Privacy Policy

Effective July 3, 2026

Notch ("the app") is a personal fitness planner. This policy explains what the app does with your data and what we, the developer, can and cannot see.

The short version

Invite-only access

Notch is currently invite-only. To request access, you enter your email address on the opening screen. We use it only to grant and recognize your access — we don't email you, and we never use it for marketing.

What the app reads (with your permission)

Apple Health. With your permission, Notch reads — but does not write — workouts, calories burned, sleep, heart-rate variability, and resting heart rate to compute your weekly progress, your training load, and your Freshness score. Health data is read on-device and is not transmitted to anyone other than Apple's own iCloud (if you have Health iCloud sync enabled).

Apple Calendar. With your permission, Notch reads your calendars to find open time for workouts, and writes the workouts you schedule as events to a calendar you choose. The app respects your "Check for conflicts" selection in Settings — it only reads calendars you've opted in to.

Notifications. If you enable notifications, Notch schedules local reminders for upcoming workouts. These are delivered by your device; nothing leaves the device.

Connected services

Notch can connect to third-party fitness platforms to read your training and recovery data, and to write your planned workouts back to their calendars. Connections are opt-in per provider, authorized over OAuth in a system-managed browser sheet, and revocable at any time from Notch's Settings → Connections or from the provider's own "Connected apps" page.

Whoop. With your authorization, Notch reads your recovery score, heart-rate variability, resting heart rate, sleep stages, and recorded workouts. Read frequency is on app launch and on manual refresh. Notch does not write data to Whoop.

intervals.icu. With your authorization, Notch reads your activities, wellness data (HRV, resting heart rate, sleep, fitness/fatigue/form scores), and athlete profile. Notch may also write planned workouts to your intervals.icu calendar as calendar events so the two stay in sync. Authorization uses OAuth 2.0 with granular scopes — you see and approve each scope at connect time.

Oura. With your authorization, Notch reads your readiness and sleep data — sleep stages, heart-rate variability, resting heart rate — and recent activity. Authorization uses OAuth 2.0; data is read on app launch and on manual refresh. Notch does not write data to Oura.

Google Health. With your authorization, Notch reads exercise sessions, sleep, body weight, heart rate, calories, and steps from Google Health. Because Google requires it, the OAuth sign-in and token exchange pass through a small function on our Vercel server, which relays Google's response back to your device; your Google health data itself flows directly to your device and is not stored on that server. Data is read on app launch and on manual refresh. Notch does not write data to Google Health.

How connection credentials are stored. OAuth access and refresh tokens for connected services are stored in the iOS Keychain on your device, protected by your device passcode. They never leave the device except as bearer tokens in API requests to the issuing provider.

Diagnostics and product analytics

To find bugs and understand which features actually get used, Notch sends anonymous diagnostic and usage data to a small number of third-party providers:

Each install gets one anonymous UUID, stored on your device, that both providers use to group events from the same install. This identifier is not tied to your Apple ID, email, name, IP-based location, or anything from your connected services. No health data, calendar contents, workout notes, or content from Whoop / intervals.icu is ever sent to either provider.

You can disable analytics entirely in Settings → Diagnostics. Both providers honor the opt-out at runtime, no app restart needed.

What we do not do with analytics

Our webhook relay

If you have intervals.icu connected and webhooks are enabled, intervals.icu will send "new data available" pings to a small server we operate. That server (a stateless function hosted on Vercel) forwards each ping to your device via Apple Push Notification service, then discards it. The relay does not store the underlying fitness data; it only passes a small notification through. Standard operational logs (HTTP status codes, error messages, timestamps) are retained briefly by Vercel for debugging and are not associated with your identity or health data.

You can disable this by disconnecting intervals.icu from Notch or by turning off "Background updates" in Settings → Connections.

What the app stores

Your plan, profile, goal, weekly composition, completed workouts, time windows, and similar information are stored in SwiftData on your device. If you have iCloud Drive / iCloud sign-in enabled, this data is also kept in your private iCloud database, which is encrypted and accessible only to you across your Apple devices. We do not have a copy of this data and cannot see it.

What we do not do

Your choices and rights

Children

The app is not directed at children under 13 and we do not knowingly collect data from them.

Changes

If this policy ever changes, we'll update this document and note the effective date above. Material changes will be surfaced in-app.

Contact

Questions or concerns? Reach us through our contact form.