Privacy Policy

Effective date: 1 June 2026

This Privacy Policy explains how HealthHub collects, uses, shares, and protects your personal information when you use the dashboard at health-hub.xyz (the "Service"). We process personal data in accordance with the EU General Data Protection Regulation (GDPR). HealthHub is a multi-platform health and fitness dashboard: you connect one or more third-party services (such as Garmin Connect, with support for additional platforms planned) and HealthHub brings that data together with a nutrition diary in one private account.

1. Who we are (Data Controller)

The Service is operated by a registered self-employed business (autónomo) under Spanish law. This business, not a private individual acting privately, is the data controller responsible for your personal data:

Aleksandr Andrienko — operating as a self-employed business (autónomo)
NIE: Z0502310H
Barcelona, Spain
Privacy contact: privacy@health-hub.xyz
Support: support@health-hub.xyz

Given the scale of the Service, we are not legally required to appoint a Data Protection Officer (GDPR Art. 37) and have not done so; privacy requests are handled directly at the address above.

2. Information we collect

Information you provide

Account data: your email address and an encrypted authentication credential, used to create and secure your account.
Nutrition data: food log entries, ingredients, portions, and nutrition goals you enter yourself.
Manual entries: any weight, body metrics, or settings you input directly.

Information from connected services

When you choose to connect a third-party health or fitness platform (currently Garmin Connect; other platforms such as Fitbit, Apple Health, or Whoop may be supported in future), we collect the data you authorize that service to share, which may include:

Activities and workouts (heart rate, duration, distance, calories, training load);
Sleep stages, resting heart rate, daily summaries (steps, calories, stress, body battery);
Body weight;
Basic profile attributes (height, gender, year of birth) used for metabolic calculations.

Information we derive

We compute metrics from the above to power your dashboard — for example heart-rate training load (Banister TRIMP), basal metabolic rate, a daily energy budget, and macronutrient targets. These derived values are stored in your account alongside the source data.

Information collected automatically

An authentication token stored in your browser to keep you signed in. We do not use advertising or third-party tracking cookies, analytics SDKs, tracking pixels, or Google Analytics, and we do not build a browsing profile of you.

Health data — special category. Much of the connected-service and nutrition data above is health data (GDPR Article 9). We process it only with your explicit consent and only to provide the Service to you. We never sell it, never use it for advertising or marketing profiling, never use it to train AI models, and never disclose it to third parties except the infrastructure providers needed to run the Service (Section 5). You can delete it at any time.

3. How we use your information

To provide the Service: authenticate you, display your health/activity/sleep/weight history, and compute derived metrics (training load, basal metabolic rate, daily energy budget, macros).
To let you track nutrition against your goals.
To keep the Service secure and prevent unauthorized access to your account.
To comply with the law where we are legally required to.

We do not use your data for advertising, marketing, marketing profiling, or sponsored content.

4. Legal bases (GDPR)

Contract (Art. 6(1)(b)) — to operate your account and provide the Service.
Explicit consent (Art. 6(1)(a) & Art. 9(2)(a)) — to process your health and fitness data.
Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data to comply with the law.

5. How we share your information

We do not sell or rent your personal data, do not share it with advertisers, and do not license or share aggregated or de-identified versions of it with anyone. We rely on a small number of infrastructure sub-processors strictly to operate the Service, each bound by GDPR-compliant terms and acting only on our instructions:

Supabase — database, authentication, and storage (hosted in the EU).
Hetzner — server hosting (Germany, EU).

We may also disclose data where strictly necessary to comply with a legal obligation (such as a court order, warrant, or subpoena), or to prevent death, serious bodily injury, or other significant harm.

6. International data transfers

Your data is stored and processed within the European Union (Supabase EU region; Hetzner, Germany). We do not transfer your personal data outside the EU/EEA in the normal operation of the Service. Connected platforms from which you sync data operate under their own privacy terms; when you authorize a connection, data may flow from that platform's own infrastructure, which may be outside the EU and is governed by that platform's policy.

7. Your rights

Under GDPR you have the right to:

access your data and obtain a copy;
rectify inaccurate data;
erase your data ("right to be forgotten");
restrict or object to processing;
data portability — receive your data in a portable form;
withdraw consent at any time (Section 8).

Many of these you can exercise directly in the app (view, edit, export, or delete entries; delete your account). For anything else, contact privacy@health-hub.xyz and we will respond within 30 days. You also have the right to lodge a complaint with the Spanish supervisory authority, the Agencia Española de Protección de Datos (AEPD).

8. Withdrawing consent

You can withdraw your consent to health-data processing at any time by disconnecting the source platform, deleting the data in the app, or closing your account. Withdrawal stops future processing but does not affect the lawfulness of processing already carried out before withdrawal.

9. Automated decision-making

HealthHub computes metrics automatically (e.g. your energy budget), but we do not use automated decision-making or profiling that produces legal or similarly significant effects on you. The computed values are informational and under your control.

10. Data retention & account deletion

We keep your data for as long as your account is active. You can delete your account at any time. On deletion (or an erasure request), we remove your personal data from our active systems within 30 days; residual copies in encrypted backups are purged on the normal backup-rotation cycle. Deletion is permanent and cannot be reversed.

11. Accessing and exporting your data

You can view all your data in the dashboard. To obtain a full export or a machine-readable copy, contact privacy@health-hub.xyz and we will provide it.

12. Security

We apply administrative and technical safeguards appropriate to the data: encrypted transport (TLS/HTTPS), per-user authentication with signed tokens, database row-level security so each user can access only their own records, and EU-based hosting. No system is perfectly secure, but we work to protect your data against unauthorized access, loss, or misuse.

13. Data breaches

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours where required (GDPR Art. 33) and inform affected users without undue delay where the breach is likely to result in a high risk (Art. 34).

14. Children

The Service is not directed to children under 16, and we do not knowingly collect their data. If you believe a child has provided us personal data, contact us and we will delete it.

15. Changes to this policy

We may update this policy; material changes will be reflected by the "Effective date" above. Continued use of the Service after an update constitutes acceptance of the revised policy.

16. Contact

Privacy questions or to exercise your rights: privacy@health-hub.xyz.
General support: support@health-hub.xyz.