Privacy Policy

Effective Date: 18 May 2026
Last Updated: 18 May 2026
Version: 3.0


1. Who We Are

Flow Momentum Limited ("Flow Momentum", "we", "us", "our") is a private company limited by shares, registered in England and Wales.

Flow Momentum is the data controller for all personal data processed through flowmomentum.ai, app.flowmomentum.ai, and associated services.

Because we process personal data of users in the United Kingdom and the European Economic Area, we comply with the UK GDPR (as incorporated into UK law by the Data Protection Act 2018) and the EU GDPR (Regulation (EU) 2016/679).


2. What Flow Momentum Does

Flow Momentum is an AI-powered leadership-performance platform for executives who train. The service consists of four AI Coaches:

  • Performance Coach — plans and reviews your athletic training. Uses your Garmin data if connected.
  • Comms Coach — drafts internal communications, emails, leadership messages.
  • Team Coach — prepares 1:1s, team meetings, and analyses business data you upload.
  • Nutrition Coach — fuelling strategies for training and race day. Uses your Garmin data if connected.

Flow Momentum is a coaching and performance tool. It is not a medical device, not medical advice, not psychological therapy, and not an HR or recruitment system. See §13.


3. The Personal Data We Process

3.1 Account Data

Legal basis: Art. 6(1)(b) Contract

Full name, email address, password (stored as a salted bcrypt hash, never in plaintext), account-creation and login timestamps, subscription tier, billing status, invoice history.

3.2 Profile and Preferences

Legal basis: Art. 6(1)(b) Contract

If you choose to provide them: FTP, FTHR, weight, height, age, training goals, notification preferences, language and locale.

3.3 Garmin Connect Health and Activity Data — Detailed Disclosure

This section is the canonical Garmin disclosure required under the Garmin Connect Developer Program License Agreement. The anchor https://flowmomentum.ai/privacy#garmin-data links here.

3.3.1 Legal basis. Special Category Data under Art. 9 GDPR. Processed solely on the basis of your explicit opt-in consent (Art. 9(2)(a) GDPR), given during the Garmin Connect OAuth flow.

3.3.2 How we collect Garmin data.

  • OAuth 2.0 with PKCE. You initiate the connection from app.flowmomentum.ai → Settings → Connections → Connect Garmin. You authenticate directly with Garmin; Flow Momentum never sees your Garmin password. You approve the data scopes:
    • HEALTH_EXPORT — daily health metrics and sleep
    • WORKOUTS_EXPORT — activity files
    • HISTORICAL_DATA_EXPORT — backfill of the last 14 days
  • Push notifications (PING/PUSH). Garmin asynchronously pushes new data to our webhook endpoints. We do not poll Garmin beyond the initial 14-day backfill.

3.3.3 Categories of Garmin data we receive.

  • Activities (cycling, running, swimming, strength, other workouts): duration, distance, pace, power, heart rate, cadence, elevation, GPS tracks if enabled on your device.
  • Daily health metrics: steps, resting heart rate, sleep stages and duration, stress score, Body Battery™ energy monitoring, HRV, pulse oximetry, respiration rate.
  • Body composition (only if you use Garmin Index™ scales).
  • Training load, recovery time, VO2max estimate, training readiness (on supported devices).
  • Device identifiers associated with each metric (model name, source device), used for attribution.

3.3.4 How we use Garmin data.

  • Performance Coach uses your activity, training load and recovery data to plan and review your athletic training.
  • Nutrition Coach uses workout intensity and duration to recommend fuelling.
  • Comms Coach and Team Coach do not receive Garmin data unless you attach it explicitly to a session.
  • The dashboard visualises your daily readiness, training metrics, weekly summary and PMC indicators (CTL/ATL/TSB).

We do not use Garmin data:

  • to evaluate, score or rank you against other users;
  • for any automated decision producing legal or similarly significant effects;
  • for any advertising of any kind (Flow Momentum products are ad-free);
  • to train any AI model — see §3.3.6 and §5.3 for the binding "no training" commitment.

3.3.5 How we process Garmin data. Activity payloads are received via webhook at api.flowmomentum.ai, validated, and persisted in our database in Germany (see §6). Derived metrics (TSS, intensity factor, CTL/ATL/TSB) are computed on our backend. Aggregated training summaries are built per user for the dashboard and for Coach context.

