Privacy Policy
Last Updated: February 10, 2026
1. Data Controller
RunPact is operated by Piotr Lewanda (sole proprietor), based in Poland. For all privacy-related inquiries, you can reach us at:
- Email: contact@runpact.com
As the data controller, we determine the purposes and means of processing your personal data as described in this policy.
2. Information We Collect
We collect the following categories of personal data:
- Account information: name, email address, and password (hashed) when you create an account.
- Profile and preferences: unit preferences, pace display settings, profile visibility settings, and onboarding progress.
- Athletic data: GPX files you upload (containing GPS coordinates, elevation, timestamps), training zones, race goals, and activity history.
- Strava data: if you connect your Strava account, we access your activity data (routes, times, distances, heart rate) as authorized by you during the Strava OAuth flow.
- Payment information: subscription status and billing history. We do not store credit card numbers — all payment processing is handled by Stripe.
- Technical data: error reports (via Sentry, with no personally identifiable information), browser type, and device information collected automatically.
3. Legal Basis for Processing
Under the GDPR, we process your data based on the following legal grounds:
- Contractual necessity (Art. 6(1)(b)): processing your account, athletic, and payment data is necessary to provide the RunPact service you signed up for — including training plan generation, GPX analysis, race predictions, and subscription management.
- Consent (Art. 6(1)(a)): sharing anonymized data for ML model improvements. You can opt in during onboarding or in your account settings, and withdraw consent at any time.
- Consent (Art. 6(1)(a)): connecting third-party accounts such as Strava. You authorize specific data access during the OAuth flow and can disconnect at any time.
- Legitimate interest (Art. 6(1)(f)): error tracking (via Sentry) to maintain service reliability and security. We minimize data collection — no personally identifiable information is sent to Sentry.
4. How We Use Your Information
We use your data to:
- Provide, maintain, and improve the RunPact service (training plans, GPX analysis, race predictions, 3D course visualization).
- Personalize your experience based on your preferences and athletic profile.
- Process subscription payments via Stripe.
- Synchronize activities from Strava when you connect your account.
- If you consent, use anonymized training and race data to improve our machine learning prediction models.
- Monitor and fix errors to maintain service reliability (via Sentry, without PII).
- Communicate with you about your account, service updates, or responses to your inquiries.
5. Service Providers and International Transfers
We share your data with the following third-party service providers ("sub-processors") who help us operate RunPact. Some of these providers are based outside the European Economic Area (EEA). Where data is transferred outside the EEA, it is protected by Standard Contractual Clauses (SCCs) or the provider's participation in recognized data protection frameworks.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | USA |
| Stripe | Payment processing, subscription management | USA |
| Vercel | Frontend hosting, delivery, and privacy-friendly analytics (no cookies, no PII) | USA (global CDN) |
| Railway | Backend API hosting | USA |
| Sentry | Error tracking (no PII collected) | USA |
| Strava | Activity sync (only if you connect your account) | USA |
| Mapbox | Map tiles for 3D visualization | USA |
We do not sell your personal data. We only share data with the providers listed above, and only to the extent necessary to operate the service.
6. Strava Integration
If you choose to connect your Strava account, we access your activity data (routes, distances, times, heart rate, and related metrics) through Strava's OAuth authorization flow. You control which data is shared during the authorization process.
- We use your Strava data to display your activities in RunPact, enrich training analysis, and improve race predictions.
- We do not post to your Strava account or modify your Strava data.
- You can disconnect your Strava account at any time from the RunPact Settings page, which stops further data synchronization.
- To fully revoke RunPact's access, you can also remove RunPact from your authorized applications in your Strava account settings.
7. Data Retention
- Account data: retained for as long as your account is active. If you delete your account, your personal data is deleted within 30 days.
- GPX files and analysis: retained for as long as your account is active and deleted upon account deletion.
- Training plans: retained for as long as your account is active and deleted upon account deletion.
- Payment records: Stripe retains transaction records in accordance with its own retention policy and applicable financial regulations. We retain subscription status data for the duration of your account.
- Error logs (Sentry): automatically deleted after 90 days. No personally identifiable information is included.
- Anonymized ML data: if you consented to data sharing, anonymized data may be retained indefinitely as it cannot be linked back to you.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data. These include encrypted data transmission (HTTPS/TLS), secure authentication via Supabase, and access controls on our backend systems. However, no system is completely secure, and we cannot guarantee absolute security.
9. Your Rights (GDPR)
As a user in the European Economic Area, you have the following rights under the General Data Protection Regulation:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate data. You can update most information directly in your account settings.
- Right to erasure (Art. 17): request deletion of your personal data. You can delete your account from your account settings, or contact us at contact@runpact.com.
- Right to data portability (Art. 20): request your data in a structured, machine-readable format.
- Right to restrict processing (Art. 18): request that we limit how we process your data in certain circumstances.
- Right to object (Art. 21): object to processing based on legitimate interest.
- Right to withdraw consent: where processing is based on consent (e.g., ML data sharing, Strava connection), you can withdraw consent at any time via your account settings. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights, contact us at contact@runpact.com. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority. In Poland, this is the President of the Personal Data Protection Office (UODO).
10. Children's Privacy
RunPact is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at contact@runpact.com.
11. Cookies and Local Storage
RunPact uses only essential cookies and browser local storage. We do not use tracking or advertising cookies. For full details, see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice on our website before the changes take effect. Your continued use of RunPact after any changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at contact@runpact.com.