Privacy Policy
Last updated: March 8, 2026
1. Introduction
Yogakollektivet Sverige AB, trading as Movement Rebels ("we", "us", "our"), operates the Movement Rebels web application at app.movementrebels.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including health and biometric data obtained from connected wearable devices.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Illinois Biometric Information Privacy Act (BIPA), and other applicable privacy laws.
2. Data Controller
The data controller responsible for your personal data is:
Yogakollektivet Sverige AB
Trading as Movement Rebels
Email: hello@movementrebels.com
Website: movementrebels.com
3. Information We Collect
3.1 Information You Provide
- Account information (email address, display name, profile picture)
- Training data (workout history, personal records, benchmark times)
- Body composition data (weight, height, body fat percentage)
- Readiness check-in data (sleep quality, soreness, mood, energy self-assessments)
- Journal entries and training notes
- Custom workout creations
- Daily wellness checklist data
- Nutrition data (food logs, macro targets, dietary restrictions, custom recipes, meal plans)
- Supplement tracking data
- Feedback and support messages
3.2 Camera & Media Data
Certain features request access to your device camera or photo library with your explicit permission:
- Form Analysis: You may record or upload video of exercise movements for AI-powered technique feedback. Videos are processed in real-time and are not stored on our servers. Only the resulting analysis text (feedback, scores, recommendations) is saved to your account.
- Food Logging: You may photograph meals for AI-powered nutritional estimation. Photos are sent to Google Vertex AI for analysis and are not stored on our servers after processing. Only the resulting nutritional data (estimated calories, macros) is saved.
- Profile Pictures: Optionally uploaded and stored for display within the Service.
Camera access is always initiated by you and can be revoked at any time through your browser or device settings.
3.3 Health & Biometric Data from Wearable Devices
When you choose to connect a wearable device or health platform, we collect the following biometric and health data with your explicit consent:
- Heart Rate Variability (HRV): Resting HRV measurements (rMSSD), typically collected during sleep
- Resting Heart Rate (RHR): Daily resting heart rate in beats per minute
- Sleep Data: Total sleep duration, sleep stages (light, deep, REM), sleep efficiency, and sleep quality scores
- Recovery Scores: Device-specific recovery or readiness assessments
- Activity Data: Steps, active calories, workout sessions detected by your device
- Body Metrics: Weight, body fat percentage, SpO2 (blood oxygen), skin temperature (where provided by device)
We support direct integrations with the following platforms:
- Apple Health (HealthKit) — available on iOS. With your explicit permission, the Movement Rebels iOS app reads workout data (exercise type, duration, calories burned, heart rate) from Apple HealthKit. This data is used solely to display your training history and inform AI coaching recommendations within the app. We do not write data to HealthKit. HealthKit data is stored securely in your Firestore account and is never sold, shared with advertisers or data brokers, or used for purposes unrelated to your training. You can revoke HealthKit access at any time via iOS Settings > Privacy & Security > Health.
- Garmin Connect (via Garmin Health API) — currently available
You may also manually enter health data or import it from CSV/JSON exports from any device or platform.
3.4 Automatically Collected Information
- Usage data (features used, workout completions, session duration)
- Device information (browser type, operating system)
- Analytics data via Google Analytics (anonymized)
3.5 Payment Information
Payment processing is handled by Stripe (web) and Apple In-App Purchase via RevenueCat (iOS). We do not store, collect, or have access to your credit card numbers or banking details. Stripe's and Apple's respective privacy policies apply to payment data.
4. How We Use Your Information
- To provide, maintain, and improve the Service
- To manage your account and subscription
- To store and sync your training data across devices
- To calculate personalized readiness scores and training recommendations using your biometric data
- To power AI-based coaching features (the "Rebel Council") that analyze your health trends, training history, and athlete profile to provide personalized training guidance and generate weekly training plans
- To provide AI-powered form analysis feedback on exercise technique using video you choose to submit
- To provide AI-powered nutritional estimation from food photos you choose to submit
- To display health trend visualizations (sparklines, charts) on your dashboard
- To detect patterns in your biometric data (e.g., HRV trends, sleep quality trends) for training optimization
- To generate personalized meal plans and macro recommendations based on your profile and dietary preferences
- To process payments through Stripe
- To send service-related notifications
- To respond to feedback and support requests
- To analyze usage patterns and improve the user experience
5. Wearable Device Connections & Consent
Connecting a wearable device to Movement Rebels is entirely optional and requires your explicit consent. When you initiate a connection:
- You are redirected to the device manufacturer's authorization page (e.g., Garmin)
- You explicitly grant permission for Movement Rebels to access specific health data categories
- We only request the minimum data scopes necessary for our features (sleep, heart rate, HRV, recovery)
- We store encrypted OAuth tokens to maintain the connection on your behalf
- We do not access data beyond the scopes you authorize
Disconnecting your device: You can disconnect any wearable device at any time from your dashboard settings. Upon disconnection:
- We immediately revoke and delete all stored access/refresh tokens for that device
- No further data will be synced from that device
- Previously synced health data remains in your account unless you request its deletion
- You may also revoke access directly from the device manufacturer's app or website
6. AI-Powered Features & Data Processing
Movement Rebels uses AI (Google Vertex AI / Gemini) to power several features. Here is what data each feature processes:
6.1 Rebel Council (AI Coach)
- Data sent: Your athlete profile (age, weight, height, goals, training experience), recent training history, readiness scores, and conversation context
- Output: Personalized training advice, weekly plans, and coaching responses
- Storage: Conversation history is stored in your account. AI-generated plans are saved to your calendar.
