1. Overview
okataoo.io ("okataoo," "we," "us") operates a consumer wellness application and website (together, the "Service") that integrates with Garmin Ltd.'s Health API to help individual Garmin device users better understand their own health and training data through AI-generated insights.
We take privacy seriously. We collect only the data needed to deliver the features you enable, we do not sell your data, and we give you clear controls to disconnect and delete at any time.
2. Information we collect
2.1 Information you provide directly
- Account information: name, email address, password (stored hashed), and optional profile information like age range, sex, height, weight, and fitness goals.
- Communications: messages you send us through the contact form, support email, or in-app feedback.
- Preferences: notification settings, feature toggles, and units (metric/imperial).
2.2 Information collected automatically
- Device & usage data: IP address, browser or mobile device type, operating system, app version, crash logs, and in-app events (such as which screens you open).
- Cookies and similar technologies: used for authentication, session management, and aggregated analytics. See Section 6.
2.3 Information from Garmin
If you choose to connect a Garmin account, we receive health and activity data from Garmin's Health API, described in detail in Section 3.
3. Garmin Health API data
okataoo.io integrates with Garmin's Health API under the Garmin Developer Program. We never see or store your Garmin username or password. Authorization is handled exclusively through Garmin's OAuth flow; you remain in control and can revoke access at any time.
3.1 What data types we may access
We request only the data types necessary to power the features you use. Typical data types include:
| Data category | Examples | Why we use it |
|---|---|---|
| Daily Summaries | Steps, calories, intensity minutes, floors climbed | Activity trends and daily readiness |
| Heart Rate | Resting HR, continuous HR, max HR | Cardiovascular trends, recovery scoring |
| Heart Rate Variability | HRV status, overnight HRV | Recovery and nervous-system load |
| Sleep | Sleep stages, duration, awake time, respiration | Sleep quality coaching |
| Stress & Body Battery | Daily stress, energy score | Stress management guidance |
| Activities | Workout type, duration, distance, HR zones, pace, power | Training load and workout review |
| Training metrics | VO₂ max, fitness age, training status, acute/chronic load | Long-term fitness trajectory |
| User profile | Height, weight, birth year, gender (as provided to Garmin) | Personalizing calorie, HR-zone, and pace calculations |
You can see the exact scopes okataoo.io has been granted at any time inside the app's Connections settings, and in your Garmin Connect account.
3.2 How this data reaches us
When you authorize the integration, Garmin delivers data to us in two ways, both over encrypted HTTPS:
- Summary endpoints — we request recent summaries on your behalf when you open the app.
- Webhook "ping" notifications — Garmin notifies our servers when new data is available, and we fetch it using your user access token. We do not poll indiscriminately.
3.3 What we do NOT do with Garmin data
- We do not sell Garmin data, in whole or in part, to any third party.
- We do not use Garmin data for advertising or marketing profiling.
- We do not share Garmin data with data brokers or resellers.
- We do not use Garmin data to train publicly released foundation AI models. See Section 7 for details on the AI features that operate only on your own data to generate your own insights.
- We do not combine your Garmin data with data purchased from third parties about you.
3.4 Revoking Garmin access
You can revoke okataoo.io's access to your Garmin data at any time:
- Inside okataoo.io → Settings → Connections → Disconnect Garmin, or
- At Garmin Connect → Account → Connected Apps.
Once access is revoked, we stop receiving new data immediately. You may additionally request deletion of the historical data we already hold (see Section 10).
4. How we use your information
We use the information described above only for the following purposes:
- Deliver the Service: render your dashboards, trends, daily readiness, and workout reviews.
- Generate AI recommendations: produce your personalized insights, weekly reviews, and answers to your own questions about your data (see Section 7).
- Account management: authenticate you, keep your settings in sync, and communicate service notices.
- Product improvement: debug crashes, measure feature usage in aggregate, and improve reliability. Where possible, we use de-identified or aggregated data for this purpose.
- Security & fraud prevention: detect abuse, prevent unauthorized access, and protect the integrity of the Service.
