Health & Wearables Data Consent

1. What Health Data We Collect

When you connect a wearable or health platform, ShapeUp may receive and store the following categories of data depending on the permissions you grant:

• Activity data — steps, distance, active minutes, calories burned
• Heart rate — resting, active, and heart-rate-variability (HRV) where available
• Sleep data — duration, sleep stages, sleep quality scores
• Workout sessions — type, duration, intensity, route (if GPS-enabled)
• Body metrics — weight, body composition, BMI (where provided by the device)
• Oxygen saturation (SpO₂) and respiratory rate where supported
• Stress and recovery scores where provided by the device manufacturer

We only import data types you explicitly authorise during the device connection flow. You can review and adjust the scope of data access at any time under Profile → Connected Devices.

2. Supported Platforms

ShapeUp currently supports connection with the following platforms (availability may vary by region):

• Fitbit
• Google Fit / Health Connect
• Garmin Connect
• WHOOP
• Oura Ring
• Apple Health (HealthKit) — mobile app only
• Samsung Health — mobile app only

Each platform has its own privacy policy and data-sharing terms. We encourage you to review those policies before connecting your device.

3. How We Use Your Health Data

We use your health data solely to:

• Display and track your progress — show trends, streaks, and personal records on your dashboard.
• Personalise recommendations — suggest classes, trainers, and nutrition plans based on your activity patterns.
• Enable trainer and coach access (with your explicit consent) — allow a trainer you have connected with on ShapeUp to view your activity summary to inform session planning.
• Power gamification and challenges — count steps, calories, or workout minutes toward challenge progress where you have opted in.
• Improve our services — in aggregate and de-identified form only, to understand how users engage with health features.

We do not sell, license, or share your health data with advertisers, insurers, employers, or any third party outside the scope described in this page.

4. Legal Basis for Processing

Health data is classified as a special category under the GDPR and equivalent privacy laws. We process it only on the basis of your explicit consent (Article 9(2)(a) GDPR), which you grant when you connect a wearable device and authorise specific data types during the OAuth connection flow.

You may withdraw this consent at any time without affecting any other aspect of your ShapeUp account (see Section 7).

5. Data Storage and Security

Your health data is stored encrypted at rest and in transit. We apply the following safeguards:

• AES-256 encryption at rest in our database.
• TLS 1.2+ for all data in transit between your device, the wearable platform, and ShapeUp servers.
• Access controls that restrict health data to your account and, where you have authorised, your linked trainer.
• Audit logging of all access to health records by ShapeUp staff — access is limited to essential technical operations.

Health data is retained for as long as you maintain an active ShapeUp account. If you disconnect a device (Section 7), future syncs stop immediately. Historical data already synced is retained until you delete it or request account deletion.

6. Sharing with Trainers and Coaches

By default, your health data is private to you. You may optionally grant a trainer or coach access to an activity summary (step counts, workout minutes, recent sessions) to help them plan your programming. This sharing is:

• Opt-in only — you must actively enable it under Profile → Connected Devices → Share with Trainer.
• Revocable at any time from the same settings screen.
• Limited to summary-level data — raw heart-rate streams, sleep stages, and medical-grade metrics are never shared with trainers.

7. How to Manage or Withdraw Consent

You have full control over your health data:

• Disconnect a device — go to Profile → Connected Devices, tap the device, and choose Disconnect. This immediately revokes ShapeUp's access token and stops future syncs.
• Delete synced health data — after disconnecting, you can remove all previously synced data for that provider from the same screen by choosing Delete Imported Data.
• Adjust data types — reconnect the device and re-authorise only the data types you wish to share.
• Export your data — request a copy of all health data ShapeUp holds about you via Profile → Privacy → Export My Data.
• Delete your account — deletes all health data along with your account via Profile → Privacy → Delete Account.

Withdrawing consent for health data processing does not affect the lawfulness of processing carried out before withdrawal.

8. Data Minimisation and Purpose Limitation

We request only the data types you choose to authorise. We do not request access to contacts, location (beyond opt-in facility check-in), financial information held by a wearable platform, or any other data unrelated to fitness activity. Health data is never used for advertising targeting, credit scoring, or insurance purposes.

9. Children's Health Data

ShapeUp accounts for users under 18 require a linked guardian account. Health data for minor users may be viewed by their registered guardian within the guardian dashboard. Wearable connections for minor accounts must be authorised by the guardian. We do not collect health data from children under 13 under any circumstances.

10. Changes to This Policy

If we materially change how we collect or use health data, we will notify you by email and in-app at least 30 days before the change takes effect. Continued use of connected wearable features after that date constitutes acceptance of the updated terms. You may disconnect your devices at any time if you do not agree.

11. Contact & Data Subject Rights

To exercise your rights (access, rectification, erasure, portability, restriction, or objection) regarding health data, or to raise a concern:

• Email our Data Protection Officer: privacy@shapeup.app
• Use the in-app privacy controls under Profile → Privacy

You also have the right to lodge a complaint with your national data-protection authority if you believe your health data has been processed unlawfully.