This Privacy Policy explains how BeyondSky OÜ ("we", "us", "our"), operating the Whoopal service at whoopal.com, collects, uses, stores, and protects your personal data. We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller & Contact

The data controller responsible for your personal data is:

BeyondSky OÜ
Registration number: 16894028
Registered office: Narva mnt 5, 10117 Tallinn, Estonia
Email: [email protected]
Privacy queries: [email protected]

We have not appointed a Data Protection Officer (DPO) as we are not required to under Art. 37 GDPR. For all privacy-related queries, please email [email protected].

2. What Data We Collect

Data You Provide

  • Contact information: Name, email address, phone number, shipping address
  • Order information: Products purchased, order history, payment details (processed by Stripe)
  • Communication data: Messages you send us via email or contact forms
  • Newsletter subscription: Email address when you subscribe to updates

Data Collected Automatically

  • Technical data: IP address, browser type and version, operating system, device type
  • Usage data: Pages visited, time spent on pages, referring URLs, click patterns
  • Cookie data: As described in Section 8 below

WHOOP Health & Biometric Data (Art. 9 GDPR)

When you connect your WHOOP account via OAuth, we sync the following data from WHOOP's API: recovery scores, strain, sleep metrics, heart rate variability (HRV), resting heart rate (RHR), workouts, and journal entries. This information is considered health and biometric data under Art. 9 GDPR (special categories of personal data).

The legal basis for processing this data is your explicit consent (Art. 9(2)(a) GDPR), which you grant by completing the WHOOP OAuth flow. You can withdraw your consent at any time by disconnecting WHOOP from your account dashboard or by emailing [email protected]. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

3. Purposes & Legal Bases (GDPR Art. 6)

We process your personal data for the following purposes and legal bases:

  • Contract performance (Art. 6(1)(b)): Processing orders, delivering products, handling returns and refunds, customer support
  • Legal obligation (Art. 6(1)(c)): Tax compliance, accounting records, consumer protection obligations
  • Legitimate interest (Art. 6(1)(f)): Fraud prevention, website security, improving our services, analytics
  • Consent (Art. 6(1)(a)): Newsletter subscriptions, non-essential cookies, marketing communications
  • Explicit consent (Art. 9(2)(a)): Processing of WHOOP health and biometric data when you connect your WHOOP account

We do not perform automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 GDPR).

4. Subprocessors & Service Providers

We rely on the following third-party processors and subprocessors to deliver our services:

  • Hetzner Online GmbH (Germany, EU) — Server hosting and infrastructure. Data is stored on servers located within the European Union.
  • Cloudflare, Inc. (USA) — CDN and DDoS protection. Visitor traffic may transit Cloudflare's global network, including the United States, under Standard Contractual Clauses (SCCs).
  • WHOOP, Inc. (USA) — Source of fitness, recovery, and biometric data via OAuth, only when you actively connect your WHOOP account. See WHOOP's Privacy Policy.
  • Stripe, Inc. (USA) — Payment processing. Stripe processes your payment card information securely; we do not store card details on our servers. See Stripe's Privacy Policy.
  • Shipping carriers — To deliver your orders. We share your name and shipping address with postal/courier services.

5. Sharing Your Data

We do not sell, rent, or trade your personal data. We only share your data with:

  • Subprocessors listed in Section 4, strictly for the purposes described
  • Legal authorities, when required by law or to protect our legal rights

6. Retention

We retain your personal data only as long as necessary:

  • Order data: Retained for the duration required by tax and accounting laws (typically 7 years)
  • Customer support communications: Retained for up to 3 years after the last interaction
  • Newsletter subscriptions: Until you unsubscribe
  • WHOOP health data (recovery scores, HRV, strain, sleep, RHR, workouts): Retained while your WHOOP connection is active, and for up to 24 months thereafter. Deleted immediately upon your request.
  • Analytics data: Aggregated and anonymized after 26 months (aligned with standard analytics provider retention periods).

7. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of your personal data
  • Right to rectification (Art. 16): Request correction of inaccurate data
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to restriction (Art. 18): Request limitation of processing
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests or direct marketing
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing. For WHOOP data, you can withdraw consent by disconnecting WHOOP from your account dashboard or by emailing [email protected].

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. As BeyondSky OÜ is registered in Estonia, the lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon — AKI). French residents may alternatively contact the Commission Nationale de l'Informatique et des Libertés (CNIL) at cnil.fr. You may also file with the supervisory authority in your country of residence.

8. Cookies & Analytics

Our website may use cookies and similar technologies:

  • Essential cookies: Required for the website to function properly (e.g., session management). These do not require consent.
  • Analytics cookies: Help us understand how visitors use our site. Only activated with your consent.
  • Payment cookies: Set by Stripe for secure payment processing.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect website functionality.

9. International Transfers

As we ship worldwide and use Cloudflare, Stripe, and WHOOP (based in the United States), some of your data may be transferred outside the European Economic Area (EEA). In such cases, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Data Processing Agreements with all processors

10. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • SSL/TLS encryption for all data in transit
  • Secure payment processing through Stripe (PCI DSS compliant)
  • Regular security reviews
  • Access controls limiting data access to authorized personnel only

11. Children

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically. For significant changes, we will notify you by email if you are a customer or subscriber.

13. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

BeyondSky OÜ
Registered office: Narva mnt 5, 10117 Tallinn, Estonia
Email: [email protected]
Privacy queries: [email protected]

Frequently Asked Questions

01. What data does Whoopal collect?
We collect data you provide (name, email, shipping address, order details), data collected automatically (IP address, browser type, usage analytics), and — only if you connect your WHOOP account — health and biometric data such as recovery scores, HRV, strain, sleep metrics, and workouts.
02. Where is my data stored?
Your data is stored on servers hosted by Hetzner Online GmbH, located within the European Union (Germany). Payment data is handled exclusively by Stripe and never stored on our servers.
03. Can I delete my data? How?
Yes. Email [email protected] with a deletion request and we will process it within 30 days. To remove WHOOP health data specifically, disconnect WHOOP from your account dashboard — this triggers immediate deletion of synced health data.
04. Do you sell my data?
No. We do not sell, rent, or trade your personal data to any third party, ever. We share data only with the service providers listed in Section 4 (Hetzner, Cloudflare, WHOOP, Stripe, shipping carriers) strictly to operate the service.
05. Is my WHOOP data shared with WHOOP Inc.?
We read data from WHOOP's API when you authorize the connection — we do not send your data back to WHOOP. WHOOP Inc. governs the data held in your WHOOP account independently under their own privacy policy. We only store what we sync and use it solely to power Whoopal features.