This privacy policy explains how this application ("the App", "we", "us") collects, uses, stores and protects your personal data. The App is operated by John Glanville, based in the United Kingdom. This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. What data we collect
We collect the following data when you use the App:
- Account data: your username, email address, and hashed password.
- Strava data: activity history, GPS tracks, performance metrics, and other data you authorise us to access via the Strava API.
- Garmin data: activity and health data synced from your Garmin account where you choose to connect it.
- Location and activity data you record in the App: when you use the App's run-recording feature, the mobile app collects precise GPS location to record your route, distance, and pace. Location is only collected while you are actively recording or following a workout; recording continues in the background while a session is active so your track stays complete when your screen is off. We do not track your location when you are not in a recording session.
- Coaching data: training plans and AI coaching conversation history generated during your use of the App. Conversation history is capped at 500 messages and is deleted when you delete your account.
- Push notification data: if you enable notifications, we store the push token issued by Apple Push Notification service (iOS) or Firebase Cloud Messaging (Android) so we can send you activity and coaching alerts. You can disable notifications at any time in your device settings.
- Subscription data: if you subscribe to a paid tier or make a donation, we store your subscription status, tier, and the identifiers needed to manage it. Payments are processed by Stripe (web) or Apple (in-app purchase); we do not collect or store your full card details.
2. How we use your data
Your data is used solely to provide the App's coaching and analysis features to you. Specifically:
- Strava and Garmin activity data is used to generate personalised training plans and coaching insights for you.
- Your data is never shared with other users of the App.
- Your data is never sold, licensed, or disclosed to advertisers, data brokers, or other third parties.
- Your Strava data is not used, directly or indirectly, to train any artificial intelligence or machine learning model.
- Your data is not aggregated or combined with data from other users for any purpose.
3. Strava data
The App accesses your Strava data via the Strava API under the terms of the Strava API Agreement. Your Strava data is only ever displayed to you. If you revoke the App's access to your Strava account, or if you delete your App account, all Strava data stored by the App will be deleted within 48 hours.
Activity data obtained via Strava may include data sourced from Garmin devices. Where Garmin-sourced data is displayed, attribution is given to Garmin in accordance with Garmin's brand guidelines.
4. AI coaching
The App uses the OpenAI API to power its coaching features. Your activity data is sent to OpenAI to generate coaching responses. You can review OpenAI's privacy policy at openai.com/policies/privacy-policy.
5. Data storage and security
Your data is stored on secure servers. We use appropriate technical and organisational measures to protect your data from unauthorised access, loss, or disclosure. All data is transmitted over encrypted connections (HTTPS).
We retain your data for as long as you have an active account. You may request deletion of your data at any time (see Section 7).
6. Third-party services
The App integrates with the following third-party services:
- Strava — activity data. See Strava's Privacy Policy.
- Garmin — activity and health data. See Garmin's Privacy Statement.
- OpenAI — AI coaching. See OpenAI's Privacy Policy.
- Stripe — payment processing for web subscriptions and donations. See Stripe's Privacy Policy.
- Apple — in-app purchases and subscriptions on iOS. See Apple's Privacy Policy.
- Google Firebase Cloud Messaging — push notification delivery on Android. See Firebase's Privacy and Security information.
- Resend — transactional email (email verification, password reset). See Resend's Privacy Policy.
Strava's Privacy Policy shall take precedence over this policy in the event of any conflict with respect to Strava data.
7. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you.
- Correction: request that inaccurate data is corrected.
- Deletion: request deletion of all your personal data, including all stored Strava and Garmin activity data. Deletion will be completed within 48 hours of your request.
- Restriction: request that we restrict processing of your data.
- Portability: request your data in a machine-readable format.
- Objection: object to processing of your data.
- Withdraw consent: you may disconnect the App from your Strava account at any time via your Strava account settings. Upon disconnection, all Strava data held by the App will be deleted within 48 hours.
To exercise any of these rights, contact us at hello@runexpress.app. We will respond within 30 days.
You also have the right to lodge a complaint with the UK's data protection authority, the Information Commissioner's Office (ICO).
8. Cookies
The App uses a single session cookie to keep you logged in. This cookie is strictly necessary to provide the service and does not track you across other websites. No tracking, advertising, or analytics cookies are used. The session expires after 30 days of non-use or when you sign out.
9. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email. The date at the top of this page indicates when the policy was last updated.
10. Contact
For any privacy questions or requests, contact: hello@runexpress.app
