Privacy Policy

1. Overview

Chiron Performance Systems (“we,” “us,” or “our”) operates the Chiron platform, a multi-tenant performance intelligence system that aggregates health, training, sleep, and biometric data to provide AI-powered coaching for athletes and their care teams. This Privacy Policy explains what data we collect, how we use it, and your rights with respect to it.

By using Chiron at https://chiron.life, you agree to the practices described here.

2. Data We Collect

We collect data in two ways:

2.1 Data you provide directly

Account credentials (name, email, password hash)
Health profile information (age, weight, height, training goals)
Journal entries, notes, and coach conversations
Supplement logs, nutrition entries, and manual health metrics
Clarity module entries (substance use and craving logs)

2.2 Data from connected integrations

When you authorize a third-party integration, we receive and store data from that service on your behalf, including:

WHOOP — recovery scores, HRV, resting heart rate, sleep stages, strain, workouts
Garmin — workouts, GPS data, heart rate, training metrics
Strava — activities, GPS routes, performance data
Eight Sleep — sleep stages, bed temperature, HRV
Oura Ring — readiness, sleep, activity, biometrics
Dexcom CGM — continuous glucose readings
Google Calendar — calendar events (for scheduling context only)
RescueTime — productivity and screen time data

We only request the minimum scopes necessary. You can revoke access at any time from the Connections page or directly within the third-party app.

2.3 Integration Data — Detail

When you connect Garmin Connect, Chiron retrieves workout activities, GPS tracks, heart rate streams, training load metrics (ATL/CTL), VO₂ max estimates, and sleep data via the Garmin Health API. This data is used exclusively to:

Calculate your Acute Training Load (ATL), Chronic Training Load (CTL), and daily readiness score
Model metabolic demand and recovery curves for AI coaching context
Display historical workout trends, HR zone distributions, and performance analytics within your Chiron dashboard

Data Sovereignty: Garmin integration requires your explicit OAuth authorization. Chiron does not store your raw Garmin account password. OAuth tokens are encrypted at rest using AES-256-GCM and are only decrypted on-server during a sync operation. You can revoke access at any time from the Connections page or from your Garmin Connect account settings, which immediately invalidates our stored tokens.

Garmin data is never shared with third parties, used for advertising, or included in any aggregate data product.

3. How We Use Your Data

To generate personalized training, nutrition, and recovery recommendations
To power the AI coaching system using your historical health context
To track trends, streaks, and performance over time
To send you notifications or alerts you have opted into
To display your data back to you and any practitioners you have explicitly granted access

We do not sell your data, share it with advertisers, or use it for purposes unrelated to your personal performance. Chiron maintains a strict non-marketing commitment. Biometric data retrieved via the Garmin Health API is never used for advertising, user profiling, or any purpose other than providing the performance insights described in these terms.

4. AI Processing

Chiron uses large language models (including Anthropic Claude and Google Gemini) to generate coaching responses. When you interact with the AI coach, relevant portions of your health data are included in the model context to generate personalized responses.

These requests are processed by Anthropic and Google under their respective API terms. Data is sent over encrypted connections and is not used to train their models under standard API usage terms.

5. Data Storage & Security

All data is stored in an encrypted SQLite database on a private, dedicated server
All third-party OAuth tokens and API credentials are encrypted at rest using AES-256-GCM before storage — they are only decrypted in memory during active sync operations
All data in transit is protected via TLS 1.2+ (HTTPS) — plaintext connections are not accepted
Session tokens are stored as httpOnly, Secure cookies and expire after 30 days of inactivity
No raw integration passwords are stored; only the encrypted OAuth session tokens issued after authorization

No system is perfectly secure. In the event of a confirmed breach affecting personal health data, we will notify affected users promptly and disclose the nature of the compromise.

6. Practitioner Access

Chiron supports a practitioner model where you can grant a coach, doctor, or trainer access to your data. This access is:

Explicitly authorized by you via an access code
Scoped to read-only viewing and the ability to send you directives
Revocable at any time from your settings

Practitioners cannot access your clarity module logs or journal entries without your explicit additional consent.

7. Data Retention & Deletion

Your data is retained for as long as your account is active. You may request deletion of your account and all associated data by emailing james@chiron.life. We will process deletion requests within 30 days.

You can disconnect individual integrations at any time from the Connections page, which removes the associated OAuth tokens from our system.

8. Children

Chiron is not intended for users under 18 years of age. We do not knowingly collect data from minors.

9. Changes to This Policy

We may update this policy as the product evolves. Material changes will be communicated via email or an in-app notice. The effective date at the top of this page will always reflect the most recent version.

10. Contact

Questions, requests, or concerns about this policy:

Chiron Performance Systems LLC
James Sternlicht, Founder
james@chiron.life

11. Your Rights

You have the following rights with respect to your personal data. To exercise any of them, email james@chiron.life with your request. We will respond within 30 days.

Right to Access

You may request a complete copy of all personal data we hold about you, including your health metrics, workout history, AI conversation logs, and integration data. We will provide this in a structured, machine-readable format (JSON).

Right to Portability

You may request an export of your data in a portable format. Exported data includes all workout records, biometric timeseries, journal entries, supplement logs, and AI coaching history tied to your account.

Right to Erasure

You may request deletion of your account and all associated data at any time. Upon verification, we will permanently delete your profile, health data, integration tokens, conversation history, and any other data linked to your account within 30 days. Users may also request the permanent deletion of all historical data synced from a specific integration (e.g., Garmin) at any time without terminating their entire Chiron account. Note: data already processed into anonymized aggregates (if any) cannot be individually recalled.

Right to Correction

If any data we hold about you is inaccurate, you may request correction. Most profile data can be updated directly from your Settings page.

If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the GDPR and UK GDPR, including the right to lodge a complaint with your local supervisory authority.