OzzieOzzie← Back

Privacy Policy

Last updated: 12 April 2026

1. Who we are

Ozzie (“Ozzie”, “we”, “us”, “our”) is a personal health intelligence platform operated by an individual developer based in the United Kingdom. Ozzie is accessible at ozzie.health.

For privacy enquiries, contact us at privacy@ozzie.health.

2. What data we collect

2.1 Account data

When you create an account we collect your email address and, optionally, your name. You may also provide your age, weight, sport, and training goal to personalise your experience. This information is stored in our database and used solely to operate your account.

2.2 Health and fitness data

Ozzie's core function is to analyse your health and fitness data. We store the following categories of data, all of which is linked to your account and provided by you or your connected devices:

  • Daily wellness metrics — heart rate variability (HRV), resting heart rate (RHR), recovery score, strain score, sleep duration and stages (deep, REM, light, awake), sleep score, SpO₂, steps, stress score, body battery, and body weight.
  • Activity data — workout type, duration, distance, heart rate, power output, training load (TSS/TRIMP), HR zones, elevation, cadence, and GPS route data (latitude/longitude track points, where provided by your device and integration). GPS data can reveal training locations, routes, and patterns. It is used solely to power activity analysis within Ozzie and is never shared with third parties for any other purpose. You can request deletion of GPS data at any time.
  • Blood biomarker results — laboratory test results you manually enter or upload, such as ferritin, vitamin D, testosterone, cortisol, and other markers. This is sensitive health data and is treated with additional care (see section 5).
  • Journal entries — daily subjective scores (energy, sleep quality, motivation, stress, soreness) and behaviour tags you log (supplements, alcohol, sleep habits, etc.), plus optional free-text notes.
  • Planned workouts — upcoming training events synced from Intervals.icu.

2.3 Third-party integration credentials

To pull your data from connected services, we store:

  • Intervals.icu — your API key and athlete ID, used to retrieve wellness and activity data on your behalf.
  • Strava — OAuth access and refresh tokens, used to retrieve activity data. We do not store your Strava username or password.
  • Garmin Connect — OAuth session tokens, used to pull daily health metrics (HRV, sleep, stress, body battery, SpO₂). We do not store your Garmin password.
  • Withings — OAuth access and refresh tokens, used to retrieve body composition data (weight, body fat). We do not store your Withings username or password.

All credentials are stored encrypted using AES-256-GCM and used only to perform data sync on your behalf. You can revoke access at any time from Settings.

2.4 Usage data

We do not use third-party analytics trackers or advertising cookies. Standard server logs (request timestamps, error logs) are retained by our hosting provider (Vercel) in line with their own retention policies and are not used for user profiling.

3. How we use your data

We use your data exclusively to provide and improve the Ozzie service:

  • Computing your daily recovery score, strain score, and sleep score.
  • Analysing correlations between your behaviour tags, blood biomarkers, and wellness metrics over time.
  • Generating AI-powered daily insights and coaching responses. Your data is sent to Anthropic's Claude API for this purpose (see section 4).
  • Sending weekly digest emails if you have enabled that feature.
  • Building personalised recovery models from your historical data once sufficient history is available.
  • Displaying your data back to you through the Ozzie interface.

We do not sell your data, use it for advertising, share it with third parties for their own purposes, or use it for any purpose unrelated to providing the Ozzie service to you.

4. Third-party processors

To operate the service, we share data with the following sub-processors. All are subject to data processing agreements:

ProcessorPurposeData sharedLocation
VercelHosting and deploymentEncrypted server-side data, request logsUS / EU
NeonDatabase (PostgreSQL)All user and health data (encrypted at rest)AWS us-east-1
AnthropicAI insights and coach responsesYour wellness metrics, anonymised context snippetsUS
ResendTransactional email (digests, alerts)Your email address, digest contentUS
Intervals.icuFitness data source (user-initiated sync)API requests using your own API keyEU
StravaActivity data source (user-initiated)OAuth token exchange; activity data pulled to our DBUS
GarminHealth metrics source (user-initiated)OAuth token exchange; HRV, sleep, stress data pulled to our DBUS
WithingsBody composition source (user-initiated)OAuth token exchange; weight and body-fat data pulled to our DBEU
OpenAIBlood document parsing (user-initiated, consent required)Lab report images/PDFs you upload for biomarker extractionUS
StripePayment processingEmail address, subscription plan — no card details stored by OzzieUS / EU

When data is transferred outside the UK or EU, we rely on Standard Contractual Clauses or equivalent adequacy mechanisms as required by UK GDPR / EU GDPR.

5. Special category data (health information)

Blood biomarker results, HRV, medical-adjacent wellness data, and other information relating to your physical health constitute “special category” personal data under UK GDPR Article 9. We process this data on the basis of your explicit consent, given when you connect your data sources and use the service, and solely for the purpose of providing you with personalised health intelligence.

This data is never used for automated decision-making with legal or similarly significant effects, and is never shared with third parties except as described in section 4.

Ozzie is a personal intelligence tool, not a medical device. Nothing in the service constitutes medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional for medical decisions.

6. Legal basis for processing

Under UK GDPR, we process your data on the following lawful bases:

  • Contract — processing necessary to provide the service you have signed up for (account data, sync, scoring, insights).
  • Explicit consent — processing of special category health data, and sending marketing/digest emails.
  • Legitimate interests — service reliability, security monitoring, and fraud prevention, where these do not override your rights.

7. Data retention

We retain your data for as long as your account is active. If you delete your account, all personal data — including wellness records, activities, journal entries, blood test results, and integration credentials — is permanently deleted from our database within 30 days. Backups are purged on their normal rotation schedule (within 90 days).

You can request deletion at any time by contacting privacy@ozzie.health.

8. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of all data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Portability — receive your data in a machine-readable format.
  • Restriction — ask us to pause processing while a complaint is resolved.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — withdraw consent for health data processing at any time (this will prevent the service from functioning).

To exercise any of these rights, email privacy@ozzie.health. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

We implement appropriate technical and organisational measures to protect your data:

  • All data is encrypted in transit (TLS 1.2+) and at rest in our database.
  • Integration credentials (API keys, OAuth tokens) are stored encrypted.
  • Each user's data is isolated by user ID with no cross-user data access.
  • Our infrastructure runs on Vercel (SOC 2 Type II certified) and Neon (hosted on AWS with encryption at rest).
  • Access to production systems is restricted to the minimum necessary.

No system is completely secure. If you believe your account has been compromised, contact us immediately at privacy@ozzie.health.

10. Cookies

Ozzie uses only the cookies necessary to maintain your login session (a secure, HTTP-only session cookie). We do not use advertising cookies, tracking pixels, or any third-party analytics cookies. You can clear cookies at any time through your browser settings, which will sign you out of the service.

11. Children

Ozzie is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email (if you have notifications enabled) and update the “last updated” date above. Continued use of the service after changes are posted constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions, data access requests, or complaints:

Ozzie — Data Controller

Email: privacy@ozzie.health

Website: ozzie.health

Country: United Kingdom