Privacy Policy

This Privacy Policy explains what personal information Rundown collects, how we use it, who we share it with, and what rights you have. By using Rundown you agree to the data practices described here. For Terms of Service, see Terms.

1. Who We Are

Rundown is a mobile application operated by Daniel Nesfeder, an individual based in the United States ("Rundown", "we", "us", "our"). For the purposes of the EU and UK GDPR, we are the data controller for personal information processed through the Service.

For privacy questions or to exercise your rights, contact us at daniel.nesfeder+privacy@gmail.com.

2. Summary — The Short Version

If you only read one section, read this one:

• What we collect: your Strava activity data for runs and walks (including GPS, heart rate, pace, distance, elevation, cadence), an anonymous device identifier, your shoe, nutrition, and walk-equipment logs if you choose to track them, and basic app preferences.
• Where it goes: stored on your device for offline use, synced to our backend (Supabase) so you can keep your data across devices, and a summarized subset is sent to Anthropic to generate insights when you use that feature.
• What we don't do: we don't sell your data, we don't show your data to other Rundown users, and we don't use your data to train AI models.
• Your rights: you can disconnect Strava, delete your account data, and export your data at any time. Email daniel.nesfeder+privacy@gmail.com.

3. Information We Collect

3.1 Information from Strava

When you connect your Strava account, we receive the following from Strava's API on your behalf:

• Athlete profile: your Strava athlete ID, first name, last name, profile picture URL, sex, country/state/city, weight, premium status, and athlete-level lifetime statistics
• Activity metadata: activity ID, name, type, sport type, start/end times, time zone, moving time, elapsed time, distance, total elevation gain, elevation high/low, calories, device name, workout type, description, achievement count, kudos count, comment count, photo count, athlete count, trainer/commute/manual flags, privacy and visibility flags
• Activity GPS and route data: start latitude/longitude, end latitude/longitude, encoded map polyline (full and summary)
• Activity sensor data: average and max speed, average cadence, average temperature, average and max watts, weighted average watts, average and max heart rate, has-heart-rate flag, has-power flag
• Activity streams (detailed time-series): per-second latitude/longitude, altitude, watts, heart rate, cadence, distance, time, temperature, moving status, grade — when available and if you authorize the streams scope
• Heart rate zones: your custom heart rate zone definitions if configured in Strava
• Lifetime stats: total run/ride/swim distance, time, elevation, count, and recent (4-week) and year-to-date totals
• Gear: shoe and bike IDs and names if linked to activities

OAuth access and refresh tokens for your Strava account are stored locally on your device. We use them only to make authorized API calls to Strava on your behalf.

3.2 Information You Provide Directly

• Shoe data: shoe brand, model, nickname, purchase date, notes, mileage tracking, shoe type, optional shoe images
• Nutrition data: pre/during/post-activity nutrition entries (item name, brand, category, phase, timing, notes)
• Walk equipment data: equipment category (vest, ruck, ankle weights, poles, etc.), nickname, load weight, notes, and per-activity loadout (which equipment and how much weight you carried on a given walk)
• Walk session-type confirmations: if you correct Rundown's auto-detected walk type (Casual, Brisk, Incline, Hike, Ruck, Weighted), we store your selection
• Activity-to-shoe, activity-to-nutrition, and walk-to-equipment links: which shoes, nutrition, and equipment you used on each activity
• App settings: distance and temperature unit preferences, notification preferences
• Support communications: if you contact us by email, we receive your email address, message contents, and any attachments

3.3 Information Generated Automatically

• Anonymous device identifier: a random user ID is generated on first launch and used to associate your data with your device. This ID is not tied to your name, email, or any other personally identifiable information unless you connect Strava (which links it to your Strava athlete ID).
• Computed scores and explanations: Rundown calculates performance scores and explanation cards from your Strava activities. These are stored locally and (for some features) synced to our backend.
• AI-generated insights: the text of insight cards returned from Anthropic is cached locally and may be cached on our backend.
• Technical logs: we may collect basic operational logs (timestamps, error codes, sync status) to diagnose issues. We do not currently use third-party analytics or crash-reporting services.

3.4 Information We Do NOT Collect

• We do not collect your name, email address, or password unless you contact us directly.
• We do not access your device's contacts, photos (except images you choose to attach to shoes), microphone, or camera.
• We do not track you across other apps or websites.
• We do not use third-party advertising SDKs or behavioral advertising.
• We do not currently use crash reporting (Crashlytics, Sentry, etc.) or analytics SDKs (Firebase Analytics, Mixpanel, Amplitude, etc.).