6.2 Form Analysis
- Data sent: Video frames or images you choose to capture of your exercise form
- Output: Technique feedback, joint angle analysis, and improvement recommendations
- Storage: Videos/images are processed in real-time and not stored on our servers. Only the text-based analysis results are saved to your account.
6.3 Food Photo Analysis
- Data sent: Photos of meals you choose to capture
- Output: Estimated nutritional content (calories, protein, carbs, fat)
- Storage: Photos are processed and not stored on our servers. Only the nutritional estimates are saved to your food log.
6.4 AI Content Disclaimer
All AI-generated content (training plans, form feedback, nutritional estimates, coaching advice) is produced by machine learning models and may contain inaccuracies. This content is for informational purposes only and does not constitute professional coaching, medical, physiotherapy, or dietetic advice. You should always use your own judgment and consult qualified professionals for specific health or training concerns.
7. Legal Basis for Processing (GDPR)
We process your personal data based on:
- Contract: Processing necessary to provide the Service you signed up for
- Explicit Consent: Collection and processing of health and biometric data from wearable devices (Article 9(2)(a) GDPR). This consent is obtained through the OAuth authorization flow when you connect a device.
- Legitimate Interest: Improving our Service, analytics, and security
- Consent: Where you have given explicit consent (e.g., marketing communications)
Health data is classified as "special category data" under GDPR Article 9. We process this data solely on the basis of your explicit consent, which you may withdraw at any time by disconnecting your device or contacting us.
8. Data Storage & Security
Your data is stored securely using Google Firebase (Firestore) with encryption at rest and in transit (AES-256 and TLS 1.2+). Firebase servers comply with GDPR requirements and are SOC 2 certified.
8.1 Biometric Data Security
- Health and biometric data is encrypted at rest in Firebase Firestore
- OAuth tokens from wearable providers are stored as encrypted Firebase secrets, separate from user data
- All data transfers between your browser, our servers, and wearable APIs use HTTPS/TLS encryption
- Biometric data is associated with your user account and is not accessible to other users
- We do not store raw API responses beyond the specific data fields listed in Section 3.2
- AI coaching features process your health data in-memory during analysis and do not create additional persistent copies
- Exercise videos and food photos submitted for AI analysis are transmitted via HTTPS and are not retained after processing
9. Data Sharing
We do not sell, rent, or trade your personal data, including biometric data. We may share data with:
- Firebase/Google: Data hosting, authentication, and cloud functions
- Stripe: Payment processing only
- Google Vertex AI (Gemini): Powers multiple AI features including the Rebel Council coach, form analysis, food photo analysis, and training plan generation. Your training history, readiness data, athlete profile, and any media you submit (exercise video, food photos) are sent to Google's API for processing. Google does not retain this data beyond the API request lifecycle per their Cloud data processing terms. No raw biometric data from wearable devices is sent to this service.
- Google Analytics: Anonymized usage analytics (no health data)
- Garmin: Only the minimum data required for the OAuth connection flow. We do not send your data back to Garmin.
All third-party processors are GDPR-compliant and bound by data processing agreements. We do not share your biometric or health data with advertisers, data brokers, insurance companies, employers, or any other third parties not listed above.
10. Your Rights
Under GDPR and CCPA, you have the right to:
- Access: Request a copy of your personal data, including all health and biometric data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data, including all health data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format (JSON)
- Restriction: Request restriction of processing
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent for biometric data processing at any time by disconnecting your device or contacting us. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights, contact us at hello@movementrebels.com. We will respond within 30 days.
11. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service.
11.1 Biometric Data Retention
- Health data from wearables is retained for up to 365 days of entries to enable trend analysis
- Older entries are automatically pruned on a rolling basis
- OAuth tokens are retained only while a device connection is active
- If you disconnect a device, tokens are deleted immediately
- If you delete your account, all health data, tokens, and biometric records are permanently deleted within 30 days
12. Cookies & Local Storage
We use browser local storage to cache workout data, health data, and preferences for offline use. We use essential cookies for authentication. Analytics cookies (Google Analytics) are used to understand usage patterns. You can disable non-essential cookies through your browser settings.
13. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data or biometric data from children. If you believe a child has provided us with personal data, please contact us immediately.
14. CCPA Specific Rights (California Residents)
If you are a California resident, you have the additional right to:
- Know what personal information is collected and how it is used
- Request deletion of personal information, including biometric data
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
15. Illinois BIPA Notice
If you are an Illinois resident, the Illinois Biometric Information Privacy Act (BIPA) may apply to certain biometric data we collect. We provide the following notice:
- We collect biometric data (HRV, resting heart rate) solely for the purpose of providing personalized training recommendations
- Biometric data is stored for a maximum of 365 days or until account deletion, whichever comes first
- We do not sell, lease, trade, or otherwise profit from biometric data
- Biometric data is encrypted and stored with the same protections described in Section 8
16. Medical Disclaimer
Movement Rebels is a fitness and wellness application. The Service, including all AI-powered features (coaching, form analysis, nutritional estimation, training plan generation), is intended for educational and informational purposes only and does not constitute medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional before starting any new exercise program, especially if you have pre-existing health conditions.
AI-generated form analysis is not a substitute for professional coaching or physiotherapy. AI-generated nutritional estimates are approximations and should not replace consultation with a registered dietitian for specific dietary needs.
Biometric data displayed in the Service (HRV, heart rate, sleep data) is sourced from consumer-grade wearable devices and should not be used for medical decision-making.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on the Service and updating the "Last updated" date. Material changes to biometric data handling will be communicated via email to all users with connected devices. Your continued use of the Service after changes constitutes acceptance of the updated policy.
18. Contact
For privacy-related questions, data access requests, or to exercise your rights, contact:
© 2026 Yogakollektivet Sverige AB, trading as Movement Rebels. All rights reserved.