Privacy Policy

Last Updated: 7 April 2026

Our Privacy Commitment

Flow Recovery processes all of your health and biometric data entirely on your device. We do not collect, transmit, store, or have access to your health data on any server. Our AI model runs locally on your device and your data never leaves your phone to be analysed.

This Privacy Policy ("Privacy Policy") describes how Flow Recovery OÜ, a company registered in the Republic of Estonia ("we," "us," "our," or the "Company"), handles information when you use the Flow Recovery mobile application and related services, including our website at https://www.flowrecovery.app (collectively, the "Services").

By accessing or using the Services, you accept and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Services.

What Data We Collect and What We Do Not

Health Data from Apple HealthKit (Processed On-Device Only)

With your permission, Flow Recovery reads the following data from Apple HealthKit on your device:

  • Sleep data: Sleep stages, duration, consistency, and timing
  • Heart rate data: Resting heart rate, heart rate variability (HRV), and heart rate recovery
  • Training data: Workouts, active energy, exercise minutes, and training load metrics
  • Recovery metrics: Blood oxygen saturation, respiratory rate, and cardio fitness (VO2 Max)
  • Body metrics: Height, weight, age, and biological sex

This data is accessed, processed, and stored entirely on your device. We do not collect, upload, transmit, or have access to any of your Apple HealthKit data on any external server. Flow Recovery cannot read from Apple HealthKit without your explicit consent, which you can revoke at any time through your device's Settings or the Apple Health app.

In accordance with Apple's requirements for HealthKit data:

  • We do not use your HealthKit data for advertising or marketing purposes.
  • We do not sell your HealthKit data to any third party.
  • We do not share your HealthKit data with any third party for any purpose.
  • We do not disclose your HealthKit data to any third party, including data brokers.
  • We do not use your HealthKit data for purposes unrelated to providing the core health and fitness functionality of the Services.

On-Device AI Processing

Flow Recovery uses an artificial intelligence model (running via MLX-Swift) that operates entirely on your device to analyse your health data and generate your daily training protocol (Rest Day, Active Recovery, Moderate Training, or Hard Training), along with personalised guidance on heart rate zones, duration, hydration, and supplementation.

No health data is sent to any cloud server, external API, or third-party AI provider for processing. The AI model is downloaded once to your device and runs locally thereafter. Your health data never leaves your device for AI analysis.

Apple Watch Companion App

Flow Recovery includes an Apple Watch companion app that collects health data (such as heart rate and workout metrics) through Apple's HealthKit and sensor APIs. This data is processed on-device and synced to your iPhone through Apple's built-in secure device-to-device communication. The Apple Watch companion app does not independently transmit any health data to our servers or to any third party. All data collected by the Apple Watch is subject to the same on-device-only processing described throughout this policy.

Information We Do Collect

We collect a very limited amount of information externally:

Voluntary Email Address If you choose to sign up for our newsletter or updates, we collect your email address. This is entirely voluntary and is not required to use the Services. We use your email address solely to send you product updates, offers, and information about Flow Recovery. You may unsubscribe at any time using the link provided in any email we send.

Basic Analytics Data We use lightweight analytics to understand general app usage patterns, such as which features are most used and how the app performs. This analytics data is anonymous or pseudonymous and does not include any of your health data, HealthKit data, AI-generated insights, or personally identifiable information. Analytics identifiers may reset when you reinstall the app.

App Content Downloads Certain app assets, such as images and the AI model files, are downloaded from our cloud hosting infrastructure when you first install or update the app. Standard server logs may temporarily record technical information such as your device's IP address and the files requested. These logs are used solely for maintaining the reliability and security of our hosting infrastructure and are not used to identify or track individual users.

Information We Do Not Collect

To be clear, we do not collect, store, or have access to:

  • Your sleep, heart rate, HRV, or any biometric data
  • Your workouts, training load, or recovery metrics
  • Your VO2 Max, blood oxygen, respiratory rate, or body metrics
  • Your AI-generated training protocols or personalised guidance
  • Your supplement tracking data
  • Any data stored in Apple HealthKit
  • Payment or financial information
  • Precise geolocation data
  • Contacts, photos, or other device data

How We Use Your Information

We use the limited information we collect for the following purposes only:

InformationPurpose
Email address (if voluntarily provided)To send product updates, offers, and news. You may unsubscribe at any time.
Anonymous analytics dataTo understand general usage patterns, improve app performance, and fix bugs.
Server logs from content downloadsTo maintain the reliability and security of our hosting infrastructure.

We do not use any information for targeted advertising, behavioural profiling, or sale to third parties.

Third-Party Services

We use a minimal number of third-party services to operate Flow Recovery:

Cloud Hosting Provider We use a third-party cloud hosting provider to serve app assets such as images and AI model files for download. This provider may process standard technical data (such as IP addresses) in connection with delivering these files. This provider does not receive any of your health data.

Analytics Provider We use a lightweight analytics service to collect anonymous or pseudonymous usage data. This service does not receive any health data, HealthKit data, or personally identifiable information. Analytics identifiers are randomly generated and may reset upon app reinstallation.

Email Service Provider If you subscribe to our newsletter, your email address is processed by our email service provider for the sole purpose of delivering communications from us. You may unsubscribe at any time.

