This Privacy Policy explains how VO2 Labs, LLC ("VO2 Labs," "we," "us," or "our") collects, uses, shares, and protects information when you use Harlen, our mobile application, our website at harlen.ai, and related services (collectively, the "Service").
Harlen is an AI-powered sports performance coaching platform that helps independent coaches analyze athlete training and recovery data from wearable devices. This Policy applies to both coaches (who hold accounts and direct the use of the Service) and athletes (whose biometric data is processed at the direction of their coach).
If you do not agree with this Policy, do not use the Service.
1. Who is the data controller?
VO2 Labs, LLC is the data controller for information collected directly from coaches and from coach-and-athlete account interactions with our Service. For athlete biometric data ingested from wearable devices, VO2 Labs acts as the data processor on behalf of the coach, who serves as the controller of their athletes' data relationship.
Contact:
VO2 Labs, LLC
Email: hello@harlen.ai
2. Information we collect
2.1 Information you provide directly
- Account information for coaches and athletes: name, email address, password (hashed), and profile details.
- Coach-provided athlete information: athlete name, contact information, and any notes, programs, or assessments a coach adds to an athlete's profile.
- Payment and billing information (for paid plans), processed by our payment processor; we do not store full card numbers.
- Support communications: messages you send us, including their contents.
2.2 Wearable and biometric data (via Terra API)
When you (or your coach, on your behalf with your consent) connect a wearable device, we receive data from that device through our integration partner, Terra. Depending on the device, this may include:
- Heart rate, heart rate variability (HRV), and resting heart rate
- Sleep duration, sleep stages, and sleep quality metrics
- Activity, workout, and exercise data, including duration, intensity, GPS routes (if recorded by the device), and calorie estimates
- Recovery, readiness, and strain metrics produced by the wearable provider
- Body metrics such as weight, body composition, and respiratory rate (if recorded)
- Menstrual cycle data (if recorded by the device and the user has opted to share it)
Supported devices at launch include WHOOP, Garmin, Oura, Apple Watch, and Polar. Connection of any wearable requires your explicit in-app consent in Harlen before the first connection.
When you connect a wearable, Terra Enabling Developers, Inc. ("Terra") processes data on our behalf as a sub-processor. By connecting a wearable, you acknowledge and agree to Terra's End User Privacy Policy, available at https://tryterra.co/end-user-privacy, and consent to Terra's processing of your data as part of using the Service.
2.3 Information collected automatically
- Device and usage data: device type, operating system, app version, IP address, time zone, crash reports, and feature usage patterns.
- Cookies and similar technologies on our website. See our Cookie Policy for details.
2.4 Information from third parties
- Authentication providers (e.g., Sign in with Apple, Google) provide us with your name and email if you sign up that way.
- Wearable providers, via Terra, as described above.
We do not purchase data from data brokers, and we do not receive advertising profiles about you from third parties.
3. How we use information
We use information for the following purposes:
- To provide the Service, including ingesting wearable data, computing performance metrics, and presenting analyses to your coach.
- To power the AI coaching assistant, which generates training insights for coaches based on athlete data and a curated library of sports science research.
- To improve the Service, including diagnosing bugs, monitoring performance, and developing new features.
- To communicate with you about your account, service changes, and (if you opt in) product updates.
- To enforce our terms and prevent abuse, fraud, and security incidents.
- To comply with legal obligations.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use your data to train third-party AI models — see Section 5 for details on our AI processing.
4. Legal bases (for users in the EU/UK)
If you are in the EU, UK, or another jurisdiction with a similar legal regime, we process your personal data on the following bases:
- Contract: to provide the Service you or your coach signed up for.
- Consent: for connecting wearables, processing biometric data, and any optional marketing communications. You may withdraw consent at any time.
- Legitimate interests: for service improvement, security, and fraud prevention, where these interests are not overridden by your rights.
- Legal obligation: to comply with applicable law.
Biometric and health-adjacent data is treated as a special category of personal data and is processed only with your explicit consent.
5. Who we share information with
We share information only with the following categories of recipients, and only to the extent necessary:
| Category | Purpose | Examples |
|---|---|---|
| Cloud infrastructure providers | Hosting, database storage, app delivery | Storage of your account and metric data on encrypted servers |
| Wearable data aggregator | Ingestion of wearable device data | Terra (tryterra.co/privacy) |
| AI model providers | Generating coaching insights | Processing of pseudonymized analytics data |
| Authentication providers | Account sign-in | Apple, Google (only if you use them) |
| Payment processors | Billing and subscription management | Card processing for paid plans |
| Analytics providers | Service usage analysis (aggregated, no advertising) | App performance and feature usage |
| Customer support tools | Responding to your requests | Ticketing and email systems |
| Legal and professional advisors | Legal compliance, audits | Lawyers, accountants under confidentiality |
Before sending athlete data to AI model providers, we pseudonymize the data: athlete names are replaced with a one-way cryptographic hash so that the AI provider does not receive identifiable names. Our AI processing is configured with zero data retention — prompts and responses are not retained by the AI provider for training or any other purpose.
