Legal

Privacy Policy

Last updated: 16 May 2026

English legal text

The full legal policy below is currently provided in English. The site navigation is localized, and if you need help understanding any section, email us at [email protected].

The short version

RowPilot is built so your data stays on your iPhone and Apple Watch by default. The few things that do leave your device are listed below — and the big one (Concept2 Logbook sync) only happens if you ask for it.

  • Your workouts, heart rate, and history live in your device's storage and Apple Health — not on our servers — unless you opt in to Concept2 Logbook sync.
  • If you connect a Concept2 Logbook account, we upload your sessions to Concept2 and keep an encrypted copy in our small sync database so the same workouts show up across your devices. Disconnect any time.
  • We run a tiny voice-coaching cache that sees the phrase to speak and an anonymous per-install ID — no name, no email, no health data.
  • We don't use advertising trackers, third-party analytics, or marketing pixels. We don't sell your data and we don't share it for advertising.

1. Who we are

RowPilot is an independent indoor-rowing coaching app for iPhone and Apple Watch. It is not affiliated with Concept2, Inc. or Apple Inc. The app and this website are operated by the RowPilot project. You can reach us at [email protected].

2. What runs on your device only

The following data is created, stored, and used entirely on your iPhone and Apple Watch. We have no access to it.

  • Rowing machine metrics received over Bluetooth from a Concept2 PM5 (pace, distance, stroke rate, power, drag factor, stroke counts, intervals).
  • Heart rate streamed from your Apple Watch during a workout via Apple's HealthKit / WatchConnectivity frameworks.
  • Completed workouts saved in the app's private storage as JSON files, used to draw your history and trends.
  • Award progress, plan state, and preferences stored in the app's local preferences.
  • Workouts written back to Apple Health, when you grant permission, so they appear in the Health app alongside your other activity.

You can wipe all of this at any time by deleting RowPilot from your device. Workouts you wrote to Apple Health remain there until you delete them in the Health app.

3. HealthKit and Apple Health

RowPilot uses Apple's HealthKit framework to read your heart rate during workouts and to write completed rowing sessions back to Health. HealthKit data never leaves your device through RowPilot — Apple's framework hands it to the app on-device, and we don't transmit it anywhere. Apple's own rules also prohibit us from using Health data for advertising or selling it.

You control HealthKit access from Settings → Health → Data Access & Devices → RowPilot. Revoking access only stops new data flowing; it does not delete sessions you previously chose to save to Health.

4. Bluetooth and your Concept2

RowPilot uses Bluetooth to discover and connect to a Concept2 PM5. The Bluetooth connection is point-to-point between your iPhone and the rower — none of that data is sent over the internet by RowPilot. The PM5 itself does not transmit personal information.

5. Onboarding: which rower you have

The first time you launch RowPilot, the app asks which rowing machine you own (Concept2 RowErg, WaterRower, Hydrow, etc., or "no rower yet"). After you pick one, the app sends that selection to our API at api.rowpilot.app together with a random per-install identifier (Apple's identifierForVendor, which resets when you delete the app). We use this to see which rowers our users actually own, so we can prioritise compatibility work.

We do not collect your name, email, or precise location. The only location signal we see is the two-letter ISO country code that Cloudflare derives from your IP address for the request (e.g. "US", "DE"). The request IP itself is visible to Cloudflare at the network layer but is not stored in our database alongside the rower row.

6. Concept2 Logbook (optional connection)

RowPilot can optionally connect to your Concept2 Logbook account so your RowPilot sessions appear in your Logbook history alongside any rows you do directly from the PM5. This is entirely opt-in: nothing about Logbook is touched unless you tap Connect Concept2 Logbook in the app.

What happens when you connect

  • You're sent to Concept2's own sign-in page in a secure web view. We never see your Concept2 password.
  • Concept2 hands our server an OAuth grant — an access token and a refresh token — scoped to reading your profile and (on supported environments) uploading results. We store these tokens server-side so we can talk to Concept2 on your behalf when the app asks us to.
  • We also store your Concept2 user ID and your Concept2 username, so the app can show "Connected as @yourname".

What we mirror to our database while you're connected

  • Workouts you complete in RowPilot — we upload them to Concept2 and keep a copy of the workout JSON (pace, distance, stroke samples, duration, etc.) so it can be re-served to your other devices.
  • Existing workouts already in your Concept2 Logbook — we pull them down so they show up in RowPilot's history view.

