Privacy Policy
Last updated: March 18, 2026 · Aiclysm
1. Data Controller
The controller of your personal data is Aiclysm, a company registered in the Czech Republic (IČO: 73408280), with its registered office in Prague (hereinafter "we", "us", "Aiclysm").
Contact for privacy inquiries: info@aiclysm.com
Supervisory authority: UOOU (Office for Personal Data Protection), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic · uoou.gov.cz
2. What Data We Collect
2.1 Account Data
Email address, password (stored as a secure hash), language preference, and subscription status. Authentication is handled via password-based login. Email verification codes are used during registration and password recovery. We do not collect your name, phone number, or physical address unless you provide it voluntarily.
2.2 Health & Wearable Data
When you connect a wearable platform (Polar, Strava, Withings, Fitbit, and Garmin once available), we retrieve health-related data through their official APIs using OAuth 2.0. We never access or store your login credentials for these platforms.
| Category | Examples | Source |
|---|---|---|
| Heart Rate & HRV | Resting HR, HRV (RMSSD/SDNN), max HR | Garmin (coming soon), Polar, Fitbit (HRV+RHR); Withings (RHR only) |
| Sleep | Sleep stages (deep, REM, light, awake), duration, sleep score | Garmin (coming soon), Polar, Fitbit, Withings |
| Activity | Steps, active minutes, workouts, calories, distance | Garmin (coming soon), Polar, Strava, Fitbit, Withings |
| Stress & Recovery | Stress score, body battery | Garmin (coming soon) |
| Respiratory | Respiratory rate, SpO2 | Garmin (coming soon), Fitbit, Withings (SpO2); Polar (breathing rate) |
| Body Composition | Weight, body fat %, muscle mass, BMI | Withings, Fitbit, Garmin (coming soon) |
| Blood Pressure | Systolic, diastolic, heart pulse | Withings |
| Body Temperature | Skin temperature, body temperature deviation | Withings, Fitbit |
2.3 Derived Health Indices
From the raw data above, our algorithms compute 12 proprietary health indices: Immunity, Recovery, Stress Load, Sleep Debt, Circadian Rhythm, ANS Balance, Illness Risk, Overtraining, Respiratory, Morning Energy, Sleep Quality, Cardiac Efficiency — plus Body Status, Biological Age across 8 domains, and Training Load analysis. These are algorithmic estimates, not clinical measurements.
2.4 Billing Data
MyBodyAI is free for all users. If you choose to support us with a voluntary subscription, payments are processed securely by Stripe (stripe.com). We store only your subscription status and Stripe customer ID. We never see or store your credit card number. For Stripe’s privacy practices, see stripe.com/privacy.
2.5 Technical Data
IP address, browser type, device information, and server access logs. These are used for security, debugging, and service improvement. We do not use advertising or tracking cookies. For anonymous usage statistics, we use Umami — a self-hosted, cookie-free analytics tool that collects no personal data (see Section 13).
3. Legal Basis for Processing
We process your personal data on the following legal bases under the GDPR:
- Contract performance (Art. 6(1)(b)) — to provide the MyBodyAI service, manage your account, and process your subscription.
- Explicit consent (Art. 6(1)(a) together with Art. 9(2)(a)) — for processing health data, which is special category data under the GDPR. You grant this consent when connecting a wearable platform. You can withdraw consent at any time (see Section 10).
- Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, and service improvement.
- Legal obligation (Art. 6(1)(c)) — for tax records, accounting obligations, and compliance with Czech law.
4. How We Use Your Data
- To compute and display your health indices on the MyBodyAI dashboard
- To manage your account and subscription
- To send essential service notifications (e.g., subscription expiry, security alerts)
- To improve our algorithms using anonymized and aggregated data
- To comply with legal obligations
- To ensure security and prevent abuse of our services
5. Data Sharing & Third Parties
We share your data only with the following recipients and services; every third-party processor is bound by a data processing agreement (DPA):
- Hosting provider — server infrastructure located in the EU
- Wearable platform APIs — data flows are user-initiated via OAuth; each platform's own privacy policy governs its data handling
- Stripe — payment processing (if you choose to support us). Stripe processes payment data under their own privacy policy. We receive only subscription status.
- Open Wearables API — our own middleware service (operated by Aiclysm, not a third party) that connects to wearable platforms via OAuth 2.0. It is hosted on the same EU server and is listed here so you know where your OAuth tokens and health data flow.
