
Privacy Policy

Last updated: April 27, 2026

Overview

whoop-sync (“the App”) is a personal data tool that lets a user authorize access to their own Whoop account via OAuth and mirror their physiological data into a database they control. The App is operated by Neeraj Chembrolu (“we”, “us”) and is not affiliated with Whoop, Inc.

Data we access

With your explicit authorization via Whoop's OAuth flow, the App requests access to the following scopes from your Whoop account:

  • read:recovery — recovery score, HRV, resting heart rate
  • read:cycles — daily strain and average heart rate
  • read:sleep — sleep duration, stages, score
  • read:workout — workouts, sport, strain
  • read:profile — name and email
  • read:body_measurement — height, weight, max heart rate

The App does not request any write scopes and cannot modify your Whoop account.

How we store data

Authorized data is stored in a private Supabase Postgres database owned by the operator. OAuth access and refresh tokens are stored server-side and never exposed to the browser. Data is used solely for the user's own analysis and personal use.

How we share data

We do not sell, rent, or share your data with third parties. The App is single-user and operated for personal use. The only third-party services involved in storage and operation are:

  • Whoop — source of the data via their official API
  • Vercel — application hosting
  • Supabase — Postgres database storage

Your controls

You can revoke this app's access at any time from your Whoop account settings, which will immediately invalidate the App's tokens. To request deletion of any cached data, contact nchemb@gmail.com.

Cookies

The App uses a single HTTP-only session cookie to maintain your authenticated session after Whoop OAuth completes. No analytics, advertising, or tracking cookies are used.

Contact

Questions or concerns? Email nchemb@gmail.com.