Privacy Policy

Last Updated: December 9, 2025

arii/hrm ("the Project," "we") is an open-source web application. This Privacy Policy explains how we handle your data, specifically regarding our planned integrations with Strava and active integrations with Spotify.

1. Introduction

arii/hrm is designed to prioritize your privacy. We process your health data locally on your device in real-time. We do not store your personal health information on our servers.

2. Data Collection & Usage

Health Data

We read real-time Heart Rate (HR) data from your connected Bluetooth Low Energy (BLE) devices. This data includes:

• Current heart rate (beats per minute)
• Heart rate zone information

Important: All heart rate data is streamed via Bluetooth for real-time visualization. This data is processed in your browser's memory and is not stored on our servers. When you close the application or end your session, this data is immediately discarded.

Workout Session Data

If you choose to save workout summaries (duration, average heart rate, zones), this data is stored locally on your device only. We never transmit or store this information on external servers.

3. Third-Party Services & Attribution

Our service integrates with the following platforms. Your use of these integrations is subject to their respective privacy policies:

Strava Integration (In Development)

Note: This feature is currently in development. When active:

When you connect your Strava account, we request access to:

• Strava Profile: We access your profile solely to display your avatar and name on your personal dashboard
• Activity Data: We access your playback state (current activity) to visualize and synchronize with your workout timer

Strava Attribution: Some activity data displayed in this application may originate from Garmin devices. We acknowledge that this data is sourced from Garmin via Strava. Garmin is a trademark of Garmin Ltd or its subsidiaries.

Spotify Integration

When you authorize Spotify, we access:

• Playback Control: We use the Spotify Web API to display current track information and provide playback controls
• Music Metadata: Album art, track name, and artist information are displayed using the Spotify integration

Our Spotify integration uses the Spotify Platform. By using our Spotify integration, you agree to be bound by the Spotify Developer Agreement and Spotify Privacy Policy.

Key Terms:

• Non-Commercial Use: The Spotify service accessed through our app is for personal, non-commercial use only
• Distribution Restrictions: Users may not sell or redistribute any Spotify data. Upon disconnection, we will delete your Spotify-related data
• Prohibited Uses: You may not use this integration for prohibited purposes such as training AI models, creating ringtones, or synchronizing audio with visual media without Spotify's written approval
• Attribution: All Spotify content, including visual names and cover art, is attributed to Spotify

Garmin Data

We use the Strava API to sync and display activity data. In compliance with Strava API Brand Guidelines:

• We do not use Strava data for any purpose other than providing the arii/hrm functionality to you
• We acknowledge that data may be sourced from Garmin via Strava
• Garmin is a trademark of Garmin Ltd or its subsidiaries

4. Data Retention and Deletion

All heart rate and workout data is processed in real-time on your device or our application when you close the application or end the session. This data is discarded immediately after your workout session ends unless you explicitly choose to upload it to a connected third-party service.

Account Disconnection

You may disconnect your Strava or Spotify accounts at any time via the "Settings" menu in the app. Upon disconnection, all authentication tokens are immediately permanently deleted from our system. You may also revoke access directly via the Strava Apps Settings pages or Spotify Apps Settings pages.

5. Data Security

We implement appropriate technical measures to protect your information:

• All data transmission occurs over HTTPS encrypted connections
• OAuth 2.0 authentication for third-party service connections
• No server-side storage of personal health data
• Bluetooth Low Energy secure pairing for device connections

6. Your Rights and Control

You maintain full control of your data:

• Access: You can view all data displayed in the application in real-time
• Deletion: Close the app to immediately discard all session data
• Disconnect: Revoke third-party integrations at any time through app settings or directly through Strava/Spotify
• Data Portability: Any data you choose to save locally can be exported from your device

7. Children's Privacy

Our service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately.

8. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Last Updated" date at the top of this policy. Continued use of the service after changes constitutes acceptance of the modified terms.

9. Third-Party Links

Our application may contain links to third-party websites and services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

10. International Users

This application processes data locally on your device. If you use our service from outside the United States, please be aware that any information processed will be in accordance with this Privacy Policy.

© 2025 arii/hrm. All rights reserved.