Privacy Policy

Last updated: October 29, 2025

1. Introduction

RunPulse is a web application operated by an individual entrepreneur based in Switzerland. We take the protection of your personal data very seriously and are committed to complying with the Swiss Federal Act on Data Protection (FADP) and the European Union's General Data Protection Regulation (GDPR).

This privacy policy explains what data we collect, how we use it, and your rights regarding your personal data.

2. Data Controller

RunPulse
Individual entrepreneur
Fribourg, Switzerland
Email: hello@runpulse.io

For complete publisher identification, please see our Legal Notice.

3. Data Collected

3.1 Registration Data

When you create an account, we collect:

  • Your email address
  • Your full name
  • Your password (encrypted)

3.2 Strava Data

If you connect your Strava account, we collect:

  • Your running activities (distance, duration, pace, heart rate, elevation gain)
  • Your Strava ID
  • Strava access tokens (to automatically sync your data)
  • Detailed activity data (velocity and altitude streams)

3.3 Sports Profile Data

We store:

  • Your calculated or manually entered VMA (Maximum Aerobic Speed)
  • Your maximum heart rate
  • Your calculated training zones

3.4 Technical Data

Automatically collected:

  • IP address (for security and rate limiting)
  • Browser type and operating system
  • Pages visited and interactions
  • Error logs (without personally identifiable information)

3.5 Analytics Data (Google Analytics)

⚠️ Requires your explicit consent

This data is only collected if you accept analytics cookies via the consent banner.

If you consent, Google Analytics collects:

  • Pages visited and navigation paths
  • Session duration and bounce rate
  • Traffic source (organic, direct, referral)
  • Device type (desktop, mobile, tablet)
  • Approximate geographic location (country, city - not your exact address)
  • Anonymized IP address (last octets are masked)

Legal basis: Consent (GDPR Article 6.1.a)
Purpose: Audience measurement, user experience improvement
Retention period: 14 months (Google Analytics cookies)

4. Data Usage

We use your data to:

  • Provide the service: Calculate your VMA, training zones, and race predictions
  • Authentication: Manage your account and secure access
  • Strava synchronization: Automatically retrieve your new activities
  • Service improvement: Analyze usage (anonymously) to improve the application
  • Security: Detect and prevent abuse (rate limiting, fraud detection)
  • Communication: Send you important notifications about your account (policy changes, security alerts)

We never sell your personal data.

5. Legal Basis for Processing (GDPR)

We process your data on the following legal bases:

  • Consent (GDPR Art. 6.1.a):
    • Connection of your Strava account (collection of your activities)
    • Google Analytics cookies (audience measurement)
  • Contract performance (GDPR Art. 6.1.b): Processing is necessary to provide the service you subscribed to (authentication, VMA calculation, training zones)
  • Legitimate interests (GDPR Art. 6.1.f): Service improvement, security, fraud prevention

6. Data Sharing

We only share your data with:

6.1 Service Providers

  • Supabase (database hosting, USA - with GDPR Standard Contractual Clauses)
  • Vercel (application hosting, USA - with GDPR Standard Contractual Clauses)
  • Google LLC (Google Analytics, USA - with Standard Contractual Clauses approved by the European Commission)
    Only if you consent to analytics cookies. Data is anonymized (truncated IP).
  • Strava (API for activity synchronization, USA)

🇪🇺 International Transfers (GDPR Chapter V)

Some of our service providers are based in the United States. Transfers are governed by Standard Contractual Clauses (SCC) approved by the European Commission, ensuring a level of protection equivalent to GDPR.

6.2 Legal Obligations

We may disclose your data if required by law (court orders, law enforcement authorities).

Your data is never sold or shared for advertising purposes.

7. Retention Period

  • Account data: As long as your account is active
  • Strava activities: As long as your account is active
  • Technical logs: Maximum 90 days
  • After account deletion:
    • Personal data (email, name, Strava tokens): Deleted within 30 days
    • Anonymized statistics: Retained for 6 years for:
      • Accounting obligations (Swiss LCD Article 958f)
      • Service improvement (churn analysis)
      • Data includes: account creation/deletion dates, aggregated activity statistics, subscription tier, deletion reason (if provided)
      • This data does NOT allow us to identify you (user ID is hashed with SHA-256)

Transparency commitment: When you delete your account, we explicitly inform you which data is anonymously retained and why (GDPR Article 89 - statistical purposes). You have full transparency about our data retention practices.

8. Your Rights

In accordance with GDPR and Swiss FADP, you have the following rights:

  • Right of access: Obtain a copy of your personal data
  • Right to rectification: Correct inaccurate data
  • Right to erasure: Delete your data ("right to be forgotten")
  • Right to restriction of processing: Restrict the use of your data
  • Right to data portability: Receive your data in a structured format
  • Right to object: Object to the processing of your data
  • Right to withdraw consent: At any time (particularly for Strava)

To exercise your rights, contact us at hello@runpulse.io. We will respond within 30 days.

You also have the right to lodge a complaint with the competent data protection authority:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
  • EU: Data protection authority of your country

9. Data Security

We implement appropriate security measures:

  • HTTPS encryption for all communications
  • Passwords encrypted with bcrypt
  • Rate limiting to prevent abuse
  • User input validation (XSS and SQL injection protection)
  • Secure logs with sensitive data redaction
  • Secured Strava tokens with automatic refresh

10. International Transfers

Your data may be transferred and stored in the United States (via Supabase and Vercel). These transfers are governed by:

  • Standard contractual clauses (SCC) approved by the European Commission
  • Technical and organizational security measures
  • Commitment from our service providers to comply with GDPR standards

11. Cookies and Similar Technologies

We only use essential cookies:

  • Session cookies: To maintain your login (deleted on logout)
  • Authentication cookies: To secure your access

We do not use advertising or third-party tracking cookies. For more details, see our Cookie Policy.

12. Minors

RunPulse is not intended for persons under 16 years of age. If you are under 16, you should not use this service or provide us with personal data.

13. Changes to this Policy

We may modify this privacy policy. In case of major changes, we will notify you by email. The last update date is shown at the top of this page.

Continued use of the service after modification constitutes your acceptance of the changes.

14. Contact

For any questions regarding this privacy policy or to exercise your rights:

Email: hello@runpulse.io
