Privacy Policy
A LEGAL DISCLAIMER
Last updated: 01/10/2025
Legal entity: Rental Shield LTD. Registered in the ADGM, 000003739
1) Who we are
Rental Shield LTD (“we”, “us”, “our”) provides software and integrations that help users connect their WHOOP™ accounts to our services. Contact: admin@rentalshield.ai. Postal: Wework, Hub71, Al Maryah Island, ADGM, Abu Dhabi, U.A.E.
2) What this policy covers
This policy explains what data we process when you connect your WHOOP account to our service, how we use OAuth 2.0, what we do with access/refresh tokens, how we share and retain data, and the choices and rights you have. It applies to our website (theappshield.com) and our connected apps.
3) How the WHOOP connection works (OAuth 2.0)
- We use the OAuth 2.0 authorization code flow provided by WHOOP. You are redirected to WHOOP to sign in and grant consent; we never see your WHOOP password. (developer.whoop.com)
- If you grant access, WHOOP sends us an authorization code we exchange for an access token (short-lived) and a refresh token (long-lived). We store tokens securely (see §9).
- We only request scopes necessary for our features (e.g., body measurements, sleep, recovery, strain). Each WHOOP endpoint requires an appropriate scope; our API calls are limited to what you approved. (developer.whoop.com)
- You may revoke access at any time from your WHOOP account settings; if you do, our access immediately stops, and we delete tokens and related cached WHOOP data per §8.
4) Data we receive from WHOOP
Depending on which features you use and which scopes you grant, we may retrieve:
- Profile & body metrics (e.g., height, weight, max HR).
- Physiological & activity data such as sleep/wake, recovery, strain, HR/HRV summaries, workouts, and related timestamps (exact fields depend on scopes and API version v2).
- Event/webhook notifications indicating new data is available.
We do not collect your WHOOP password. We do not read data outside the scopes you granted.
5) Why we use your data (purposes & legal bases)
- Provide the service you requested (e.g., show trends, generate insights, sync workouts). Legal basis: contract/consent.
- Improve features and accuracy (aggregate/analytics, bug-fixing, forecasting). Legal basis: legitimate interests (balanced against your rights).
- Security, abuse prevention, and compliance with developer/API terms. Legal basis: legitimate interests/legal obligation. (developer.whoop.com)
If we rely on consent, you can withdraw it at any time (see §10).
6) How we use and share data
- We use your data inside our systems to provide you with charts, recommendations, and integrations you turn on.
- We may share data with processors (cloud hosting, error monitoring, analytics) bound by confidentiality and data-processing terms.
- We do not sell your personal data.
- If WHOOP terminates our API access, we will cease use and delete any cached/stored WHOOP content as required by WHOOP’s API Terms.
7) Data minimization & retention
- We store only the minimum data necessary for the features you enable.
- Tokens and WHOOP-derived data are retained only as long as needed to provide the feature(s), fulfill legal obligations, resolve disputes, or enforce agreements.
- If you disable the integration or revoke access, we delete tokens immediately and purge WHOOP-derived personal data from active systems within 30 days (backups within ~90 days), unless we must retain certain records by law or for legitimate interests (e.g., security logs).
8) Your choices & controls
- Disconnect WHOOP: revoke our access in your WHOOP account; we will delete tokens and purge personal data as above.
- Delete data: email us at admin@rentalshield.ai to request deletion of WHOOP-derived data we hold. We will confirm once completed (subject to lawful exceptions). WHOOP also offers member data rights directly.
- Access & portability: request a copy of your data.
- Correction: request corrections where applicable.
- Consent withdrawal: where we rely on consent, you may withdraw it.
9) Security
- We protect tokens and personal data using encryption in transit and at rest, role-based access, least-privilege principles, and secure key management.
- Production access is restricted; logs are monitored.
- We regularly review our controls against API-security best practices and WHOOP developer guidance.
10) International transfers
- Our infrastructure may be hosted outside your country. Where required, we use legally recognized safeguards for cross-border transfers (e.g., standard contractual clauses) and ensure processors meet comparable security and privacy obligations.
11) Children
- Our services are not directed to children under 13. Users must ensure they meet WHOOP’s age requirements and local law before connecting. (WHOOP indicates 13+ in certain partner docs; always defer to WHOOP’s own terms/policies and your local law.)
12) Legal bases & regional disclosures
- UAE: We align with the UAE Federal Decree-Law No. 45 of 2021 (PDPL) principles (lawfulness, fairness, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability).
- EEA/UK: If you are in the EEA/UK, we rely on GDPR/UK-GDPR legal bases listed in §5. You have GDPR rights to access, rectify, erase, restrict, object, and portability, and to complain to a supervisory authority.
- US (California): We do not “sell” personal information as defined by the CCPA/CPRA.
13) Third-party services
- Your WHOOP data remains subject to WHOOP’s own policies and terms while in WHOOP systems. See WHOOP’s privacy pages for details.
14) API versioning notice
- We support WHOOP API v2 and plan deprecation of any v1 usage before October 1, 2025, per WHOOP’s migration notice.
15) Changes to this policy
- We may update this policy to reflect changes in law, our services, or WHOOP API requirements. If changes are material, we will post a clear notice on theappshield.com and, where required, seek your consent again.
16) Contact
- Questions or requests: admin@rentalshield.ai
- Data Protection Contact: James Daniel / CEO
- Address: Wework, Hub71, Al Maryah Island, ADGM, Abu Dhabi, U.A.E.