Privacy Policy
Last updated: June 22, 2026 · Effective: June 22, 2026
This Privacy Policy explains what personal information Rundown collects, how we use it, who we share it with, and what rights you have. By using Rundown you agree to the data practices described here. For Terms of Service, see Terms.
Washington and Nevada residents: the heart rate, precise location, and body weight you share with Rundown are "consumer health data." See our dedicated Consumer Health Data Privacy Policy for how we collect, use, and share it under the Washington My Health My Data Act and Nevada SB 370.
1. Who We Are
Rundown is a mobile application operated by Daniel Nesfeder, an individual based in the United States ("Rundown", "we", "us", "our"). For the purposes of the EU and UK GDPR, we are the data controller for personal information processed through the Service.
For privacy questions or to exercise your rights, contact us at privacy@therundown.app.
2. Summary — The Short Version
If you only read one section, read this one:
- What we collect: your Strava activity data for runs and walks (including GPS, heart rate, pace, distance, elevation, cadence), an anonymous device identifier, your shoe, nutrition, and walk-equipment logs if you choose to track them, your training goal and app preferences, any body weight or heart-rate zones you enter to calibrate scoring, any training plan you import (as a photo, CSV, or pasted text), a device push-notification token if you enable notifications, and your email address only if you join the waitlist or turn on the weekly email digest.
- Where it goes: stored on your device for offline use, synced to our backend (Supabase) so you can keep your data across devices, and a summarized subset is sent to our AI provider (OpenAI) to generate insights when you use that feature. If you import a training plan as a photo, that image is sent to OpenAI so it can read the plan.
- What we don't do: we don't sell your data, we don't show your data to other Rundown users, and we don't use your data to train AI models.
- Your rights: you can disconnect Strava, delete your account data, and export your data at any time. Email privacy@therundown.app.
3. Information We Collect
3.1 Information from Strava
When you connect your Strava account, we receive the following from Strava's API on your behalf:
- Athlete profile: your Strava athlete ID, first name, last name, profile picture URL, sex, country/state/city, weight, premium status, and athlete-level lifetime statistics
- Activity metadata: activity ID, name, type, sport type, start/end times, time zone, moving time, elapsed time, distance, total elevation gain, elevation high/low, calories, device name, workout type, description, achievement count, kudos count, comment count, photo count, athlete count, trainer/commute/manual flags, privacy and visibility flags
- Activity GPS and route data: start latitude/longitude, end latitude/longitude, encoded map polyline (full and summary)
- Activity sensor data: average and max speed, average cadence, average temperature, average and max watts, weighted average watts, average and max heart rate, has-heart-rate flag, has-power flag
- Activity streams (detailed time-series): per-second latitude/longitude, altitude, watts, heart rate, cadence, distance, time, temperature, moving status, grade — when available and if you authorize the streams scope
- Heart rate zones: your custom heart rate zone definitions if configured in Strava
- Lifetime stats: total run/ride/swim distance, time, elevation, count, and recent (4-week) and year-to-date totals
- Gear: shoe and bike IDs and names if linked to activities
OAuth tokens for your Strava account are stored securely on our backend (Supabase). Your long-lived refresh token never leaves the server; the app receives only short-lived access tokens, minted on demand, to make authorized API calls to Strava on your behalf. We use these tokens only for that purpose.
3.2 Information You Provide Directly
- Shoe data: shoe brand, model, nickname, purchase date, notes, mileage tracking, shoe type, optional shoe images
- Nutrition data: pre/during/post-activity nutrition entries (item name, brand, category, phase, timing, notes)
- Walk equipment data: equipment category (vest, ruck, ankle weights, poles, etc.), nickname, load weight, notes, and per-activity loadout (which equipment and how much weight you carried on a given walk)
- Walk session-type confirmations: if you correct Rundown's auto-detected walk type (Casual, Brisk, Incline, Hike, Ruck, Weighted), we store your selection
- Activity-to-shoe, activity-to-nutrition, and walk-to-equipment links: which shoes, nutrition, and equipment you used on each activity
- Training goal: your selected goal mode (Improve, Maintain, or Race) and, if you choose Race, your optional target race date, distance, and goal time
- Body and fitness calibration: your body weight and, if you set them, your maximum heart rate or custom heart-rate zone boundaries. These are optional, are used only to sharpen your scores, and are never shown as a stat, score, or share, nor disclosed to other users.
