Healthing — Privacy Policy

Last updated: 2 July 2026. Controller: Healthing (DarkPixel). Contact: privacy@koding.it.

This policy explains what data Healthing collects, how we use it, and who we share it with. The section below describes our handling of data obtained from the Garmin Connect Developer Program.

Garmin data

What we collect. If you choose to connect your Garmin account, we access the following data from the Garmin Health API, with your explicit OAuth consent: daily wellness summaries (steps, active and resting calories), sleep summaries and stages, resting heart rate, heart-rate variability (HRV), blood oxygen (SpO₂), respiration rate, skin temperature, VO₂ max and fitness age, and activity/exercise summaries (type, duration, distance, calories, average and maximum heart rate, heart-rate zones, steps). We do not collect your Garmin password — authentication is handled by Garmin via OAuth 2.0.

How it is collected. After you authorize Healthing, Garmin sends this data to our servers through the Garmin Health API push (webhook) and backfill mechanisms. We only ingest Garmin data while Garmin is your selected, active data source.

How we use it. We use Garmin data solely to provide the app's features to you: showing your activity, sleep, vitals and wellness scores; powering challenges, streaks and leaderboards you join; and generating personalised training guidance. We do not sell your data and we do not use it for advertising.

How it is stored. Garmin data is stored in our access-controlled database (hosted on Railway, EU/US region) and transmitted over encrypted connections (HTTPS/TLS). OAuth access and refresh tokens are encrypted at rest. We retain Garmin data only while your account exists and your Garmin connection is active.

Third parties and AI processing. To generate training recommendations and coaching feedback, Healthing sends a derived summary of your training metrics — which may include metrics originating from Garmin — to Anthropic, PBC (the "Claude" AI service), acting as a data processor on our behalf, under Anthropic's commercial terms (no training on your data). We do not share Garmin data with any other third parties, and we do not share it for advertising or sale.

Your control. You can disconnect Garmin at any time from within the app (Health source → Garmin → Disconnect). On disconnect we call Garmin's deregistration endpoint and delete your stored Garmin OAuth tokens; new Garmin data stops flowing immediately. You may request deletion of previously stored Garmin data by contacting privacy@koding.it.

Apple Health data

If you instead connect your phone's Apple Health store (iOS), the same categories of data are read on-device with your permission and synced to our servers. Only one source is active at a time.

Google Health / Google Fit data

What we access. If you choose to connect Google, we request read-only access, with your explicit OAuth consent, to the following Google health & fitness data via the Google Health/Fitness APIs: daily steps and active energy (calories), sleep duration and stages, resting heart rate, heart-rate variability, blood oxygen (SpO₂), respiratory rate, VO₂ max, and activity/exercise summaries (type, duration, distance, calories, heart rate). We never receive your Google password — authentication is handled by Google via OAuth 2.0.

How we use it. We use Google data solely to provide the app's user-facing features to you: showing your health and activity dashboards, sleep and recovery insights, workout history, and challenges you join. To generate personalised coaching text, a derived summary of your metrics may be sent to Anthropic, PBC (the "Claude" AI service) strictly to produce that response; it is not used to train models. We do not use Google user data for advertising, and we do not sell it.

How it is stored and deleted. Google data is stored in our access-controlled database; OAuth tokens are encrypted at rest. We retain it only while your account exists and Google is a connected source. You can disconnect Google at any time in the app (Health source → Google → Disconnect), which deletes your stored Google OAuth tokens and stops new data immediately, and you may request deletion of previously stored data by emailing privacy@koding.it.

Limited Use disclosure. Healthing's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer or disclose Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger or acquisition; and no humans read this data except with your consent, for security or to comply with law.

Contact

Questions about this policy or your data: privacy@koding.it.