1. Introduction
Ground App ("we," "our," or "the App") is a mobile application designed to guide users through personalized breathing exercises for nervous system regulation. This Privacy Policy describes how we collect, use, store, and protect your information, including health and biometric data obtained from wearable devices and health platforms.
By using the App, you consent to the practices described in this policy. If you do not agree, please discontinue use of the App.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address (when creating an account)
- Onboarding preferences: Breathwork goals, experience level
- Session feedback: Mood ratings, session notes
- Session preferences: Preferred techniques, instructor selection, audio settings
2.2 Health and Biometric Data
With your explicit consent, we access the following data from connected devices and platforms:
Apple Health (HealthKit):
- Heart rate and resting heart rate
- Heart rate variability (HRV)
- Respiratory rate
- Sleep analysis (duration, stages, efficiency)
- Blood oxygen saturation (SpO2)
- Wrist temperature
- Active energy burned and step count
- Mindful session records
Oura Ring (via Oura Cloud API):
- Daily readiness scores and contributors
- Sleep scores, staging, and duration
- Daily stress levels and recovery metrics
- Resilience scores
- Heart rate data
Whoop (via Whoop API):
- Recovery scores and metrics
- Sleep performance (duration, stages, efficiency, respiratory rate)
- Strain and cycle data
- Heart rate variability (HRV)
- Resting heart rate
- Blood oxygen saturation (SpO2)
Garmin (via Garmin Health API / HealthKit):
- Stress scores
- Body Battery energy levels
- Respiration rate
- Pulse oximetry
- Activity and sleep data
2.3 Automatically Collected Information
- Usage data: Session history, techniques used, session duration, app feature usage
- Device information: Device model, operating system version (used for compatibility and debugging)
Oura Usage Data Disclosure: When you connect your Oura Ring to Ground App, Oura may collect certain Usage Data related to your use of the Oura API and platform. Oura may use this Usage Data for its own business purposes as described in Oura's Privacy Policy.
2.4 Information We Do NOT Collect
- Precise geolocation
- Contacts or address book data
- Browsing history
- Financial or payment information (handled entirely by Apple)
- Advertising identifiers
3. How We Use Your Information
We use your data exclusively to provide and improve the App's core functionality:
| Purpose | Data Used |
|---|---|
| Personalized breathwork recommendations | HRV, resting heart rate, sleep data, readiness scores, stress levels, recovery scores |
| Nervous system state assessment | Aggregated biometric data from connected devices |
| Proactive wellness notifications | Biometric trends and anomaly detection |
| Session history and progress tracking | Session records, mood ratings, technique usage |
| Voice-guided sessions | Instructor preference, audio settings |
| App improvement | Anonymized, aggregated usage patterns |
We do not use your health data for advertising, marketing to third parties, or any purpose unrelated to providing you personalized breathwork guidance.
4. How We Store and Protect Your Data
4.1 On-Device Storage
- Health and biometric data is processed and stored on your device by default
- Personal baselines and nervous system assessments are computed locally
- Sensitive credentials (API tokens for Oura, Whoop, Garmin) are stored in the iOS Keychain
- Health data files are excluded from iCloud backup
4.2 Cloud Storage (Optional)
If you create an account and enable cloud sync:
- Session history and preferences are stored on our servers (hosted via Supabase with PostgreSQL)
- All data in transit is encrypted using TLS 1.2+
- All data at rest is encrypted using AES-256
- Row-level security ensures you can only access your own data
- Cloud sync of health/biometric data is opt-in and disabled by default
4.3 Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Apple HealthKit | Read/write health metrics | Accessed on-device only; never transmitted to our servers without consent |
| Oura Cloud API | Retrieve readiness, sleep, and stress data | OAuth token stored in Keychain; data fetched directly to your device |
| Whoop API | Retrieve recovery, sleep, and strain data | OAuth token stored in Keychain; data fetched directly to your device |
| Garmin Health API | Retrieve stress, Body Battery, and respiration data | OAuth token stored in Keychain; data fetched directly to your device |
| Anthropic (Claude API) | Generate personalized session recommendations | Anonymized nervous system state summary (no raw biometric values); no personally identifiable information |
| Mistral (Voxtral) | Text-to-speech for voice-guided sessions | Session narration text only; no personally identifiable information |
| Supabase | Account authentication and optional cloud sync | Account info, session history (if sync enabled) |
Important: Raw biometric data (heart rate values, HRV readings, sleep staging) is never sent to Anthropic, Mistral, or any AI service. Only computed, anonymized summaries (e.g., "nervous system state: mildly stressed") are used for generating recommendations.