- Training plans: if you import a plan, the plan you provide — a photo or screenshot, a CSV, or pasted text — and the parsed result we keep (workout types, target distances, paces, weekly structure, days, and any notes). The raw photo or text is used only to read the plan and is not stored (see Section 6.3).
- App settings: distance and temperature unit preferences, your time zone, and notification preferences
- Email address: if you join our waitlist (we also receive the page you signed up from, your browser/user-agent string, and any UTM campaign parameters), or if you turn on the optional weekly email digest (we store a delivery email address and your opt-in choice)
- Support communications: if you contact us by email, we receive your email address, message contents, and any attachments
3.3 Information Generated Automatically
- Anonymous device identifier: a random user ID is generated on first launch and used to associate your data with your device. This ID is not tied to your name, email, or any other personally identifiable information unless you connect Strava (which links it to your Strava athlete ID).
- Computed scores and explanations: Rundown calculates performance scores and explanation cards from your Strava activities. These are stored locally and (for some features) synced to our backend.
- AI-generated insights: the text of insight cards returned from our AI provider (OpenAI) is cached locally and may be cached on our backend.
- Device push token: if you enable push notifications, the operating system issues a notification token for your device, which we store so we can send you the notifications you've enabled (such as a new-score alert or your weekly recap). You can turn notifications off at any time in your device settings.
- Subscription status: if you purchase Rundown Pro, our payments provider gives us your subscription tier, trial and renewal/expiration dates, store platform (iOS or Android), and an anonymous subscriber identifier. We never receive your full payment card details.
- Technical logs: we may collect basic operational logs (timestamps, error codes, sync status) to diagnose issues. We do not currently use third-party analytics or crash-reporting services.
3.4 Information We Do NOT Collect
- We do not collect a password — Rundown has no separate login. We collect your email address only if you join the waitlist or enable the weekly email digest, and we collect your name only from your Strava profile (if connected) or if you contact us directly.
- We do not access your device's contacts, photos (except images you choose to attach to shoes, or a training-plan screenshot you choose to import), microphone, or camera.
- We do not track you across other apps or websites.
- We do not use third-party advertising SDKs or behavioral advertising.
- We do not currently use crash reporting (Crashlytics, Sentry, etc.) or analytics SDKs (Firebase Analytics, Mixpanel, Amplitude, etc.).
4. How We Use Your Information
We use the information described above only for the following purposes:
- Operate the Service: sync your Strava activities, compute run and walk scores, generate explanations, render trends and charts, manage your shoe, nutrition, and walk-equipment logs
- Provide AI insights: send a summarized subset of your activity data (and your training goal and unit preference, to frame the output) to a third-party large language model to generate weekly and monthly insight cards (see Section 6 for what is and is not sent)
- Parse training plans you import: send the photo, CSV, or text you provide to our AI provider to read it into a structured plan (see Section 6.3), then store the parsed result so we can match your activities to it
- Calibrate scoring: use your body weight and any heart-rate zones you set to make your run and walk scores more accurate
- Fetch historical weather: send the GPS coordinates and timestamp of your activity starts to OpenWeather to retrieve historical conditions used in scoring
- Look up shoe details: send the shoe brand and model you search for to a third-party catalog to retrieve product and pricing information when you add a shoe
- Send notifications: deliver the push notifications you've enabled (e.g. new-score alerts and your weekly recap)
- Send the weekly email digest: if you opt in, email you a weekly recap of your activity; every digest includes a one-click unsubscribe link
- Process subscriptions: manage Rundown Pro purchases, trials, and renewals through our payments provider and unlock the corresponding features
- Sync across devices: store certain data on our backend so you can access it after reinstalling or switching devices
- Diagnose problems: investigate bugs and outages using minimal operational logs
- Communicate with you: respond to support inquiries and notify you of material changes to the Service
- Comply with law: respond to lawful requests, investigate fraud, and enforce our Terms
We do not use your information to:
- Sell or rent it to third parties for any purpose, ever
- Train artificial intelligence or machine learning models
- Build advertising profiles or serve targeted ads
- Display your data to other Rundown users
- Match or merge your data with information from third parties without your consent
5. Legal Bases for Processing (EU/UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information under the following legal bases:
- Contract (Article 6(1)(b)): processing necessary to provide the Service you requested (Strava sync, scoring, insights)
- Consent (Article 6(1)(a)): for AI insight generation and any optional features you affirmatively enable
- Legitimate interests (Article 6(1)(f)): diagnosing bugs, preventing abuse, securing the Service. We balance these interests against your rights and you can object to processing on this basis at any time.
