Privacy Notice
Last updated: 31 March 2026
1. Who we are and scope
- Controller: VIGILANT FRONT, S.L., Calle Serrano Anguita, 13, 28004, Madrid, Spain, ES VAT (NIF): B22983811, Registration: registered in "Registro Mercantil de Madrid" in volume 0; book 0; folio 0; section GNE; page 864596
- Contact (privacy): privacy@gonorth.it
- Scope: This notice explains how we process personal data in our web and mobile application ("North") that tracks habits, goals, and longevity metrics, integrates with third-party health devices and services (Garmin, Strava, Apple Health), and provides AI-powered insights. It applies to all users regardless of location, though specific rights sections address GDPR (EEA/UK) requirements.
2. What we collect and why
We only collect data necessary for the app's functionality (data minimisation). We process the following categories:
Account and profile data
- Data: Name, email address, authentication identifiers, profile image URL, timezone, date of birth (optional), gender (optional), basic preferences (stored as JSON settings).
- Purpose: Create and manage your account; secure access; personalise your experience and longevity scoring.
- Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interests: security and fraud prevention).
- Note: Name and email are encrypted at rest using AES-256-GCM (see Section 11).
Habits, completions, and streaks
- Data: Habit names, descriptions, daily/weekly cadences, completion logs (dates, times, source), computed streaks and adherence statistics.
- Purpose: Habit tracking, analytics, and progress visualisation.
- Legal basis: Art. 6(1)(b) GDPR (contract).
Goals and milestones
- Data: Goal titles, target metrics and values, deadlines, status, linked habits; milestone titles, due dates, and completion status.
- Purpose: Goal management, automatic progression tracking, and milestone notifications.
- Legal basis: Art. 6(1)(b) GDPR (contract).
Challenges
- Data: Challenge participation records, check-in progress, leaderboard positions.
- Purpose: Optional motivational features you choose to participate in.
- Legal basis: Art. 6(1)(b) GDPR (contract).
Longevity and health-derived scores
- Data: Computed longevity scores across six dimensions (cardiorespiratory fitness, strength, stability, sleep quality, body composition, movement), weekly targets, training load metrics (ACWR, TRIMP), capacity modelling outputs, recovery context, and statistical associations.
- Purpose: Provide personalised longevity insights and progress tracking. These are derived metrics computed from your connected data sources — we do not collect additional raw data for this purpose.
- Legal basis: Art. 6(1)(b) GDPR (contract); where derived from health data, Art. 9(2)(a) GDPR (explicit consent).
- Important: Longevity scores and training analytics are informational tools, not medical advice. They do not constitute a diagnosis, treatment recommendation, or health assessment. See Section 14.
AI-generated insights
- Data: Aggregated, non-identifying metrics assembled from your account (see Section 4 for details on what is sent to our AI provider); generated outputs (weekly summaries, training context, habit patterns, observations); interaction metadata (timestamps, token counts, model version).
- Purpose: Provide personalised weekly synthesis reports and contextual insights.
- Legal basis: Art. 6(1)(b) GDPR (contract) for core functionality; Art. 6(1)(f) GDPR (legitimate interests) for service quality and safety monitoring.
Connected device and service data
- Data: Connected account identifiers, OAuth tokens (encrypted), connection status, device information; and — if you authorise — activity, health, sleep, and body composition metrics from Garmin, Strava, and/or Apple Health (see Section 3).
- Purpose: Import data from services you elect to connect.
- Legal basis: Art. 6(1)(b) GDPR (contract) to provide requested features; Art. 6(1)(a) and Art. 9(2)(a) GDPR (explicit consent) for health data.
Sharing and referral data
- Data: Share tokens (containing frozen snapshots of summary metrics and optional first name), referral codes, referral status, invited email addresses (for invite deduplication only, retained for 24 hours).
- Purpose: Enable you to share achievements and refer friends.
- Legal basis: Art. 6(1)(b) GDPR (contract); Art. 6(1)(a) GDPR (consent) for optional sharing of your name on shared content.
