Privacy Policy
Last updated: 2026-04-18
1. Who We Are
Vettra is operated by Nomad Music v/ Jakob Wredstrom (Norwegian organisation number 925 940 224), based in Bryne, Norway ("Vettra", "we", "our", "us"). We are the data controller for personal data processed through the Vettra mobile app, web app, and this website. If you have questions about this policy or want to exercise any of your rights, contact us at privacy@vettra.run.
2. What This Policy Covers
This policy explains what personal data we collect, why we collect it, how we share it with the service providers that help us run Vettra, how long we keep it, and the rights you have over it. It applies to the Vettra iOS app, the Vettra web app, and the public website at vettra.run.
3. Information We Collect
3.1 Information you provide
- Account information: email address and display name.
- Training inputs: personal records, race goals, training preferences, morning check-ins (energy, sleep, soreness).
- Messages you send to the AI coaching feature.
- Subscription records created when you purchase a paid tier through Apple.
3.2 Health and activity data
With your explicit permission, we read activity and health data from Apple Health via the Open Wearables integration: runs and other workouts, heart rate, heart rate variability (HRV), sleep data, and workout routes. Health data is used only to power training insights and AI coaching. It is never sold, shared with advertisers, or used for advertising or profiling outside the app.
3.3 Automatically collected data
- Device type, operating system version, app version.
- App usage events (screens viewed, features used) for product analytics.
- Crash reports and performance traces.
- IP address and approximate location derived from it, collected in server logs for security and abuse prevention.
4. How We Use Your Information
- Provide core features: generate personalised training plans, calculate training load, recovery, and injury-risk indicators.
- Power the AI coach with context about your training history.
- Deliver Knowledge Hub content relevant to your training.
- Track shoe deals and price alerts on your watchlist.
- Operate, maintain, and improve the service and develop new features.
- Send transactional communications (account, subscription, security).
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
5. Legal Bases (GDPR)
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract (Art. 6(1)(b) GDPR) — processing necessary to deliver the Vettra service you signed up for: account creation, training plan generation, AI coaching, subscription management, syncing your activities.
- Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) — reading health and fitness data from Apple Health. You grant this in iOS Settings and can revoke it at any time; doing so stops new data from reaching Vettra.
- Legitimate interests (Art. 6(1)(f) GDPR) — product analytics, crash reporting, service security, fraud prevention, and improving our training models. Where we rely on legitimate interests, we have balanced them against your rights and freedoms and you can object at any time.
- Legal obligation (Art. 6(1)(c) GDPR) — keeping records required by Norwegian bookkeeping law and responding to lawful requests from public authorities.
6. Third-Party Processors
We use the following service providers to operate Vettra. Each is bound by a data processing agreement and is only permitted to process your data on our instructions:
- Google Cloud Platform (Google Ireland Limited / Google LLC) — application hosting on Cloud Run, logging, monitoring. Region: europe-west1 (Belgium).
- Firebase (Google LLC) — Authentication (account management and JWTs), Firestore (primary application database), Cloud Messaging (push notifications), Crashlytics (crash reporting), Firebase Analytics (product analytics), Cloud Storage (user-generated content and exports).
- DeepSeek (DeepSeek, Hangzhou, China) — large-language-model inference used by the AI coach. We send the minimum context needed to produce a coaching response; direct identifiers such as your email and authentication credentials are stripped before the request leaves our servers. Do not share information in AI chat that you would not want sent to a third-party LLM provider.
- Apple (Apple Inc. and Apple Distribution International Ltd.) — App Store distribution, StoreKit for in-app subscriptions and billing, HealthKit for on-device access to health and activity data via the Open Wearables integration.
- Open Wearables — bridge library used on-device to read Apple HealthKit data and forward the subset you have authorised to Vettra. Data stays on your device until it is transmitted to our servers for training insight generation.
- Linode / Akamai Technologies — hosting for the Vettra web client static build.
Some of these processors are located outside the EEA (notably DeepSeek in China, and Google LLC / Apple Inc. in the United States). Where we transfer personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR) or, for US-based Google and Apple entities, the EU-US Data Privacy Framework where applicable, together with supplementary technical measures (encryption in transit and at rest).
7. Apple Health and HealthKit Data
Data read from Apple HealthKit is handled with special care as required by Apple's guidelines:
- HealthKit data is never used for advertising, marketing, or profiling.
- HealthKit data is never sold to data brokers or third parties.
- HealthKit data is only disclosed to the processors listed above and only insofar as it is required to deliver the app.
- You can revoke HealthKit access at any time in iOS Settings > Privacy & Security > Health > Vettra. Existing data already synced to Vettra can be deleted by requesting account deletion.
8. How We Share Information
We do not sell your personal information and we do not share it for cross-context behavioural advertising. We disclose personal data only:
- To the processors listed in Section 6, under data processing agreements.
