Privacy Policy
Version 1.6 — beta. Last updated 18 June 2026.
This explains what data Flex the Otter collects, why, and what you can do about it. Plain English, no dark patterns. If anything's unclear, message Flex, or email flextheotter@gmail.com.
Who we are
Flex the Otter is an independently-operated product, run by a sole developer based in the United Kingdom. There's no company entity behind it during beta. Once the product moves out of beta, this notice will be updated. For any data-protection questions, or to ask who operates the service, contact flextheotter@gmail.com.
What we collect
Things you tell us
- Your messages to and from the Coach Flex bot
- Information you share during onboarding (sport, training history, goals, constraints, preferences)
- Your messaging-app first name, last name, username, and user ID — these are visible to any bot you message
- Your timezone and locale (used to schedule notifications correctly)
- If you earn a sticker and want it posted, the postal address you give us is stored only until it's sent, used for nothing else, and deleted with your account
Things connected services share with us
- intervals.icu — if you connect it (via secure OAuth sign-in), we read your activities, wellness data (HRV, resting heart rate, sleep), session notes, and your sport & training-zone settings. To coach you, Flex also writes back into your own intervals.icu account: planned workouts onto your calendar, and notes on your activities. We request only the access needed for this, and you can disconnect at any time.
- Calendar syncing (for example to Google Calendar) happens through intervals.icu's own integrations — Flex never connects to your Google account directly.
Biometric and physiological data (when you share it)
If you share documents containing biometric or physiological data (CPET reports, blood test results, body composition tests, performance test results, race results), we extract and retain structured data from them so Flex can reason from your specific physiology rather than generic averages. Specifically:
- Cardiopulmonary exercise tests (CPET): VO2max, ventilatory thresholds (VT1, VT2), substrate utilisation curves, RER values
- Lab/blood work: iron panels, hormonal markers, metabolic markers — whatever you share
- Body composition: weight, body fat percentage, lean mass, bone mineral density
- Performance tests: formal FTP tests, lactate threshold tests, time trials, with their protocols
- Race results: finish times, placings, perceived effort, notes
Source documents (the original PDFs, photos, or screenshots you share) are stored encrypted at rest. Extracted structured data is stored in your account's records. This data is used only for coaching you. It is never shared, sold, or used to train machine learning models. If you delete your account, all biometric data and source documents are removed from active systems immediately; backup copies age out in the next pruning cycle, max 90 days. You can review what's stored at any time by asking Flex, or by emailing flextheotter@gmail.com for a full export.
Things our infrastructure records automatically
- Server logs (IP address, request timestamps, error traces) for normal operation and debugging — kept for 30 days
- Database records of your conversation history, plans, and connected accounts — kept until you delete your account
Why we collect it
Everything above exists to make the product work:
- Your messages and onboarding info let Flex coach you sensibly
- Your training data lets Flex see what's actually happening rather than what you say is happening
- Your planned sessions land in your intervals.icu calendar, which you can sync on to your own calendar
- Server logs help us fix bugs
Where it lives
- Your data is stored on a server in the United Kingdom (London datacentre)
- Backups are held in encrypted cold storage in the European Union (Backblaze B2, Amsterdam region)
- OAuth tokens for connected services are encrypted at rest
- We do not sell, trade, or transfer your personal data to anyone outside the parties listed below
Who we share it with
Flex needs to talk to a few external services for the product to function. By using Flex, you accept that your messages and relevant context get sent to:
Anthropic (essential) — provides the language model that powers Flex's responses. Every message you send is forwarded to Anthropic's API along with relevant context (recent messages, your training data, your goals) so the model can generate a reply. Anthropic's data handling is governed by their Commercial Terms and Privacy Policy. Anthropic does not train its models on data sent through their API.
intervals.icu (only if you connect it) — we send authenticated requests to read your training data and to write the planned workouts and notes Flex creates for you into your own intervals.icu account. We don't disclose your data to intervals.icu beyond your own account activity.
