Privacy Policy
Effective April 22, 2026
1. Who we are
Team Kabir RAAM 2026 (“we”, “us”) is a private operations app built for the crew supporting cyclist Kabir Rachure in the Race Across America 2026. The app is operated by Vishal Behal (Zer0.ai, Toronto, Canada). This policy covers the web app hosted at raam-2026.vercel.app.
2. Scope of users
Access is limited to named crew members of Team Kabir. There is no public sign-up. All accounts are invite-only via email magic link. Crew members are identified by name, role, email, phone, and optional emergency contact.
3. Data collected from Whoop
When a crew member authorizes Whoop via OAuth, we store:
- OAuth access and refresh tokens, token expiry timestamp, and Whoop user ID.
- Daily recovery score, resting heart rate, heart rate variability (HRV RMSSD), SpO2, and skin temperature.
- Sleep events: start/end, total/REM/SWS minutes, efficiency, respiratory rate, disturbance count.
Whoop data is used solely to inform race-day decisions (fatigue warnings, sleep-plan triggers). It is never sold, advertised against, or shared outside the crew roster.
4. Other data collected
- GPS pings from the rider’s tracker (lat/lng, speed, mile marker, timestamp).
- Crew-logged events: nutrition entries, rest/sleep logs, penalty notes, Discord messages forwarded via webhook.
- Rule-engine evaluations (timestamp, rule code, severity, whether a Discord alert was sent).
5. Storage & security
Data is stored in a private Supabase (PostgreSQL) project in the US region with row-level security policies limiting access to authenticated crew members. All connections use TLS 1.2+. Tokens and secrets are stored encrypted at rest by Supabase.
Hosting: Vercel (application), Supabase (database + auth), GitHub Actions (scheduled jobs). We do not use analytics or advertising trackers.
6. Retention
Race-operational data is retained through the 2026 RAAM season plus 12 months for post-race debrief. Crew members may request deletion of their account and associated Whoop data at any time (see Section 9). On request, OAuth tokens are revoked and all associated rows are hard-deleted within 7 days.
7. Third-party services
- Whoop — wearable recovery & sleep data, via OAuth 2.0.
- Supabase — auth and database.
- Vercel — web hosting, edge functions.
- Discord — alert channel for crew (outbound webhooks only).
- Mapbox / Google Maps — map tiles for the GPS view.
We share only the minimum data needed for each service to function (e.g., the GPS ping is sent to the mapping provider to render tiles; no crew identity is disclosed).
8. Cookies
We set only strictly-necessary session cookies from Supabase Auth (magic-link authentication) and a short-lived OAuth state/nonce cookie during the Whoop connection flow. We do not use advertising or analytics cookies.
9. Your rights
You may at any time:
- Request a copy of all data we hold about you.
- Disconnect Whoop (revokes tokens within our system).
- Request deletion of your account and Whoop history.
- Revoke the app’s Whoop access directly via whoop.com/account/permissions.
10. Contact
Data controller: Vishal Behal
Email: vishal@zer0.ai
Alternate: hello@vega.agency
11. Changes
We may update this policy as race operations evolve. Material changes will be communicated to the crew by email with at least 7 days’ notice before taking effect.