Privacy Policy
Last updated: 6 July 2026
1. Who We Are
Frontier Performance ("we", "us") is a human-performance monitoring and coaching platform, accessible at app.frontierperformance.org and through the Frontier Performance mobile apps. The data controller is Frontier Performance Limited, a company registered in England and Wales (company no. 17269518), registered office 18 Fair Leas, Saffron Walden, Essex CB10 2DR. For any privacy question or to exercise your rights, contact [email protected].
2. What We Collect
- Account and profile: name, email, and authentication credentials (managed by Google Firebase Authentication – we never see or store plaintext passwords); and your athlete profile: date of birth, sex, height, weight, maximum and resting heart rate, heart-rate zones, and baseline SpO₂.
- Physiological and session data from wearable sensors connected through our apps (for example OxiWear, Polar, Viatom/Wellue, Nonin): SpO₂, heart rate and beat-to-beat (RR) intervals, heart-rate variability, skin temperature, perfusion index, signal quality, and sensor battery. Per session: start/end times, duration, activity type, barometric altitude, simulated-altitude / inspired-oxygen (FiO₂) or hypoxic-generator settings, and derived metrics such as hypoxic dose, desaturation statistics, and calories.
- Location data, where a session is recorded outdoors with GPS enabled: route, speed, and elevation, used to relate physiological responses to terrain and altitude.
- Things you write: session effort ratings (RPE) and free-text session notes, in an app or on the web dashboard. Free-text notes are stored as written.
- Assessments, where used in your project: Acute Mountain Sickness (Lake Louise) questionnaire responses, CPET results, blood markers, and similar structured assessments.
- Technical data: essential session cookies for sign-in and standard security logs. Public pre-screening forms are protected by Cloudflare Turnstile. We use no advertising or tracking cookies and no third-party analytics.
3. Where It Comes From
- The Frontier Performance and OxiTracker mobile apps, when you record a session and it is uploaded (per session or via an auto-upload setting you control).
- Watch data fields (for example Garmin), where you install them.
- Third-party services you explicitly connect via OAuth – Oura, Polar, Strava, and Garmin. You can disconnect these at any time, which removes our stored access tokens.
- Manual entry by you, your coach, or research staff (for example CPET results or blood markers, where your project includes them).
4. Why, and Our Lawful Bases
- Providing the service (storing, displaying, and analysing your training and physiological data for you and your coach): performance of a contract, UK GDPR Article 6(1)(b), and your explicit consent for health data, Article 9(2)(a), collected when you join and withdrawable at any time.
- Research (for example the IHT Twin Study): separate, explicit, study-specific consent. Declining research does not affect the coaching service.
- Security and service improvement: legitimate interests, Article 6(1)(f), limited to technical logs and aggregate usage.
Withdrawing consent stops future processing but does not affect the lawfulness of processing already carried out.
5. Who Can See Your Data
- You, through the dashboard and apps.
- Your coach and the authorised staff of your project – access is enforced per project, so coaches see only the athletes assigned to their project.
- Platform administrators, for technical maintenance only.
- Nobody else. We do not sell data. Anonymised, aggregated research results may be shared with academic collaborators only where your study-specific consent covers it. Identifiable data is never shared without your permission.
6. Where It Lives, and Our Processors
Data is stored in Google Cloud Firestore in London (europe-west2); the platform runs on Google Cloud Run in Belgium (europe-west1). Data is encrypted in transit (TLS) and at rest (AES-256, Google-managed). Our processors, each under GDPR data-processing terms, are Google Cloud (hosting and database), Google Firebase (authentication), and Cloudflare (bot protection on public forms). Sessions recorded in the mobile apps are also stored locally on your own device, under your control, until you delete them there.
7. How Long We Keep It
Your data is retained while your account or project participation is active. On a deletion request we remove identifiable data within 30 days. Research datasets already anonymised for publication integrity are retained in anonymised form. Sessions uploaded from an app remain on the platform even if you delete the app or its local copies, until you delete them on the dashboard or ask us to remove them.
8. Your Rights
Under UK GDPR you can access and export your data, correct it, have it erased, restrict or object to processing, and withdraw consent at any time. In the platform you can delete an individual session yourself and disconnect any linked third-party account. A CSV export of your session/workout data is available in the dashboard; for a full copy of all your personal data, contact us and we will provide it in a structured, commonly-used format. You also have the right to complain to the Information Commissioner's Office (ico.org.uk).
9. Age
The platform is intended for adults (18+). Athletes under 18 may participate only through a project and with the consent of a parent or guardian, who must agree to this policy on their behalf.
10. If Something Goes Wrong
If a personal-data breach puts your rights at risk, we will notify you and the Information Commissioner's Office without undue delay, as UK GDPR requires.
11. Contact
For any privacy-related question or to exercise your rights, contact [email protected].
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the platform. The "Last updated" date at the top reflects the most recent revision.