WHOOP Privacy Policy

1. Introduction

Application: Inwardly

Purpose: Body awareness training through personalized, AI-powered insights correlated with your wearable biometric data.

Contact Email: support@goinwardly.com

2. Beta Program Scope

Inwardly is currently operating as a closed beta program with a maximum of 100 active users. During the beta phase, this Privacy Policy may be updated with 7 days notice to users via email or in-app notification.

Your continued use of Inwardly after a policy update constitutes acceptance of the updated terms. We encourage you to review this policy periodically for changes.

3. Data We Collect from WHOOP

When you authorize Inwardly to access your WHOOP account, we collect the following biometric and profile data:

Recovery Data

Recovery score
Heart Rate Variability (HRV)
Resting Heart Rate

Sleep Data

Sleep duration
Sleep stages (light, deep, REM)
Sleep quality score

Workout Data

Strain score
Workout duration
Workout type/activity classification

Cycle Data

Physiological cycle information (if applicable to your profile)

Profile Data

Name from WHOOP profile
Email address from WHOOP profile

Important: We do not collect any health condition information, medical history, or sensitive health data beyond what WHOOP provides through our authorized scopes.

4. How We Access Your Data

Inwardly uses the OAuth 2.0 authorization framework with PKCE (Proof Key for Public Clients) to securely access your WHOOP data. This means:

You authorize Inwardly directly through WHOOP's official consent screen
You maintain full control over which data scopes we can access
WHOOP does not share your password with us; we receive a secure access token instead

Requested Scopes

When you authorize Inwardly, WHOOP will ask for permission to access the following scopes:

read:recovery - Recovery score, HRV, and resting heart rate
read:sleep - Sleep metrics and sleep stage data
read:workout - Workout strain and activity data
read:cycles - Physiological cycle data
read:profile - Your name and email address

You authorize these scopes by confirming on the WHOOP consent screen. You can revoke access at any time through your WHOOP account settings.

5. How We Use Your Data

Your WHOOP data is used exclusively for the following purposes:

Personalization

We correlate your reported body awareness (tension, energy, focus) with your objective biometric data from WHOOP to deliver personalized insights and recommendations tailored to your physiology and patterns.

AI-Powered Insights

Your aggregated data is processed by our AI engine to generate actionable insights about your recovery, sleep quality, training load, and performance trends. These insights are provided exclusively to you and are not shared with third parties.

Dashboard Display

Your WHOOP metrics are displayed on your personal Inwardly dashboard, allowing you to view your data in one unified location.

Coach Dashboard (If Connected)

If you have connected a coach to your account, your WHOOP data will be visible to that coach on their coaching dashboard so they can provide informed guidance based on your complete biometric picture.

Product Improvement

We may use anonymized and aggregated data (data that cannot identify you) for:

Analyzing product usage patterns
Improving algorithm accuracy
Identifying common user behaviors
Conducting research to enhance the Inwardly experience

We do NOT use your data for:

Advertising or marketing purposes
Selling to third parties
Building profiles for external purposes
Discrimination or risk assessment

6. Data Storage

Your WHOOP data is stored in our secure backend infrastructure:

Storage Infrastructure: Firebase/Firestore

Encryption: All data is encrypted at rest using industry-standard encryption protocols

Location: Data is stored on US-based servers

Access Control: Access to your data is restricted to authorized Inwardly systems and your connected coach (if applicable)

7. Data Sharing

We are committed to protecting your privacy. Your WHOOP data is shared only in the following circumstances:

Your Connected Coach

If you have authorized a coach to access your Inwardly account, your WHOOP data will be visible to that coach on their coaching dashboard. You can disconnect your coach at any time in Settings, which will immediately revoke their access.

Firebase Infrastructure

Your data is stored on Google Firebase/Firestore infrastructure. Google is our data processor and has agreed to handle your data in accordance with our privacy commitments.

Anonymized and Aggregated Data

We may share anonymized, aggregated insights with researchers, partners, or public audiences for product research and improvement purposes. This data cannot be used to identify you or any individual user.

What We Do NOT Do

We do NOT sell your data to advertisers, brokers, or third-party marketers
We do NOT share your data with insurance companies, employers, or any entity for purposes of risk assessment or discrimination
We do NOT allow third parties to build profiles using your WHOOP data

8. Data Retention

Your WHOOP data is retained for the following periods:

During Beta: Your data is retained while you are an active beta user
Post-Exit: If you exit the beta program or delete your account, your data will be retained for an additional 30 days before being permanently deleted
User Request: You may request deletion of your data at any time by contacting support@goinwardly.com, and we will delete it within 30 days

9. Your Rights

You have the following rights regarding your data:

Access

You can view all data we store about you within the Inwardly app (Settings > Account > Data Access). You can also request a complete export of your data.

Correction

You can correct your profile information (name, email) within the Inwardly app under Settings > Account.

Deletion

You can request deletion of your account and all associated data at any time. Submit a deletion request to support@goinwardly.com, and we will delete your data within 30 days.

Data Export

You can request a complete export of your data in machine-readable format. Go to Settings > Account > Request Data Export, and we will provide your data within 14 days.

Disconnect WHOOP

You can revoke Inwardly's access to your WHOOP data at any time (see Section 10: How to Disconnect).

10. How to Disconnect WHOOP

You can disconnect your WHOOP account from Inwardly at any time. This will immediately revoke our access token and prevent us from collecting any new data.

Steps to Disconnect:

Open the Inwardly app
Go to Settings
Select Wearable Devices
Tap WHOOP
Tap Disconnect
Confirm the disconnection

What Happens When You Disconnect:

Our access token is immediately revoked
We can no longer fetch new data from WHOOP
Your previously stored WHOOP data remains in Inwardly (you can request deletion separately)
Your coach can no longer see new WHOOP updates (but can still see historical data you previously authorized)

You can also revoke access through your WHOOP account settings at https://www.whoop.com/settings/connected-apps.

11. Security

We implement industry-standard security measures to protect your data:

Transport Security

All data transmitted between your device and our servers is encrypted using HTTPS with TLS 1.2 or higher. This prevents interception of your data in transit.

OAuth Token Security

Your WHOOP access tokens are stored securely in Firebase with encryption at rest. Tokens are treated as sensitive credentials and are never logged or exposed.

Client Secret Management

Our OAuth client secret is stored in Firebase Secret Manager with restricted access. Only authorized backend services can access it.

Access Control

Only authorized Inwardly systems can access your stored WHOOP data. Your coach (if connected) can access your data through role-based access controls, and you can revoke their access at any time.

Regular Security Audits

We conduct regular security reviews of our infrastructure and data handling practices to identify and address vulnerabilities.

12. Children

Inwardly is not intended for users under the age of 18. We do not knowingly collect or retain data from minors. If we become aware that a user is under 18, we will take steps to delete their account and data.

Parents or guardians who believe a minor has used Inwardly should contact us immediately at support@goinwardly.com.

13. Changes to This Policy

During the beta program, we may update this Privacy Policy. When we do, we will provide 7 days notice to all users via email and in-app notification before the new policy takes effect.

Your continued use of Inwardly after a policy update constitutes acceptance of the updated terms. We encourage you to review this policy regularly to stay informed about how we protect your data.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@goinwardly.com

Subject Line: "WHOOP Privacy Policy Question" or "Data Request"

We will respond to your inquiry within 14 days.