict or object to processing; data portability; and withdraw consent. The app provides in-product tools to export and delete your data; you can also contact us at carterm20@icloud.com. We will respond within one month.
If you are unhappy with how we handle your data, you can complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk — though we’d appreciate the chance to put things right first.
10. Security
We use appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, access controls, and hashed passwords. No system is perfectly secure, but we work to protect your information and will notify you and the ICO of a serious breach where legally required.
11. Children
HyCo is not intended for, and may not be used by, anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
12. Cookies & similar technologies
Our website uses only the cookies/technologies needed to operate it and, where applicable, optional analytics with your consent. See this policy for details. The app itself does not use advertising cookies.
13. Changes to this policy
We may update this policy from time to time. We will post the new version here with a revised date and, for material changes, notify you in the app or by email.
14. Contact us
Questions about this policy or your data? Email carterm20@icloud.com.