- Legal compliance: meet our obligations under applicable law and respond to lawful requests.
5. Legal basis for processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:
- Your explicit consent for processing special-category health data (including Garmin data).
- Performance of a contract to provide you the Service you requested.
- Our legitimate interests in improving and securing the Service, where those interests are not overridden by your rights.
- Legal obligation where we must process data to comply with the law.
6. How we share information
We do not sell your personal data. We share personal data only in these limited situations:
- Service providers / processors: cloud hosting (e.g., AWS), database hosting, error-tracking, email delivery, and AI inference providers that operate under strict contractual obligations to process data only on our instructions. A current list is available on request to info@okatoo.io.
- Legal compliance: when required by law, subpoena, or to protect rights, property, or safety.
- Business transfers: in connection with a merger, acquisition, or sale of assets, subject to confidentiality protections and notice to you.
- With your explicit direction: for example, if you ask us to export your data to another service.
We do not share Garmin-sourced data with any advertising, analytics, or marketing networks.
7. Use of AI and automated processing
okataoo.io uses AI models to turn your Garmin data into natural-language insights, weekly summaries, and conversational answers about your own data. Here is how this works:
- Purpose: generate recommendations and explanations tailored to you.
- Inputs: the subset of your Garmin and profile data that is relevant to the feature you're using at that moment.
- Providers: we use commercial AI model providers under data-processing agreements that prohibit using our inputs to train their models, and that require deletion of inputs after inference.
- Human review: we do not publicly publish or review your individualized AI outputs. A limited internal team may review automatically flagged outputs (e.g., unsafe responses) to improve safety.
- No medical decisions: okataoo's outputs are informational. They are not medical advice, diagnosis, or treatment and should not be used as a substitute for professional care.
- Your rights: you can object to AI processing and still use basic dashboards, where technically feasible.
8. Data retention
- Active accounts: we retain your data for as long as your account is active, so we can show you historical trends.
- Disconnected Garmin: if you disconnect Garmin, we stop ingesting new data immediately. Existing Garmin data is retained so you can still view past trends unless you request deletion.
- Account deletion: when you delete your account or submit a deletion request, we delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, tax, or security reasons.
- Backups: residual copies in encrypted backups are purged on a rolling schedule (up to 90 days).
9. Security
- All data is transmitted over TLS 1.2 or higher.
- Data is encrypted at rest using industry-standard AES-256.
- OAuth tokens and secrets are stored in a dedicated key management service with strict access controls.
- Access to production systems requires multi-factor authentication and is restricted to authorized personnel on a need-to-know basis.
- We run ongoing vulnerability scanning and respond promptly to reports submitted to info@okatoo.io.
No internet-based service can be 100% secure. If we become aware of a breach affecting your personal data, we will notify you and the appropriate authorities as required by law.
10. Your rights & choices
Depending on where you live, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — update inaccurate data in your profile.
- Deletion — request that we delete your personal data.
- Portability — request an export of your data in a machine-readable format.
- Objection / restriction — object to certain processing, including AI-based profiling.
- Withdraw consent — at any time, for any processing based on your consent.
- Complaint — lodge a complaint with your local data-protection authority.
To exercise any of these rights, email info@okatoo.io. We will respond within 30 days. We do not discriminate against users for exercising their rights.
California residents: you have additional rights under the CCPA/CPRA, including the right to know, the right to delete, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA.
11. International transfers
We are based in the United States. If you access the Service from outside the U.S., you understand that your data may be transferred to and processed in the U.S. and in other countries where our service providers operate. Where required, we use appropriate safeguards such as the EU Standard Contractual Clauses.
12. Children's privacy
The Service is not directed to children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, please contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by a notice inside the app before the changes take effect. The "Last updated" date at the top of this page will also change.
14. Contact us
Questions, concerns, or requests about this policy or your data?
- Email: info@okatoo.io
- Mail: okataoo.io — Privacy, c/o the operator (address available on request)
You can also visit our contact page to reach us through our support form.