We do not integrate with any third-party advertising networks, ad exchanges, data brokers, or social media tracking pixels. We do not use any third-party AI or machine learning cloud services to process your data.

Data Sharing

We do not sell, rent, or trade your personal information. We do not share your health data with anyone because we do not have access to it.

The limited data we do handle may be shared only as follows:

  • With service providers: We share information with the third-party service providers described above solely to the extent necessary for them to perform their functions on our behalf (hosting, analytics, email delivery). These providers are contractually bound to use your data only as instructed by us and to maintain appropriate security measures.

  • As required by law: We may disclose information if required by applicable law, regulation, legal process, or governmental request, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

  • In corporate transactions: In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

Data Storage and Transfers

Health data is stored exclusively on your device. We have no access to it and do not transfer it anywhere.

Email addresses (if provided) and analytics data may be stored and processed by our third-party service providers, whose infrastructure may be located in various jurisdictions, including the European Union, the United States, and other countries. Where data is transferred outside of the European Economic Area ("EEA"), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, to protect your data in accordance with applicable data protection laws.

Flow Recovery OÜ is based in Estonia, a member state of the European Union.

Data Retention

  • Health data: Stored on your device only. You may delete it at any time by removing the app or managing your data within Apple Health settings.
  • Email addresses: Retained until you unsubscribe or request deletion, after which they are removed from our active mailing lists and deleted from our email service provider's systems within 30 days.
  • Analytics data: Retained in anonymous or pseudonymous form for as long as reasonably necessary to fulfil the purposes described in this policy. Because this data is anonymous or pseudonymous, it generally cannot be linked back to you.
  • Server logs: Retained for a limited period necessary for security and operational purposes, after which they are automatically deleted.

Legal Bases for Processing

Health and biometric data that Flow Recovery processes on your device is not transmitted to our servers for that processing, and we do not access it. We are not the data controller for that on-device processing under applicable data protection law. The table below sets out the legal bases that apply only to the limited processing where we do receive or process personal data, as described elsewhere in this policy.

ProcessingLegal basis
Newsletters (voluntary email address for product updates, offers, and news)Consent
Analytics (anonymous or pseudonymous usage data)Legitimate interests
Server logs (technical data from app asset downloads, e.g. IP address and files requested)Legitimate interests

Your Rights

All Users

You have the right to:

  • Opt out of email communications at any time by clicking the unsubscribe link in any email or contacting us at support@flowrecovery.com.
  • Control your health data entirely through your device. You can revoke Flow Recovery's access to Apple HealthKit at any time in your device's Settings or the Apple Health app. You can delete the app to remove all locally stored data.
  • Request information about any personal data we hold about you (such as your email address).
  • Request deletion of any personal data we hold about you.

European Economic Area, United Kingdom, and Swiss Residents

If you reside in the EEA, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation ("GDPR") and the UK GDPR, including:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete personal data.
  • Erasure: Request deletion of your personal data.
  • Restriction: Request that we restrict processing of your personal data in certain circumstances.
  • Portability: Request a copy of your personal data in a structured, commonly used, machine-readable format, where technically feasible.
  • Object: Object to processing of your personal data where we rely on legitimate interests, subject to applicable law.
  • Withdraw consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint: You may lodge a complaint with a data protection supervisory authority. A full list of supervisory authorities in the EEA is available from the European Data Protection Board at https://edpb.europa.eu/about-edpb/about-edpb/members_en. If you are in the United Kingdom, you may contact the Information Commissioner's Office (ICO).

To exercise any of these rights, please contact us at support@flowrecovery.com.

Children's Privacy

Flow Recovery is intended for users aged 16 and above. We do not knowingly collect personal information from children under the age of 16.

Since health data is processed entirely on-device and we do not require registration or accounts, there is minimal risk of collecting children's data. The only personal information we may collect externally is a voluntarily provided email address.

If we learn that we have collected personal information from a child under the age of 16 without appropriate parental or guardian consent, we will promptly delete that information. If a parent or guardian believes that a child under 16 has provided us with an email address or other personal information, please contact us at support@flowrecovery.com and we will take immediate steps to remove it.

If you are under the age of 16, please do not provide us with your email address or any personal information. You may still use the core features of the app, as all health data processing occurs entirely on your device without any data being collected by us.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the app or on our website and updating the "Last Updated" date at the top.

We will not change this policy to permit the collection, transmission, or sharing of your health data without providing you clear notice and obtaining your explicit consent.

Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

Summary: Where Your Data Lives

Data TypeWhere It LivesDo We Have Access?
Sleep, HRV, heart rate, training, recovery metricsYour device onlyNo
AI-generated training protocols and guidanceYour device onlyNo
Supplement tracking dataYour device onlyNo
VO2 Max and cardio fitness trendsYour device onlyNo
Email address (if voluntarily provided)Our email service providerYes (only your email)
Anonymous analyticsAnalytics providerLimited (anonymous/pseudonymous)
AI model and image filesDownloaded to your device from cloud hostingNo (after download)

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

Flow Recovery OÜ
Email: support@flowrecovery.com
Website: https://www.flowrecovery.app

For data protection inquiries from EU residents, you may also contact the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at https://www.aki.ee.

Privacy Policy | Flow Recovery