Privacy Policy

Effective Date: February 27, 2026 | Last Updated: February 27, 2026

1. Introduction

NAFAS ("we," "our," or "us") is a psychological safety companion application designed for endurance athletes. We are committed to protecting your privacy and ensuring transparency about how we collect, use, store, and share your personal information.

This Privacy Policy describes our practices regarding the data we collect through the NAFAS mobile application (the "App") and our associated services (collectively, the "Services"). By using our Services, you acknowledge that you have read and understood this Privacy Policy.

Our Commitment: We collect only the data necessary to provide our Services. We do not sell your personal information to third parties. Your health and wellness data remains under your control.

2. Information We Collect

2.1 Information You Provide

Account Information: When you create an account, we collect your name, email address, and profile photo through Google Sign-In authentication.
Onboarding Profile: Sport type, experience level, training goals, psychological challenges, and communication preferences you share during the onboarding process.
Conversation Data: Messages you exchange with Kona, the AI companion within the App.
Check-in Data: Mood ratings, energy levels, stress levels, and journal entries you voluntarily submit.

2.2 Information from Third-Party Services

Google Account Data: When you sign in with Google, we receive your name, email address, and profile picture. We do not access your Google contacts, calendars, or other Google services.
Garmin Connect Data: If you choose to connect your Garmin device, we access workout and activity data including: activity type, duration, distance, heart rate data, training load, stress scores, sleep data, and Body Battery metrics. We access this data solely through the official Garmin Connect API with your explicit consent.

2.3 Information Collected Automatically

Device Information: Device type, operating system version, and unique device identifiers for push notification delivery.
Usage Data: App interaction patterns, feature usage frequency, and session duration for service improvement.
Log Data: Server logs including IP addresses, request timestamps, and API endpoints accessed for security and debugging purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Legal Basis
Providing personalized AI companion interactions	Performance of contract
Analyzing workout data to provide contextual psychological support	Performance of contract
Generating mental performance insights and trends	Performance of contract
Sending reminders and notifications you have opted into	Consent
Improving and developing our Services	Legitimate interest
Ensuring security and preventing abuse	Legitimate interest
Complying with legal obligations	Legal obligation

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:

AI Processing: Conversation data is processed by Anthropic's Claude API to generate AI companion responses. This data is transmitted securely and is subject to Anthropic's Privacy Policy. Anthropic does not use your data to train their models when accessed via their API.
Service Providers: We use trusted service providers for hosting (DigitalOcean), authentication (Google), and wearable device integration (Garmin) who are bound by contractual obligations to protect your data.
Legal Requirements: We may disclose information if required by law, regulation, legal process, or enforceable governmental request.
Safety: We may disclose information if we believe in good faith that disclosure is necessary to protect the safety of any person or to prevent illegal activity.

Garmin Data: Data received from Garmin Connect is used exclusively within the NAFAS App to provide contextual psychological safety insights related to your training. We do not share, sell, or transfer Garmin data to any third party except as required to provide the core functionality of our Services.

5. Data Storage and Security

5.1 Storage

Your data is stored on secure servers hosted by DigitalOcean in their data centers. Authentication tokens for third-party services (such as Garmin Connect) are encrypted at rest using AES-256 encryption.

5.2 Security Measures

We implement industry-standard security measures including:

TLS/SSL encryption for all data in transit
AES-256 encryption for sensitive data at rest
JWT-based authentication with short-lived access tokens and secure refresh token rotation
Database access restricted to authenticated and authorized services only
Regular security updates and vulnerability monitoring

5.3 Data Retention

We retain your data for as long as your account is active or as needed to provide our Services. Upon account deletion:

Your personal data, conversation history, check-in data, and workout data are permanently deleted within 30 days.
Third-party access tokens (e.g., Garmin) are immediately revoked and deleted.
Anonymized, aggregated data that cannot be linked back to you may be retained for analytical purposes.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your personal data.
Portability: Request your data in a structured, machine-readable format.
Withdrawal of Consent: Withdraw consent for data processing at any time, without affecting the lawfulness of processing prior to withdrawal.
Objection: Object to processing based on legitimate interests.
Restriction: Request restriction of processing under certain circumstances.

To exercise any of these rights, please contact us at privacy@nafas.health.

7. Third-Party Services and Integrations

7.1 Google Sign-In

We use Google Sign-In for authentication. Google's use of your information is governed by Google's Privacy Policy. We receive only your basic profile information (name, email, profile photo) and do not request access to other Google services.

7.2 Garmin Connect

If you connect your Garmin account, we access your fitness and health data through the Garmin Connect API. You can disconnect your Garmin account at any time through the App settings, which will immediately revoke our access and delete stored Garmin tokens. Garmin's use of your data is governed by Garmin's Privacy Policy.

We comply with the Garmin Connect API Terms of Use, including:

We access only the data scopes explicitly authorized by you.
We do not store raw Garmin data longer than necessary to provide our Services.
We do not redistribute or resell Garmin data.
We provide a mechanism for you to disconnect and revoke access at any time.

7.3 Anthropic (Claude AI)

Conversation data is processed through Anthropic's Claude API to power the AI companion. API-processed data is not used by Anthropic to train their models. For more information, see Anthropic's Privacy Policy.

8. Children's Privacy

Our Services are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@nafas.health.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses or other legally recognized transfer mechanisms, to protect your personal data in accordance with applicable data protection laws.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

The right to know what personal information we collect, use, and disclose.
The right to request deletion of your personal information.
The right to opt out of the sale of personal information. Note: We do not sell personal information.
The right to non-discrimination for exercising your privacy rights.

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) as outlined in Section 6. Our legal bases for processing your data are detailed in Section 3. You also have the right to lodge a complaint with your local supervisory authority.

12. Push Notifications

We may send push notifications for check-in reminders, insights, and motivational messages. You can opt out of push notifications at any time through your device settings or the App settings.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

Posting the updated Privacy Policy on our website with a revised "Last Updated" date.
Sending an in-app notification for significant changes.

Your continued use of our Services after such changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

NAFAS
Email: privacy@nafas.health
Website: https://nafas.health

We will respond to all legitimate requests within 30 days.