Summary: We collect running performance data you upload or sync, including heart-rate (HR) and physiological performance data where present, and basic account information to provide personalized running analytics and shoe recommendations. We do not sell your data, and we do not use analytics tools for targeted advertising or advertising audience creation. You have full control over your information under GDPR.
1. Data Controller
The data controller responsible for your personal data is:
Run-It
Kleine Negenbundersstraat 44
3511 Kuringen, Belgium
KBO: 1019077050
BTW: BE1019077050
Email: brechtc@run-it.be
For questions about this privacy policy or your data rights, please contact us at the email address above.
Data Protection Officer: Based on our current processing activities, we are not required to appoint a Data Protection Officer under GDPR Article 37. For any data protection inquiries, please contact us directly at the email address above.
2. What Personal Data We Collect
We collect the following categories of personal data:
2.1 Account Information
- Email address (required for authentication)
2.2 Running and Performance Data
- Running activity files (.fit) you upload
- Running metrics derived from your activities (cadence, ground contact time, vertical oscillation, pace, etc.)
- Heart-rate (HR), VO2 max where provided by a connected service, and derived physiological performance metrics, such as effort trends or pace-coupled heart-rate drift, where included in your activity data
- Physical characteristics you optionally provide (height, weight, age, etc.)
- Running shoe preferences, feedback, and ratings
Source of data: Running and performance data is either directly uploaded by you, synced from connected services you authorize, or derived/calculated from activity files you provide.
Clarification on Biomechanical and Physiological Performance Data: We use running metrics such as ground contact time, cadence, stride length, vertical oscillation, pace, heart rate, and physiological performance values such as VO2 max if supplied by a connected service to analyze running technique, effort, fatigue, and performance patterns, and to recommend suitable running shoes. We do not ask for medical history, diagnoses, medication, or injury records. We do not use heart-rate data, physiological performance data, biomechanical data, or any other data to diagnose injuries, assess medical conditions, monitor health, or provide medical advice.
2.3 Technical Data
- IP address
- Consent-evidence records, including the consent choices you submitted, timestamp, account/user identifier or session identifier, consent version/source, and the IP address captured server-side from request headers when you submit consent choices
- Browser type and version
- Device information
- Error, performance, and reliability diagnostics, such as stripped URLs, browser/runtime details, stack traces, and timestamps when monitoring is enabled
- Cookies and similar tracking technologies (see Section 7)
Server log retention: Technical logs (IP addresses, access times, error logs) are retained for up to 90 days for security and debugging purposes, after which they are automatically deleted.
Consent evidence: We record consent evidence so we can demonstrate when and how required or optional consent was given or withdrawn. We capture the IP address from our own backend request headers; the sign-up page does not call a third-party IP lookup service for this purpose.
2.4 Payment and Subscription Information
Web payment processing is handled by Stripe. We do not store your full credit card details. We may receive limited payment metadata (such as payment status, transaction identifiers, customer IDs, billing address, tax IDs where supplied, invoices, refund status, subscription interval, and limited card information like the last 4 digits) for accounting, tax, entitlement, cancellation, and support.
For Run-It Pro web checkout, we also record contract-evidence metadata such as the Terms version, Privacy Policy version, checkout summary version, selected billing interval, immediate-access request, withdrawal acknowledgement, and withdrawal/refund handling status. This is not marketing consent; it is used to prove the subscription terms accepted at checkout and to handle cancellation, withdrawal, refund, tax, and digital-service conformity requests.
iOS in-app subscriptions are handled by Apple App Store. We may receive product IDs, transaction IDs, original transaction IDs, signed transaction metadata, subscription status, renewal/cancellation status, and entitlement state needed to provide Run-It Pro access and support.