- Note: Shared content is anonymous by default ("A North user"). You must explicitly opt in to display your first name. Shared content never includes your surname, email, user ID, date of birth, raw biometrics, or body composition data. Share tokens expire automatically and can be revoked at any time.
Email communications
- Data: Email address, email delivery metadata, per-category preferences.
- Purpose: Transactional emails (welcome, streak milestones, goal completions, challenge invites, weekly digest, referral updates).
- Legal basis: Art. 6(1)(b) GDPR (contract) for transactional; Art. 6(1)(a) GDPR (consent) for optional categories.
- Control: You can manage preferences in-app or unsubscribe via one-click links in every email (RFC 8058 compliant).
Technical and usage data
- Data: IP address, device/browser information, timestamps, referrer URLs; limited diagnostic logs; audit trail records (for data export, account deletion, and connection changes).
- Purpose: Ensure security, prevent abuse, operate the service, comply with legal obligations, and maintain an audit trail for GDPR accountability.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interests: secure, functional service); Art. 6(1)(c) GDPR (legal obligation) for audit records.
3. Connected data sources: Garmin, Strava, and Apple Health
You may optionally connect one or more of the following data sources. Each connection is independent — connecting one does not require connecting others. All health and activity data from these sources constitutes special category data under GDPR and is processed only with your explicit consent.
3.1 Garmin
- Connection method: OAuth 2.0 with Garmin Connect.
- Data imported: Daily health summaries (steps, distance, active calories, resting heart rate, stress levels, Body Battery); sleep data (duration, sleep stages, sleep score); body composition (weight, body fat percentage, BMI); user metrics (VO2 Max, fitness age); activities (type, duration, distance, heart rate zones, elevation, pace, device name); heart rate samples for zone derivation.
- Encryption: All health, sleep, body composition, and user metrics data is encrypted at rest using AES-256-GCM with authenticated additional data (AAD) bound to your user ID (see Section 11).
- Sync: Real-time via webhooks; initial backfill covers 21 days of health data and 30 days of activities.
- Disconnection: You can disconnect at any time in-app. OAuth tokens are immediately invalidated. Previously imported data remains until you request deletion.
- Garmin's role: Garmin is a separate, independent data controller for data within its ecosystem. We act as an independent controller for the data we import at your request.
3.2 Strava
- Connection method: OAuth 2.0 with Strava.
- Data imported: Activities (sport type, name, start date, elapsed time, distance, average/max speed, average/max heart rate, calories, elevation gain, device name, manual/upload flags). We request read-only access (read,activity:read_all scopes).
- Data NOT imported: Social data, followers, clubs, comments, kudos, photos, route/GPS coordinates, gear details.
- Sync: Real-time via webhooks; initial backfill covers 30 days of activities.
- Disconnection: You can disconnect at any time in-app or revoke access from Strava's settings. We honour Strava deauthorization webhooks after server-side verification.
- Strava attribution: Activity data imported from Strava is provided in compliance with the Strava API Agreement. Strava is a registered trademark of Strava, Inc.
- Strava's role: Strava is a separate, independent data controller. We act as an independent controller for the activity data we import at your request.
3.3 Apple Health
- Connection method: Apple HealthKit framework on your iOS device.
- Data imported: Workouts (activity type, duration, distance, energy burned, heart rate); sleep analysis (sleep stages and duration); quantity samples (steps, resting heart rate, body weight) as you authorise via iOS Health permissions.
- On-device processing: Apple Health data is read locally on your device. It is only transmitted to our servers when you explicitly initiate a sync from the mobile app.
- Data NOT imported: We do not access medical records, medications, reproductive health, or any Apple Health categories beyond those listed above.
- Disconnection: You can revoke North's access at any time in iOS Settings → Health → Data Access & Devices.
- Apple's requirements: We comply with Apple's HealthKit guidelines. Health data is never used for advertising, is not sold, and is not disclosed to third parties for purposes unrelated to providing the service.
3.4 Multi-source deduplication
If you connect multiple data sources, the same activity may be reported by more than one source. We use fingerprint-based deduplication (matching on start time and duration) to create a single canonical record per activity. Source provenance is tracked internally. This is an automated technical process that does not involve profiling or decision-making about you.
