Privacy Policy

Version date: 26 June 2026 · Governing law: England and Wales · UK GDPR, Data Protection Act 2018 and applicable privacy and electronic communications legislation

1. Who we are

O.NEVO is operated by SLG Limited, a company registered in England and Wales under company number 16715958, whose registered office is at Unit 24 Brookside Business Park, Stone, Staffordshire, England, ST15 0RZ.

For the purposes of data-protection law, the data controller is:

In this Privacy Policy, “O.NEVO”, “we”, “our” and “us” refer to this legal entity.

2. When this Privacy Policy applies

This Privacy Policy applies when you:

• create or use an O.NEVO account;
• use the O.NEVO mobile application, website or wearable device;
• purchase or manage an O.NEVO membership;
• record workouts or synchronise fitness information;
• connect your account to a gym, personal trainer or coach;
• contact our customer-support team; or
• otherwise interact with O.NEVO.

Gym and trainer accounts

Where you receive O.NEVO through a gym, personal trainer, coach or other organisation, that organisation may be a separate data controller for information it collects or accesses about you.

Your onboarding screen or membership information should identify whether:

1. O.NEVO is the controller;
2. your gym or trainer is the controller and O.NEVO processes information on its instructions; or
3. O.NEVO and the gym or trainer are separate or joint controllers for specified purposes.

A gym or trainer that acts as a separate controller is responsible for providing its own privacy information and responding to requests concerning its processing.

O.NEVO remains a separate controller for purposes including account security, payment administration, fraud prevention, legal compliance and the operation of its own service.

3. Information we collect

3.1 Account and identity information

This may include:

• your name;
• email address;
• telephone number;
• account identifier;
• encrypted or hashed password;
• authentication records;
• login history; and
• age or confirmation that you are at least 18.

3.2 Profile information

This may include information you choose to provide, such as:

• date of birth or age;
• sex;
• height;
• weight;
• fitness level;
• exercise preferences;
• lifestyle information;
• goals;
• preferred units; and
• profile photograph.

You do not have to provide optional profile information, although some features or calculations may be less accurate without it.

3.3 Health, fitness and wellbeing information

Depending on the device and features you use, we may collect or calculate:

• heart rate;
• resting heart rate;
• heart-rate variability;
• estimated blood-oxygen saturation;
• respiratory rate;
• sleep duration and estimated sleep stages;
• physical activity;
• steps;
• movement;
• workouts;
• exercise duration and intensity;
• estimated strain or exertion;
• stress and recovery indicators;
• estimated energy expenditure and calories;
• nutrition information you enter;
• body measurements;
• menstrual or cycle-related information, where supported and voluntarily provided;
• readiness, recovery, strain, sleep or wellbeing scores;
• trends and comparisons derived from this information; and
• notes you add about your health, exercise or wellbeing.

These measurements and scores may be estimates and may not be clinically accurate.

3.4 Device and sensor information

This may include:

• wearable-device identifier and serial number;
• device model;
• firmware and software version;
• battery and charging information;
• Bluetooth connection information;
• mobile-device model and operating system;
• application version;
• IP address;
• crash reports;
• diagnostic logs; and
• device-performance information.

3.5 Location information

Where you give permission, we may collect:

• precise GPS coordinates and routes during outdoor workouts;
• workout start and finish locations;
• approximate location based on your device or IP address; and
• gym or venue proximity information where you enable geofencing.

You can normally disable precise location access through your mobile-device settings, but route recording and location-dependent features will then be unavailable.

We do not continuously collect precise GPS location unless this is clearly explained to you and you have enabled the relevant feature.

3.6 Payment and membership information

Payment-card information is processed by Stripe or another payment provider identified during checkout.

We generally receive:

• customer and transaction identifiers;
• membership plan;
• payment status;
• billing country;
• limited card information, such as card type and last four digits;
• invoices;
• refunds;
• failed-payment information; and
• membership start, renewal and cancellation dates.

We do not normally receive or store your complete card number or security code.

3.7 Trainer and coaching information

Where you connect to a gym, trainer or coach, we may process:

• the identity of the trainer or organisation;
• connection and consent records;
• information you have agreed to share;
• training plans;
• goals;
• messages;
• check-ins;
• comments;
• progress information; and
• changes made by the trainer to your programme.

3.8 Communications and support information

This may include:

• emails and messages;
• customer-support enquiries;
• complaints;
• survey responses;
• call records, where calls are recorded after notice;
• marketing preferences; and
• records showing which legal terms and consent wording you accepted.