- Legal obligation (Article 6(1)(c)): when required to comply with a lawful request
Heart rate, GPS, body weight, and physical activity data may constitute "data concerning health" under GDPR Article 9. We process this information based on your explicit consent (Article 9(2)(a)), which you give by connecting Strava and using the Service. You may withdraw consent at any time by disconnecting Strava and deleting your account data.
6. How We Share Your Information
We share information only with the third-party processors listed below, only to the extent necessary to operate the Service.
6.1 Strava (data source)
We exchange OAuth tokens with Strava and request your activity data from Strava's API. We do not send Strava any data beyond what is required to authenticate and make API calls. Strava's Privacy Policy.
6.2 Supabase (backend infrastructure)
We use Supabase (operated by Supabase, Inc.) as our backend database, authentication, and file storage provider. The following information is stored on Supabase:
- Your anonymous device user ID and (if you connect Strava) your Strava athlete ID, display name, and profile image URL
- Your shoe, nutrition, and walk-equipment logs
- Activity log metadata that links runs and walks to shoes, nutrition, walk equipment, and walk session-type confirmations
- Optional shoe images
- Your computed scores, weekly recaps, and AI insight cards
- Your profile preferences: unit preferences, time zone, training goal, notification/email settings, and your calibration inputs (body weight and any maximum heart rate or custom heart-rate zones you set)
- Your imported training plans: the parsed plan structure only — titles, pace zones, weekly grids, planned sessions, and the matches between planned sessions and your activities (not the raw photo or text you uploaded)
- Your device push-notification token (if notifications are enabled)
- Your weekly-email delivery address and opt-in status (if enabled), and your subscription status
- Your Strava OAuth tokens (access and refresh), held securely server-side so we can fetch your activities on your behalf — never exposed to the app
Data is encrypted in transit (TLS) and at rest. Supabase processes this information as our service provider under a data processing agreement and may not use it for any other purpose. Supabase Privacy Policy.
6.3 OpenAI (AI insights and plan parsing — sub-processor)
OpenAI acts as a data processor (sub-processor) on Rundown's behalf under GDPR Art. 28 and OpenAI's Data Processing Addendum. OpenAI processes data only to return an API response for generating your personal training insights and weekly recap, and for reading a training plan you import; it does not use API-submitted data for model training, for its own purposes, or for any purpose other than fulfilling the API request.
When you use the Insights feature or receive a weekly recap, we send a structured request to OpenAI's API containing the following per activity in the analysis window:
- Activity ID, kind (run or walk), start date and time, distance text, moving time, average pace text
- Average heart rate (if available), elevation gain, weather summary (temperature, dew point, humidity)
- Computed scores: total score and per-pillar subscores (for runs: Execution, Efficiency, Consistency, Conditions; for walks: Zone 2 Adherence, Cadence Quality, Elevation Gain, Load Stimulus, Duration)
- Score deltas, trend direction, and a compact "top drivers" summary string
- Detected session type (for runs: Easy, Long, Interval, Tempo, Race, Recovery; for walks: Casual, Brisk, Incline, Hike, Ruck, Weighted) and data confidence level
- For walks only: equipment loadout summary (e.g. "ruck, 25 lb") if logged
- Your unit preference and, if set, your training goal (goal mode and, for a race goal, the target date, distance, and goal time) so the output is framed for you
- Analysis period window (date range only — no location data)
We do not send your name, email address, Strava athlete ID or credentials, exact GPS coordinates, raw second-by-second sensor streams, or any segment or leaderboard data to OpenAI.
When you receive a weekly recap narrative, we additionally send a summary of your walk activity (counts, minutes, and load) and, if you use a plan, your plan-adherence context (the week label, sessions planned versus completed, and whether sessions were on-zone) so the recap reflects your week. No location data is sent.
When you import a training plan, we send the photo, CSV, or pasted text you provide to OpenAI solely to read it into structured form; plan images are processed by OpenAI's vision model. We do not retain the raw image or text after parsing — only the structured result is saved to your account — and OpenAI does not use this content to train its models.