3.5 Lawful basis for health data
Health and activity data from all connected sources constitutes special category data under Art. 9 GDPR. We rely on your explicit consent under Art. 9(2)(a) and Art. 6(1)(a) GDPR to process this data. You may withdraw consent at any time by disconnecting the relevant source in-app. Withdrawal does not affect the lawfulness of processing before withdrawal.
4. AI-powered insights and Anthropic
4.1 What we send to our AI provider
Our weekly AI synthesis feature (available to Premium subscribers) uses Anthropic's Claude API to generate personalised insights. We send only pre-aggregated, non-identifying metrics — never raw data, never your name, email, or other directly identifying information. Specifically, we send:
- 7-day averages of health metrics (steps, distance, resting heart rate, sleep duration, VO2 Max, weight)
- Habit names, adherence rates, and streak counts
- Pre-computed training load indicators (ACWR, monotony, strain)
- Pre-computed recovery context score
- Longevity dimension aggregates (zone 2 minutes, strength sessions, high-intensity minutes)
- Goal titles, statuses, and milestone counts
- Pre-computed statistical associations between metrics
- Weekly target progress
4.2 What we do NOT send
- Your name, email, user ID, or any directly identifying information
- Raw daily health data records
- OAuth tokens or credentials
- Date of birth or gender
- GPS coordinates, location data, or device identifiers
4.3 Anthropic's data handling
- Anthropic acts as a data processor under a Data Processing Agreement (DPA).
- Under Anthropic's API terms, data sent via their API is not used to train their models.
- Prompts and responses are retained by Anthropic for up to 30 days for safety and abuse monitoring, then deleted.
- We cache AI outputs locally (in Redis for 7 days, and in our database) to minimise repeated processing.
4.4 Your control
AI synthesis is a Premium feature requiring separate consent. If you do not subscribe to Premium or have not granted AI processing consent, no data is sent to Anthropic. You can withdraw AI processing consent at any time in Privacy settings. AI prompts are encrypted at rest and automatically deleted after 30 days; AI outputs are encrypted and retained for 6 months. When you disconnect a data source, you can choose to also delete AI insights generated from that source.
5. Purposes of processing and legal bases (summary)
| Purpose | Legal basis |
|---|---|
| Provide the service (habit/goal tracking, longevity scores, insights) | Art. 6(1)(b) — contract |
| Process health/activity data from connected sources | Art. 6(1)(a) + Art. 9(2)(a) — explicit consent |
| Generate AI-powered weekly synthesis | Art. 6(1)(b) — contract (Premium feature) |
| Send transactional emails | Art. 6(1)(b) — contract |
| Enable optional sharing and referrals | Art. 6(1)(b) — contract; Art. 6(1)(a) — consent (name display) |
| Secure and maintain the service | Art. 6(1)(f) — legitimate interests |
| Audit logging for GDPR accountability | Art. 6(1)(c) — legal obligation |
| Comply with legal obligations | Art. 6(1)(c) — legal obligation |
6. Cookies and similar technologies
- Strictly necessary: We use session cookies (via our authentication provider, Clerk) to maintain your login session and protect against CSRF attacks. These cannot be disabled.
- Analytics (if enabled): We may use privacy-focused analytics to understand aggregate usage patterns. If deployed, analytics cookies require your opt-in consent via a compliant consent mechanism.
- We do not use advertising cookies or tracking pixels.
7. Disclosures, recipients, and processors
We use the following categories of service providers (processors) to operate North. Each is bound by a Data Processing Agreement (DPA) and acts only on our documented instructions:
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Clerk | Authentication | Email, name, session tokens | US |
| Neon | Database | All application data (encrypted at rest) | EU (Frankfurt) |
| Upstash | Cache & rate limiting | Session keys, cache entries (no PII) | EU |
| Vercel | Hosting & deployment | Application runtime, request logs | US/EU |
| Anthropic | AI synthesis | Aggregated metrics only (no PII) | US |
| Resend | Email delivery | Email address, email content | US |
- Garmin, Strava, and Apple are independent data controllers for data in their own ecosystems. They provide data to us after you authorise access. We do not share your personal data back to these providers except as necessary for the connection you initiate.
