Consumer Health Data Privacy Policy

This is a separate, dedicated privacy notice for U.S. consumer health data, provided under Washington's My Health My Data Act (MHMDA, RCW 19.373), Nevada SB370, and the Connecticut consumer-health-data amendments. It supplements — and does not replace — our main Privacy Policy. Brevet Cycling is not a HIPAA covered entity and this is not medical advice; Brevet is a wellness / training-coaching platform.

Last updated: 2 June 2026.

1. Who we are

Brevet Cycling Club ("Brevet", "we", "us") operates a browser-based virtual cycling and training-coaching platform with a companion mobile app. Contact for any request under this policy: privacy@brevetcycling.club.

2. What we mean by "consumer health data"

Under MHMDA, "consumer health data" is broadly defined. The data we may process that falls in this category includes:

Category	Examples
Cardio / vitals	Heart rate, heart-rate variability (HRV), resting heart rate, SpO2, respiratory rate, body temperature
Body measurements	Weight, height, body-fat percentage, lean body mass, body-water percentage, basal metabolic rate, VO2max
Sleep & recovery	Sleep phases and quality scores, recovery/readiness indicators
Activity	Cycling power, cadence, distance, duration; training load
Reproductive	If you choose to log it: derived menstrual cycle phase (the raw flow dates stay on your device)
Derived / inferred	Readiness scores and coaching inferences our system or our AI coach derives from the above

3. Where it comes from (sources)

Your device's health hub that you connect: Apple Health (iOS) or Google Health Connect (Android).
Data you enter directly in the app (e.g. weight, life events).
Connected services you authorize (e.g. Strava).
Data our platform derives from the above (readiness, training load, coaching context).

4. Why we collect it (purposes)

To provide the coaching features you ask for: readiness scoring, training-load management, recovery analysis, and personalized training recommendations.
To operate, secure, and support the platform.

We do not use consumer health data for advertising, targeted advertising, or to build profiles for third-party purposes.

5. Who we share it with

We share consumer health data only with service providers / processors acting on our instructions, and only as needed to run the features above:

Recipient	Category shared	Purpose
Google Cloud — Vertex AI (Gemini), EU region	Pseudonymized derived metrics (no name, email, or user ID) when you use AI coaching	AI coaching inference. Google acts as our processor under the Google Cloud Data Processing Addendum and is contractually barred from training its models on the data.
EU hosting / infrastructure providers	Stored data	Running the platform

6. We do NOT sell your consumer health data

Brevet does not "sell" consumer health data and does not "share" it for cross-context targeted advertising. Because we do not sell it, we do not collect the separate written authorization that MHMDA requires for a sale. If this ever changes, we will obtain your valid authorization first and update this policy.

7. Your rights

You have the right to:

Confirm and access the consumer health data we hold about you;
Withdraw consent to our collection and processing of it;
Delete it.

How to exercise them:

In the app: revoke health-sync consent and AI consent in Settings; export your data; or delete your account (which deletes your data).
By email: privacy@brevetcycling.club. We respond within the time the law requires (generally 45 days, extendable once). We may need to verify your identity first.
If you use an authorized agent, we will accept a request accompanied by written permission.

You may appeal a denied request by replying to our decision email. Washington residents may also contact the Washington State Attorney General.

8. Data security & retention

Consumer health data is stored in the EU with encryption at rest, accessible only to authorized personnel, and retained until you delete it or your account. Pseudonymized AI conversation data is deleted on a rolling 30-day cycle.

Main Privacy Policy · U.S. State Privacy Notice · Back to Brevet Cycling