Privacy Policy

Last updated: 24 March 2026

1. Who we are

rowa ("we", "us", "our") is a rowing coaching platform that helps coaches build training programmes and helps athletes track their training. rowa is operated by Lorenz Kissling. For questions about this policy, contact lorenz@rowapp.co.

2. Data we collect

We collect the following categories of personal data:

Account data: name, email address, and role (coach or athlete) provided during registration.

Training data: training sessions, erg results, performance metrics (split times, power, RPE), and programme plans created by coaches or generated by AI.

Wearable & activity data: when you connect a third-party service (Garmin, WHOOP, Strava, Concept2, or Apple Health), we receive activity data including heart rate variability (HRV), resting heart rate (RHR), sleep duration and quality, recovery scores, workout summaries, erg session results, and activity metrics. We only access the data scopes you explicitly authorise during the connection flow.

Wellness data: self-reported wellness check-ins (sleep quality, soreness, motivation, energy).

3. How we use your data

We use your data to:

Provide core platform functionality — displaying training plans, tracking session completion, and showing performance trends to you and your coach.

Generate AI-assisted training programmes tailored to your goals and fitness data.

Sync and display wearable data so coaches can monitor athlete readiness and recovery.

Send notifications about training compliance, wellness flags, and plan updates.

4. AI and data processing

rowa uses AI (currently Anthropic's Claude) to generate personalised training programmes for athletes. When generating a programme, we send only anonymised training parameters to the AI provider — such as target distances, training zones, session history, and periodisation phase. We do not send personal identifiers (name, email, or account ID) to the AI provider.

Wearable data from connected services (including Garmin, WHOOP, Strava, Concept2, and Polar) may be used as input to AI-generated programme recommendations — for example, HRV trends or sleep data may inform recovery-aware scheduling. This processing happens in real time for the individual athlete only.

We do not use any wearable or user data to train, fine-tune, or otherwise improve external AI or machine-learning models. Data sent to the AI provider is used solely for generating the individual athlete's training programme and is not retained by the AI provider for model training purposes.

5. Data sharing

We do not sell your personal data. Your training and wearable data is shared only with the coach(es) on your team within rowa. We use the following third-party services to operate the platform:

Supabase (database and authentication, hosted in the EU), Vercel (hosting), Anthropic (AI programme generation — anonymised training parameters only, no personal identifiers are sent), Stripe (payment processing — we never store card details), Resend (transactional emails).

6. Third-party wearable services

When you connect Garmin, WHOOP, Strava, Concept2, or Apple Health, we store OAuth tokens securely in our database to maintain your connection. We fetch data on your behalf using these tokens. You can disconnect any service at any time from your profile page, which revokes our access and deletes the stored tokens. We encourage you to also revoke access from the third-party service's own settings.

7. Data retention

We retain your data for as long as your account is active. If you delete your account, we delete all associated personal data within 30 days. Anonymised, aggregated data may be retained for analytics purposes.

8. Your rights

You have the right to access, correct, or delete your personal data. You can export your training data at any time. You can disconnect wearable services and revoke data access from your profile. To exercise any of these rights, contact lorenz@rowapp.co.

9. Security

We use industry-standard security measures including encrypted connections (TLS), row-level security policies on our database, and secure token storage. OAuth tokens are stored server-side and never exposed to the client.

10. Changes to this policy

We may update this policy from time to time. We will notify registered users of significant changes via email.