- We do not sell personal data to any third party.
- We do not use your data for advertising purposes.
- We will disclose data to competent authorities only when lawfully required (e.g., court order, regulatory obligation).
8. International data transfers
Our primary database is hosted in the EU (Frankfurt). Some processors operate in the United States (Clerk, Vercel, Anthropic, Resend). When we transfer personal data outside the EEA/UK, we implement appropriate safeguards:
- European Commission Standard Contractual Clauses (SCCs) with each US-based processor.
- UK International Data Transfer Agreement/Addendum where applicable.
- EU-US Data Privacy Framework certification where available from the processor.
- Supplementary technical measures including encryption in transit (TLS 1.2+) and at rest.
9. Data retention
| Data category | Retention period |
|---|---|
| Account and profile data | Duration of account; deleted on account deletion |
| Habits, goals, milestones, challenges | Until you delete them or your account |
| Health/activity data (Garmin, Strava, Apple Health) | While connected; retained after disconnect until you request deletion or delete your account |
| Longevity scores and derived metrics | Duration of account; deleted on account deletion |
| AI synthesis prompts | 30 days (encrypted at rest), then automatically deleted |
| AI synthesis outputs | 6 months (encrypted at rest), then automatically deleted |
| AI prompts (at Anthropic) | Up to 30 days per Anthropic's safety policy, then deleted |
| Association insights | 3 months (recomputed weekly; snapshots not surfaced in UI) |
| Share tokens | Auto-expire after 90 days; revocable at any time |
| Referral records | 90 days (pending referrals); completed referrals retained for reward tracking |
| Invited email addresses | 24 hours (for deduplication only) |
| Audit logs | 1 year (GDPR accountability) |
| Technical/diagnostic logs | Short rolling window (typically 30 days) |
| Email preferences and unsubscribe tokens | Duration of account |
Account deletion is permanent and cascading — all associated data (habits, goals, health data, scores, share tokens, referrals) is irrevocably deleted from our database. Limited data may persist in encrypted backups for a short period before rotation.
10. Your GDPR rights
- Access (Art. 15): Obtain a copy of all personal data we process about you. Available in-app via data export (JSON format) or by request.
- Rectification (Art. 16): Correct inaccurate personal data via your profile settings or by contacting us.
- Erasure (Art. 17): Request deletion of your data, including all imported health data. Available in-app via account deletion or by contacting us.
- Restriction (Art. 18): Limit processing in certain circumstances (e.g., while we verify accuracy).
- Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON export with full decryption of your encrypted fields; CSV export for activity data with formula injection protection).
- Objection (Art. 21): Object to processing based on legitimate interests. We will honour your objection unless we demonstrate compelling legitimate grounds. Note: audit logging for GDPR accountability (data exports, account deletions, connection changes) is processed under Art. 6(1)(c) (legal obligation), not legitimate interests, and therefore continues regardless of an Art. 21 objection.
- Withdraw consent (Art. 7(3)): For any processing relying on consent (including health data from connected sources and AI synthesis), withdraw at any time by disconnecting the relevant source, cancelling Premium, or contacting us. When you withdraw consent for health data processing, source sync is immediately suspended and incoming data is discarded. Withdrawal does not affect prior lawful processing.
- Restriction of processing (Art. 18): Request restriction of specific processing activities (e.g., pause AI synthesis while keeping longevity scoring active) via your Privacy settings. Restricted data is preserved but not processed until you lift the restriction.
- Complaint: Lodge a complaint with your local supervisory authority. Our lead authority is the Spanish Data Protection Agency (AEPD), but you may also contact your local EEA/UK authority.
- How to exercise: Use in-app controls (Settings → Data Export, Settings → Delete Account, disconnect data sources) or contact us at privacy@gonorth.it. We verify your identity before fulfilling requests and respond within 30 days.