The sole purpose of this transfer is generating personalized training insights for your own use. Per OpenAI's Business Terms and API data-usage policy, data submitted via the API is not used to train OpenAI's models and is retained only as needed to provide the service and comply with legal obligations. OpenAI Privacy Policy.
6.4 OpenWeather (historical weather lookup)
To enrich your activity scores with weather context, we send the following to OpenWeather:
- Latitude and longitude of the activity's start location
- Unix timestamp of the activity's start time
- Your unit preference (metric or imperial)
We do not send your name, Strava ID, or any other identifying information to OpenWeather. OpenWeather Privacy Policy.
6.5 Google (push notifications)
We use Firebase Cloud Messaging (operated by Google LLC) to deliver push notifications. If you enable notifications, your device's push token is stored on our backend and passed to Firebase so it can route the notifications you've enabled to your device. We send Firebase only the push token and the notification content — not your activity data or identity. We do not use Firebase Analytics, Crashlytics, or any other Firebase product. Firebase Privacy and Security.
6.6 Resend (email delivery)
We use Resend (operated by Resend, Inc.) to send transactional and digest emails — waitlist and beta-invite messages and, if you opt in, your weekly recap — and to route inbound replies to our support inbox. We provide Resend your email address and the message content. Resend processes this information as our service provider and may not use it for any other purpose. Every marketing or digest email includes a one-click unsubscribe link. Resend Privacy Policy.
6.7 RevenueCat (subscription management)
We use RevenueCat (operated by RevenueCat, Inc.) to manage Rundown Pro purchases, trials, and renewals across the Apple App Store and Google Play. The actual payment is processed by Apple or Google — we never receive your payment card details. RevenueCat provides us your subscription tier, trial/renewal/expiration dates, store platform, and an anonymous subscriber identifier so we can unlock the features you paid for. RevenueCat Privacy Policy.
6.8 Kicks.dev (shoe catalog lookup)
When you add a shoe and search for a model, we send the brand and model text you enter to Kicks.dev to retrieve product details and pricing. We do not send your name, Strava ID, location, or any other identifying information — only the shoe search text. Kicks.dev.
6.9 Apple and Google (app distribution)
The app is distributed via Apple App Store and Google Play Store, which also process Rundown Pro payments. Apple and Google may collect installation, crash, performance, and purchase data according to their respective privacy policies. We do not control this collection.
6.10 Legal disclosures
We may disclose information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, protect the safety of any person, or investigate violations of our Terms.
6.11 Business transfers
If Rundown is acquired, merged, or sells substantially all of its assets, your information may be transferred to the new owner. We will notify you, and the new owner will be bound by this Privacy Policy or provide equivalent protections.
7. Your Rights and Choices
You have the following rights regarding your personal information. We honor these rights regardless of where you are located, and we will respond within 30 days (or sooner where required by law).
- Access: request a copy of the personal information we hold about you
- Correction: request correction of inaccurate or incomplete information
- Deletion: request deletion of your account data from our backend
- Portability: request a copy of your data in a structured, machine-readable format
- Restriction: ask us to limit how we process your data
- Objection: object to processing based on our legitimate interests
- Withdraw consent: withdraw any consent you previously gave (this does not affect prior lawful processing)
- Lodge a complaint: file a complaint with your local data protection authority
How to exercise these rights:
- Disconnect Strava: visit strava.com/settings/apps and revoke Rundown's access. This stops all future data syncing.
- Delete local data: uninstall Rundown from your device. This removes all locally cached activity data, scores, and tokens.
- Delete your account in the app: open Profile → Delete my account and confirm. This immediately revokes Rundown's Strava access, deletes your data from our backend, and signs you out.
- Delete backend data by email: alternatively, email privacy@therundown.app with the subject "Delete my account". Include your Strava athlete ID or device user ID so we can locate your records. We will delete all data within 30 days (and within 48 hours for Strava-derived data, as required by Strava's API Agreement).
- Export your data: email privacy@therundown.app with the subject "Export my data". We will provide a JSON export within 30 days.
- Manage notifications and emails: turn push notifications off at any time in your device settings, turn the weekly email digest off in the app, or use the unsubscribe link in any digest email. This stops the corresponding messages without deleting your account.