- To comply with applicable law, lawful requests, court orders, or to protect the rights, property, or safety of Vettra, our users, or others.
- In connection with a merger, acquisition, or sale of assets — in which case the successor entity will be bound by this policy or an equivalent one.
9. Data Storage and Security
Application data is stored in Firestore in the europe-west1 region. We apply:
- TLS 1.2 or higher for all data in transit.
- Encryption at rest managed by Google Cloud.
- Firebase Authentication with secure token management and short-lived JWTs.
- Role-based access controls limiting internal access to authorised services and personnel.
- Regular review of logs, rules, and infrastructure configuration.
No system is perfectly secure. If we become aware of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority (Datatilsynet in Norway) within 72 hours and inform you without undue delay where required by Art. 33 and 34 GDPR.
10. Data Retention
- Account and training data: retained while your account is active. If you delete your account, your personal data is removed from live systems within 30 days.
- AI chat history and conversation summaries: retained for the life of the account to provide continuity of coaching. Deleted with the account.
- Apple Health / activity data: retained while your account is active and while HealthKit permission is granted; deleted with the account.
- Backups: encrypted backups may persist for up to 90 days after deletion before they are rotated out.
- Server logs (IP addresses, request metadata): retained for up to 90 days for security and abuse investigation.
- Billing and subscription records: retained for five (5) years after the last transaction to comply with Norwegian bookkeeping law (Bokføringsloven §13).
- Anonymised, aggregated analytics: may be retained indefinitely; this data cannot be linked back to you.
11. Your Rights (GDPR)
If the GDPR applies to you, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your data — the "right to be forgotten" (Art. 17). You can delete your account from within the app, which erases personal data from live systems within 30 days.
- Restrict or object to processing based on legitimate interests (Art. 18 and 21).
- Data portability: request a structured, machine-readable copy of your data (Art. 20). Vettra offers a self-service data export through the app (or by calling GET /api/data/export with your authentication token). The export is a JSON bundle containing your athlete profile, activities, training metrics, health metrics, morning check-ins, training plans, race entries, AI chat history, and squad data. Rate-limited to 3 exports per hour.
- Withdraw consent at any time where processing is based on consent (Art. 7(3)). You can revoke HealthKit access in iOS Settings without deleting your account.
- Lodge a complaint with your local supervisory authority. Ours is Datatilsynet (datatilsynet.no).
To exercise any of these rights, email privacy@vettra.run. We will respond within one (1) month and may ask you to verify your identity before acting on the request.
12. Your Rights (CCPA — California Residents)
Although Vettra is operated from Norway, users in California have additional rights under the California Consumer Privacy Act (as amended by the CPRA):
- Right to know what categories of personal information we collect, the sources, the purposes, and with whom we share it. Those details are in Sections 3, 4, 6, and 8 above.
- Right to delete personal information we have collected (subject to legal retention requirements).
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information. Vettra does not sell your personal information and does not share it for cross-context behavioural advertising. There is nothing to opt out of.
- Right to limit use of sensitive personal information. Health data is sensitive personal information under the CPRA. We use it only to deliver the service features you requested; we do not infer characteristics about you from it for purposes beyond those.
- Right to non-discrimination for exercising these rights.
To exercise CCPA rights, email privacy@vettra.run with "CCPA request" in the subject line.
13. Children's Privacy
Vettra is not directed at children under 16 and we do not knowingly collect personal data from children under 16. If we learn we have collected data from a child under 16 without verified parental consent, we will delete it. Parents or guardians can contact us at privacy@vettra.run.
14. International Data Transfers
Vettra's primary infrastructure is hosted in the European Union (Google Cloud europe-west1, Belgium). Some processors — notably Apple, Google LLC, and DeepSeek — may process your data in the United States or China. Where applicable, we rely on Standard Contractual Clauses and, for US transfers, the EU-US Data Privacy Framework, together with technical measures including encryption in transit and at rest.
15. Automated Decision-Making
Vettra uses algorithms and AI to generate training recommendations, insights, and coaching responses. These are advisory: you make the final decision about how and when to train. The AI coach does not make decisions that produce legal or similarly significant effects on you within the meaning of Art. 22 GDPR. Training plans should be reviewed with a qualified coach or healthcare provider before implementation.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you in-app or by email before they take effect, and we will update the "Last updated" date at the top of this page. Continued use of Vettra after an update means you accept the revised policy.
17. Contact
Data controller: Nomad Music v/ Jakob Wredstrom
Organisation number: 925 940 224
Bryne, Norway
Privacy enquiries: privacy@vettra.run
General support: support@vettra.run
For the purposes of GDPR, Jakob Wredstrom also acts as the privacy contact. We have not appointed a separate Data Protection Officer because we are not required to under Art. 37(1) GDPR; you can reach the privacy contact at the address above.
See also: Terms of Service.