Privacy Policy

1. Introduction

Vici Performance Inc. ("Vici," "we," "us," or "our"), a Delaware corporation, operates the Vici mobile application and related services (the "Service"). This Privacy Policy explains how we collect, use, protect, and share your personal information when you use the Service.

By creating an account or using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.

2. Data Controller

Vici Performance Inc. is the data controller for personal data processed through the Service. For privacy-related inquiries:

• Email: support@vici.run

3. Information We Collect

3a. Account Information

When you create an account, we collect:

• Identity: Name, email address, date of birth, sex
• Profile: Profile picture, city, country
• Authentication: Encrypted password hash or Apple Sign-In identifier
• Fitness Profile: Experience level, fitness level, training preferences, goal race distance and date

3b. Training & Activity Data

From your connected fitness platforms, we collect:

• Activity Details: Distance, duration, pace (average and max), elapsed time, moving time
• Heart Rate: Average and max heart rate during activities
• GPS Routes: Encoded route polylines and map thumbnails for activity visualization
• Elevation: Elevation gain and altitude data
• Performance: Personal bests, Vici Score calculations, pace zones, training load metrics (ATL, CTL, TSB)
• Activity Metadata: Activity type, device name, location (city, country), photos

3c. Health & Wellness Data

From connected devices and your self-reported check-ins, we collect:

• Heart Rate & HRV: Resting heart rate, heart rate variability, max heart rate
• Sleep: Duration, stages (light, deep, REM), quality, efficiency, consistency, respiratory rate
• Recovery: Recovery scores, daily strain, blood oxygen (SpO2), skin temperature
• Daily Wellness (Self-Reported): Sleep quality rating, stress level, mood, fatigue, motivation — submitted through in-app wellness check-ins

3d. Coaching Interaction Data

• Journal Entries: Your written reflections on training activities
• Ask Vici Conversations: Messages you send to our AI coach and the responses generated
• Coaching Feedback: Your ratings and feedback on AI-generated coaching content

3e. Connected Platform Data

You choose which platforms to connect. Each requires your explicit authorization (via OAuth 2.0 or HealthKit permissions, depending on the platform). The specific data we receive from each platform:

• Strava: Activity records (date, time, type), distance, duration, splits, average and per-segment pace, average and maximum heart rate, GPS routes and elevation profiles, calories, athlete profile (name, location, profile photo if shared), race history, and personal records
• Apple Health (HealthKit) — beta: Specifically, the data types you authorize through HealthKit permissions, which may include workouts (type, distance, duration, calories, heart rate samples), heart rate, heart rate variability (SDNN), VO2 max, resting heart rate, sleep analysis (in-bed time, sleep stages), active and resting energy, height, body mass, and date of birth. We do not request access to data unrelated to running and recovery coaching. Apple Health integration is currently available to select users in beta release.
• WHOOP — beta: Recovery score, sleep performance and stages, HRV, resting heart rate, daily strain, workout records, and cycles. WHOOP integration is currently available to select users in beta release.
• Other Providers: We may add support for additional fitness platforms (e.g., Garmin, COROS, Polar, Suunto) in the future. Each will require explicit authorization before any data is shared, and we will update this Policy to enumerate the data fields received

You can disconnect any integration at any time from your account settings, or revoke access directly through the Connected Platform (e.g., your Strava account settings, your iPhone Settings → Privacy & Security → Health). Disconnecting immediately stops all data syncing from that platform; we will delete data we received from that platform within a reasonable period (typically thirty (30) days), except where retention is required by law.

If a Connected Platform user deletes data from that platform, we will remove the corresponding data from our active systems within forty-eight (48) hours.

Scope changes: If we expand the categories of data we collect from a Connected Platform, we will notify you and obtain your renewed consent before doing so.

3f. Device & Technical Data

• Device Information: Device type, operating system version, app version
• Push Notification Tokens: Device tokens for delivering notifications (stored securely, never shared)
• Email Delivery Data: Whether emails we send are delivered and opened (via our email service provider)

3g. Usage Analytics

• In-App Analytics: Screen views and feature usage within the iOS app to help us understand which features are valuable and where users encounter issues
• Website Analytics: We use Vercel Analytics on our website (vici.run) which collects page views, referrers, and anonymous visitor data. No cookies are used for tracking; analytics are privacy-focused and do not track individual users across sites