- Health Connect (Android) — if you use our Android app and grant the relevant Health Connect permissions, the app reads health data from Google Health Connect on your device and uploads it to our servers. We do not share this data with anyone else.
- Sentry — error monitoring service (hosted in the EU, Frankfurt). Captures technical error reports (stack traces, browser type, URL) to help us fix bugs. No health data or personal identifiers are included in error reports. For Sentry's own data handling, see the Sentry Privacy Policy.
We may disclose personal data to law enforcement or regulatory authorities only when required by law. We will notify you of such requests where legally permitted.
6. Provider-Specific Data Handling
Each wearable data provider has specific requirements for how we handle your data. We comply with all provider terms and policies:
| Provider | Data Caching | Deletion on Revocation | Attribution |
|---|---|---|---|
| Garmin (coming soon) | Integration pending | N/A | Integration not yet active |
| Polar | As needed for service | Tokens revoked, data deleted | Data sourced from Polar |
| Strava | Max 7 days | Within 48 hours | — |
| Withings | As needed for service | Prompt deletion | — |
| Fitbit | As needed for service | Prompt deletion | — |
Strava data is shown only to the user who authorized the connection. We do not display one user's Strava activity data to other users. Strava data that becomes unavailable is immediately removed from our cache.
In addition to GDPR breach notification requirements (72 hours to supervisory authority), we will notify affected data providers within 24 hours of discovering a security breach, as required by their respective terms.
7. International Data Transfers
Your data is primarily stored on servers within the European Union. When data is transferred outside the EEA, we rely on EU Standard Contractual Clauses (SCCs) or adequacy decisions to ensure an adequate level of protection.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Health & wearable data | Until account deletion or integration disconnection |
| Computed health indices | Until account deletion |
| Billing records | 10 years (Czech tax law) |
| Server logs | 90 days |
After account deletion, all personal data is permanently erased within 30 days, including from backups, with the exception of billing records that Czech tax law requires us to keep for 10 years (see table above). Anonymized and aggregated data (which can no longer identify you) may be retained indefinitely for statistical purposes.
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.2+)
- OAuth tokens and API credentials encrypted at rest
- Password-based authentication with secure hashing (we store only a hash of your password, never the password itself), and time-limited email verification codes for registration and password recovery
- OAuth 2.0 for wearable integrations — we never store your third-party credentials, only the OAuth tokens the platform issues, which are deleted when you disconnect the integration
- Regular security reviews and updates
- Breach notification to UOOU within 72 hours per GDPR Article 33, and to affected data providers within 24 hours
10. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access (Art. 15) — obtain a copy of your personal data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Restriction (Art. 18) — restrict processing in certain circumstances
- Portability (Art. 20) — receive your data in a structured, machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interest
- Withdraw consent (Art. 7(3)) — withdraw consent for health data processing at any time; withdrawal does not affect the lawfulness of processing carried out before you withdrew
- Complaint — lodge a complaint with UOOU or the supervisory authority of your EU member state
To exercise any of these rights, contact us at info@aiclysm.com. We will respond within one month, as required by Art. 12(3) GDPR.
You can also exercise these rights directly in the app: go to your Dashboard and use Export My Data to download all your data in JSON format, or Delete Account to permanently erase your account and all associated data.
11. Automated Decision-Making & Profiling
MyBodyAI uses automated processing to compute health indices (such as Recovery, Stress Load, Illness Risk, Biological Age) from your wearable data. These scores are generated algorithmically based on published research and personalized to your historical data. No decisions with legal or similarly significant effects (GDPR Art. 22) are made solely on the basis of automated processing. All outputs are informational wellness insights, not medical diagnoses. You have the right to request human review of any automated assessment by contacting us.
12. Children's Data
MyBodyAI is not intended for users under 15 years of age (in accordance with Czech law). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
13. Cookies
We use only essential cookies necessary for the functioning of the service (session cookies, language preference). We do not use advertising or tracking cookies. No cookie consent banner is required for strictly necessary cookies under the ePrivacy Directive.
We use Umami, a privacy-focused, self-hosted web analytics tool, to understand website usage. Umami does not use cookies, does not collect personally identifiable information (PII), and does not track users across websites. All analytics data is stored on our own servers within the EU. No data is shared with third parties.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. The "Last updated" date at the top of this page will be revised accordingly.
15. Contact
Aiclysm
Prague, Czech Republic
Email: info@aiclysm.com
Web: aiclysm.com