4. How We Use Your Information

We use the information described above only for the following purposes:

• Operate the Service: sync your Strava activities, compute run and walk scores, generate explanations, render trends and charts, manage your shoe, nutrition, and walk-equipment logs
• Provide AI insights: send a summarized subset of your activity data to a third-party large language model to generate weekly and monthly insight cards (see Section 6 for what is and is not sent)
• Fetch historical weather: send the GPS coordinates and timestamp of your activity starts to OpenWeather to retrieve historical conditions used in scoring
• Sync across devices: store certain data on our backend so you can access it after reinstalling or switching devices
• Diagnose problems: investigate bugs and outages using minimal operational logs
• Communicate with you: respond to support inquiries and notify you of material changes to the Service
• Comply with law: respond to lawful requests, investigate fraud, and enforce our Terms

We do not use your information to:

• Sell or rent it to third parties for any purpose, ever
• Train artificial intelligence or machine learning models
• Build advertising profiles or serve targeted ads
• Display your data to other Rundown users
• Match or merge your data with information from third parties without your consent

5. Legal Bases for Processing (EU/UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information under the following legal bases:

• Contract (Article 6(1)(b)): processing necessary to provide the Service you requested (Strava sync, scoring, insights)
• Consent (Article 6(1)(a)): for AI insight generation and any optional features you affirmatively enable
• Legitimate interests (Article 6(1)(f)): diagnosing bugs, preventing abuse, securing the Service. We balance these interests against your rights and you can object to processing on this basis at any time.
• Legal obligation (Article 6(1)(c)): when required to comply with a lawful request

Heart rate, GPS, and physical activity data may constitute "data concerning health" under GDPR Article 9. We process this information based on your explicit consent (Article 9(2)(a)), which you give by connecting Strava and using the Service. You may withdraw consent at any time by disconnecting Strava and deleting your account data.

6. How We Share Your Information

We share information only with the third-party processors listed below, only to the extent necessary to operate the Service.

6.1 Strava (data source)

We exchange OAuth tokens with Strava and request your activity data from Strava's API. We do not send Strava any data beyond what is required to authenticate and make API calls. Strava's Privacy Policy.

6.2 Supabase (backend infrastructure)

We use Supabase (operated by Supabase, Inc.) as our backend database, authentication, and file storage provider. The following information is stored on Supabase:

• Your anonymous device user ID and (if you connect Strava) your Strava athlete ID
• Your shoe, nutrition, and walk-equipment logs
• Activity log metadata that links runs and walks to shoes, nutrition, walk equipment, and walk session-type confirmations
• Optional shoe images

Data is encrypted in transit (TLS) and at rest. Supabase processes this information as our service provider under a data processing agreement and may not use it for any other purpose. Supabase Privacy Policy.

6.3 Anthropic (AI insight generation — sub-processor)

Anthropic acts as a data processor (sub-processor) on Rundown's behalf under GDPR Art. 28 and Anthropic's Data Processing Agreement. Anthropic processes data only to return an API response for generating your personal training insights; it does not use API-submitted data for model training, for its own purposes, or for any purpose other than fulfilling the API request.

When you use the Insights feature, we send a structured request to Anthropic's API containing the following per activity in the analysis window:

• Activity ID, kind (run or walk), start date and time, distance text, moving time, average pace text
• Average heart rate (if available), elevation gain, weather summary (temperature, dew point, humidity)
• Computed scores: total score and per-pillar subscores (for runs: Execution, Efficiency, Consistency, Conditions; for walks: Zone 2 Adherence, Cadence Quality, Elevation Gain, Load Stimulus, Duration)
• Score deltas, trend direction, and a compact "top drivers" summary string
• Detected session type (for runs: Easy, Long, Interval, Tempo, Race, Recovery; for walks: Casual, Brisk, Incline, Hike, Ruck, Weighted) and data confidence level
• For walks only: equipment loadout summary (e.g. "ruck, 25 lb") if logged
• Analysis period window (date range only — no location data)

We do not send your name, email address, Strava athlete ID or credentials, exact GPS coordinates, raw second-by-second sensor streams, or any segment or leaderboard data to Anthropic.

The sole purpose of this transfer is generating personalized training insights for your own use. Per Anthropic's Commercial Terms, data submitted via the API is not used to train Anthropic models and is retained only as needed to provide the service and comply with legal obligations. Anthropic Privacy Policy.

6.4 OpenWeather (historical weather lookup)

To enrich your activity scores with weather context, we send the following to OpenWeather:

• Latitude and longitude of the activity's start location
• Unix timestamp of the activity's start time
• Your unit preference (metric or imperial)

We do not send your name, Strava ID, or any other identifying information to OpenWeather. OpenWeather Privacy Policy.

6.5 Apple and Google (app distribution)

The app is distributed via Apple App Store and Google Play Store. Apple and Google may collect installation, crash, and performance data according to their respective privacy policies. We do not control this collection.

6.6 Legal disclosures

We may disclose information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, protect the safety of any person, or investigate violations of our Terms.

6.7 Business transfers

If Rundown is acquired, merged, or sells substantially all of its assets, your information may be transferred to the new owner. We will notify you and the new owner will be bound by this Privacy Policy or provide equivalent protections.

7. Your Rights and Choices

You have the following rights regarding your personal information. We honor these rights regardless of where you are located, and we will respond within 30 days (or sooner where required by law).

