alync

Privacy Policy

Last updated: April 2026

1. Introduction

Alync ("we", "our", "us") is a relationship health platform that processes wearable health data to provide insights to paired users. This privacy policy explains what data we collect, how we use it, how we store it, and your rights regarding that data. We are committed to processing personal data in accordance with the UK GDPR and the Data Protection Act 2018.

2. Data we collect

2.1 Account data

When you create an account, we collect your email address, full name (optional), and a hashed password. We also store your timezone preference and subscription status.

2.2 Health data

With your explicit consent, we collect the following data from your connected wearable device (WHOOP or Oura Ring): recovery or readiness score, sleep score, sleep duration, sleep efficiency, heart rate variability (HRV), resting heart rate, strain or activity score, respiratory rate, blood oxygen saturation (SpO2), and body temperature deviation (Oura only). We also store the raw JSON response from your device's API for debugging purposes.

2.3 Usage data

We collect standard server logs including IP addresses, browser type, pages visited, and timestamps. This data is used for security, debugging, and improving the service.

2.4 Payment data

Payment information is handled entirely by Stripe. We store only your Stripe Customer ID — no card numbers or payment details are stored on our servers.

3. How we use your data

  • To display your health metrics on your personal dashboard
  • To share selected metrics with your paired partner (only metrics you have enabled)
  • To generate daily AI insights using Anthropic Claude API
  • To send morning digest and notification emails (if enabled)
  • To manage your subscription via Stripe
  • To detect and prevent fraud and abuse

4. Data sharing with third parties

We share data with the following third-party processors:

  • Supabase — database hosting and authentication (EU region)
  • Anthropic — AI insight generation (health data sent for processing; not used for training)
  • Stripe — payment processing
  • Resend — transactional email delivery
  • Vercel — application hosting

We do not sell your data to any third party. We do not share your health data for advertising purposes.

5. Device data and OAuth

We access your WHOOP or Oura data via their official OAuth APIs. We store access tokens and refresh tokens encrypted in our database. These tokens are used solely to sync your health data. You may revoke access at any time by disconnecting your device in Alync or by revoking access in your WHOOP or Oura account settings.

6. Data retention

We retain your health data for as long as your account is active. If you delete your account, all your data is permanently deleted within 30 days, including health metrics, insights, and device connections. Stripe may retain transaction records for up to 7 years as required by law.

7. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of all data we hold about you
  • Right to rectification — correct inaccurate data
  • Right to erasure — delete your account and all associated data
  • Right to portability — export your data in machine-readable format
  • Right to object — object to specific processing activities
  • Right to restrict processing — pause processing while disputes are resolved

To exercise any of these rights, email us at privacy@alync.app. We will respond within 30 days.

8. Cookies

We use only essential cookies required for authentication (Supabase session cookies). We do not use tracking or advertising cookies.

9. Security

We use TLS encryption for all data in transit. Data at rest is encrypted using Supabase's AES-256 encryption. OAuth tokens are stored encrypted. Row-level security policies ensure users can only access their own data.

10. Contact

For privacy enquiries, contact us at privacy@alync.app. For general support, contact hello@alync.app.