Home

Privacy Policy

Last updated: February 24, 2026

Data Controller

Norvin is operated by Daniel Chabr, U Divcich hradu 343, 150 00 Praha 5, Czech Republic. IČO: 03310001. As the data controller, we are responsible for deciding how and why your personal data is processed.

1. What Data We Collect

  • Account information — name, email address, and authentication credentials when you sign up.
  • Fitness data — workout activities, power, heart rate, pace, stroke rate, and other performance metrics synced from Intervals.icu.
  • Athlete profile — physical metrics (weight, age, max heart rate), performance benchmarks (2K pace, FTP), and training preferences you provide.
  • Usage analytics — anonymized page views and feature usage collected via PostHog in cookieless mode (no tracking cookies are used).

2. How We Use Your Data

  • Generate AI-powered training plans and session analysis using Anthropic Claude. (Legal basis: Art. 6(1)(b) GDPR — performance of a contract)
  • Provide personalized coaching feedback and performance trends. (Legal basis: Art. 6(1)(b) GDPR — performance of a contract)
  • Send transactional emails (verification, notifications) via Resend. (Legal basis: Art. 6(1)(b) GDPR — performance of a contract)
  • Improve the product based on anonymized usage patterns. (Legal basis: Art. 6(1)(f) GDPR — legitimate interests in product improvement)

Where we rely on legitimate interests, you have the right to object — see Section 5.

3. Third-Party Data Sharing

  • Intervals.icu — We read your workout data via their API using credentials you provide. We do not write data back.
  • Anthropic (Claude AI) — Your workout data is sent to Anthropic for AI analysis. Data is anonymized (no name or email is included in prompts). Anthropic does not use this data for model training.
  • Resend — Your email address is shared with Resend solely for transactional email delivery.
  • PostHog — Anonymized, cookieless usage analytics. No personal identifiers are transmitted.

We do not sell your data to any third party.

3a. International Data Transfers

Anthropic (USA) and PostHog (USA) receive data outside the European Economic Area. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission. You may request a copy of the applicable SCCs via our contact address.

4. Data Retention

  • Account and fitness data — retained while your account is active and deleted within 30 days of an account deletion request.
  • AI-generated analyses — retained for 12 months, then deleted.
  • Anonymized usage analytics — retained for 24 months, then deleted.
  • Security and audit logs — retained for 12 months for security purposes.

5. Your Rights

Under the GDPR, you have the following rights:

  • Access & Export — You can download all your data from Settings > Account at any time.
  • Rectification — You can correct inaccurate personal data in Settings at any time.
  • Erasure — You can request account deletion from Settings > Account. Deletion occurs after a 30-day grace period, which can be cancelled by logging in.
  • Restriction — You can ask us to restrict processing of your data in certain circumstances.
  • Portability — You can receive your data in a structured, machine-readable format.
  • Object — You can object to processing based on our legitimate interests (e.g. analytics). We will stop unless we have compelling grounds that override your interests.
  • Withdraw Consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Complaint to ÚOOÚ — You have the right to lodge a complaint with the Czech Data Protection Authority (ÚOOÚ) at www.uoou.cz.

To exercise any of these rights, contact us at the address in the Data Controller section above.

6. Cookies

We use a session cookie for authentication only. We do not use tracking cookies. PostHog analytics runs in cookieless (memory) mode.

7. GDPR Compliance

If you are in the European Economic Area, you have rights under the GDPR as described in Section 5. This policy is designed to comply with GDPR Articles 13 and 14. To exercise your rights, contact us at the address in the Data Controller section.

8. Contact

For privacy questions or data requests, use our contact form.

Data Controller: Daniel Chabr, U Divcich hradu 343, 150 00 Praha 5, Czech Republic.

9. Automated Decisions & Profiling

Norvin uses AI (Claude by Anthropic) to automatically generate training plans and analyze your workouts. This involves automated profiling of your fitness data. This automation helps us provide personalized coaching, but does not produce legally significant effects on you. You may request a human review of any AI-generated output by contacting us at the address above.