Stripe (only if you subscribe) — payment is processed by Stripe. Your card details go directly to Stripe — we never see or store them. Stripe's privacy policy applies to the payment data they hold. We keep records of subscriptions (who subscribed, when, amounts) as required for financial record-keeping, and these are retained even if you delete your account, as the law requires.
Your messaging app (always, while you use the bot) — your conversation with Flex happens via your messaging app's infrastructure (currently Telegram). That provider has access to the messages between you and the bot, and their privacy policy applies. There's no way around this — it's how chat bots work.
Improving Flex
As part of running and improving the service, we use pseudonymised versions of conversations and training data — your name, messaging details, email, and account IDs are stripped or replaced before the data is used for this. We use it to improve Flex's coaching responses, to refine our planning logic from aggregate patterns, and occasionally to quote pseudonymised, paraphrased examples in product documentation. This is part of using Flex rather than a separate sign-up step. It is never sold, and never used to train third-party AI models.
You can opt out at any time — tell Flex or email flextheotter@gmail.com, and we'll stop using your data to improve the product from then on. Data already used can't be unwoven, but nothing new will be, and opting out doesn't change how the product works for you.
Where this would involve health or biometric data (special-category data under UK GDPR), we rely on the explicit consent you give when you start sharing health information, the same opt-out applies, and wherever practical we fully anonymise that data for improvement so it is no longer personal data at all.
How long we keep it
- Conversation history: until you delete your account
- Connected service tokens: until you disconnect or delete your account
- Backups: rolling 90 days for nightly snapshots
- Server logs: 30 days, then deleted
Once you delete your account, your personal data is removed from active systems within 7 days. Backup copies are removed in the next backup pruning cycle, max 90 days.
Your rights (UK / EU GDPR)
- Access — request a copy of all your personal data. Message Flex or email flextheotter@gmail.com and you'll receive a JSON export within 7 days.
- Delete — request permanent deletion. Message the bot with /delete. Confirmation required. Removal from active systems is immediate; backup copies age out within 90 days.
- Rectify — correct inaccurate data. Most personal data lives in your conversation with the bot, so just tell Flex what's wrong and ask for it to be updated.
- Restrict — pause processing of your data without deleting. Message Flex or email us and we'll pause processing while we resolve your request.
- Object — to specific processing (like product improvement). Tell Flex or email us.
- Portability — receive your data in a machine-readable format. The export we provide is JSON.
- Withdraw consent — at any time, for any consent you've given. Tell Flex, email us, or delete your account with /delete.
- Complain — to the Information Commissioner's Office (ICO) if you believe we're handling your data unlawfully.
Lawful basis for processing
Under UK GDPR, we process your data on these bases:
- Explicit consent — for health and biometric data (special category data under UK GDPR). Flex asks for this in the bot before collecting any health information, and you can withdraw it at any time by deleting your account with /delete. For users under 18, this consent is given by a parent or guardian on their behalf.
- Contract — to provide the coaching service you signed up for
- Legitimate interests — for server logging, security monitoring, and improving the product using pseudonymised data, which you can opt out of (and only where this doesn't override your rights)
Cookies
This page sets no cookies and uses no analytics. It loads a web font from Google Fonts, which means your browser makes a request to Google to fetch the font; no cookies are set by us. The bot conversation happens in your messaging app and uses no cookies of ours.
Children
Flex the Otter is intended for adults. Anyone under 18 may use it only with the approval of a parent or guardian, who accepts this policy on their behalf and remains responsible for their use of the product. We handle any personal data belonging to under-18 users with particular care.
Security
We take reasonable precautions: encryption in transit (TLS), encryption at rest for connected service tokens, role-based access (only the developer can access the database), nightly off-site backups, and minimal logging. No system is perfectly secure. If something goes wrong and your data is exposed, we'll tell you within 72 hours of becoming aware, as required by UK GDPR.
Changes to this policy
If we update this policy in a way that materially affects your rights, we'll notify you in the bot before the changes take effect, and we'll re-ask for consent where required. The version number at the top of this page changes when the policy does.
Contact
Questions, complaints, or requests — message Coach Flex, or email flextheotter@gmail.com.