Privacy Policy.

Who this policy covers

This privacy policy describes how P. Sergio Serrato (“I,” “me”) handles personal data accessed through the WHOOP API by Whoopline, a single-user personal application registered to me. Whoopline runs locally on hardware I control. It is not hosted as a public service, is not offered to any other person, and does not accept third-party sign-in. No one else's WHOOP data is collected, processed, or stored.

Data accessed from WHOOP

Through the WHOOP API, Whoopline requests the following scopes against my own WHOOP account:

• read:profile — name and email associated with my WHOOP account
• read:body_measurement — height, weight, and max heart rate
• read:cycles — physiological cycles, strain, and recovery scores
• read:recovery — daily recovery, HRV, and resting heart rate
• read:sleep — sleep stages, duration, performance, and sleep need
• read:workout — workout activity, duration, strain, and heart rate zones
• offline — refresh tokens for unattended polling of my own data

Whoopline does not write data back to WHOOP, does not modify any WHOOP records, and does not request any scope beyond those listed above.

How the data is used

1. Ingestion. Whoopline runs locally on my own machine, authenticates against WHOOP via OAuth 2.0, and pulls the scopes listed above on a regular schedule.
2. Storage. Records are written to private storage in my own AWS account (Amazon S3, queried via Amazon Athena, and/or a private database). Storage is private to my AWS organization, encrypted at rest under AWS-managed keys, and not exposed to the public internet.
3. Analysis. Subsets of the data are sent to Anthropic's Claude API for personal analysis — e.g. summarizing trends, correlating sleep with workouts, or drafting personal observations. Only my own data is sent.
4. Output. Analysis results are returned to me on the same local machine. Nothing is published, syndicated, sold, or shown to third parties.

Sub-processors and third parties

The only third parties that may temporarily process this data on my behalf are:

• Amazon Web Services — cloud storage and compute. See the AWS Privacy Notice.
• Anthropic, PBC — provider of the Claude API used for analysis. By default, Anthropic does not use Claude API inputs or outputs to train its models. See the Anthropic Privacy Policy and Commercial Terms.

No other vendors, advertisers, analytics platforms, or data brokers receive WHOOP-derived data. The data is not sold, traded, rented, or licensed under any circumstances.

Retention and deletion

Because Whoopline is a personal application, retention is at my discretion. I may keep historical WHOOP data indefinitely for longitudinal analysis. I can revoke Whoopline's access at any time from the WHOOP developer settings, after which no further data is fetched. I can also delete stored copies from my AWS account or local machine at any time.

Security

• Whoopline runs locally on my own machine; the WHOOP refresh token and OAuth client secret live on that machine and/or in AWS Secrets Manager — never committed to source control, logs, or shared documents.
• Data at rest in AWS is encrypted with AWS-managed keys (SSE-S3 / KMS).
• Data in transit uses TLS 1.2 or higher.
• Storage buckets and databases are private and access-restricted to my own IAM principals.
• API calls to Anthropic are made over TLS using credentials scoped to this project.

Children

Whoopline is not directed to children under 13 and does not knowingly process data about anyone other than me.

Changes to this policy

If the scope of Whoopline changes — for example, if it begins to process anyone else's data, share data with new vendors, or offer access to other users — this policy will be updated and the effective date above revised. Material changes will be reflected here before the change takes effect.

Contact

Questions about this policy or Whoopline can be sent to p.sergio.serrato@gmail.com.