4. How We Use Your Data

• AI Coaching: Generate personalized training plans, coaching insights, and performance analysis
• Performance Tracking: Calculate your Vici Score, pace zones, training load, and fitness progression
• Recovery Assessment: Use HRV, sleep, and wellness data to assess training readiness and adjust recommendations
• Workout Delivery: With your permission, send structured workouts to connected devices when supported by an integration
• Service Communications: Send coaching notifications, training reminders, and important service updates
• Service Improvement: Analyze aggregated and de-identified usage patterns (e.g., feature engagement, error rates) to improve the user experience. We do not use Connected Platform data — including data from Strava, Apple Health, or WHOOP, in any form, including aggregated or de-identified — to train, fine-tune, or develop AI models.
• Safety & Security: Detect and prevent abuse, fraud, and unauthorized access

5. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation, we process your data based on the following legal grounds:

6. AI Processing & Automated Decision-Making

How AI Processes Your Data

Vici uses artificial intelligence to generate your training plans, coaching insights, and performance analysis. When generating coaching content, we send relevant context about your training to our AI providers, including:

• Your recent activity data (distances, paces, heart rate)
• Your fitness profile (experience level, goals, current fitness metrics)
• Your training plan structure and progress
• Wellness and recovery data when available
• Your coaching conversation history (for Ask Vici)

This data is sent with your first name for personalized coaching language. We do not send your email address, date of birth, or other account credentials to AI providers.

AI Service Providers

We use the following AI providers to generate coaching content:

• Google (Gemini): Primary provider for training plan generation and coaching insights
• Anthropic (Claude): Used for coaching content and conversational responses

Each provider processes data under their respective data processing agreements. AI-generated prompts and responses are logged temporarily for quality assurance and debugging purposes.

Inference Only — No AI Model Training

We use AI for inference only. When we send your data to an AI provider, it is used solely to generate the coaching response, plan, or analysis for your individual account at the time of the request. We do not, and our AI providers do not on our behalf, use your personal data — including data from Connected Platforms (Strava, Apple Health, WHOOP), your activities, your wellness check-ins, your journal entries, or your conversations with Ask Vici — to train, fine-tune, or develop artificial intelligence or machine-learning models. Our agreements with AI providers prohibit training on customer inputs.

Purpose Limitation

Data we collect for one purpose is not repurposed for another without your consent, except where explicitly permitted by law.

Automated Decision-Making (GDPR Article 22)

Vici uses AI to generate training recommendations that directly affect your training experience. These are automated suggestions, not binding directives. You always have the right to:

• Disregard any AI-generated recommendation
• Modify your training plan through Ask Vici
• Request a human review of any AI decision by contacting support@vici.run

7. Third-Party Services & Data Sharing

We do not sell, rent, or share your personal data with third parties for their marketing purposes. Data is shared only in these limited circumstances:

• AI Providers: Training context sent to Google and/or Anthropic for coaching generation, on an inference-only basis under data processing agreements (see Section 6)
• Connected Fitness Platforms: When you choose to send workouts to a connected device, only the workout structure is shared
• Email Service (SendGrid): Your email address and communication content are processed by our email service provider for delivery. SendGrid tracks delivery status (sent, delivered, bounced) for reliability
• Error Monitoring (Sentry): Technical error data (no personal data) is sent to our error monitoring service for debugging
• Website Analytics (Vercel): Anonymous page view data on vici.run is collected by Vercel Analytics (no cookies, no cross-site tracking)
• Legal Requirements: If required by law, regulation, or valid legal process
• Business Transfer: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity

Third-Party Protection Standards

Any third party with whom we share user data — including AI providers, our email service, error monitoring, analytics, and any successor entity in a business transfer — is contractually required to provide the same or equal protection of user data as set out in this Privacy Policy and as required by applicable law.

Strava API — Disclosure

If you connect Strava, you acknowledge that Strava may monitor and collect certain usage data and information related to your use of the Strava API, including the data we receive from your Strava account on your behalf, as described in Strava's Privacy Policy. Where Strava's Privacy Policy and this Privacy Policy conflict with respect to data sourced from Strava, Strava's Privacy Policy controls.

