This document describes the technical safeguards and data lifecycle controls Vista Data
implements to comply with the Garmin Connect Developer Program Agreement.
Garmin user grants are obtained via OAuth 2.0 Authorization Code flow with Proof Key for Code
Exchange (PKCE) using the SHA-256 challenge method. Vista Data does not store or transmit
any Garmin user passwords. Access and refresh tokens are sealed at the application layer
using Fernet authenticated encryption (AES-128-CBC with HMAC-SHA256 integrity protection)
before being persisted to PostgreSQL. The Fernet master key is sourced exclusively from the
deployment environment and is never embedded in source code or version control. Access
tokens are refreshed automatically upon expiration. Any 401 response from a Garmin endpoint
triggers a forced token refresh followed by a single retry of the original request.
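The paragraph above names three mechanisms that are easy to get subtly wrong: the S256 challenge derivation, sourcing the sealing key only from the environment, and the "401 forces one refresh, then exactly one retry" policy. The following is an added Python example written for this document; it is not Vista Data's code, and the `GarminClient`, `TokenSet` and `load_master_key` names, the `FERNET_MASTER_KEY` variable name, and the fake transport are assumptions. It uses only the standard library, so the Fernet seal itself (which would be `cryptography.fernet.Fernet(key)` on the returned key) is left out; the loader only enforces the key's origin and shape.

```python
import base64
import hashlib
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional, Tuple


def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding, as RFC 7636 defines it."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    # 32 random bytes -> 43-char URL-safe verifier with padding stripped (spec: 43..128 chars)
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    return secrets.compare_digest(s256_challenge(verifier), challenge)


def load_master_key(env_var: str = "FERNET_MASTER_KEY",
                    environ: Optional[Mapping[str, str]] = None) -> bytes:
    """Source the token-sealing key from the environment only; refuse to start without it.
    A Fernet key is 32 random bytes, URL-safe base64 encoded (44 characters with padding).
    The env var name is an assumption for this example."""
    env = os.environ if environ is None else environ
    raw = env.get(env_var)
    if not raw:
        raise RuntimeError(f"{env_var} is not set; refusing to start without a sealing key")
    decoded = base64.urlsafe_b64decode(raw.encode("ascii"))
    if len(decoded) != 32:
        raise RuntimeError(f"{env_var} must decode to 32 bytes, got {len(decoded)}")
    return raw.encode("ascii")  # ready to hand to cryptography.fernet.Fernet(key)


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str


# Transport: callable (method, url, headers) -> (status, body), injected so the retry
# policy can be exercised offline against a constructed fake endpoint.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


class GarminClient:
    def __init__(self, tokens: TokenSet, transport: Transport,
                 refresh: Callable[[str], TokenSet]) -> None:
        self.tokens = tokens
        self._transport = transport
        self._refresh = refresh
        self.refresh_count = 0

    def get(self, url: str) -> Tuple[int, str]:
        """GET with the policy in the text: a 401 forces one refresh and exactly one retry."""
        status, body = self._transport("GET", url, self._auth_headers())
        if status != 401:
            return status, body
        self.tokens = self._refresh(self.tokens.refresh_token)
        self.refresh_count += 1
        # Single retry only; a second 401 goes back to the caller instead of looping.
        return self._transport("GET", url, self._auth_headers())

    def _auth_headers(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.tokens.access_token}"}


def demo(stale_after_refresh: bool = False) -> Tuple[int, int, int]:
    """Constructed fake endpoint: rejects 'stale-token', accepts 'fresh-token'.
    Returns (final status, number of HTTP calls made, number of refreshes performed)."""
    calls = []

    def fake_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        calls.append(headers["Authorization"])
        if headers["Authorization"] == "Bearer fresh-token":
            return 200, '{"ok": true}'
        return 401, ""

    def fake_refresh(refresh_token: str) -> TokenSet:
        # Optionally hand back a still-rejected token to show that the retry is capped at one.
        new = "stale-token" if stale_after_refresh else "fresh-token"
        return TokenSet(new, refresh_token)

    client = GarminClient(TokenSet("stale-token", "rt-1"), fake_transport, fake_refresh)
    status, _ = client.get("https://example.invalid/garmin")  # URL is a placeholder
    return status, len(calls), client.refresh_count


if __name__ == "__main__":
    v, c = make_pkce_pair()
    print("PKCE verifies:", verify_pkce(v, c), "| retry demo:", demo(), demo(True))
```

The retry cap is the part worth checking in review: if the refreshed token is also rejected, `get` returns the second 401 rather than looping, which is what keeps a revoked grant from turning into a refresh storm.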
Vista Data requests access only to the categories of biometric, health, and athletic data
necessary to operate the core service: activity telemetry, heart rate, HRV, sleep, stress, body
battery, and related wellness metrics. Ingested data is processed solely to generate athletic
optimization insights, real-time cadence and heart-rate analysis, recovery-state coaching, and
predictive fatigue modeling — within each user's individual athlete profile. Individual user data is
not used to train global or cross-user machine-learning models.
Every database query against telemetry, coaching cues, activities, wellness records, and OAuth
tokens is parameterized on the requesting athlete's identifier. Real-time data streams over
WebSocket are scoped per athlete at the broadcaster. When and where Vista Data offers
team-coached functionality, coach access is gated on an explicit consent record per
athlete-coach pairing.
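As an added illustration of the two controls just described (every query bound to the requesting athlete's identifier, and coach reads gated on an explicit consent row), here is a small Python data-access layer. It is example code written for this document, not Vista Data's; it uses an in-memory SQLite database as a stand-in for PostgreSQL, and the table and column names (`wellness`, `coach_consent`, `athlete_id`) are assumptions.

```python
import sqlite3
from typing import List, Tuple


def open_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the production tables, seeded with two athletes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wellness (id INTEGER PRIMARY KEY, athlete_id TEXT NOT NULL, "
                 "metric TEXT NOT NULL, value REAL NOT NULL)")
    conn.executemany("INSERT INTO wellness (athlete_id, metric, value) VALUES (?, ?, ?)", [
        ("ath-1", "hrv", 62.0), ("ath-1", "sleep_hours", 7.5), ("ath-2", "hrv", 48.0),
    ])
    conn.execute("CREATE TABLE coach_consent (athlete_id TEXT NOT NULL, coach_id TEXT NOT NULL, "
                 "PRIMARY KEY (athlete_id, coach_id))")
    conn.execute("INSERT INTO coach_consent VALUES ('ath-1', 'coach-9')")
    conn.commit()
    return conn


def wellness_for_athlete(conn: sqlite3.Connection, athlete_id: str,
                         metric: str) -> List[Tuple[str, float]]:
    """Every read binds the requesting athlete's id as a query parameter. The id is a
    required positional argument, so no code path can run this query unscoped, and the
    metric is bound too, so a crafted metric string cannot widen the WHERE clause."""
    return conn.execute(
        "SELECT metric, value FROM wellness WHERE athlete_id = ? AND metric = ?",
        (athlete_id, metric),
    ).fetchall()


def coach_may_view(conn: sqlite3.Connection, coach_id: str, athlete_id: str) -> bool:
    """Coach access is gated on an explicit consent row for this exact athlete-coach pairing."""
    row = conn.execute(
        "SELECT 1 FROM coach_consent WHERE athlete_id = ? AND coach_id = ?",
        (athlete_id, coach_id),
    ).fetchone()
    return row is not None


def wellness_for_coach(conn: sqlite3.Connection, coach_id: str, athlete_id: str,
                       metric: str) -> List[Tuple[str, float]]:
    """The coach path reuses the athlete-scoped query; it never gets its own wider one."""
    if not coach_may_view(conn, coach_id, athlete_id):
        raise PermissionError(f"{coach_id} has no consent record for {athlete_id}")
    return wellness_for_athlete(conn, athlete_id, metric)


if __name__ == "__main__":
    db = open_db()
    print(wellness_for_athlete(db, "ath-1", "hrv"))
    print(coach_may_view(db, "coach-9", "ath-1"), coach_may_view(db, "coach-9", "ath-2"))
```

The design point is that there is one scoped read function and the coach path composes it after the consent check, so a reviewer only has to verify a single WHERE clause rather than auditing every caller.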
Connections to Vista Data are served over TLS 1.3, terminated at Cloudflare. All data at rest is
encrypted at the disk level by the managed PostgreSQL provider. Garmin OAuth credentials
carry an additional application-layer Fernet encryption as described in Section 1, providing
defense in depth.
On a user's disconnection request, Vista Data:
On 5xx or unrecoverable errors from Garmin's deregistration endpoint, Vista Data retains local
state, surfaces the failure to the operations team, and retries on a defined schedule; the user is
acknowledged within 48 hours and the full procedure completes within 30 days.
Garmin push notifications are verified at the application boundary via HMAC-SHA256 signature
over the raw request body before any payload parsing or downstream processing. Signature
verification failure terminates the request with HTTP 401 and zero side effects. Verified payloads
carrying an activityFileId are dereferenced via authenticated outbound GET to the
Garmin-provided callbackURL — Vista Data does not construct download URLs from
notification fields, preventing server-side request forgery against unauthorized hosts.
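The ordering in the paragraph above (verify the HMAC over the raw bytes, reject with 401 and no side effects, only then parse, then use the Garmin-provided `callbackURL` as the GET target) is shown below as an added Python example written for this document. It is not Vista Data's code: the signature header name, the host allowlist, the shared secret, and the payload layout around the `activityFileId` and `callbackURL` fields are all assumptions or constructed test data. It also goes one step beyond the text by checking that the supplied callback is an https URL on an allowlisted host before queueing it.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Mapping, Tuple
from urllib.parse import urlsplit

SIGNATURE_HEADER = "X-Signature-SHA256"        # header name is an assumption for this example
ALLOWED_CALLBACK_HOSTS = {"apis.garmin.com"}   # allowlist is an assumption for this example


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes on the wire (used here to build test requests)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, presented: str) -> bool:
    """Constant-time comparison against the recomputed MAC; runs before any parsing."""
    expected = sign_body(secret, raw_body).encode("ascii")
    return hmac.compare_digest(expected, presented.strip().lower().encode("utf-8"))


def callback_is_allowed(url: str) -> bool:
    """Accept only an https URL whose host is on the allowlist; nothing is assembled from fields."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_CALLBACK_HOSTS


def handle_push(secret: bytes, headers: Mapping[str, str], raw_body: bytes,
                download_queue: List[Dict[str, str]]) -> Tuple[int, str]:
    """Webhook boundary. Order matters: signature check on raw bytes -> 401 with no side
    effects on failure -> only then JSON decode -> queue (activityFileId, callbackURL)."""
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented or not verify_signature(secret, raw_body, presented):
        return 401, "invalid signature"
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, "malformed body"
    for item in payload.get("activityFiles", []):   # list key is a constructed assumption
        file_id = item.get("activityFileId")
        callback = item.get("callbackURL")
        if not file_id or not callback or not callback_is_allowed(callback):
            continue  # skip rather than guess a URL; an operator alert would belong here
        # The Garmin-provided callbackURL is used verbatim as the later GET target.
        download_queue.append({"activityFileId": str(file_id), "callbackURL": callback})
    return 200, "accepted"


def demo() -> Dict[str, object]:
    """Constructed requests: a valid one, a tampered body with the old MAC, and an unsigned one."""
    secret = b"constructed-shared-secret"
    body = json.dumps({"activityFiles": [
        {"activityFileId": "12345",
         "callbackURL": "https://apis.garmin.com/example/activityFile?id=12345"},  # constructed
        {"activityFileId": "12346",
         "callbackURL": "http://not-garmin.invalid/file"},                          # constructed
    ]}).encode("utf-8")
    good_headers = {SIGNATURE_HEADER: sign_body(secret, body)}
    queue: List[Dict[str, str]] = []
    results: Dict[str, object] = {}
    results["valid"] = handle_push(secret, good_headers, body, queue)
    tampered = body.replace(b"12345", b"99999", 1)
    results["tampered"] = handle_push(secret, good_headers, tampered, queue)
    results["unsigned"] = handle_push(secret, {}, body, queue)
    results["queued"] = [q["activityFileId"] for q in queue]
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry the security property: `verify_signature` hashes `raw_body` exactly as received (re-serialising parsed JSON would let a tampered body with the same canonical form pass), and the queue is only touched after the check, so a rejected request leaves no record behind.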
Vista Data enforces an absolute prohibition on the commercialization of user data. No
Garmin-derived biometric, health, or athletic data will be sold, traded, rented, or transferred to
third-party data brokers, advertising networks, or external analytics firms. This restriction applies
universally, including to anonymized or aggregated derivatives.
In the event of unauthorized access or breach affecting Garmin-derived user data, Vista Data
will notify affected users and Garmin's developer program within 72 hours of discovery, in
accordance with applicable data-protection regulations.
Technical and compliance inquiries: security@vistadata.io.