UltraFlow

Privacy Policy

Last updated: 30 May 2026

UltraFlow is an AI-powered daily training report service for mountain ultra runners. We take privacy seriously — especially because we handle sensitive health data. This policy explains what we collect, why, and how you stay in control.

1. Data Controller

Tomasz Zuchlke — Founder, UltraFlow
Katowice, Silesia, Poland
Email: tomek@ultraflow.run
Website: ultraflow.run

2. What Data We Collect

Category	Data	Source
Account data	Email address, Telegram username	You provide at registration
Health data (sensitive)	HRV (overnight, trend), resting heart rate, sleep (duration, stages, score)	Garmin Connect API, Coros, Suunto — via Runalyze API
Training data	Training load (ATL, CTL, TSB, A:C ratio), activities (type, duration, distance, HR, power), VO₂max	Garmin Connect API, Coros, Suunto — via Runalyze API
Body composition	Body weight (optional)	Runalyze API
Athlete profile	Upcoming races, injury history, dietary notes (e.g. IBS/FODMAP), current training phase	You provide during onboarding
Subjective data	Energy, motivation, soreness (1–10, evening check-in)	You provide via Telegram reply

3. Legal Basis for Processing

• Contract performance (Art. 6(1)(b) GDPR) — generating and delivering your personalised training report
• Explicit consent (Art. 9(2)(a) GDPR) — processing health data (HRV, sleep, heart rate). You may withdraw consent at any time.
• Legitimate interest (Art. 6(1)(f) GDPR) — system security and service stability

4. How We Use Your Data

• Generate a daily personalised AI training report at 06:00 local time
• Deliver the report to your Telegram or email
• Build a health history needed for accurate personalisation (HRV baseline, recovery patterns)
• Improve report quality based on your feedback

We do not use your data for advertising, commercial profiling, or sell it to any third party — ever.

5. Device Integrations & Data Sources

UltraFlow connects to your training data through Runalyze as the primary data hub:

Device	Integration	What We Access
Garmin	Garmin Connect → Runalyze → UltraFlow	HRV, sleep, training load, activities, VO₂max
Coros	Coros → Runalyze → UltraFlow	Training load, activities, sleep (where available)
Suunto	Suunto → Runalyze → UltraFlow	Training load, activities
Any device	Manual .FIT file upload	Activity data from the uploaded file only

We never store your Garmin, Coros, or Runalyze passwords. Access is granted via Runalyze Personal API token that you generate in your Runalyze account and can revoke at any time.

6. Sub-Processors

Provider	Role	Region
Anthropic, PBC	AI analysis via Claude API — data is processed transiently and not retained by Anthropic	USA
Neon, Inc.	PostgreSQL database (encrypted at rest, AES-256)	EU (Frankfurt)
Fly.io	Backend application hosting	EU
Telegram Messenger	Report delivery to your phone	Dubai
Resend	Email delivery (fallback)	USA
Cloudflare	DNS, CDN, static site hosting	EU / USA

For transfers to the USA, we rely on Standard Contractual Clauses (SCCs) as per Art. 46 GDPR.

7. Security

• Health and training data encrypted at rest (AES-256) in Neon PostgreSQL
• All communication between components over HTTPS/TLS 1.3
• API tokens stored encrypted — we never store your passwords
• Access to raw data restricted to the system administrator only
• Regular automated database backups

8. Retention

• Account data and athlete profile: until you delete your account
• Health and training data: up to 12 months rolling — older data deleted automatically
• AI reports: up to 90 days, then automatically deleted
• After account deletion: all data permanently erased within 30 days

9. Your Rights

Right	What it means
Access	Request a copy of all data we hold about you
Erasure	Delete all your data — no questions asked
Portability	Receive your data in JSON format for use elsewhere
Rectification	Correct any inaccurate data we hold
Withdraw consent	Stop health data processing at any time
Object	Object to processing based on legitimate interest

To exercise any right, email tomek@ultraflow.run. We respond within 30 days. You may also lodge a complaint with the Polish data protection authority (UODO), ul. Stawki 2, Warsaw, Poland, or with the supervisory authority in your country of residence.

10. Cookies

UltraFlow does not use tracking or advertising cookies. Session cookies may be used solely to keep you logged into the web interface and are never shared with third parties.

11. Changes to This Policy

We will notify you of material changes via Telegram or email with at least 14 days' notice before they take effect. Continued use of UltraFlow after that date constitutes acceptance.

12. Contact

Privacy questions: tomek@ultraflow.run
We aim to respond within 2 business days.