8. International Data Transfers

Your data is primarily stored in the European Union (Google Cloud, europe-west4 region). However, when AI providers process your data for coaching generation, it may be transferred to servers in the United States. These transfers are governed by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with each provider
• The provider's own data protection certifications and commitments

9. How We Protect Your Data

• Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
• Secure Infrastructure: Enterprise-grade cloud hosting in the EU with access controls and audit logging
• Authentication: Secure JWT-based authentication with cryptographically generated secrets
• Minimal Access: We only request the specific data scopes needed for coaching from connected platforms
• On-Device Data: Apple Health data is read directly on your device and only synced to our servers with your explicit permission
• Regular Audits: Security vulnerability scanning and dependency auditing

10. Data Retention

• Training & Activity Data: 3 years from collection (for AI coaching continuity and long-term training analysis)
• Health & Wellness Data: 1 year (sleep, HRV, recovery metrics, daily wellness logs)
• AI Prompt Logs: 90 days (for quality assurance and debugging, then permanently deleted)
• Training Plans: 2 years after plan completion
• Personal Bests: Indefinite (unless you request deletion)
• Account Data: Retained while your account is active, plus 30 days after deletion request
• Analytics Data: 1 year
• Privacy Audit Logs: 7 years (for regulatory compliance)

11. Cookies & Tracking Technologies

Website (vici.run)

Our website uses Vercel Analytics, a privacy-focused analytics service that does not use cookies and does not track users across websites. It collects anonymous page view data (pages visited, referrer, country-level geolocation) to help us understand website traffic.

Email Communications

Emails sent through our service provider (SendGrid) may include a tracking pixel that records whether the email was opened and delivery status. This helps us ensure our communications are being delivered. You can disable image loading in your email client to prevent open tracking.

Mobile App

The Vici iOS app does not use cookies. Authentication is handled through secure token-based sessions. In-app analytics (screen views and feature usage) are collected to improve the Service, as described in Section 3g.

12. Your Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under data protection law:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data (30-day grace period, then permanent deletion)
• Right to Data Portability: Export your data in a machine-readable format
• Right to Restrict Processing: Limit how we use your data
• Right to Object: Object to processing based on legitimate interest
• Right to Withdraw Consent: Withdraw consent at any time for health data and connected device integrations
• Right Regarding Automated Decisions: Request human review of AI-generated training recommendations

To exercise any of these rights, use the in-app settings (Profile → Settings → Privacy) or email support@vici.run. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

13. Your Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out of Sale: We do not sell your personal information. No opt-out is necessary
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise your rights, email support@vici.run or use the in-app privacy settings.

14. Apple HealthKit

If you choose to grant Vici access to data through Apple HealthKit, the following commitments apply, in addition to the rest of this Privacy Policy. Where this section conflicts with anything else in this Privacy Policy with respect to HealthKit data, this section controls.

• Specific data only: We only request access to HealthKit data types relevant to running and recovery coaching (see Section 3e for the enumerated list). We do not request access to HealthKit data unrelated to those purposes
• Personal coaching only: HealthKit data is used solely to provide personalized coaching and display health metrics within the app for your individual account
• No advertising or marketing: We do not use HealthKit data — in any form, including aggregated or de-identified — for advertising, marketing, or use-based data mining, whether by us or by any third party
• No selling or trading: We do not sell, license, lease, or otherwise transfer HealthKit data to data brokers, advertisers, or any other third party in exchange for monetary or other consideration
• No AI/ML training: We do not use HealthKit data to train, fine-tune, or develop artificial intelligence or machine-learning models. AI providers we work with process HealthKit-derived inputs on an inference-only basis under data processing agreements that prohibit training on customer inputs
• No iCloud storage: We do not store HealthKit data in iCloud
• No false data writes: Where Vici writes data to HealthKit (e.g., logging a run), we write only data that is accurate and reflective of your actual activity. We do not write false or inaccurate data into HealthKit
• No profile-building from anonymized data: We do not attempt to build, reconstruct, or de-anonymize user profiles from HealthKit data. We do not combine HealthKit data with other data sources for profile-building purposes
• Purpose limitation: HealthKit data we collect for one purpose (e.g., recovery assessment) is not repurposed for another without your renewed consent
• Withdrawal of consent: You can revoke HealthKit access at any time via your iPhone Settings → Privacy & Security → Health, or via the Vici app. Revoking access immediately stops further data sync, and we will delete the corresponding HealthKit data we hold within a reasonable period (typically thirty (30) days) except where retention is required by law

15. Children's Privacy

Vici is not directed to or intended for use by individuals under the age of 16. We do not knowingly collect personal information from anyone under 16. If you are a parent or guardian and believe your child under 16 has provided us with personal information, please contact us at support@vici.run and we will delete the information within 30 days.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app or via email at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

17. Contact Us