Two Twenty Two
Privacy Policy
Effective: June 3, 2026
Who we are
Two Twenty Two (the “Two Twenty Two” or “222” app) is made by Duane Labs Inc. (“Duane Labs,” “we,” “our,” “us”), a company based in New York, NY, USA. This Privacy Policy describes how we collect, use, and share information when you use the Two Twenty Two mobile app and related services at twotwentytwo.app (collectively, the “Service”).
If you have questions about this policy or your data, contact us at privacy@duanelabs.com.
Information we collect
2.1 Account information
When you sign up, we collect your email address. We use email as your account identifier and to send one-time passcodes (OTPs) for sign-in. We do not collect your real name, phone number, physical address, or payment information.
2.2 Activity and training data
When you connect a third-party fitness service (such as Garmin Connect, COROS, Apple Health, Polar, or Wahoo — typically routed through our data aggregator, Terra), we receive the workout data those services hold for you, including:
- Activity summaries: distance, duration, pace, elapsed time, and start time
- Heart rate, GPS routes, elevation, cadence, power, and other recorded streams
- Per-lap and per-interval splits
- Activity titles, types, and timestamps
- Athlete identifiers issued by those services (e.g., your Garmin athlete ID)
We use this data to compute your fitness metrics (critical speed, threshold pace, heart rate and pace zones, race predictions) and to generate personalized coaching feedback.
If you choose to connect Apple Health, the app reads your workout and related fitness data (such as runs, heart rate, route/location, and VO2 max) directly from Apple HealthKit on your device, with your permission, and syncs it to Two Twenty Two via Terra. You grant this access through the iOS Health permission sheet, and you can revoke it at any time in the iOS Settings app. We only read the data needed for running and fitness analysis, and we do not write any data back to Apple Health.
2.3 Coaching conversations
The Two Twenty Two coach is an AI-generated chat interface. We store:
- Messages you send to the coach
- Coach responses generated on your behalf
- Workout plans, schedule edits, and proposals that arise from those conversations
To generate coach responses, we send relevant portions of your workout data and message history to Anthropic, Inc. (the Claude API). Anthropic processes this data under their own terms and, as of the effective date of this policy, does not train models on commercial API traffic.
2.4 Device and technical information
- iOS device push notification token (so we can send you notifications)
- App version, OS version, and device timezone (for support and to render times correctly)
- IP address and request logs maintained by our hosting providers
2.5 What we do not collect
- We do not collect your contacts, photos, microphone, or camera data
- We do not collect device location independently of the GPS streams that arrive via your connected fitness service
- We do not collect payment information
- We do not use third-party analytics or advertising SDKs
How we use your information
We use the information we collect to:
- Provide the Service: import your workouts, run analytics, generate coach feedback, and deliver push notifications
- Authenticate you (email OTP)
- Operate, maintain, and improve the Service
- Respond to your support requests
- Comply with legal obligations
We do not sell your personal information. We do not share your information with advertisers. We do not use your information for cross-context behavioral advertising.
Service providers we share with
We share information with the following service providers solely to operate the Service:
- Supabase Inc. (authentication and database hosting): your email, account record, and all workout, coaching, and schedule data are stored on Supabase’s PostgreSQL database in the United States.
- Anthropic, Inc. (LLM provider): workout summaries and coach messages are sent to the Claude API to generate personalized coach responses.
- Apple Inc. (push notifications): your device push token and notification content (e.g., “Your coach posted a new note”) are transmitted via Apple Push Notification service.
- Vercel Inc. (web hosting and serverless functions): standard request logs (IP address, request paths, user agent) are retained by Vercel as part of normal hosting operations.
- Terra (tryterra.co) is our data aggregator and sub-processor: when you connect a watch ecosystem (Garmin, COROS, Apple Health, Polar, Wahoo, etc.), Terra receives the data from that service and forwards it to Two Twenty Two. Terra has its own privacy policy that applies to its handling of your data.
- Third-party fitness services you connect (such as Garmin Connect, COROS, Apple Health, Polar, Wahoo, and additional services we add over time): we receive your workout data from these services via Terra. We do not write data back to them. These services have their own privacy policies that apply to your relationship with them.
We do not transfer personal data to any other third parties for their own use.
How long we keep your data
We keep your data for as long as your account is active. When you delete your account from the iOS app (Settings → Account settings → Delete account), we permanently delete:
- Your email and authentication record
- All your workout data, coach history, planned workouts, and fitness models
- Your device push tokens
- Your authentication tokens for connected fitness services
Some operational logs (request logs at Vercel, error logs in our system) that do not contain personally identifying information may persist for up to 30 days for security and debugging purposes.
If you uninstall the app from your device but do not delete your account, your data remains. We do not currently auto-delete inactive accounts.
Your rights and choices
6.1 All users
- Access: email privacy@duanelabs.com and we will provide a copy of the personal data we hold about you within 30 days.
- Delete: open the iOS app → Settings → Account settings → Delete account. This is immediate and permanent.
- Correct: most data we hold is data you have provided or that has been synced from a fitness service you connected. To correct it, update the source.
6.2 California residents (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act, including:
- The right to know what personal information we collect, use, and disclose
- The right to delete personal information
- The right to correct inaccurate personal information
- The right to opt out of the sale or sharing of personal information (we do not sell or share personal information for advertising purposes)
- The right to limit the use of sensitive personal information
- The right to non-discrimination for exercising these rights
To exercise any of these rights, email privacy@duanelabs.com.
6.3 EU / UK residents (GDPR)
If you are in the European Economic Area or the United Kingdom, you have rights under the GDPR or UK GDPR including the rights to access, rectify, erase, restrict, and port your personal data, and to object to processing. You also have the right to lodge a complaint with your local supervisory authority.
Our legal basis for processing is your consent (where required) and our legitimate interest in providing the Service. By using the Service, you consent to the transfer of your data to our service providers in the United States. Where transfers require additional safeguards, we rely on Standard Contractual Clauses or other appropriate mechanisms.
To exercise GDPR or UK GDPR rights, email privacy@duanelabs.com.
Data security
We use industry-standard practices to protect your data, including:
- HTTPS for all network traffic
- Encryption at rest for stored data (provided by Supabase)
- JWT-based authentication for the iOS app
- Scoped, refreshable access tokens for connected fitness services
- Rate limiting on authentication endpoints
No system is perfectly secure. If we become aware of a data breach affecting your personal information, we will notify you and applicable regulators in accordance with applicable law.
Health and fitness data
The data Two Twenty Two collects is fitness and training data, not medical or clinical data. Two Twenty Two:
- Is not a healthcare provider
- Is not a HIPAA-covered entity under the U.S. Health Insurance Portability and Accountability Act
- Reads workout and fitness data from Apple HealthKit only when you choose to connect Apple Health and grant permission
- Provides coaching analysis for informational purposes only
The coaching, race predictions, and training recommendations the Service provides are not medical advice. Consult a qualified healthcare professional before starting or modifying any training program.
Children's privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, contact us at privacy@duanelabs.com and we will delete it.
International users
The Service is operated from the United States and our service providers store data in the United States. By using the Service, you consent to the transfer of your information to the United States. Privacy laws in the United States may differ from those in your home country.
Changes to this policy
We may update this Privacy Policy from time to time. The “Effective” date at the top of this page reflects the most recent revision. For material changes, we will provide additional notice (such as via email or in-app notification) before the changes take effect.
Contact
If you have any questions about this Privacy Policy or our practices, please contact us at:
Duane Labs Inc.
159 Duane Street
New York, NY 10013
privacy@duanelabs.com