Privacy Policy
Last updated: February 9, 2026
1. Introduction
Yogakollektivet Sverige AB, trading as Movement Rebels ("we", "us", "our"), operates the Movement Rebels web application at app.movementrebels.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including health and biometric data obtained from connected wearable devices.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Illinois Biometric Information Privacy Act (BIPA), and other applicable privacy laws.
2. Data Controller
The data controller responsible for your personal data is:
Yogakollektivet Sverige AB
Trading as Movement Rebels
Email: nicklas@movementrebels.com
Website: movementrebels.com
3. Information We Collect
3.1 Information You Provide
- Account information (email address, display name, profile picture)
- Training data (workout history, personal records, benchmark times)
- Body composition data (weight, height, body fat percentage)
- Readiness check-in data (sleep quality, soreness, mood, energy self-assessments)
- Journal entries and training notes
- Custom workout creations
- Daily wellness checklist data
- Feedback and support messages
3.2 Health & Biometric Data from Wearable Devices
When you choose to connect a wearable device or health platform, we collect the following biometric and health data with your explicit consent:
- Heart Rate Variability (HRV): Resting HRV measurements (rMSSD), typically collected during sleep
- Resting Heart Rate (RHR): Daily resting heart rate in beats per minute
- Sleep Data: Total sleep duration, sleep stages (light, deep, REM), sleep efficiency, and sleep quality scores
- Recovery Scores: Device-specific recovery or readiness assessments
- Activity Data: Steps, active calories, workout sessions detected by your device
- Body Metrics: Weight, body fat percentage, SpO2 (blood oxygen), skin temperature (where provided by device)
We support direct integrations with the following platforms:
- Garmin Connect (via Garmin Health API)
- WHOOP (via WHOOP Developer API)
- Oura Ring (via Oura API)
You may also manually enter health data or import it from CSV/JSON exports from any device or platform.
3.3 Automatically Collected Information
- Usage data (features used, workout completions, session duration)
- Device information (browser type, operating system)
- Analytics data via Google Analytics (anonymized)
3.4 Payment Information
Payment processing is handled entirely by Stripe. We do not store, collect, or have access to your credit card numbers or banking details. Stripe's privacy policy applies to payment data.
4. How We Use Your Information
- To provide, maintain, and improve the Service
- To manage your account and subscription
- To store and sync your training data across devices
- To calculate personalized readiness scores and training recommendations using your biometric data
- To power AI-based coaching features (the "Master Coach") that analyze your health trends and provide training guidance
- To display health trend visualizations (sparklines, charts) on your dashboard
- To detect patterns in your biometric data (e.g., HRV trends, sleep quality trends) for training optimization
- To process payments through Stripe
- To send service-related notifications
- To respond to feedback and support requests
- To analyze usage patterns and improve the user experience
5. Wearable Device Connections & Consent
Connecting a wearable device to Movement Rebels is entirely optional and requires your explicit consent. When you initiate a connection:
- You are redirected to the device manufacturer's authorization page (e.g., Garmin, WHOOP, Oura)
- You explicitly grant permission for Movement Rebels to access specific health data categories
- We only request the minimum data scopes necessary for our features (sleep, heart rate, HRV, recovery)
- We store encrypted OAuth tokens to maintain the connection on your behalf
- We do not access data beyond the scopes you authorize
Disconnecting your device: You can disconnect any wearable device at any time from your dashboard settings. Upon disconnection:
- We immediately revoke and delete all stored access/refresh tokens for that device
- No further data will be synced from that device
- Previously synced health data remains in your account unless you request its deletion
- You may also revoke access directly from the device manufacturer's app or website
6. Legal Basis for Processing (GDPR)
We process your personal data based on:
- Contract: Processing necessary to provide the Service you signed up for
- Explicit Consent: Collection and processing of health and biometric data from wearable devices (Article 9(2)(a) GDPR). This consent is obtained through the OAuth authorization flow when you connect a device.