3. Legal Basis for Processing (GDPR Articles 6 & 9)
We process your personal data based on the following legal grounds:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Account, running, and non-HR performance data | Providing performance analytics and shoe recommendations | Contract performance (Art. 6(1)(b)) |
| Heart-rate and physiological performance data, where present | Running analytics, effort/fatigue context, and shoe recommendations | Contract performance (Art. 6(1)(b)) plus explicit consent for special-category data under Art. 9(2)(a), where required |
| Payment data | Processing payments | Contract performance (Art. 6(1)(b)) |
| Subscription checkout evidence, immediate-access request, withdrawal acknowledgement, and refund/conformity records | Provide Pro access, prove accepted contract terms, process cancellations and consumer-rights requests, and defend legal claims | Contract performance (Art. 6(1)(b)), legal obligation where consumer, tax, or accounting law requires records (Art. 6(1)(c)), and legitimate interests for legal claims (Art. 6(1)(f)) |
| Email address | Account authentication | Contract performance (Art. 6(1)(b)) |
| Pseudonymized running data, shoe ratings, and feedback | Recommendation logic improvement | Consent (Art. 6(1)(a)). You can withdraw this consent at any time in settings or by email. See Section 4.1 for what this includes. |
| Analytics cookies | Service improvement | Consent (Art. 6(1)(a)) |
| Consent-evidence records, including server-captured IP address | Demonstrate required and optional consent choices, manage withdrawal, and defend legal claims | Legal obligation/accountability (Art. 6(1)(c), GDPR Art. 7) and legitimate interests for legal claims (Art. 6(1)(f)) |
| Error monitoring, security logs, and baseline reliability diagnostics | Secure the service, investigate faults, prevent abuse, and keep the service reliable | Legitimate interests (Art. 6(1)(f)); optional browser tracing/session replay only where enabled after statistics consent |
| Newsletter subscription and unsubscribe records | Send requested product updates and special offers; honor opt-outs | Consent (Art. 6(1)(a)) and legitimate interests for suppression records |
| Payment records | Tax compliance | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Data
We use your personal data to:
- Analyze your running mechanics and performance signals, including heart-rate data where available, and generate personalized shoe recommendations
- Create and manage your user account
- Process Run-It Pro subscriptions, Stripe web checkout, App Store billing records, invoices, tax evidence, cancellation status, refunds, and billing support
- Improve our recommendation logic
- Send service-related communications (e.g., reminder to provide feedback)
- Respond to your support requests
- Record and prove required or optional consent choices, including withdrawal of consent
- Comply with legal obligations
4.1 Recommendation logic improvement (what we do and do not do)
Opt-in only: We use pseudonymized running data, shoe ratings, and feedback to improve our recommendation logic (for example, validating whether recommendations were helpful and improving scoring rules) only if you explicitly consent. Pseudonymized data does not include direct identifiers such as your email address, but it remains personal data under GDPR.
We do not use your raw uploaded .FIT file contents to train a third-party AI model (for example, we do not send your .FIT file to an external AI provider for training). Our backend parses your .FIT file to extract running metrics and then deletes the temporary file.
Your choice: You can provide or withdraw this consent at any time in your account settings or by emailing us.
4.2 Subscription and consumer-rights records
For Run-It Pro, we process subscription, billing, tax, withdrawal/refund, cancellation, and digital-service conformity records so we can provide access, prove the subscription terms accepted at checkout, comply with Belgian accounting and tax obligations, and handle consumer-rights requests.
Important Disclaimer: Our service provides running performance insights and shoe recommendations based on activity and biomechanical analysis. Heart-rate and physiological performance data are used only as running performance signals. This is not medical advice. We do not diagnose, treat, monitor, or prevent any medical conditions. If you have injuries or health concerns, please consult a qualified healthcare professional or sports medicine specialist.
5. Data Sharing and Recipients
We share your data with the following categories of recipients:
5.1 Service Providers and Connected Providers
We use vetted service providers and connected providers to operate the service, including for:
- Supabase for database, authentication, and user settings
- Stripe for web checkout, subscription billing, tax calculation, invoices, payment method handling, refunds, and the billing portal
- Apple App Store for iOS in-app subscription billing, receipts, cancellation, and refund handling
- Azure and Vercel for backend, website hosting, deployment, and platform logs
- Azure Application Insights for infrastructure diagnostics if enabled in the hosting environment
- Cookiebot for cookie-consent management and consent records
- PostHog for consent-gated product and website analytics, including page views, onboarding and upgrade flow events, feature interactions, integration and sync activity, account and product usage signals, and masked website and dashboard session recordings after statistics consent. We disable broad PostHog autocapture.
- Sentry for error monitoring and reliability diagnostics. Browser session replay and performance tracing are disabled unless configured and allowed by your statistics consent; replay is configured to mask text and block media.
- Garmin, Strava, and Stryd where you connect those accounts or import their activity data
- Resend and any successor email provider for transactional service messages and newsletter messages where you subscribe
We keep processor evidence and data-processing terms for launch-critical providers. When providers process data outside the EEA, we use appropriate transfer safeguards such as adequacy decisions, the EU-US Data Privacy Framework where applicable, Standard Contractual Clauses, and transfer risk reviews. More details are available on request.
