Privacy Policy

Last updated: June 2026

1. Who we are

SomaAlly is operated by Stefan Stere, an independent developer. You can reach us at contact@somaally.com.

2. What data we collect

We collect only the data necessary to provide the service:

• Account information: your email address, used to identify your account and send you reports.
• Garmin health metrics: daily summaries (steps, stress score, Body Battery, calories), sleep data (stages, score, SpO2), HRV summaries, pulse ox readings, user metrics (VO2 Max), and workout history. This data is fetched from Garmin Connect via the official Garmin Connect Developer API, with your explicit authorisation.
• Usage data: basic access logs (timestamps, endpoints) for debugging and security purposes. No behavioural tracking or analytics.

3. How we use your data

• To compute health trends and anomaly scores from your Garmin metrics.
• To generate personalised wellness reports using AI (Gemini or Claude). Your data is passed to the AI model transiently to generate the report — it is not stored by the AI provider and is not used to train any AI model.
• To send you your reports by email if you opt in to email delivery.

We do not use your data for advertising, profiling, or any purpose other than providing the service you signed up for.

4. How we store your data

• Health metrics and account data are stored in an encrypted database hosted on Cloudflare's infrastructure within the EU.
• Your Garmin OAuth tokens (which authorise us to fetch your data) are encrypted at rest using AES-256-GCM before being stored.
• Backups are retained for 30 days and then permanently deleted.

5. Who we share data with

We do not sell, rent, or share your personal data with third parties, with the following narrow exceptions:

• Garmin: we communicate with the Garmin Connect API to fetch your health data on your behalf. Garmin's privacy policy governs data held in your Garmin account.
• AI providers (Google Gemini / Anthropic Claude): your trend data is sent to an AI model transiently to generate your report. This data is processed under the provider's API terms and is not retained or used for model training.
• Cloudflare: our infrastructure provider. Data is stored and processed on Cloudflare servers. Cloudflare does not have access to your health data.
• Legal requirements: we may disclose data if required by law, court order, or to protect our legal rights.

6. Your rights

You have the following rights over your data:

• Access: you can export all your data at any time from your account settings.
• Deletion: you can permanently delete your account and all associated data at any time. We will process deletion requests within 72 hours.
• Disconnection: you can revoke SomaAlly's access to your Garmin account at any time from within the app or directly from your Garmin Connect account settings.
• Correction: if any account information is incorrect, contact us and we will correct it.

To exercise any of these rights, email contact@somaally.com.

7. Data retention

We retain your health data for as long as your account is active. If you delete your account, all data is permanently erased within 72 hours. Inactive accounts (no login for 12 months) are flagged for deletion and their owners notified by email before any data is removed.

8. Cookies

SomaAlly uses a single, strictly necessary session cookie to keep you logged in. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

9. Children

SomaAlly is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, contact us and we will delete it.

10. Changes to this policy

If we make material changes to this policy, we will notify you by email at least 14 days before the changes take effect. The current version is always available at somaally.com/privacy/.

11. Contact

For any privacy-related questions or requests: contact@somaally.com