4. Health and special-category information

For health information used to provide tracking, scores, insights and connected-trainer functionality, we normally rely on:

• Article 6(1)(b): processing necessary to perform our contract with you; and
• Article 9(2)(a): your explicit consent to the processing of health information.

Your health-data consent is collected separately from your acceptance of our general terms. You may withdraw that consent at any time through the application or by contacting us. Withdrawal does not make earlier processing unlawful.

Where you withdraw consent:

• we will stop the processing that depended on that consent;
• health-tracking, scoring and coaching features may stop working;
• we may retain limited information where required by law or necessary for legal claims; and
• you may close your account or end your membership in accordance with the Membership Terms.

We may process health information where necessary to establish, exercise or defend legal claims under Article 9(2)(f).

5. Where information comes from

We may receive information:

• directly from you;
• from the O.NEVO device;
• from your mobile phone or connected device;
• from Apple Health, Health Connect or another service you authorise;
• from a trainer, gym or coach you have connected to;
• from our payment provider;
• from our technical, security and customer-support providers; and
• from information generated by our scoring and analytics systems.

You can disconnect third-party integrations through the relevant application or device settings.

6. How and why we use information

6.1 Account and membership administration

We use account, profile, membership and payment information to: create and authenticate your account; provide the application and membership; deliver and register your device; process payments; maintain your membership; provide customer support; and communicate important service information.

Lawful basis: performance of our contract and compliance with legal obligations.

6.2 Health tracking, scores and insights

We use health, profile, sensor and workout information to: display your measurements and history; calculate fitness, sleep, strain, recovery or readiness indicators; provide trends, comparisons and general wellbeing insights; synchronise information between authorised devices; and restore your account history.

Lawful basis: performance of our contract under Article 6(1)(b), together with explicit consent under Article 9(2)(a).

6.3 Connected trainers and gyms

Where you actively connect to a trainer or gym, we use and disclose the information covered by your sharing selection so that they can: review your progress; provide coaching; create or adjust plans; communicate with you; and support your fitness goals.

Lawful basis: consent under Article 6(1)(a) and explicit consent under Article 9(2)(a) where health information is shared.

You can disconnect a trainer or gym at any time. Disconnecting stops future access but does not automatically delete copies lawfully retained by a trainer acting as a separate controller.

6.4 Security, fraud prevention and service integrity

We use account, payment, device and usage information to: protect accounts; investigate suspicious activity; prevent fraud; enforce our terms; detect misuse; maintain technical security; and respond to security incidents.

Lawful basis: our legitimate interests in protecting members and operating a secure service, and compliance with legal obligations.

6.5 Service communications

We use your contact details for essential communications, including: payment confirmations; security alerts; device or application notices; significant changes to our service; membership reminders; and privacy or legal notices.

Lawful basis: performance of our contract, legal obligation and legitimate interests.

These messages are not marketing and cannot always be disabled while you maintain an account.

6.6 Marketing

We may send marketing where you have consented or where another lawful electronic-marketing exemption applies. You can unsubscribe at any time. We will retain a minimal suppression record so that we can respect your request.

Lawful basis: consent or legitimate interests where legally permitted, together with applicable electronic-marketing rules.

6.7 Product development and analytics

We may use aggregated or properly anonymised information to understand usage, test features, improve algorithms and develop O.NEVO. Where identifiable health information is used for optional research, algorithm development or a purpose that is not necessary to provide your service, we will obtain additional explicit consent where required.

Lawful basis: legitimate interests for non-sensitive operational information; consent and explicit consent where required for identifiable health information.

6.8 Legal and regulatory purposes

We may process information to: maintain accounting and tax records; respond to lawful requests; resolve complaints; establish or defend legal claims; protect our legal rights; and comply with regulatory obligations.

Lawful basis: legal obligation and legitimate interests. Where health information is necessary for legal claims, we rely on Article 9(2)(f).

7. Scores, recommendations and automated processing

O.NEVO may automatically combine information such as sleep, heart rate, activity and previous trends to generate scores, classifications and general recommendations.

These calculations:

• are estimates;
• may be affected by incomplete or inaccurate sensor information;
• are intended to support personal fitness and wellbeing decisions;
• are not diagnoses or clinical assessments; and
• are not normally used to make decisions that produce legal or similarly significant effects about you.

We do not use readiness, recovery or similar scores to determine access to employment, insurance, credit, housing or medical treatment.

Where we introduce automated decision-making that has legal or similarly significant effects, we will provide additional information about the logic, consequences and applicable rights before using it.

