Privacy Policy
Last updated: 6 February 2026
ScoreVitals ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal and health information when you use the ScoreVitals mobile application ("App") and website ("Website").
By using ScoreVitals, you consent to the data practices described in this policy. If you do not agree, please do not use the App.
1. Information We Collect
1.1 Account Information
When you create an account via Google Sign-In or Apple Sign-In, we collect:
- Identity data: Name, surname, email address
- Profile data: Date of birth, gender
- Authentication data: Firebase Authentication user ID (we do not store your Google or Apple password)
1.2 Health and Fitness Data
With your explicit permission, we read the following data from Apple HealthKit (iOS) or Google Health Connect (Android):
- Workout data: Activity type, duration, distance, elevation, calories burned, and heart rate data (average, minimum, maximum, and per-minute samples) for 25+ workout types including running, cycling, swimming, strength training, HIIT, and yoga
- Heart rate data: Resting heart rate, walking heart rate, heart rate zones (zone 1–5 durations), and heart rate time-series samples during workouts
- Heart rate variability (HRV): SDNN standard deviation measurements used for recovery assessment
- Sleep data: Sleep duration, sleep efficiency, and sleep stage breakdown (light sleep, deep sleep, REM sleep, awake time)
- Body measurements: Weight, height, body fat percentage, and BMI
- Activity metrics: Steps, active calories, and basal calories
- Advanced metrics (where available): Running speed, power, stride length, ground contact time, cycling power, cadence, and FTP
- Vitals (where available): Blood oxygen saturation and respiratory rate
1.3 Profile Configuration
You may optionally provide:
- Resting heart rate and maximum heart rate (used for score calculations)
- Custom heart rate zones
- Cycling Functional Threshold Power (FTP) and power zones
- Unit preferences (metric or imperial)
1.4 Device and Technical Data
- Push notification token: Firebase Cloud Messaging (FCM) device token for delivering notifications
- Timezone: Your device's timezone offset, used to schedule notifications and score calculations at appropriate local times
- App version: The version of ScoreVitals you are using
- Platform: iOS or Android
1.5 Notification Data
We store a record of notifications sent to you (type, title, body, read/unread status) to support in-app notification history and badge counts.
2. How We Use Your Information
We use the information we collect to:
- Calculate your Daily Score (0–100): Combining cardio (40%), sleep (30%), recovery (20%), and body composition (10%) data using research-validated algorithms
- Determine Readiness to Train: Assessing recovery, sleep quality, and training load to provide a personalised training recommendation
- Monitor injury risk: Calculating your Acute-to-Chronic Workload Ratio (ACWR) using exponentially weighted moving averages over 7-day and 28-day periods
- Estimate VO2max and fitness age: Using ACSM-validated formulas from your running data or heart rate metrics
- Score individual workouts: Calculating TRIMP (Training Impulse) using Edwards' formula and efficiency metrics
- Send notifications: Delivering morning score briefs (7 AM), post-workout scores, evening activity reminders (8 PM), ACWR injury risk alerts, and weekly summaries (Sunday 9 AM) — all at your local time
- Display your health feed: Presenting a chronological feed of workouts, sleep sessions, vitals, and weight entries
- Improve the service: Understanding usage patterns to enhance features and fix bugs (aggregated, not individually identifying)
3. How We Store Your Data
3.1 Infrastructure
Your data is stored in Google Firebase (Cloud Firestore), which provides:
- Encryption at rest (AES-256) for all stored data
- Encryption in transit (TLS) for all data transfers
- Geographic hosting in Google Cloud data centres
3.2 Data Isolation
Your data is isolated at the account level. Firestore security rules enforce that:
- You can only read and write your own data
- No other user can access your health information
- Server-side processing (Cloud Functions) operates only on data belonging to the triggered user
3.3 Data Structure
Your data is organised per day (using date keys) in individual documents. Heart rate time-series data from workouts is stored separately from workout summaries for efficient processing.
4. Data Sharing
We do not sell, rent, or share your personal or health data with third parties for marketing or advertising purposes.
Your data may be accessed by:
- Google Firebase / Google Cloud: As our infrastructure provider, Google processes your data in accordance with the Google Cloud Data Processing Terms
- Firebase Cloud Messaging (FCM): Device push tokens are used by Google's FCM service to deliver notifications to your device
We may disclose your information if required by law, regulation, legal process, or governmental request.
5. Data Retention
- Active accounts: We retain your data for as long as your account is active to provide continuous score tracking and historical trends
- Deleted accounts: If you request account deletion, we will delete your personal data and health records within 30 days. Some aggregated, anonymised data may be retained for service improvement
- Backup retention: Firebase automatic backups may retain data for up to 30 days after deletion
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your account and associated data
- Portability: Request your data in a machine-readable format
- Withdrawal of consent: Revoke health data permissions at any time through your device settings (Settings > Health / Health Connect)
- Objection: Object to processing of your data for specific purposes
To exercise any of these rights, contact us at support@scorevitals.com.
South African Users (POPIA)
If you are located in South Africa, you have additional rights under the Protection of Personal Information Act (POPIA), including the right to:
- Be notified that personal information is being collected
- Request access to your personal information
- Request correction or deletion of your personal information
- Object to the processing of your personal information
- Lodge a complaint with the Information Regulator
7. Health Data Permissions
ScoreVitals accesses health data through Apple HealthKit or Google Health Connect. These platforms provide you with granular control over which data types the App can read.
- You can revoke any or all health data permissions at any time through your device settings
- Revoking permissions will prevent the App from syncing new data of that type, which may affect score accuracy
- Previously synced data will remain in your account unless you request deletion
Apple HealthKit compliance: In accordance with Apple's requirements, health data accessed through HealthKit is not used for advertising or marketing purposes and is not sold to data brokers or third parties.
8. Push Notifications
ScoreVitals sends the following notification types (all optional and configurable):
- Morning Brief (7 AM local time): Your daily score summary with a motivational message
- Post-Workout (after workout sync): Your session score and TRIMP
- Evening Reminder (8 PM local time): Gentle nudge if no workout was logged that day
- ACWR Alert (when triggered): Warning when your training load ratio exceeds safe thresholds
- Weekly Summary (Sunday 9 AM local time): Your week's workout count, total minutes, and average scores
You can enable or disable each notification type individually in the App settings. ACWR alerts are limited to one per 24-hour period.
9. Children's Privacy
ScoreVitals is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
10. Security
We implement appropriate technical and organisational measures to protect your personal and health data, including:
- Firebase Authentication with secure sign-in providers (Google, Apple)
- Firestore security rules that enforce per-user data isolation
- Encryption at rest and in transit
- Firebase App Check to prevent unauthorised API access
- Server-side validation of all data writes via Cloud Functions
While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
11. International Data Transfers
Your data is processed and stored on Google Cloud infrastructure, which may involve transfer to servers located outside your country of residence. Google Cloud provides appropriate safeguards for international data transfers in compliance with applicable data protection laws.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Updating the "Last updated" date at the top of this page
- Sending an in-app notification for significant changes
Your continued use of ScoreVitals after changes are posted constitutes acceptance of the revised policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
Email: support@scorevitals.com
For complaints regarding the processing of personal information in South Africa, you may contact the Information Regulator at inforegulator.org.za.