5. Apple HealthKit Compliance
In accordance with Apple's HealthKit guidelines:
- We do not use HealthKit data for advertising or similar services
- We do not sell HealthKit data to third parties, including advertising platforms, data brokers, or information resellers
- We do not use HealthKit data for any purpose other than providing health and wellness services directly to the user
- We do not disclose HealthKit data to third parties without explicit user consent
- HealthKit data is not stored in iCloud or any unsecured storage mechanism
- Users can revoke HealthKit access at any time through iOS Settings
6. Oura Data Usage Compliance
In accordance with the Oura API Agreement:
- Oura data is accessed only with your explicit authorization via OAuth 2.0
- We request only the minimum scopes necessary for our functionality (daily readiness, sleep, heart rate, stress, SpO2, resilience)
- Oura data is used exclusively to assess your nervous system state and provide personalized breathwork recommendations
- Cached Oura data is retained for a maximum of 60 days and refreshed regularly; stale data is removed promptly
- You can disconnect your Oura Ring at any time from the App's Settings, which revokes our access and deletes locally stored Oura data
- We do not sell, license, lease, market, or share your Oura data with any third party, including advertisers or data brokers
- In the event of a data security incident involving Oura data, we will notify Oura within 24 hours of discovery
7. Whoop Data Usage Compliance
In accordance with the Whoop API Terms of Use:
- Whoop data is accessed only with your explicit authorization via OAuth 2.0
- We request only the minimum scopes necessary for our functionality (recovery, sleep, cycles, workout data)
- Whoop data is used exclusively to assess your nervous system state and provide personalized breathwork recommendations
- Cached Whoop data is retained only as long as permitted by the applicable cache headers and is refreshed regularly
- All Whoop data is encrypted both in transit (TLS 1.2+) and at rest (AES-256)
- You can disconnect your Whoop device at any time from the App's Settings, which revokes our access and deletes locally stored Whoop data
- We do not sell, license, lease, market, or share your Whoop data with any third party, including advertisers or data brokers
- We do not create permanent database copies of Whoop data beyond what is necessary for the App's active functionality
- You may request access to the Whoop data we hold about you at any time by contacting us
- In the event of a data security incident involving Whoop data, we will notify Whoop at apisupport@whoop.com without undue delay
8. Garmin Data Usage Compliance
In accordance with Garmin's Health API Terms:
- Garmin data is accessed only with your explicit authorization
- Data is used exclusively for providing personalized breathwork and wellness recommendations
- You can disconnect your Garmin device at any time from the App's Settings
- We do not sell, license, or share your Garmin data with any third party
9. Your Rights and Controls
You have full control over your data:
| Action | How |
|---|---|
| Disconnect a device | Settings > Connected Devices > Toggle off |
| Revoke HealthKit access | iOS Settings > Privacy & Security > Health > Ground App |
| Revoke Oura access | App Settings or cloud.ouraring.com > Connected Apps |
| Revoke Whoop access | App Settings or app.whoop.com > Profile > Connected Apps |
| Revoke Garmin access | App Settings or Garmin Connect > Account > Connected Apps |
| Delete session history | Settings > Delete Account / Reset Data |
| Delete all data | Settings > Delete Account (removes all cloud-stored data) |
| Export your data | Settings > Export My Data (downloads all your data as CSV and JSON) |
| Access your data | Settings > Export My Data, or contact privacy@groundapp.live |
Upon account deletion, all associated data is permanently removed from our servers within 30 days. On-device data is removed immediately. All cached wearable data (Oura, Whoop, Garmin) is deleted immediately upon disconnection or account deletion.