3.3.6 Third-party processing — including AI services. When you ask the Performance Coach or Nutrition Coach a question that requires reasoning about your training context, a minimal, transient summary of your relevant Garmin data may be transmitted to a third-party AI inference provider. The provider depends on the model selected for the task:

  • Mistral AI SAS
    • Inference location: France (EU)
    • What it receives: training summary text (e.g. "CTL 45, ATL 60, last activity: 35-min Z2 run")
    • Retention: not stored after the response
    • Training on this data? No — API "no training" terms
  • DeepSeek R1 via Requesty Ltd
    • Inference location: EU routing (Frankfurt endpoint)
    • What it receives: same as above, for complex periodisation reasoning and annual-plan generation
    • Retention: not stored after the response
    • Training on this data? No — Requesty "no retention, no training" terms
  • OpenAI Ireland Limited
    • Inference location: EU (Ireland; onward inference may transit to the US under SCCs + EU–US DPF)
    • What it receives: same as above, used (a) for voice transcription via Whisper, and (b) as failsafe when Mistral and DeepSeek are unavailable
    • Retention: not stored after the response
    • Training on this data? No — API "no training" terms

These are the only AI services that ever process Garmin data, on a transient, request-by-request basis. Garmin data is never sold, shared with brokers, used for advertising, or used to enrich third-party datasets.

The choice of model per Coach role is configurable by the Flow Momentum administrator. Changes that affect which AI services receive Garmin data are subject to prior written approval by Garmin, per the Garmin Connect Developer Program License Agreement.

3.3.7 Where Garmin data is stored. All Garmin data is stored exclusively in the European Economic Area on our database in Germany (see §6 for the infrastructure provider). No Garmin data is at rest on US-based infrastructure. The only cross-border transit is the transient AI API call described in §3.3.6, covered by SCCs and the EU–US Data Privacy Framework where applicable.

3.3.8 Retention and deletion.

  • Active connection: 24-month rolling retention. Data older than 24 months is automatically purged.
  • Disconnect (UI or revocation in your Garmin account): all stored Garmin data linked to your account is deleted within 30 days. We also call Garmin's DELETE /user/registration endpoint to revoke our access immediately.
  • Account deletion (GDPR Art. 17): all Garmin data is deleted with your account within 30 days.
  • User permission change pushed by Garmin: our endpoint receives the permission-change webhook and stops processing the affected data type immediately.

3.3.9 Your rights regarding Garmin data. In addition to all rights in §8:

  • Withdraw consent at any time by disconnecting Garmin in Settings → Connections (one click).
  • Export your Garmin data in a machine-readable format via Settings → Privacy → Export My Data (Art. 20).
  • Object to specific processing by emailing compliance@flowmomentum.ai.

3.3.10 Attribution within Flow Momentum. Throughout the interface, all Garmin device-sourced data is attributed in compliance with Garmin's API Brand Guidelines (v6.30.2025). We display the device model where Garmin provides it (e.g. "Garmin Forerunner® 965"), or "Garmin Connect™" when no model is available, on each dashboard card, activity entry and Coach response that references Garmin data.

3.3.11 Changes to this section. Any change to this section, to how Garmin data is processed, or to the third-party recipients listed in §3.3.6, will be submitted to the Garmin Connect Developer Program team for written approval before it takes effect, in accordance with our Garmin Developer Program License Agreement.

3.4 Coach Session Content

Legal basis: Art. 6(1)(b) Contract

Text, documents, notes or audio you paste, type, upload or record into Coach sessions. Excel files (financial reports, KPIs, team data) you upload for analysis by the Team Coach. Voice recordings you submit for transcription.

Roadmap clarification: Some features described above (voice transcription, Excel upload and analysis, audio recording) are being progressively rolled out. Processing begins only when a feature is activated for you. We provide 30 days' written notice before any newly activated processing affects data we already hold.

Third parties in your content. When you write about colleagues or team members, you may process their personal data. You are responsible for ensuring you have an appropriate lawful basis. See §13.

3.5 Private Wiki Content

Legal basis: Art. 6(1)(b) Contract

Personal notes, structured knowledge and uploaded source files that you persist in your private Wiki layer.

Roadmap clarification: The private Wiki layer is under active development and will be activated for users progressively. Existing accounts will receive 30 days' written notice before the feature becomes active for them.

Isolation. Wiki content is stored in a dedicated database schema with Row-Level Security. Other users cannot access your Wiki content. For Flow Momentum's own administrative access to user-generated content, see §3.7.

3.6 Usage and Telemetry

Legal basis: Art. 6(1)(f) Legitimate Interest

Coach interaction metadata: which Coach was used, message length, latency, model used (for cost monitoring). Sanitised error logs. We do not deploy advertising trackers or marketing pixels.

3.7 Administrative Access to User Data

Flow Momentum operates on self-hosted infrastructure (see §6). Technical administrative access to the database is restricted to the Founder and is required for operating the service.

We commit to the following strict policy:

  • We do not access user-generated content (Coach conversations, Wiki entries, uploaded files, Garmin data) in the normal course of business.
  • Administrative access to user-generated content occurs only in two documented situations:
    1. Security incident response where investigation is required to protect the platform and other users.
    2. Customer support, with your explicit prior consent obtained per ticket.
  • Every administrative access event is automatically logged (timestamp, actor, accessed resource, justification) in an internal audit log retained for 12 months. The audit log is available to you on request for accesses relating to your account.
  • User-generated content is never accessed for product development, marketing, profile enrichment, model training, or any commercial purpose.

If you are uncomfortable with the access boundaries above, please contact compliance@flowmomentum.ai before subscribing.


Summary of processing activities, their legal basis under Art. 6 and, where applicable, the additional basis under Art. 9:

  • Account creation, login, billing: Art. 6(1)(b) Contract
  • Profile preferences and goals: Art. 6(1)(b) Contract
  • Processing Garmin health data: Art. 6(1)(b) Contract; additional basis Art. 9(2)(a) Explicit Consent
  • Coach sessions and Wiki content: Art. 6(1)(b) Contract
  • Newsletter delivery (where active): Art. 6(1)(a) Consent
  • Aggregated, anonymous product analytics: Art. 6(1)(f) Legitimate Interest
  • Stripe payment processing: Art. 6(1)(b) Contract + Art. 6(1)(c) Legal Obligation (tax)

5. How Your Data Is Used by AI Systems

5.1 Which AI models we use

We route AI inference through a self-hosted proxy. The current model assignment is:

  • Dispatcher (route to Coach): Mistral Small, provided by Mistral AI SAS, inference in France (EU)
  • Coach responses (Performance, Comms, Team, Nutrition): Mistral Large 3, provided by Mistral AI SAS, inference in France (EU)
  • Reasoning (annual plan, complex analysis): DeepSeek R1 (routed), provided by DeepSeek via Requesty Ltd, inference at EU endpoint (Frankfurt)
  • Embeddings (Wiki search): Mistral Embed, provided by Mistral AI SAS, inference in France (EU)
  • Voice transcription: Whisper Large v3, provided by OpenAI Ireland Limited, inference in Ireland (EU); onward to the US under SCCs + DPF if required
  • Failsafe (only if all above unavailable): OpenAI GPT model, provided by OpenAI Ireland Limited, inference in Ireland (EU); onward to the US under SCCs + DPF if required

The administrator may adjust this assignment per Coach role over time. Material changes affecting data flow are reflected in this Policy under the change procedure in §14. Changes affecting Garmin-data processing require prior Garmin approval (§3.3.11).

5.2 Cross-border data transfers

Where transfers occur, they are based on:

  • Within EU/EEA — no further safeguard required.
  • Within UK — covered by the UK–EU adequacy decision.
  • Onward transfers to the US (e.g. OpenAI failsafe, Resend, Stripe US operations) — covered by Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. The recipients are listed in §6.

5.3 No training on user data

Flow Momentum does not use your conversations, profile, Wiki, Garmin data or any other personal data to train, fine-tune or improve any AI model — neither ours nor any third party's. API calls to all AI providers are made under contractual "no training" terms.

5.4 EU AI Act classification

Flow Momentum is a Limited Risk AI system under Art. 50 EU AI Act. The transparency obligations apply:

  • You are always informed you are interacting with an AI Coach, not a human.
  • Each Coach response is labelled with the model that generated it (e.g. "Mistral Large 3" or "DeepSeek R1 — Reasoning Mode").
  • AI-generated content is identifiable.
  • Sources used to inform responses (your Wiki, Flow Momentum's brand knowledge, your uploaded data, your Garmin data) are cited.

Flow Momentum is not a High-Risk system under Annex III. It is not used for HR decisions, recruitment, employment performance evaluation, access to essential services, credit scoring, insurance, law enforcement, border control, migration, justice administration, or medical diagnosis. See §13.


6. Subprocessors

We use the following subprocessors (data processors under Art. 28 GDPR). A signed Data Processing Agreement (DPA) is in place with each.

  • Hetzner Online GmbH
    • Legal entity and registered office: Industriestr. 25, 91710 Gunzenhausen, Germany. HRB 6089 Ansbach.
    • Purpose: self-hosted server infrastructure (Nürnberg, Germany) — runs frontend, backend API, database.
    • Transfer mechanism: within EU/EEA.
  • Lovable Labs AB (operational EU subsidiary of Lovable Labs Inc., Delaware US)
    • Legal entity and registered office: Regeringsgatan 25, 111 53 Stockholm, Sweden.
    • Purpose: hosting of the landing page (flowmomentum.ai only — not the app) and Stripe checkout components.
    • Transfer mechanism: within EU/EEA; US parent disclosed for transparency. Lovable DPA in place.
  • Stripe Payments UK Ltd
    • Legal entity and registered office: 9th Floor, 107 Cheapside, London EC2V 6DN, UK. Companies House 08480771. FCA EMI authorisation 900461.
    • Purpose: payment processing, billing, tax.
    • Transfer mechanism: UK (post-Brexit adequacy with EU). Onward processing to Stripe affiliates under SCCs + DPF where applicable.
  • Mistral AI SAS
    • Legal entity and registered office: 15 Rue des Halles, 75001 Paris, France. RCS Paris 952 418 325.
    • Purpose: AI inference (Mistral Small / Large / Embed).
    • Transfer mechanism: within EU/EEA.
  • Requesty Ltd
    • Legal entity and registered office: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, UK. Companies House 15165717.
    • Purpose: EU routing layer for DeepSeek R1 inference.
    • Transfer mechanism: within UK (adequacy with EU).
  • OpenAI Ireland Limited
    • Legal entity and registered office: 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland. Irish CRO 737350.
    • Purpose: voice transcription (Whisper) and failsafe AI inference. EU data controller for EEA users.
    • Transfer mechanism: within EU/EEA; onward to the US under SCCs + EU–US DPF where applicable.
  • Resend, Inc.
    • Legal entity and registered office: 2261 Market Street #4041, San Francisco, CA 94114, USA.
    • Purpose: transactional and newsletter email delivery. Sending region: Ireland (eu-west-1). Account data and email metadata stored on Resend's US infrastructure.
    • Transfer mechanism: SCCs + EU–US Data Privacy Framework (Resend is DPF-certified).
  • Garmin International Inc.
    • Legal entity and registered office: 1200 East 151st Street, Olathe, KS 66062, USA.
    • Purpose: Garmin Health API — source of Garmin device data. Independent controller of its source data; processor for the data it sends us.
    • Transfer mechanism: user authorises via Garmin Connect OAuth. SCCs and EU–US DPF for any necessary onward processing.
  • Telegram FZ-LLC
    • Legal entity and registered office: License No. 94349, Dubai, United Arab Emirates (Free Zone).
    • Purpose: optional Telegram Bot for daily training briefings (only for users who opt in by linking their Telegram account).
    • Transfer mechanism: SCCs (UAE is not on the EU adequacy list).
  • Discord Netherlands B.V.
    • Legal entity and registered office: Schiphol Boulevard 195, 1118BG Schiphol, Netherlands (EU controller for EEA users).
    • Purpose: optional Discord OAuth and role sync (only for users who explicitly connect their Discord account).
    • Transfer mechanism: within EU/EEA.
  • Google Ireland Limited
    • Legal entity and registered office: Gordon House, Barrow Street, Dublin 4, Ireland.
    • Purpose: optional Google OAuth for sign-in (no Drive, Calendar or other Google API access).
    • Transfer mechanism: within EU/EEA.

An up-to-date subprocessor list is maintained at flowmomentum.ai/legal/subprocessors. Material changes are announced 30 days in advance by email to active subscribers.


7. Retention

Category, retention period and trigger for deletion:

  • Account data (email, auth): active subscription + 90 days after cancellation; trigger: account deletion
  • Profile data: active subscription + 90 days; trigger: account deletion
  • Coach conversation history: 12 months rolling; trigger: auto-purge
  • Private Wiki content: indefinite while opt-in is on; trigger: user delete, opt-out, or reset
  • Garmin health data: 24 months rolling; trigger: disconnect or reset
  • Uploaded files (documents, transcripts, Excel): 90 days rolling; trigger: auto-purge
  • Voice transcripts: 30 days rolling; trigger: auto-purge
  • Invoices and tax records: 7 years; trigger: UK tax law obligation (HMRC)
  • Server logs (technical, sanitised): 30 days; trigger: auto-purge
  • Email subscriber list (where newsletter is active): until unsubscribe; trigger: unsubscribe link
  • Administrative-access audit log: 12 months; trigger: auto-purge
  • Database backups: 30 days rolling; trigger: auto-purge

7.1 Self-service deletion

Under Settings → Privacy:

  • Reset App Data — deletes Coach conversations, Wiki, uploaded files, Garmin data cache. Keeps account, subscription, profile.
  • Delete Account Entirely — full GDPR Art. 17 erasure. Stripe invoices are retained for 7 years (HMRC); your email is anonymised on those records.