8. Who receives your information

We may share information with:

• Supabase or our replacement hosting, database and authentication provider;
• Stripe or our replacement payment provider;
• cloud-hosting and backup providers;
• application distribution platforms;
• email, notification and customer-support providers;
• crash-reporting and security providers;
• analytics providers, where enabled with appropriate consent;
• mapping and map-tile providers;
• gyms, trainers and coaches you connect to;
• professional advisers, auditors and insurers;
• regulators, courts or public authorities where legally required;
• a purchaser or investor involved in a proposed sale, merger or reorganisation, subject to appropriate confidentiality measures; and
• other suppliers necessary to provide the service.

Our processors may only process information under our instructions and contractual safeguards. We do not sell personal information.

Current key providers

• Supabase: database, authentication, hosting, and account/authentication emails (such as sign-up confirmation and password reset).
• Stripe: membership and payment processing.
• OpenStreetMap Foundation: map data and map tiles used to display your workout routes.

We do not currently use a separate analytics, crash-reporting, advertising or third-party push-notification provider. Application notifications are generated on your device. If we introduce any such provider, we will update this list and obtain any consent required. This list must be updated when suppliers change.

9. International transfers

Some suppliers may process information outside the United Kingdom. Where personal information is transferred to a country that is not covered by UK adequacy regulations, we use an appropriate safeguard where required, such as:

• the UK International Data Transfer Agreement;
• the UK Addendum to approved EU Standard Contractual Clauses; or
• another lawful transfer mechanism.

We also assess whether additional technical or organisational measures are necessary. You may contact us for further information about the safeguards relevant to your information.

10. Retention

Unless a longer period is required by law or reasonably necessary for legal claims, we apply the following retention periods:

• Health, fitness, workout and precise location information: while your account is active and for 90 days after account closure.
• Account and profile information: while your account is active and for 12 months after account closure.
• Trainer-connection records: while the connection is active and for 12 months afterwards.
• Customer-support and complaint records: three years after the matter is closed.
• Security and diagnostic logs: normally no longer than 12 months.
• Payment, invoice, tax and accounting records: six years from the relevant transaction or end of the relevant accounting period.
• Consent and legal acceptance records: six years after account closure or withdrawal of the relevant consent.
• Marketing suppression records: for as long as reasonably necessary to respect your opt-out.
• Backups: removed or overwritten through the normal backup cycle, normally within 90 days after deletion from live systems.

Information may be retained for longer where a dispute or legal claim is ongoing; law or a regulator requires it; fraud or misuse is being investigated; or deletion is temporarily restricted by technical backup processes. At the end of the retention period, information will be deleted or anonymised.

11. Security

We use appropriate technical and organisational measures designed to protect personal information, including measures such as:

• encryption in transit and, where appropriate, at rest;
• access controls;
• account authentication;
• logging and monitoring;
• supplier due diligence;
• backup and recovery arrangements;
• staff confidentiality controls; and
• incident-response procedures.

No internet-connected service can be guaranteed to be completely secure. You are responsible for protecting your password, mobile device and connected accounts. Please notify us promptly if you believe your account or device has been compromised.

12. Your rights

Depending on the circumstances, you may have the right to: access your personal information; correct inaccurate or incomplete information; request deletion; restrict processing; object to processing based on legitimate interests; object to direct marketing; receive certain information in a portable format; withdraw consent; complain about automated decision-making where applicable; and complain to the Information Commissioner’s Office. Some rights are subject to legal exceptions.

To exercise a right, contact support@bigbearautomations.com. We may need to verify your identity before acting on the request. You may complain to the Information Commissioner’s Office (ico.org.uk) if you believe your information has been handled unlawfully. We would appreciate the opportunity to investigate your concern first.

13. Cookies, local storage and similar technologies

We use essential cookies, software-development kits and local storage where necessary to: keep you signed in; protect accounts; remember essential settings; operate checkout; and maintain security.

We do not currently use non-essential analytics or advertising cookies. If we introduce them, they will not be activated until any legally required consent has been obtained. You can manage cookies and site storage through your browser or device settings. Disabling essential storage may prevent the website or application from working correctly.

14. Children

O.NEVO is intended only for people aged 18 or over. We do not knowingly offer memberships to or collect personal information directly from children. If we discover that a child has created an account, we may suspend the account and delete the information, subject to legal requirements.

15. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes to our service, suppliers or legal obligations. We will publish the revised policy with a new version date. Where a change materially affects how we process health information or relies on consent, we will provide appropriate notice and obtain new consent where required.

16. Contact us

Privacy questions, complaints and rights requests should be sent to: