Privacy Policy

Last updated: April 7, 2026  ·  Effective: April 7, 2026

This Privacy Policy explains what personal information Rundown collects, how we use it, who we share it with, and what rights you have. By using Rundown you agree to the data practices described here. For Terms of Service, see Terms.

1. Who We Are

Rundown is a mobile application operated by Daniel Nesfeder, an individual based in the United States ("Rundown", "we", "us", "our"). For the purposes of the EU and UK GDPR, we are the data controller for personal information processed through the Service.

For privacy questions or to exercise your rights, contact us at daniel.nesfeder+privacy@gmail.com.

2. Summary — The Short Version

If you only read one section, read this one:

  • What we collect: your Strava running activity data (including GPS, heart rate, pace, distance, elevation), an anonymous device identifier, your shoe and nutrition logs if you choose to track them, and basic app preferences.
  • Where it goes: stored on your device for offline use, synced to our backend (Supabase) so you can keep your data across devices, and a summarized subset is sent to OpenAI to generate insights when you use that feature.
  • What we don't do: we don't sell your data, we don't show your data to other Rundown users, and we don't use your data to train AI models.
  • Your rights: you can disconnect Strava, delete your account data, and export your data at any time. Email daniel.nesfeder+privacy@gmail.com.

3. Information We Collect

3.1 Information from Strava

When you connect your Strava account, we receive the following from Strava's API on your behalf:

  • Athlete profile: your Strava athlete ID, first name, last name, profile picture URL, sex, country/state/city, weight, premium status, and athlete-level lifetime statistics
  • Activity metadata: activity ID, name, type, sport type, start/end times, time zone, moving time, elapsed time, distance, total elevation gain, elevation high/low, calories, device name, workout type, description, achievement count, kudos count, comment count, photo count, athlete count, trainer/commute/manual flags, privacy and visibility flags
  • Activity GPS and route data: start latitude/longitude, end latitude/longitude, encoded map polyline (full and summary)
  • Activity sensor data: average and max speed, average cadence, average temperature, average and max watts, weighted average watts, average and max heart rate, has-heart-rate flag, has-power flag
  • Activity streams (detailed time-series): per-second latitude/longitude, altitude, watts, heart rate, cadence, distance, time, temperature, moving status, grade — when available and if you authorize the streams scope
  • Heart rate zones: your custom heart rate zone definitions if configured in Strava
  • Lifetime stats: total run/ride/swim distance, time, elevation, count, and recent (4-week) and year-to-date totals
  • Gear: shoe and bike IDs and names if linked to activities

OAuth access and refresh tokens for your Strava account are stored locally on your device. We use them only to make authorized API calls to Strava on your behalf.

3.2 Information You Provide Directly

  • Shoe data: shoe brand, model, nickname, purchase date, notes, mileage tracking, shoe type, optional shoe images
  • Nutrition data: pre/during/post-run nutrition entries (item name, brand, category, phase, timing, notes)
  • Run-to-shoe and run-to-nutrition links: which shoes and nutrition you used on each run
  • App settings: distance and temperature unit preferences, notification preferences
  • Support communications: if you contact us by email, we receive your email address, message contents, and any attachments

3.3 Information Generated Automatically

  • Anonymous device identifier: a random user ID is generated on first launch and used to associate your data with your device. This ID is not tied to your name, email, or any other personally identifiable information unless you connect Strava (which links it to your Strava athlete ID).
  • Computed scores and explanations: Rundown calculates performance scores and explanation cards from your Strava activities. These are stored locally and (for some features) synced to our backend.
  • AI-generated insights: the text of insight cards returned from OpenAI is cached locally and may be cached on our backend.
  • Technical logs: we may collect basic operational logs (timestamps, error codes, sync status) to diagnose issues. We do not currently use third-party analytics or crash-reporting services.

3.4 Information We Do NOT Collect

  • We do not collect your name, email address, or password unless you contact us directly.
  • We do not access your device's contacts, photos (except images you choose to attach to shoes), microphone, or camera.
  • We do not track you across other apps or websites.
  • We do not use third-party advertising SDKs or behavioral advertising.
  • We do not currently use crash reporting (Crashlytics, Sentry, etc.) or analytics SDKs (Firebase Analytics, Mixpanel, Amplitude, etc.).

4. How We Use Your Information

We use the information described above only for the following purposes:

  • Operate the Service: sync your Strava activities, compute scores, generate explanations, render trends and charts, manage your shoe and nutrition logs
  • Provide AI insights: send a summarized subset of your run data to a third-party large language model to generate weekly and monthly insight cards (see Section 6 for what is and is not sent)
  • Fetch historical weather: send the GPS coordinates and timestamp of your run starts to OpenWeather to retrieve historical conditions used in scoring
  • Sync across devices: store certain data on our backend so you can access it after reinstalling or switching devices
  • Diagnose problems: investigate bugs and outages using minimal operational logs
  • Communicate with you: respond to support inquiries and notify you of material changes to the Service
  • Comply with law: respond to lawful requests, investigate fraud, and enforce our Terms

We do not use your information to:

  • Sell or rent it to third parties for any purpose, ever
  • Train artificial intelligence or machine learning models
  • Build advertising profiles or serve targeted ads
  • Display your data to other Rundown users
  • Match or merge your data with information from third parties without your consent

5. Legal Bases for Processing (EU/UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information under the following legal bases:

  • Contract (Article 6(1)(b)): processing necessary to provide the Service you requested (Strava sync, scoring, insights)
  • Consent (Article 6(1)(a)): for AI insight generation and any optional features you affirmatively enable
  • Legitimate interests (Article 6(1)(f)): diagnosing bugs, preventing abuse, securing the Service. We balance these interests against your rights and you can object to processing on this basis at any time.
  • Legal obligation (Article 6(1)(c)): when required to comply with a lawful request

Heart rate, GPS, and physical activity data may constitute "data concerning health" under GDPR Article 9. We process this information based on your explicit consent (Article 9(2)(a)), which you give by connecting Strava and using the Service. You may withdraw consent at any time by disconnecting Strava and deleting your account data.

6. How We Share Your Information

We share information only with the third-party processors listed below, only to the extent necessary to operate the Service.

6.1 Strava (data source)

We exchange OAuth tokens with Strava and request your activity data from Strava's API. We do not send Strava any data beyond what is required to authenticate and make API calls. Strava's Privacy Policy.

6.2 Supabase (backend infrastructure)

We use Supabase (operated by Supabase, Inc.) as our backend database, authentication, and file storage provider. The following information is stored on Supabase:

  • Your anonymous device user ID and (if you connect Strava) your Strava athlete ID
  • Your shoe and nutrition logs
  • Run log metadata that links runs to shoes and nutrition
  • Optional shoe images

Data is encrypted in transit (TLS) and at rest. Supabase processes this information as our service provider under a data processing agreement and may not use it for any other purpose. Supabase Privacy Policy.

6.3 OpenAI (AI insight generation)

When you use the Insights feature, we send a structured request to OpenAI's API containing the following per run in the analysis window:

  • Activity ID, start date and time, distance text, moving time, average pace text
  • Average heart rate (if available), elevation gain, weather summary (temperature, dew point, humidity)
  • Computed scores: total score and per-pillar subscores (Execution, Efficiency, Consistency, Conditions)
  • Score deltas, trend direction, and a compact "top drivers" summary string
  • Detected session type (Easy, Long, Interval, Tempo, Race) and data confidence level

We do not send your name, email address, exact GPS coordinates, raw second-by-second sensor streams, or your Strava credentials to OpenAI.

We use the OpenAI API under their API Data Policy, which provides that data submitted via the API is not used to train OpenAI models and is retained by OpenAI for up to 30 days for abuse monitoring before deletion (zero-retention is available on request for eligible API tiers). OpenAI Privacy Policy.

6.4 OpenWeather (historical weather lookup)

To enrich your run scores with weather context, we send the following to OpenWeather:

  • Latitude and longitude of the run's start location
  • Unix timestamp of the run's start time
  • Your unit preference (metric or imperial)

We do not send your name, Strava ID, or any other identifying information to OpenWeather. OpenWeather Privacy Policy.

6.5 Apple and Google (app distribution)

The app is distributed via Apple App Store and Google Play Store. Apple and Google may collect installation, crash, and performance data according to their respective privacy policies. We do not control this collection.

6.6 Legal disclosures

We may disclose information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, protect the safety of any person, or investigate violations of our Terms.

6.7 Business transfers

If Rundown is acquired, merged, or sells substantially all of its assets, your information may be transferred to the new owner. We will notify you and the new owner will be bound by this Privacy Policy or provide equivalent protections.

7. Your Rights and Choices

You have the following rights regarding your personal information. We honor these rights regardless of where you are located, and we will respond within 30 days (or sooner where required by law).