11. Security measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption at rest: Sensitive health data (daily summaries, sleep, body composition, user metrics) and PII (name, email) are encrypted using AES-256-GCM with authenticated additional data (AAD) that binds each ciphertext to a specific user and data type, preventing cross-user substitution attacks.
- Encryption in transit: All data transmitted between your device, our servers, and third-party services uses TLS 1.2 or higher.
- OAuth token security: Third-party OAuth tokens are stored encrypted and are invalidated immediately upon disconnection.
- Access control: Least-privilege access; all database queries are scoped to the authenticated user's data.
- Audit logging: Security-relevant events (data exports, account deletions, connection changes) are logged with correlation IDs for GDPR accountability.
- Key management: Encryption keys are managed securely and support rotation.
- Breach notification: In case of a personal data breach, we assess risk and, where required, notify the supervisory authority (AEPD) within 72 hours and affected individuals without undue delay.
12. Children's privacy
North is not directed to children under 16. We do not knowingly collect personal data from children under the age of digital consent in their jurisdiction (13–16 depending on country). If we become aware that we have inadvertently collected data from a child without valid parental consent, we will promptly delete it. If you believe a child has provided us with personal data, contact us at privacy@gonorth.it.
13. Automated decision-making and profiling
We compute progress analytics, longevity scores, training load indicators, and AI-generated summaries. These are informational outputs designed to help you understand your data. They do not produce legal or similarly significant effects on you and do not constitute automated decision-making within the meaning of Art. 22 GDPR. You always retain full control over your goals, habits, and data source connections.
14. Health and fitness disclaimer
North is a personal informational tool. It is not a medical device, and the longevity scores, training analytics, AI summaries, and other outputs provided by the service:
- Do not constitute medical advice, diagnosis, or treatment recommendations.
- Are not substitutes for professional medical advice from a qualified healthcare provider.
- Are based on heuristic models and statistical derivations that may not reflect your individual health status.
- Should not be relied upon for any medical decision.
Always consult a qualified healthcare professional before making changes to your exercise, diet, or health regimen. If you experience a medical emergency, contact your local emergency services immediately.
15. Limitation of liability
To the fullest extent permitted by applicable law, VIGILANT FRONT, S.L. shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of the service, reliance on any health-related data, scores, or AI-generated content, or any interruption or loss of data. Our total liability for any claim arising from or relating to the service shall not exceed the amounts you have paid us in the twelve (12) months preceding the claim. Nothing in this section limits our liability for fraud, gross negligence, or any liability that cannot be excluded under applicable law.
16. Changes to this notice
We may update this notice as our product or legal requirements evolve. We will post changes here with an updated "Last updated" date. For material changes that affect how we process your data, we will notify you in-app or by email at least 14 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance of the updated notice.
17. Governing law and jurisdiction
This privacy notice and any disputes arising from it are governed by the laws of Spain. Any disputes shall be submitted to the courts of Madrid, Spain, without prejudice to your right to lodge a complaint with your local data protection authority or to bring proceedings in the courts of your habitual residence as permitted by applicable law.
Summary of key points
- We process only what is needed to run your longevity and habit platform. You control your data at all times.
- Health data from Garmin, Strava, and Apple Health is imported only with your explicit consent and can be withdrawn at any time.
- Sensitive health data and PII are encrypted at rest using AES-256-GCM.
- AI insights (powered by Anthropic Claude) receive only aggregated, non-identifying metrics — never your name, email, or raw health records. Anthropic does not train on your data.
- Shared content is anonymous by default and never includes surnames, emails, raw biometrics, or body composition.
- We do not sell your data or use it for advertising.
- You have full GDPR rights: access, deletion, portability, objection, and more — exercisable in-app or by contacting privacy@gonorth.it.
- North is not medical advice. Always consult a healthcare professional for medical decisions.
Contact
For any privacy-related questions, requests, or complaints, contact us at privacy@gonorth.it.
VIGILANT FRONT, S.L.
Calle Serrano Anguita, 13, 28004, Madrid, Spain
ES VAT (NIF): B22983811