• Access: request a copy of the personal information we hold about you
• Correction: request correction of inaccurate or incomplete information
• Deletion: request deletion of your account data from our backend
• Portability: request a copy of your data in a structured, machine-readable format
• Restriction: ask us to limit how we process your data
• Objection: object to processing based on our legitimate interests
• Withdraw consent: withdraw any consent you previously gave (this does not affect prior lawful processing)
• Lodge a complaint: file a complaint with your local data protection authority

How to exercise these rights:

1. Disconnect Strava: visit strava.com/settings/apps and revoke Rundown's access. This stops all future data syncing.
2. Delete local data: uninstall Rundown from your device. This removes all locally cached activity data, scores, and tokens.
3. Delete backend data: email daniel.nesfeder+privacy@gmail.com with the subject "Delete my account". Include your Strava athlete ID or device user ID so we can locate your records. We will delete all data within 30 days (and within 48 hours for Strava-derived data, as required by Strava's API Agreement).
4. Export your data: email daniel.nesfeder+privacy@gmail.com with the subject "Export my data". We will provide a JSON export within 30 days.

8. Data Retention

• On-device data: retained until you uninstall the app or revoke Strava access from within the app
• Strava-derived data on our backend: retained while you are an active user. If you revoke Strava access or request deletion, we delete this data within 48 hours in accordance with Strava's API Agreement
• Shoe, nutrition, and walk-equipment logs: retained until you delete them or request account deletion
• Support emails: retained for up to 2 years for service quality and dispute resolution
• Operational logs: retained for up to 90 days for debugging
• Anthropic API requests: retained by Anthropic only as needed to provide the service and comply with legal obligations per their Commercial Terms, then deleted
• Anonymized aggregate data: we may retain de-identified, aggregated data (e.g., total number of runs and walks scored across all users) indefinitely for product analytics

9. International Data Transfers

Rundown's operator and Supabase are based in the United States. Anthropic and OpenWeather may process data in the United States, the European Union, and other countries. If you access Rundown from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions that may have data protection laws different from your own.

Where required, we rely on the European Commission's Standard Contractual Clauses and other appropriate safeguards to transfer personal data outside the EEA, UK, or Switzerland.

10. Security

We take reasonable technical and organizational measures to protect your information, including:

• TLS encryption for all network requests
• Encryption at rest for data stored in Supabase
• Row-level security policies on backend tables to ensure each user can only access their own data
• Limited access to production systems

However, no method of transmission or storage is 100% secure. You should keep your device secure (lock screen, screen lock, OS updates) since Rundown caches data locally. Strava OAuth tokens are stored in standard device preferences storage; we recommend not using Rundown on rooted or jailbroken devices.

If we discover a personal data breach affecting you, we will notify you and the relevant supervisory authorities without undue delay as required by law.

11. Children's Privacy

Rundown is not directed at children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at daniel.nesfeder+privacy@gmail.com and we will delete it.

12. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know what personal information we have collected about you, where we got it, and who we shared it with
• Right to delete personal information we have collected from you
• Right to correct inaccurate personal information
• Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
• Right to limit use of sensitive personal information — we use sensitive information (precise geolocation, health data) only for the specific purposes described above and not for inferring characteristics
• Right to non-discrimination for exercising your privacy rights

Categories of personal information we collect (per CCPA Cal. Civ. Code § 1798.140):

• Identifiers: anonymous device user ID, Strava athlete ID
• Internet/electronic activity: app usage, error logs
• Geolocation data: precise GPS coordinates from your Strava runs
• Sensory data: heart rate, cadence, power output
• Inferences: performance scores and trends derived from your runs

To exercise these rights, email daniel.nesfeder+privacy@gmail.com. We will verify your identity using your Strava athlete ID before responding.

13. Notice for Other U.S. State Residents

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, or another U.S. state with comprehensive privacy laws, you have similar rights to access, correct, delete, and port your personal information, and to opt out of targeted advertising and sale of personal information. Contact us at daniel.nesfeder+privacy@gmail.com to exercise these rights.

14. Cookies and Tracking

The Rundown mobile app does not use cookies. Our marketing website (therundown.app) uses only essential cookies required for the site to function and does not employ third-party analytics, advertising, or tracking cookies.

15. Do Not Track

Some browsers transmit "Do Not Track" signals. Because there is no industry standard for how to interpret these signals, we currently do not respond to them. Regardless, we do not track you across other apps or websites.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and provide notice within the app or by email if we have your contact information. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

17. Contact Us

For any privacy-related question, data access or deletion request, complaint, or general support inquiry:

Privacy email: daniel.nesfeder+privacy@gmail.com
General support: daniel.nesfeder+rundown@gmail.com

Dedicated privacy@therundown.app and support@therundown.app addresses will be enabled ahead of production launch. During the closed beta period, please use the address above.

If you are in the EU/UK and we do not respond to your request within 30 days, or if you are unsatisfied with our response, you may lodge a complaint with your local data protection supervisory authority.