8. Data Retention
- On-device data: retained until you uninstall the app or revoke Strava access from within the app
- Strava-derived data on our backend: retained while you are an active user. If you revoke Strava access or request deletion, we promptly delete this data — within 48 hours — in accordance with Strava's API Agreement
- Shoe, nutrition, and walk-equipment logs: retained until you delete them or request account deletion
- Calibration inputs (body weight, heart-rate zones): retained until you change or clear them, or delete your account
- Imported training plans: the parsed plan is retained until you delete the plan or your account; the raw photo or text you upload is not retained — only the parsed result is saved
- Push notification token: retained while notifications are enabled; removed when you disable notifications or delete your account
- Email and subscription data: waitlist entries retained until you ask us to remove them; weekly-email address and opt-in retained until you opt out or delete your account; subscription records retained as needed for billing, accounting, and legal compliance
- Support emails: retained for up to 2 years for service quality and dispute resolution
- Operational logs: retained for up to 90 days for debugging
- OpenAI API requests: retained by OpenAI only as needed to provide the service and comply with legal obligations per their Business Terms, then deleted
- Anonymized aggregate data: we may retain de-identified, aggregated data (e.g., total number of runs and walks scored across all users) indefinitely for product analytics
9. International Data Transfers
Rundown's operator and Supabase are based in the United States. OpenAI, OpenWeather, Google (Firebase), Resend, RevenueCat, and Kicks.dev may process data in the United States, the European Union, and other countries. If you access Rundown from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions that may have data protection laws different from your own.
Where required, we rely on the European Commission's Standard Contractual Clauses and other appropriate safeguards to transfer personal data outside the EEA, UK, or Switzerland.
10. Security
We take reasonable technical and organizational measures to protect your information, including:
- TLS encryption for all network requests
- Encryption at rest for data stored in Supabase
- Row-level security policies on backend tables to ensure each user can only access their own data
- Limited access to production systems
However, no method of transmission or storage is 100% secure. You should keep your device secure (lock screen, OS updates) since Rundown caches data locally. Your Strava OAuth tokens are held server-side and never exposed to the app; we recommend not using Rundown on rooted or jailbroken devices.
If we discover a personal data breach affecting you, we will notify you and the relevant supervisory authorities without undue delay as required by law.
11. Children's Privacy
Rundown is not directed at children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@therundown.app and we will delete it.
12. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know what personal information we have collected about you, where we got it, and who we shared it with
- Right to delete personal information we have collected from you
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
- Right to limit use of sensitive personal information — we use sensitive information (precise geolocation, health data) only for the specific purposes described above and not for inferring characteristics
- Right to non-discrimination for exercising your privacy rights
Categories of personal information we collect (per CCPA Cal. Civ. Code § 1798.140):
- Identifiers: anonymous device user ID, Strava athlete ID, device push token, and email address (if you join the waitlist or enable the weekly email)
- Commercial information: Rundown Pro subscription status and history (we do not receive payment card numbers)
- Internet/electronic activity: app usage, error logs, and the page/user-agent/UTM captured at waitlist signup
- Geolocation data: precise GPS coordinates from your Strava runs
- Sensory and health data: heart rate, cadence, power output, and your body weight (if you enter it)
- Inferences: performance scores and trends derived from your runs
To exercise these rights, email privacy@therundown.app. We will verify your identity using your Strava athlete ID before responding.
13. Notice for Other U.S. State Residents
Nineteen U.S. states now have comprehensive consumer privacy laws in effect — including Virginia, Colorado, Connecticut, Utah, and Texas, and, as of January 2026, Indiana, Kentucky, and Rhode Island. If you reside in one of these states (or any other state with such a law), you have similar rights to access, correct, delete, and port your personal information, and to opt out of targeted advertising and the sale of personal information. Contact us at privacy@therundown.app to exercise these rights.
14. Cookies and Tracking
The Rundown mobile app does not use cookies. Our marketing website (therundown.app) uses only essential cookies required for the site to function and does not employ third-party analytics, advertising, or tracking cookies.
15. Do Not Track
Some browsers transmit "Do Not Track" signals. Because there is no industry standard for how to interpret these signals, we currently do not respond to them. Regardless, we do not track you across other apps or websites.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and provide notice within the app or by email if we have your contact information. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
17. Contact Us
For any privacy-related question, data access or deletion request, complaint, or general support inquiry:
Privacy email: privacy@therundown.app
General support: support@therundown.app
If you are in the EU/UK and we do not respond to your request within 30 days, or if you are unsatisfied with our response, you may lodge a complaint with your local data protection supervisory authority.