  • Access: request a copy of the personal information we hold about you
  • Correction: request correction of inaccurate or incomplete information
  • Deletion: request deletion of your account data from our backend
  • Portability: request a copy of your data in a structured, machine-readable format
  • Restriction: ask us to limit how we process your data
  • Objection: object to processing based on our legitimate interests
  • Withdraw consent: withdraw any consent you previously gave (this does not affect prior lawful processing)
  • Lodge a complaint: file a complaint with your local data protection authority

How to exercise these rights:

  1. Disconnect Strava: visit strava.com/settings/apps and revoke Rundown's access. This stops all future data syncing.
  2. Delete local data: uninstall Rundown from your device. This removes all locally cached activity data, scores, and tokens.
  3. Delete backend data: email daniel.nesfeder+privacy@gmail.com with the subject "Delete my account". Include your Strava athlete ID or device user ID so we can locate your records. We will delete all data within 30 days (and within 48 hours for Strava-derived data, as required by Strava's API Agreement).
  4. Export your data: email daniel.nesfeder+privacy@gmail.com with the subject "Export my data". We will provide a JSON export within 30 days.

8. Data Retention

  • On-device data: retained until you uninstall the app or revoke Strava access from within the app
  • Strava-derived data on our backend: retained while you are an active user. If you revoke Strava access or request deletion, we delete this data within 48 hours in accordance with Strava's API Agreement
  • Shoe and nutrition logs: retained until you delete them or request account deletion
  • Support emails: retained for up to 2 years for service quality and dispute resolution
  • Operational logs: retained for up to 90 days for debugging
  • OpenAI API requests: retained by OpenAI for up to 30 days for abuse monitoring per their API Data Policy, then deleted
  • Anonymized aggregate data: we may retain de-identified, aggregated data (e.g., total number of runs scored across all users) indefinitely for product analytics

9. International Data Transfers

Rundown's operator and Supabase are based in the United States. OpenAI and OpenWeather may process data in the United States, the European Union, and other countries. If you access Rundown from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions that may have data protection laws different from your own.

Where required, we rely on the European Commission's Standard Contractual Clauses and other appropriate safeguards to transfer personal data outside the EEA, UK, or Switzerland.

10. Security

We take reasonable technical and organizational measures to protect your information, including:

  • TLS encryption for all network requests
  • Encryption at rest for data stored in Supabase
  • Row-level security policies on backend tables to ensure each user can only access their own data
  • Limited access to production systems

However, no method of transmission or storage is 100% secure. You should keep your device secure (lock screen, screen lock, OS updates) since Rundown caches data locally. Strava OAuth tokens are stored in standard device preferences storage; we recommend not using Rundown on rooted or jailbroken devices.

If we discover a personal data breach affecting you, we will notify you and the relevant supervisory authorities without undue delay as required by law.

11. Children's Privacy

Rundown is not directed at children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at daniel.nesfeder+privacy@gmail.com and we will delete it.

12. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know what personal information we have collected about you, where we got it, and who we shared it with
  • Right to delete personal information we have collected from you
  • Right to correct inaccurate personal information
  • Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
  • Right to limit use of sensitive personal information — we use sensitive information (precise geolocation, health data) only for the specific purposes described above and not for inferring characteristics
  • Right to non-discrimination for exercising your privacy rights

Categories of personal information we collect (per CCPA Cal. Civ. Code § 1798.140):

  • Identifiers: anonymous device user ID, Strava athlete ID
  • Internet/electronic activity: app usage, error logs
  • Geolocation data: precise GPS coordinates from your Strava runs
  • Sensory data: heart rate, cadence, power output
  • Inferences: performance scores and trends derived from your runs

To exercise these rights, email daniel.nesfeder+privacy@gmail.com. We will verify your identity using your Strava athlete ID before responding.

13. Notice for Other U.S. State Residents

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, or another U.S. state with comprehensive privacy laws, you have similar rights to access, correct, delete, and port your personal information, and to opt out of targeted advertising and sale of personal information. Contact us at daniel.nesfeder+privacy@gmail.com to exercise these rights.

14. Cookies and Tracking

The Rundown mobile app does not use cookies. Our marketing website (therundown.app) uses only essential cookies required for the site to function and does not employ third-party analytics, advertising, or tracking cookies.

15. Do Not Track

Some browsers transmit "Do Not Track" signals. Because there is no industry standard for how to interpret these signals, we currently do not respond to them. Regardless, we do not track you across other apps or websites.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and provide notice within the app or by email if we have your contact information. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

17. Contact Us

For any privacy-related question, data access or deletion request, complaint, or general support inquiry:

Privacy email: daniel.nesfeder+privacy@gmail.com
General support: daniel.nesfeder+rundown@gmail.com

Dedicated privacy@therundown.app and support@therundown.app addresses will be enabled ahead of production launch. During the closed beta period, please use the address above.

If you are in the EU/UK and we do not respond to your request within 30 days, or if you are unsatisfied with our response, you may lodge a complaint with your local data protection supervisory authority.