Privacy Policy
Effective May 15, 2026
What data we collect
When you use Freddy, we collect:
- Email address — used for authentication via 6-digit sign-in code and account identification.
- Provider OAuth tokens or API keys — used to sync data from your connected health data sources (e.g., Polar, Oura, WHOOP, Withings, Dexcom, Intervals.icu, Hevy, Suunto, Strava, Concept2, Garmin). These credentials grant read-only access to your account with each provider.
- Health metrics — sleep, heart rate, HRV, activity, workouts, recovery, body measurements, glucose data, and other metrics synced from your connected providers. Stored as structured rows in our database.
- MCP request audit log — when you make a request to your personal MCP URL, we record the request method, path, tool name, a redacted summary of the tool arguments (encrypted at rest), HTTP status, duration, your IP address, and your user-agent string. This audit log is shown to you on your dashboard so you can detect unauthorized use of your MCP token. We retain audit-log entries for 90 days, then permanently delete them. Lawful basis: legitimate interest under Article 6(1)(f) UK GDPR / EU GDPR (security audit). You can download a CSV copy at any time from your dashboard.
- Server-side page-view analytics — when you visit a page on freddy.coach (marketing site, dashboard, articles, guides, help, changelog, or any other non-MCP surface), our server records the request path, HTTP status, response size, response time, referrer, IP address, and user-agent string. This is used in aggregate to understand which pages people visit and which referrers send traffic. We do not use cookies, beacons, or any client-side tracker for this. IP addresses are retained for 30 days and then truncated. Lawful basis: Article 6(1)(f) UK GDPR / EU GDPR (legitimate interest in operating the service and measuring its reach).
We do not collect data beyond what is needed to provide the Service. We do not track you across websites or use cookies for advertising.
How we use your data
Your data is used exclusively to power your personal MCP endpoint. When an AI client you have connected queries your Freddy endpoint, we read your stored health metrics and return them in the response.
Freddy does not perform AI or machine-learning processing on your data and does not train models on it. When you connect an AI assistant (such as Claude, ChatGPT, Perplexity, or any MCP-compatible client) and query Freddy via your personal MCP URL, that AI assistant reads your stored health metrics and processes them with AI to respond to your query. The AI assistant acts as your agent at your direction. You authorize this processing by connecting the AI assistant and making queries; you can withdraw authorization at any time by disconnecting the AI client or deleting your account. Each AI assistant is governed by its own privacy policy and terms.
We do not sell, share, license, or broker your health data to any third party. We do not use your data for advertising, analytics, or research. Each user's data is isolated and accessible only through their personal MCP token.
Children and minors
Freddy is not intended for, and not directed at, individuals under 18 years of age. We do not knowingly collect data from anyone under 18. If you become aware that a person under 18 has created a Freddy account, please contact us at privacy@freddy.coach and we will delete the account and all associated data.
Data sources
Health data in Freddy comes from third-party providers that you choose to connect. Each provider's data is labeled with its source. Currently supported providers include Polar, Oura, WHOOP, Withings, Dexcom, Intervals.icu, Hevy, Suunto, Strava, Concept2, and Garmin. Your use of each provider is governed by that provider's own privacy policy and terms of service.
When you connect a provider, you authorize Freddy to access your data from that provider. You can review your connected providers and disconnect any of them at any time from your dashboard.
Data storage and security
Your data is stored in a PostgreSQL database hosted on Railway, on infrastructure located in the United States. The underlying storage volume is encrypted at rest. All connections to the database use TLS encryption. MCP endpoints are served over HTTPS only.
Your health metrics (sleep, workouts, recovery, raw payloads), as well as the OAuth tokens and API keys for your connected providers, are additionally encrypted at the application layer using AES-256-GCM before being written to the database. The encryption key is held in our deployment environment, separately from the database credentials, so a leaked database backup or storage-layer compromise yields ciphertext rather than usable values. Provider credentials are never exposed through the MCP endpoint.
Our error-monitoring sub-processor (Sentry) is configured to drop request bodies, breadcrumb payload data, and third-party API response bodies attached as error context before transmission. Sentry receives stack traces, request URLs (with MCP tokens redacted), HTTP status codes, and operational metadata — not the contents of your health metrics. This is enforced by code, not by policy alone (see the beforeSend hook in our Sentry initialization).
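An added example, not Freddy's actual Sentry initialization, of a beforeSend hook of the kind the paragraph refers to, written against the Sentry JavaScript SDK's event shape (request.data is the request body, breadcrumbs[].data the breadcrumb payload). The URL form /mcp/<token> and the context key providerResponse are assumptions made for this example.

```javascript
// Added example, not Freddy's own Sentry setup. beforeSend runs on every error event
// before it leaves the process; it is passed as `beforeSend` in Sentry.init({...}).
// Assumed: the personal MCP URL has the form /mcp/<token>, and provider responses are
// attached under contexts.providerResponse.
const MCP_TOKEN_SEGMENT = /(\/mcp\/)[^/?#]+/g;

function redactUrl(value) {
  return typeof value === 'string' ? value.replace(MCP_TOKEN_SEGMENT, '$1[redacted]') : value;
}

function beforeSend(event) {
  if (event.request) {
    delete event.request.data;      // request body: tool arguments never leave the box
    delete event.request.cookies;
    event.request.url = redactUrl(event.request.url);
  }
  if (Array.isArray(event.breadcrumbs)) {
    // Keep the trail (category, level, message) but drop every payload object.
    event.breadcrumbs = event.breadcrumbs.map(({ data, ...rest }) => ({ ...rest, message: redactUrl(rest.message) }));
  }
  if (event.contexts && event.contexts.providerResponse) {
    delete event.contexts.providerResponse.body;   // third-party API response body
  }
  if (event.extra) delete event.extra.responseBody;
  return event;   // returning null would drop the event altogether
}

// Constructed sample event of the shape the SDK builds for a failed MCP tool call.
function demo() {
  const event = {
    exception: { values: [{ type: 'Error', value: 'provider sync failed' }] },
    request: {
      method: 'POST',
      url: 'https://freddy.coach/mcp/tok_constructed_sample?foo=1',
      data: '{"tool":"get_sleep","args":{"date":"2026-05-14"}}',
      headers: { 'user-agent': 'claude-desktop/1.0' },
    },
    breadcrumbs: [
      { category: 'http', level: 'info', data: { url: 'https://provider.example/v2/sleep', status_code: 500 } },
    ],
    contexts: { providerResponse: { status: 500, body: '{"sleep":[{"hrv_ms":62}]}' } },
    extra: { responseBody: '{"sleep":[{"hrv_ms":62}]}' },
  };
  const sent = JSON.stringify(beforeSend(event));
  return {
    tokenLeaked: sent.includes('tok_constructed_sample'),   // false
    healthDataLeaked: sent.includes('hrv_ms'),              // false
    url: event.request.url,                                 // 'https://freddy.coach/mcp/[redacted]?foo=1'
    status: event.contexts.providerResponse.status,         // 500: operational metadata is kept
    errorMessage: event.exception.values[0].value,          // stack/error info is kept
  };
}
```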
Application-layer encryption protects against scenarios where data leaves the database boundary (such as backup leaks). It does not by itself defend against a compromise of the running application, which would have access to both the data and the key in memory. This is the standard tradeoff for any hosted service that performs server-side processing. We comply with the New York SHIELD Act's data-security program requirements and analogous state requirements through these technical and administrative measures.
Security incidents and breach notification
Freddy is a "vendor of personal health records" under the FTC Health Breach Notification Rule (16 CFR Part 318). We are not a HIPAA-covered entity.
In the event of a breach of security involving unsecured personal-health-record-identifiable health information — including unauthorized acquisition or disclosure, not only external intrusion — we will:
- Notify each affected individual without unreasonable delay, and in no event later than 60 calendar days after discovery of the breach, with the content required by 16 CFR § 318.6 (a description of the incident, the categories of information involved, the steps individuals can take to protect themselves, the steps we are taking to investigate and mitigate, and contact information).
- Notify the Federal Trade Commission as soon as possible and in no case later than 10 business days following the date of discovery if the breach affects 500 or more individuals; otherwise, as part of our annual notification submission.
- Notify prominent media outlets serving the relevant state if the breach affects 500 or more residents of that state.
Notice channel. Because you create your Freddy account using only an email address, and because all communications between us and you (sign-in codes, account notifications, billing receipts) occur by email, we treat email as your "primary method of communication" within the meaning of 16 CFR § 318.5(a)(1), and individual breach notices will be delivered by email to the address associated with your account. If you would prefer to receive breach notices by first-class mail, please email privacy@freddy.coach with a postal address and we will use that channel for future notices.
For consumers in jurisdictions with additional or more protective breach-notification requirements (for example, UK GDPR Articles 33–34, EU GDPR Articles 33–34, California Civil Code § 1798.82, or analogous state laws), we will additionally comply with those requirements.
Data location and international transfers
Freddy is operated by reThrive Labs LLC, a company incorporated in the State of Wyoming, United States. All your data — your account, your provider credentials, and your synced health metrics — is stored and processed on infrastructure located in the United States.
If you are accessing the Service from the United Kingdom, the European Economic Area, or another jurisdiction with data protection laws different from those in the United States, please be aware that:
- The United States has not been determined by the UK or the EU to provide a level of data protection equivalent to UK GDPR or EU GDPR.
- You may have fewer or different enforceable rights against us under US law than you would have against a UK- or EU-based service.
By creating an account and accepting these Terms and this Privacy Policy at signup, you give your explicit informed consent to the storage and processing of your data — including health data, which UK and EU law classifies as special-category personal data — in the United States. This is the lawful basis on which we transfer your data internationally, under Article 49(1)(a) of UK GDPR and EU GDPR.
You can withdraw this consent at any time by deleting your account. When you do, your account record, all stored health metrics, all provider connections, and your MCP token are permanently deleted from our systems. We are working toward UK-US Data Bridge self-certification under the EU-US Data Privacy Framework, which will provide an additional Article 46 transfer mechanism. When that is in place, this Policy will be updated to reflect it.
Lawful bases for processing
For users in the UK and the EEA, we rely on the following lawful bases under Article 6 and Article 9 UK GDPR / EU GDPR:
- Article 6(1)(b) — performance of a contract: for processing necessary to deliver the Service you have signed up for (account management, syncing data from providers you have connected, serving your MCP endpoint).
- Article 9(2)(a) — explicit consent: for processing your health data, which is special-category personal data. Your acceptance of these Terms and this Privacy Policy at signup constitutes that explicit consent. You can withdraw it by disconnecting individual providers (which deletes that provider's data) or by deleting your account (which deletes everything).
- Article 49(1)(a) — explicit consent for international transfers: as described in the section above.
California residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know what categories of personal information we collect, the purposes, the sources, and the categories of recipients. These are set out in the sections above.
- Right to access and obtain a copy of the personal information we hold about you.
- Right to correct inaccurate personal information.
- Right to delete personal information we have collected.
- Right to portability — receive your personal information in a portable, readily usable format (CSV export from your dashboard).
- Right to non-discrimination for exercising any of these rights.
We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA. We have not done so in the preceding 12 months and we have no plans to do so.
Sensitive personal information. Health data is "sensitive personal information" under the CCPA. We use sensitive personal information solely to provide the service you have requested and to operate the Freddy MCP endpoint at your direction, and for the purposes of ensuring the security and integrity of the service (CCPA Regulations § 7027(m)(2)). We do not use sensitive personal information for any purpose that would require us to offer a "Limit the Use of My Sensitive Personal Information" mechanism under the CCPA.
To exercise any of these rights, email privacy@freddy.coach. We will verify your request by confirming control of the email address associated with your account and respond within 45 days of receipt (extendable by an additional 45 days where reasonably necessary, with notice to you within the original window). You may also use an authorized agent; we require written authorization and verification of the agent's identity before processing the request.
Other US state residents
If you are a resident of a US state with a comprehensive consumer privacy law (including but not limited to Texas, Colorado, Virginia, Connecticut, Utah, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Maryland, or Minnesota), you have rights that may include the right to access, correct, delete, port, and (where applicable) opt out of the sale, sharing, profiling, or processing of your sensitive personal data including health data. We do not sell or share your data, and we do not engage in profiling that produces legal or similarly significant effects. To exercise any state-law right, email privacy@freddy.coach and we will respond within the timeframe required by your state's law (typically 45 days). You have the right to appeal any denial; if we deny your appeal, you may file a complaint with the consumer-protection authority in your state.
Washington, Nevada, and Connecticut consumers have additional rights specific to "consumer health data" set out in our separate Consumer Health Data Privacy Policy, which is incorporated into this Privacy Policy by reference.
Sub-processors
We use the following sub-processors to deliver the Service. Each is bound by its standard data processing terms:
- Railway — application hosting and database infrastructure (United States).
- Resend — transactional email delivery (United States).
- Stripe — payment processing for PRO subscriptions (United States, with Stripe's UK and EU entities for European users).
- Sentry — application error monitoring (United States). Sentry receives error metadata; it does not receive your health data.
- Connected wearable providers — Polar, Oura, WHOOP, Withings, Dexcom, Intervals.icu, Hevy, Suunto, Strava, Concept2, Garmin, and any others you elect to connect. Each provider is the source of your data and is governed by that provider's own privacy policy.
Data retention and deletion
We retain personal data only as long as needed for the purposes for which we collected it. Retention by category:
- Account record (user row, email, account identifier) — retained while your account is active; deleted within 30 days of account deletion.
- Health metrics (from connected providers) — retained while the relevant provider is connected. Disconnecting a provider deletes its data immediately. Deleting your account deletes all health metrics within 30 days.
- Provider credentials (OAuth tokens, API keys) — retained while the provider is connected; deleted immediately on disconnect.
- MCP request audit log — retained for 90 days, then deleted by a daily cleanup job. Account deletion removes audit-log entries immediately.
- Server-side page-view analytics — IP addresses retained for 30 days, then truncated. Path/referrer/UA retained indefinitely in aggregated form only (no per-user link).
- Billing records (Stripe subscription identifiers, plan history) — retained for 7 years to satisfy US tax and accounting requirements, even after account deletion.
- Transactional email metadata (delivery receipts, bounces, opens) — retained at our email provider (Resend) per their default retention; we do not maintain a long-term copy.
- UserConsent rows (acceptance timestamps + IP/UA) — retained for the lifetime of the account as evidence of the legal basis for processing; deleted on account deletion.
You can disconnect providers from your dashboard or delete your account at any time.
Your rights
You have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you, including your synced health metrics, via your MCP endpoint, the dashboard data viewer, the CSV export tool, or by emailing us.
- Rectification — request correction of inaccurate personal data.
- Erasure — delete data by disconnecting individual providers (immediately deletes that provider's metrics) or by deleting your account (deletes everything within 30 days).
- Restriction — request that we restrict processing of your data in specific circumstances.
- Portability — receive your personal data in a structured, commonly used, machine-readable format (CSV export from your dashboard).
- Objection — object to processing that relies on legitimate interest as a lawful basis.
- Withdraw consent — by disconnecting a provider (stops processing of and deletes data from that provider) or by deleting your account.
- Appeal — appeal any denial of a rights request by emailing privacy@freddy.coach with the word "appeal" in the subject; we respond in writing with reasons within 45 days.
- Complain to a supervisory authority — UK residents may complain to the Information Commissioner's Office (ico.org.uk); EU/EEA residents may complain to their national data-protection authority; Washington residents may file with the WA Attorney General (atg.wa.gov/file-complaint); California residents may file with the California Privacy Protection Agency (cppa.ca.gov).
To exercise any of these rights, email privacy@freddy.coach. We respond within 45 days of receipt of a verifiable request. We may extend this by up to a further 45 days where the request is complex or numerous, and will notify you of the extension within the original 45-day window. We do not charge for these requests except where they are manifestly unfounded or excessive.
For privacy questions or data deletion requests
privacy@freddy.coach