10. Data Retention
- On-device data: Retained until you delete the App or clear data in Settings
- Cloud-synced data: Retained while your account is active; deleted within 30 days of account deletion
- Oura data cache: Maximum 60 days; refreshed on each app session
- Whoop data cache: Per applicable cache headers; refreshed on each app session
- Oura/Whoop/Garmin tokens: Deleted immediately when you disconnect the device
- Upon subscription cancellation or account deletion: All user data is deleted in accordance with our retention schedule and third-party API requirements
- Upon access revocation by user or platform: We immediately stop storing, processing, and displaying the affected data
11. Data Security and Breach Notification
11.1 Security Measures
We employ commercially reasonable administrative, technical, and physical security measures to protect your data, consistent with GDPR Article 32 standards. These include:
- Encryption of all data in transit (TLS 1.2+) and at rest (AES-256)
- iOS Keychain storage for all authentication tokens
- Row-level security for cloud-stored data
- Regular security reviews of third-party integrations
- Access controls limited to authorized personnel
11.2 Breach Notification
In the event of a security breach affecting your personal or health data:
- We will notify affected users within 60 days of discovery, or sooner as required by applicable law
- We will notify Oura within 24 hours of discovery (per Oura API Agreement)
- We will notify Whoop without undue delay (per Whoop API Terms)
- We will notify the FTC and applicable state regulators as required by the FTC Health Breach Notification Rule and state law
- Notifications will describe the nature of the breach, the types of data involved, the steps we are taking, and how you can protect yourself
12. Children's Privacy
The App is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it.
13. State-Specific Privacy Rights
13.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Health and biometric data from wearable integrations is classified as sensitive personal information. We use this data only to provide the App's core services as described in Section 3.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at privacy@groundapp.live. We will respond within 45 days.
13.2 Washington Residents (My Health My Data Act)
If you are a Washington state resident, the following applies under the Washington My Health My Data Act (RCW 19.373):
- Categories of Health Data Collected: Heart rate, HRV, resting heart rate, respiratory rate, sleep analysis, blood oxygen saturation, stress levels, readiness scores, recovery scores, wrist temperature, and related biometric data from connected wearable devices.
- Purpose of Collection: To assess your nervous system state and provide personalized breathwork recommendations, proactive wellness notifications, and session tracking.
- Sources of Health Data: Apple HealthKit, Oura Ring (Oura Cloud API), Whoop (Whoop API), Garmin (Garmin Health API).
- Third Parties: We share anonymized, non-identifiable nervous system state summaries with Anthropic (Claude API) for recommendation generation. We share session narration text with Mistral (Voxtral) for text-to-speech generation. We do not share identifiable health data with any other third party.
- Your Rights: You have the right to access, delete, and withdraw consent for the collection and sharing of your health data. To exercise these rights, contact privacy@groundapp.live.
- Consent: We collect health data only after obtaining your affirmative consent. We will not collect, use, or share additional categories of health data, or collect, use, or share health data for additional purposes, beyond what is disclosed here without obtaining fresh consent.
13.3 Other U.S. States
We comply with applicable state privacy laws, including but not limited to the Colorado Privacy Act, Connecticut Data Privacy Act, Virginia Consumer Data Protection Act, and other state laws that provide consumer privacy rights. If you are a resident of a state with applicable privacy legislation, you may exercise your rights by contacting privacy@groundapp.live.
14. International Users and GDPR
14.1 Legal Basis for Processing (EEA/UK Users)
For users in the European Economic Area (EEA) or United Kingdom, we process your data under the following legal bases:
- Explicit Consent (Article 6(1)(a) and Article 9(2)(a) GDPR): For health and biometric data and wearable device integrations. You provide this consent during onboarding and device connection.
- Contract Performance (Article 6(1)(b) GDPR): For account management, session delivery, and core app functionality.
- Legitimate Interest (Article 6(1)(f) GDPR): For app improvement using anonymized, aggregated usage patterns.
14.2 Your GDPR Rights
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
14.3 Data Transfers
Your data is processed in the United States. For transfers from the EEA/UK, we rely on Standard Contractual Clauses and your explicit consent for health data.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the App and updating the "Last Updated" date. For material changes affecting health data practices, we will provide prominent notice and, where required by law, obtain fresh consent. Continued use of the App after changes constitutes acceptance of the revised policy.
16. Contact Us
If you have questions about this Privacy Policy or your data, contact us at:
Privacy Inquiries: privacy@groundapp.live
Legal Inquiries: legal@groundapp.live
End User Support: info@groundapp.live
Website: https://groundapp.live/privacy
This Privacy Policy was last reviewed and updated on April 14, 2026.