- Legitimate Interest: Improving our Service, analytics, and security
- Consent: Where you have given explicit consent (e.g., marketing communications)
Health data is classified as "special category data" under GDPR Article 9. We process this data solely on the basis of your explicit consent, which you may withdraw at any time by disconnecting your device or contacting us.
7. Data Storage & Security
Your data is stored securely using Google Firebase (Firestore) with encryption at rest and in transit (AES-256 and TLS 1.2+). Firebase servers comply with GDPR requirements and are SOC 2 certified.
7.1 Biometric Data Security
- Health and biometric data is encrypted at rest in Firebase Firestore
- OAuth tokens from wearable providers are stored as encrypted Firebase secrets, separate from user data
- All data transfers between your browser, our servers, and wearable APIs use HTTPS/TLS encryption
- Biometric data is associated with your user account and is not accessible to other users
- We do not store raw API responses beyond the specific data fields listed in Section 3.2
- AI coaching features process your health data in-memory during analysis and do not create additional persistent copies
8. Data Sharing
We do not sell, rent, or trade your personal data, including biometric data. We may share data with:
- Firebase/Google: Data hosting, authentication, and cloud functions
- Stripe: Payment processing only
- Google Vertex AI (Gemini): AI coaching feature processes your anonymized training and health summaries to generate personalized recommendations. No raw biometric data is stored by Google beyond the API request lifecycle.
- Google Analytics: Anonymized usage analytics (no health data)
- Garmin, WHOOP, Oura: Only the minimum data required for the OAuth connection flow. We do not send your data back to these providers.
All third-party processors are GDPR-compliant and bound by data processing agreements. We do not share your biometric or health data with advertisers, data brokers, insurance companies, employers, or any other third parties not listed above.
9. Your Rights
Under GDPR and CCPA, you have the right to:
- Access: Request a copy of your personal data, including all health and biometric data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data, including all health data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format (JSON)
- Restriction: Request restriction of processing
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent for biometric data processing at any time by disconnecting your device or contacting us. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights, contact us at nicklas@movementrebels.com. We will respond within 30 days.
10. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service.
10.1 Biometric Data Retention
- Health data from wearables is retained for up to 365 days of entries to enable trend analysis
- Older entries are automatically pruned on a rolling basis
- OAuth tokens are retained only while a device connection is active
- If you disconnect a device, tokens are deleted immediately
- If you delete your account, all health data, tokens, and biometric records are permanently deleted within 30 days
11. Cookies & Local Storage
We use browser local storage to cache workout data, health data, and preferences for offline use. We use essential cookies for authentication. Analytics cookies (Google Analytics) are used to understand usage patterns. You can disable non-essential cookies through your browser settings.
12. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data or biometric data from children. If you believe a child has provided us with personal data, please contact us immediately.
13. CCPA Specific Rights (California Residents)
If you are a California resident, you have the additional right to:
- Know what personal information is collected and how it is used
- Request deletion of personal information, including biometric data
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
14. Illinois BIPA Notice
If you are an Illinois resident, the Illinois Biometric Information Privacy Act (BIPA) may apply to certain biometric data we collect. We provide the following notice:
- We collect biometric data (HRV, resting heart rate) solely for the purpose of providing personalized training recommendations
- Biometric data is stored for a maximum of 365 days or until account deletion, whichever comes first
- We do not sell, lease, trade, or otherwise profit from biometric data
- Biometric data is encrypted and stored with the same protections described in Section 7
15. Medical Disclaimer
Movement Rebels is a fitness and wellness application. The Service, including all AI-powered coaching features, is intended for educational and informational purposes only and does not constitute medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional before starting any new exercise program, especially if you have pre-existing health conditions.
Biometric data displayed in the Service (HRV, heart rate, sleep data) is sourced from consumer-grade wearable devices and should not be used for medical decision-making.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on the Service and updating the "Last updated" date. Material changes to biometric data handling will be communicated via email to all users with connected devices. Your continued use of the Service after changes constitutes acceptance of the updated policy.
17. Contact
For privacy-related questions, data access requests, or to exercise your rights, contact:
© 2026 Yogakollektivet Sverige AB, trading as Movement Rebels. All rights reserved.