Every workout copy is encrypted at rest in our database with AES-256-GCM, using a key derived from your Concept2 user ID and a master key that lives only in the Worker's encrypted secret store. A database leak on its own would not expose your sessions in readable form.

What else we keep

  • A per-device app token — the bearer token your iPhone uses to call our API. We store only its SHA-256 hash, so a database leak doesn't hand out usable tokens. The token itself lives in the iOS Keychain on your device.
  • A short audit log of authenticated requests (timestamp, endpoint, HTTP status, your IP address, and user-agent) so we can detect suspicious access patterns. We plan to prune entries older than 90 days.

Disconnecting and deleting your data

Tapping Disconnect in RowPilot revokes the app token for that device immediately — that device can no longer read or write your Logbook through us. To also revoke the underlying OAuth grant from Concept2's side, sign in at log.concept2.com and remove RowPilot from your connected apps. If you also want us to delete the mirrored workouts, OAuth tokens, and audit-log entries we hold for you, email [email protected] and we'll do it within 30 days.

Concept2's handling of your Logbook account and the workouts in it is governed by Concept2's own privacy policy.

7. Voice coaching cues

If you turn on voice coaching, RowPilot generates spoken cues like "halfway there" or "ease off the pace" by sending the cue text to a Cloudflare Worker we operate. That worker proxies the request to ElevenLabs, our text-to-speech provider, and caches the audio so the same phrase is never generated twice.

Each request includes:

  • The text to speak (a short coaching phrase — never your name, location, or health metrics).
  • A random per-install identifier used solely to enforce per-device rate limits, so a leaked client key can't be abused.
  • The standard request metadata your network connection always includes (IP address, user-agent), which Cloudflare uses for transport security and DDoS protection.

We don't link this identifier to you or your workouts. The cached audio is stored in Cloudflare R2 keyed by a hash of the phrase, so we have no way to look up "what cues did this user hear." ElevenLabs receives only the phrase text and standard request metadata; their privacy policy applies to that processing.

8. We don't run analytics or trackers

RowPilot does not embed third-party analytics SDKs (no Firebase, Mixpanel, Amplitude, Sentry, Crashlytics, advertising SDKs, or social-media pixels). We don't track which screens you view or which buttons you tap. Apple's standard App Store / TestFlight tooling reports aggregate, anonymous install and crash statistics to us — you can opt out in Settings → Privacy & Security → Analytics & Improvements.

9. This website and our API

The marketing site at rowpilot.app is a static page hosted on Cloudflare Pages. It does not set first-party cookies, run analytics, or include marketing trackers. Cloudflare logs standard request metadata (IP address, user-agent, timestamp, URL) at the network layer for security, abuse prevention, and basic operational diagnostics — this is the same processing Cloudflare performs for any site behind their proxy.

The site loads the Inter typeface from rsms.me, a third-party CDN, which means your browser's IP address is visible to that host when fetching the font. We may move the font in-house in a future revision.

Our backend at api.rowpilot.app is the small Cloudflare Worker described in sections 5, 6, and 7 above (onboarding, Concept2 Logbook sync, voice cues). It is the only RowPilot server that holds your data.

10. Children

RowPilot is intended for adults learning to row indoors. We don't knowingly collect personal information from anyone under 13. If you believe a child has provided personal data to us, please email [email protected] and we'll delete it.

11. International users

By default the app stores your data locally on your device, wherever you are. Our Cloudflare Worker (the onboarding, voice-coaching, and optional Logbook-sync backend) runs on Cloudflare's global edge, with the D1 database currently hosted in Cloudflare's Western Europe region. ElevenLabs processes voice-cue phrase text on infrastructure they operate, and — if you connect Concept2 Logbook — Concept2 processes your workouts on infrastructure they operate. Wherever you are in the world, the data flows described above are the same.

12. Your rights

For data stored on your device, you have full control: every screen in RowPilot is acting on your own copy. To wipe it, delete the app.

For data we hold on our servers — the onboarding rower selection, and, if you've connected Concept2 Logbook, your Concept2 OAuth tokens, mirrored workouts, app token hash, and audit-log entries — you can ask us to access, export, or delete it. Email [email protected] from any address you like and tell us your Concept2 username (and/or the approximate date you first installed the app) and we'll find your records and respond within 30 days.

13. Changes to this policy

If we add a feature that meaningfully changes what we collect (for example, adding accounts, social features, or analytics), we'll update this page and bump the "last updated" date at the top. Material changes will also be called out in the app.

14. Contact

Questions, requests, or concerns: [email protected].