Privacy Policy

1. Who We Are

NØRVE is a Belgian startup building a decision layer between coaches and athletes in endurance sport. The platform takes into account how you respond to the demands of daily life — physical and mental — and estimates the impact on your actual athletic performance. It does this by integrating physiological data, subjective check-ins, and contextual factors, and translating them into a daily readiness report.

Data controller:
Name: Tobias Wijckmans · Trade name: NØRVE · Email: wijckmanstobias@gmail.com · Website: norve.be

2. What Data We Process

NØRVE processes two categories of personal data.

2.1 Ordinary Personal Data

Identification data: name, email address, date of birth, gender. Professional data (coaches only): club or organisation name, number of athletes supervised. Technical data: IP address, device information, login credentials. Usage data: features used, timing of check-ins, report output.

2.2 Special Categories of Personal Data (Article 9 GDPR)

NØRVE processes health data. This includes:
Physiological data: heart rate variability (HRV), sleep data, resting heart rate, readiness scores from wearables (Garmin, WHOOP, Polar, Oura, Intervals.icu). Subjective health data: self-reported sleep quality, stress level, fatigue, muscle soreness, cognitive load, recovery feeling. Mental health data: mental readiness profile, cognitive test scores, emotional state, motivation, pressure sensitivity. Contextual health data: open responses about factors influencing training (stress, illness, alcohol, travel fatigue, emotional load).

We process these special categories solely on the basis of your explicit, freely given, and informed consent. You provide this consent during registration via a dedicated consent screen. You may withdraw this consent at any time via your profile settings.

3. Why We Use Your Data

3.1 Service Delivery

Generating daily readiness reports and training recommendations. Building your personal Mental Readiness Profile. Managing the coach dashboard and athlete monitoring. Detecting patterns and trends in your training and recovery data. Producing weekly Cognitive Drift Reports.
Legal basis: performance of contract (Article 6.1.b GDPR) + explicit consent for health data (Article 9.2.a GDPR).

3.2 System Improvement

Analysing anonymised and aggregated usage data to improve report quality and recommendations. Testing and refining scoring logic.
Legal basis: legitimate interest (Article 6.1.f GDPR). We use only anonymised data that cannot be traced back to an individual.

3.3 Communication

Responding to questions and providing support. Sending notifications about your daily report (functional only — no marketing).
Legal basis: performance of contract (Article 6.1.b GDPR).

3.4 Scientific Research (Optional)

Anonymised data may, following separate explicit consent, be used for scientific research in collaboration with academic partners.
Legal basis: explicit consent (Article 6.1.a GDPR + Article 9.2.j GDPR). This is a separate consent that you can grant or refuse independently.

4. How Long We Retain Your Data

We do not retain your data longer than necessary for the purpose for which it was collected.

Account data: duration of active account + 2 years after deletion. Daily check-in data and reports: 1 year from date of entry. Wearable data (via Intervals.icu API): 1 year rolling. Cognitive test results: 3 years from date of assessment. Coach dashboard data: duration of active coaching relationship + 1 year. Anonymised research data: indefinite (not traceable to an individual).

After the retention period expires, your data is securely deleted or anonymised.

5. Who We Share Your Data With

NØRVE never sells your data to third parties. We share data only in the following circumstances.

5.1 Coach–Athlete Relationship

If you are linked to a coach via the NØRVE platform, that coach has access to your readiness reports, scores, and key drivers. This is a core function of the platform, for which you provide consent at registration. You can terminate the link with a coach at any time via your account settings.

5.2 Technical Processors

Google Firebase (Firestore database, Cloud Functions) — data storage and backend processing, EU servers. Vercel — web hosting, EU/US servers covered by Standard Contractual Clauses. Anthropic — AI processing of reports; prompt content is not used for AI model training. Intervals.icu — integration of wearable wellness data, initiated solely by you using your own API key. We have a Data Processing Agreement in place with all processors in accordance with Article 28 GDPR.

5.3 Legal Obligations

We may be required to share data with competent authorities where required by law.

6. International Data Transfers

We aim to process all data within the European Economic Area (EEA). Where transfers outside the EEA occur: Vercel uses infrastructure in the United States, covered by Standard Contractual Clauses (SCCs) approved by the European Commission. Anthropic is a US-based company. We have contractually established that input data is not used for model training.

7. How We Protect Your Data

NØRVE implements appropriate technical and organisational measures to protect your data: encryption of data in transit (HTTPS/TLS) and at rest, access controls ensuring only authorised persons can access personal data, Firebase Security Rules for database-level access control, anonymisation of data used for system improvement and research, regular review of security measures. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you as soon as possible and within 72 hours.

8. Your Rights

As a data subject, you have the following rights under the GDPR:
Right of access — request a copy of all data we hold about you. Right to rectification — have inaccurate data corrected. Right to erasure — 'right to be forgotten'. Right to restriction of processing. Right to data portability — request your data in a structured format. Right to object — to processing based on legitimate interest. Right to withdraw consent — at any time, without giving reasons, without retroactive effect.

Send your request to tobias@norve.be. We will respond within 30 days.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (GBA / APD):
Website: www.gegevensbeschermingsautoriteit.be · Email: contact@apd-gba.be · Address: Drukpersstraat 35, 1000 Brussels.

9. Cookies and Tracking

NØRVE uses only functional cookies that are strictly necessary for the operation of the platform (session authentication, preference settings). We do not use tracking cookies for advertising purposes. We do not sell data to advertisers and do not work with advertising networks.

10. Minors

NØRVE is not intended for persons under the age of 16. We do not knowingly collect data from minors. If you become aware that a minor has provided data, please contact us at tobias@norve.be so we can delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or via a notification in the platform. The current policy is always available at norve.be/privacy.

12. Contact

For questions, requests, or complaints regarding this Privacy Policy or the processing of your data:
Email: tobias@norve.be (or wijckmanstobias@gmail.com) · Website: norve.be · Data controller: Tobias Wijckmans, NØRVE.

We aim to respond to every inquiry within 5 business days.