Privacy Notice — Hardmax AI Training Coach (pre-launch)

Last updated: 25 October 2025

As of the date above, Hardmax does not process Garmin data yet. This notice describes how your data will be processed after you explicitly connect your Garmin account and consent.

  1. Scope & Controller

    This notice applies to the Hardmax AI Training Coach mobile/web app.

    Controller: Hardmax AS, Brinken 19 A, 0654 Oslo, Norway.

    Contact: hello@hardmax.no

  2. Data we will process (after consent)

    From Garmin (via the Garmin Connect Developer Program):

    • Activity API (core): per-workout details and activity files (FIT/TCX/GPX), including GPS tracks, laps/intervals and recorded sensor data (device-dependent).
    • Health API (optional): selected wellness metrics (e.g., sleep, heart rate, stress, Pulse Ox, Body Battery). We will request and process these only if you opt-in and where licensing permits.

    From you:

    • Journal inputs (mood/RPE/free text), tags (e.g., illness, travel, leg day), settings (language, context window), and support communications.

  3. Purpose

    Provide a training journal and AI coach that analyzes your workouts, labels sessions (e.g., easy/tempo/intervals), and generates adaptive assessments that can update when you add context (e.g., “felt sick 5 days ago”).

    Show trends (e.g., training load, monotony/strain, efficiency/decoupling) and “last similar session” comparisons.

  4. Legal basis

    Explicit consent (GDPR Art. 6(1)(a) and Art. 9(2)(a) for special-category/health data). You may withdraw consent at any time in the app or by contacting us.

  5. AI and model usage

    Numeric metrics are computed deterministically; the AI generates summaries/explanations based on those numbers.

    We do not sell your data or use your personal Garmin data to train general models. Processing is solely to provide the app’s features to you.

  6. Sharing & processors

    We do not sell personal data or share Garmin data with third parties without your direction. We may use processors (hosting, observability, error monitoring, secure model providers) under data processing agreements.

  7. International transfers & residency

    We aim to host and process data in the EU/EEA. If a processor is outside the EEA, we use appropriate safeguards (e.g., SCCs). Details are available on request.

  8. Retention

    • Raw activity files (FIT/TCX/GPX): stored for as long as your account is active, unless you delete them.
    • Per-second streams: retained in full for [90–120 days]; older data may be downsampled (e.g., per-lap or 5-second aggregates).
    • Aggregates/labels/assessments: retained while your account is active.

    You may export or delete your data at any time (see “Your rights”).

  9. Your rights

    You can request access, export, correction, deletion, restriction, portability, or object to processing. Contact hello@hardmax.no. You may complain to Datatilsynet.

  10. Security

    TLS encryption in transit; encryption at rest where supported; least-privilege access; audit logs; token-based access for APIs; idempotent ingestion.

  11. Children

    This app is not intended for children under 16.

  12. Changes

    We will update this notice as features evolve. Material changes will be highlighted with a new “Last updated” date.