8. Your Rights Under UK GDPR and EU GDPR

  • Access (Art. 15) — receive a copy of your personal data.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — delete your account and data.
  • Restriction of processing (Art. 18).
  • Portability (Art. 20) — export your data in a machine-readable format. See §8.1.
  • Object (Art. 21) — to processing based on legitimate interest.
  • Withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing before withdrawal.
  • Not be subject to automated decision-making (Art. 22) — we do not perform automated decisions with legal or similarly significant effects.
  • Lodge a complaint with the UK ICO (ico.org.uk) or your local EU/EEA supervisory authority.

To exercise any right: compliance@flowmomentum.ai. We respond within 30 days.

8.1 Data export — what you get

When you request a data export under Settings → Privacy → Export My Data, we provide a single ZIP archive containing:

  • conversations/ — your Coach sessions as Markdown files (one file per conversation).
  • wiki/ — your private Wiki entries as Markdown files.
  • garmin/garmin_data.xlsx — your Garmin activities and health metrics as Excel sheets.
  • uploads/ — your originally uploaded files in their original format.
  • profile.json — account and preference metadata.
  • README.txt — index of the contents.

Exports are delivered within 30 days. For accounts with large data volumes, we send a secure download link by email.


9. Security

  • Encryption at rest: AES-256 for the database. Encrypted volumes.
  • Encryption in transit: TLS 1.3 for all connections.
  • Authentication: salted bcrypt password hashing, JWT tokens with rotation, OAuth 2.0 + PKCE for third-party integrations.
  • Authorisation: Row-Level Security in Postgres — User A cannot technically access User B's data.
  • Multi-factor authentication for administrators. Principle of least privilege.
  • All administrative actions are logged with timestamp and actor. See §3.7.
  • Encrypted daily database backups, 30-day rolling retention. Restorability tested monthly.
  • Breach notification to ICO/DPAs within 72 hours as required by Art. 33 GDPR.

No transmission over the internet or storage technology is 100 % secure. Despite our measures, we cannot guarantee absolute security.


10. Cookies and Similar Technologies

Flow Momentum uses strictly necessary cookies for authentication only (session JWT). No advertising cookies, no third-party trackers, no marketing pixels.

Strictly necessary cookies do not require consent under ePrivacy and UK ICO guidance.


11. International Transfers — Summary

See §6 (Subprocessors) for the full list and individual transfer mechanisms. Where data leaves the EEA or UK, transfers are protected by Standard Contractual Clauses and/or the EU–US Data Privacy Framework. We do not engage in transfers to third countries lacking an appropriate transfer mechanism.


12. Children

Flow Momentum is intended for users 18 years and older. We do not knowingly collect data from minors. If we learn that a minor has registered, we delete the account.


13. Limitations — What Flow Momentum Is Not

  • Not a medical device. Garmin "stress score", "sleep score" and "training readiness" are wellness indicators, not medical diagnoses. Do not use Flow Momentum to make medical decisions.
  • Not psychological therapy. Comms Coach and Team Coach help you reflect on workplace situations. They are not licensed therapists and not a substitute for professional psychological care.
  • Not an HR system. Team Coach analyses team dynamics in the context of your own leadership. It is not an employee evaluation tool, not a recruitment tool, not a performance-review system. You retain full responsibility for any HR decisions. Flow Momentum's outputs must not be the sole or decisive factor in employment decisions.
  • Not financial advice. Team Coach can analyse uploaded financial data for sense-making, but does not provide regulated financial advice.
  • Not a substitute for human judgement. All AI outputs are suggestions. You remain accountable for your decisions.

14. Changes to This Privacy Policy

Material changes are announced 30 days in advance by email to all active subscribers, with an opportunity to delete your account before the change takes effect. The "Last Updated" date at the top of this Policy is updated with every change. A change log is maintained at flowmomentum.ai/legal/privacy-changelog.

For changes that affect Garmin-data processing or the third-party recipients of Garmin data (§3.3.6), we obtain written approval from the Garmin Connect Developer Program team before implementation, in accordance with our Garmin Developer Program License Agreement.


15. Contact

  • Data protection matters: compliance@flowmomentum.ai
  • General questions: hello@flowmomentum.ai
  • Postal: Flow Momentum Limited, Bartle House, 9 Oxford Court, Manchester, M2 3WQ, United Kingdom

We respond within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with the UK ICO (ico.org.uk) or your local EU/EEA Data Protection Authority.
