Privacy Policy
Last updated: December 27, 2025
1. Introduction
RunPaced ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
This policy applies to all users of RunPaced, including users in the European Economic Area (EEA) and United Kingdom, and complies with the General Data Protection Regulation (GDPR) and other applicable privacy laws.
2. Information We Collect
2.1 Account Information
- Email address (required for account creation)
- Full name (optional)
- Profile picture (if using social login)
- Password (hashed, never stored in plain text)
2.2 Usage Data
- GPX files you upload (stored securely)
- Race plans you create
- Goal times and pacing preferences
- Post-race analysis data
- Race contributions you submit
2.3 Connected Services Data
- Strava: When connected, we access your activity history to calculate fitness metrics. We store your athlete ID, name, and encrypted OAuth tokens.
- Garmin: When connected, we can sync courses to your Garmin account. We store your Garmin user ID and encrypted OAuth tokens.
2.4 Technical Data
- IP address (for security and fraud prevention)
- Browser type and version
- Device type and operating system
- Pages visited and actions taken
- Date and time of visits
- Referral source
2.5 Payment Information
Payment details are processed securely by Stripe. We do not store your full credit card number, CVV, or other sensitive payment details. We only receive confirmation of payment status and a customer ID for subscription management.
3. Legal Basis for Processing (GDPR)
Under GDPR, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide our Service (account creation, race plan generation, etc.)
- Consent: For marketing emails and analytics cookies (you can withdraw consent at any time)
- Legitimate Interests: For security, fraud prevention, and service improvement
- Legal Obligation: For compliance with tax and legal requirements
4. How We Use Your Information
- To provide, operate, and maintain the Service
- To process transactions and manage subscriptions
- To generate personalized pacing recommendations
- To send transactional emails (confirmations, receipts, password resets)
- To respond to customer support requests
- To analyze usage patterns and improve the Service
- To detect and prevent fraud, abuse, and security incidents
- To send marketing communications (only with your consent)
5. Third-Party Services
We share data with the following third-party services to operate our Service:
| Service | Purpose | Data Shared |
|---|---|---|
| Neon | Database | Account data, race plans |
| Cloudflare R2 | File storage | GPX files, images |
| Stripe | Payment processing | Email, payment information |
| Vercel | Hosting and CDN | Technical logs, IP addresses |
| Resend | Transactional email | Email address, name |
| Sentry | Error monitoring | Error logs, technical data |
All third-party services are carefully selected and contractually bound to protect your data in accordance with applicable privacy laws.
6. Data Storage and Security
We implement industry-standard security measures to protect your data:
- All data is encrypted in transit using TLS 1.3
- Sensitive data is encrypted at rest using AES-256
- OAuth tokens are encrypted before storage
- Passwords are hashed using bcrypt
- Regular security audits and penetration testing
- Access controls and audit logging
Your data is primarily stored in the United States on servers operated by our infrastructure providers (Neon, Cloudflare, Vercel). We ensure appropriate safeguards are in place for international transfers.
7. Your Rights (GDPR & CCPA)
You have the following rights regarding your personal data:
- Right to Access: Request a copy of all personal data we hold about you. You can do this through Settings > Privacy > Export My Data.
- Right to Rectification: Correct any inaccurate personal data in your account settings.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your account and all associated data. You can do this through Settings > Privacy > Delete Account.
- Right to Data Portability: Receive your data in a structured, machine-readable format (JSON).
- Right to Object: Object to processing based on legitimate interests.
- Right to Restrict Processing: Request limitation of processing in certain circumstances.
- Right to Withdraw Consent: Withdraw consent for marketing and analytics at any time.
To exercise any of these rights, use the in-app settings or contact us at privacy@runpaced.com. We will respond within 30 days.
8. Cookies and Tracking
We use cookies and similar technologies for authentication, security, and analytics. See our Cookie Policy for detailed information.
Essential cookies are required for the Service to function. Analytics cookies are only set with your consent. You can manage cookie preferences at any time.
9. Data Retention
We retain your data for as long as your account is active. After account deletion:
- Personal data is deleted within 30 days
- Backup copies are deleted within 90 days
- Anonymized usage data may be retained for analytics
- Payment records are kept for 7 years for tax compliance
- Security logs are retained for 1 year
10. Children's Privacy
RunPaced is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at privacy@runpaced.com.
11. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. For transfers from the EEA/UK:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
- Our US providers participate in data protection frameworks where applicable
- We assess the data protection laws of destination countries
12. Changes to This Policy
We may update this Privacy Policy periodically. For significant changes:
- We will notify you by email at least 30 days before changes take effect
- We will display a prominent notice in the Service
- The "Last updated" date at the top will be revised
Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Data Protection Officer
For privacy-related inquiries, you can contact our Data Protection team:
- Email: privacy@runpaced.com
- Response time: Within 30 days
If you are in the EU/UK and believe your rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority.