Last updated: 17 June 2026
This policy explains what data Cadora ("Cadora", "we", "us") collects, why, who it is shared with, and the choices and rights you have. Cadora is a fitness coaching assistant for macOS.
Cadora is a coaching app. It reads fitness data you choose to give it, and lets you chat with an AI coach about your training and recovery. Some processing happens on your device; some requires sending data to services we operate or rely on, described below.
When this policy says data is "sent to" a service, it means it is transmitted over an encrypted (HTTPS/TLS) connection for the specific purpose described, and not for any other purpose.
When you sign in with Sign in with Apple, we receive an identifier and, if you allow it, your name and email address (which may be Apple's private relay address). We use this only to create and identify your Cadora account. If you choose to continue without an account, no account information is collected.
With your explicit permission, Cadora reads health and fitness data from Apple Health, which may include: workouts, heart rate and heart-rate variability (HRV), resting heart rate, active energy, distances, running speed, VO₂ max, cycling power/cadence, and sleep analysis.
If you choose to connect a third-party service, you authorise it through that service's own login (OAuth). Cadora's backend securely custodies the resulting access on your behalf and reads the data you've authorised — for example activities, workouts, recovery scores, HRV, resting heart rate, sleep, and training-load metrics. We request read access only and do not modify your data on those services. You can disconnect a service at any time in Settings, which removes Cadora's stored access for it.
You may import your own data export files (for example a Strava or Garmin export). These are processed and stored locally on your Mac. Imported files are not uploaded to us.
You may enter profile details (such as display name, birth year, sex, height, weight, FTP, max heart rate), training goals, personal bests, and notes (such as niggles or injuries). This is stored locally on your device and, where relevant, included in the fitness context sent to the AI coach so its advice is personalised.
Your conversations with the AI coach are stored locally on your Mac. The text of each message you send, together with relevant fitness context (see section 4), is sent to our backend and AI provider to generate a response.
If you enable spoken replies (a premium feature), the text of the coach's reply is sent to our backend and on to our text-to-speech provider to generate audio. Your fitness data is not sent for this purpose — only the reply text.
We do not use analytics, telemetry, advertising, or tracking SDKs. We do not collect an advertising identifier (IDFA), and Cadora does not request App Tracking Transparency permission because it does not track you. We do not build advertising profiles.
| Data | Sent to | Purpose | When |
|---|---|---|---|
| Account identifier, name, email | Apple; our backend (Supabase) | Create/identify your account | At sign-in |
| Your message text + a summary of relevant fitness context (recent workouts, personal bests, recovery metrics, profile) | Our backend → AI provider (OpenRouter) | Generate a coaching reply | Each time you message the coach |
| Coach reply text | Our backend → text-to-speech provider (ElevenLabs) | Generate spoken audio | Only if you enable voice (premium) |
| Authorisation to a connected service | The service (Strava / WHOOP / Intervals.icu) via OAuth; tokens custodied by our backend | Read the fitness data you authorised | When you connect, and on refresh |
Everything else — your imported files, full workout history, and chat history — is stored locally on your Mac and is not uploaded to us.
We rely on the following providers to operate Cadora. They process data only as needed to provide their service to us, under their own terms and security practices:
Some of these providers are located in, or process data in, the United States. Where data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the providers' standard contractual clauses.
We do not sell your personal data, and we do not share it with third parties for their own marketing.
You can:
Under UK GDPR you also have the right to access, correct, delete, restrict, or object to processing of your personal data, and the right to data portability. To exercise these rights, contact us at [email protected]. You have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
Connections to our backend and to all providers use encryption in transit (HTTPS/TLS). Connected-service access tokens are stored encrypted on our backend. Sensitive credentials on your device are stored in the macOS Keychain. No method of storage or transmission is 100% secure, but we take reasonable measures to protect your data.
Cadora is not directed at children and is not intended for use by anyone under 16. We do not knowingly collect data from children.
We may update this policy from time to time. We will revise the "Last updated" date above and, for significant changes, provide notice in the app or on getcadora.app.
Questions about this policy or your data:
[[LEGAL_ENTITY]], [[POSTAL_ADDRESS]], United Kingdom
Email: [email protected]