We may also disclose information:
- In response to legal process (subpoenas, court orders, government requests), where we are legally required to do so.
- To protect rights and safety, including investigating suspected fraud, abuse, or harm.
- In a business transfer, such as a merger, acquisition, financing, or sale of assets — in which case we will notify affected users and ensure any successor entity honors this Policy.
We do not sell or rent your information, and we do not share it for advertising purposes.
6. Wearable provider terms
When you connect a wearable device, your data is also subject to the terms of the device's manufacturer. By connecting a device, you authorize that provider to share your data with VO2 Labs via Terra.
Athletes may revoke authorization and delete all associated data at any time by opening the Harlen app, scrolling to the bottom of the account screen, and selecting Delete Account. Athletes may alternatively revoke authorization directly with the wearable provider.
Coaches may disconnect a wearable for any Athlete they manage at any time via the Harlen web app (Clients → Connected Devices). Coaches may also delete their own account, which deletes their data as described in Section 7.
Revoking authorization stops further data ingestion. Deletion proceeds as described in Section 7.
7. Data retention
We retain your information for as long as your account is active and as needed to provide the Service. Specifically:
- Account and profile data: retained while your account is active, deleted within 30 days of account deletion.
- Wearable and biometric data: retained while the wearable is connected and your account is active; deleted within 30 days of account deletion or device disconnection (whichever you request).
- AI assistant conversation history: retained for the life of the account so you can refer back to it; deleted with account deletion.
- Backups: deleted in the normal course of our backup rotation, generally within 90 days.
- Logs and security records: retained up to 12 months for security and abuse-prevention purposes.
- Records required by law (e.g., tax records, dispute records): retained as required by applicable law, even after account deletion.
8. Your rights and choices
Depending on where you live, you may have the following rights:
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to correct inaccurate information.
- Deletion: ask us to delete your account and associated data.
- Portability: request a machine-readable copy of your data.
- Restriction or objection: limit or object to certain processing.
- Withdraw consent: for processing based on consent (including wearable data), at any time.
- Non-discrimination: we will not deny service, charge different prices, or provide a lesser experience because you exercised your rights.
To exercise any of these rights, email hello@harlen.ai or use the in-app deletion controls. We will respond within the time period required by applicable law (typically 30–45 days). We may need to verify your identity before fulfilling a request.
For California residents: You have rights under the California Consumer Privacy Act (CCPA), including the right to know, the right to delete, the right to correct, and the right to opt out of sale or sharing of personal information. As stated, we do not sell or share personal information for cross-context behavioral advertising.
For Washington residents: We comply with the Washington My Health My Data Act. Consumer health data is processed only with your consent and is not sold. You may request access, deletion, or withdrawal of consent at hello@harlen.ai.
For EU/UK residents: You have the right to lodge a complaint with your local data protection authority.
9. Children's privacy
The Service is intended for users 18 years of age and older. We do not knowingly collect, process, or store personal information from anyone under 18.
If you are a Coach, you may not add any Athlete under the age of 18 to your account or process any minor's data through the Service. If you are an Athlete, you must be at least 18 to create an account or connect a wearable device.
If we learn that we have collected personal information from anyone under 18, we will terminate the account and delete the associated data. If you are a parent or guardian and believe your minor child has been added to the Service in violation of this policy, please contact us immediately at hello@harlen.ai.
10. Security
We protect your information using:
- Encryption in transit (HTTPS/TLS) for all data flowing between your device, our servers, and our service providers.
- Encryption at rest (AES-256) for stored data.
- Access controls including row-level security in our database, restricting data access to authorized personnel and to coaches authorized for each athlete.
- Pseudonymization of identifiers before sending data to AI providers.
- Audit logging of access to sensitive data.
No system is perfectly secure. If we discover a security incident affecting your data, we will notify you and the relevant authorities as required by applicable law.
11. International data transfers
VO2 Labs is based in the United States, and our service providers may be located in the United States, the European Union, the United Kingdom, and other countries. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions, which may have data protection laws different from those of your country.
Where required by law, we rely on appropriate safeguards (such as the EU Standard Contractual Clauses) for international transfers.
12. Third-party links and services
The Service may contain links to third-party websites or services (including wearable provider apps). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.
13. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you by email or through the Service and update the "Effective Date" above. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
14. Contact us
For questions, requests, or complaints regarding this Policy or our handling of your data:
VO2 Labs, LLC
Email: hello@harlen.ai
Web: harlen.ai