5.2 No Sale or Advertising Share of Data
We do not sell, rent, or trade your personal data to third parties for marketing purposes. We also do not share personal data with analytics providers for cross-context behavioral advertising, remarketing, advertising audience creation, or ad personalization. If we ever enable advertising features such as Google Analytics advertising features, Google Signals, Google Ads remarketing or audience sharing, or similar targeted-advertising tools, we will update this policy and provide any required consent or opt-out controls before using them.
5.3 Legal Requirements
We may disclose your data if required by law, court order, or to protect our legal rights.
6. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA) when we use service providers that operate globally. Where required, we use appropriate safeguards for such transfers (for example, Standard Contractual Clauses or adequacy mechanisms). You can contact us if you want more information about the safeguards that apply in your case.
7. Cookies and Tracking Technologies
We use cookies and similar technologies when you visit our website and dashboard. Some cookies are strictly necessary for the service to function (for example, security and login). Others (such as analytics) are used only if you choose to enable them.
Cookie consent: We use Cookiebot to manage cookie preferences and, where required, obtain your consent for non-essential cookies. You can review and change your choices at any time via the “Cookie Settings” link in our footer. See the Cookie Policy for the current cookie categories and controls.
Analytics: If you consent, we may use analytics cookies to understand how the website and dashboard are used and improve them. This can include consent-gated PostHog events for page views, signup and upgrade flows, feature interactions, integration and sync activity, and other account and product usage signals. It may also include masked PostHog website and dashboard session recordings after statistics consent; text and inputs are masked, URLs and network request details are scrubbed, and console-log recording is disabled. We currently use analytics for service measurement and product improvement, not for targeted advertising, remarketing, advertising audience creation, or ad personalization. If you don’t consent, we don’t place analytics cookies or send non-essential PostHog events.
Error monitoring: We may use security and reliability diagnostics to detect crashes, abuse, and broken flows. We minimize this data by stripping cookies, authorization headers, email addresses, IP addresses, and query strings where our monitoring hooks support it. Optional browser performance tracing or masked session replay is only enabled after statistics consent where configured.
You can also manage or delete cookies via your browser settings. Please note that blocking strictly necessary cookies may affect the functionality of the service (for example, staying signed in may not work correctly).
8. Data Retention
We retain your personal data for the following periods:
- Account data: Until you delete your account
- Profile data (height, weight, preferences): Deleted when you delete your account
- Running activity data, including heart-rate streams and physiological performance values where present: Until you delete it or your account
- Analysis reports: Stored in your account until you delete them or delete your account.
- Shoe ratings and feedback: Retained unless you delete them or delete your account; we use this information to improve the service only if you consent. You can withdraw consent in settings or by email.
- Payment, subscription, invoice, tax, checkout-evidence, withdrawal, and refund records: 10 years where required for Belgian accounting, tax, VAT/OSS, consumer-rights, or legal-claims evidence
- Newsletter records: Until you unsubscribe, plus a minimal suppression record as needed to honor your opt-out
- Consent-evidence records: While your account exists. After account deletion or consent withdrawal, we keep only minimal audit evidence (consent choices, timestamp, consent version/source, account or session reference, and server-captured IP address) for up to 5 years where needed for GDPR accountability, complaint handling, or legal claims, unless a longer legal hold applies.
- Server logs (IP, access logs): Up to 90 days
- Error monitoring and diagnostic events: Up to 90 days unless needed for an active incident or legal hold
8.1 What Happens When You Delete Your Account
When you delete your account, we delete your account profile information (such as height, weight, and age), analysis reports, running shoe opinions, derived running metrics, running activity data, connected-service records, and the local authentication record where supported. We do not retain your analysis reports, running shoe opinions, or derived running metrics for recommendation improvement after account deletion. We may keep limited records where required or permitted by law, such as payment, subscription, tax, withdrawal, refund, consent-audit, security-log, or legal-claims records for the periods described above. You can change optional recommendation-improvement consent at any time in your account settings or by emailing us while your account is active.
9. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
9.1 Right of Access (Art. 15)
You can request a copy of all personal data we hold about you.
9.2 Right to Rectification (Art. 16)
You can request correction of inaccurate or incomplete data.
9.3 Right to Erasure (Art. 17)
You can request deletion of your personal data ("right to be forgotten").
9.4 Right to Restriction (Art. 18)
You can request that we limit how we use your data.
9.5 Right to Data Portability (Art. 20)
You can request your data in a structured, machine-readable format.
9.6 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
How to exercise your rights: Email us at brechtc@run-it.be. We will respond within 30 days. You may also delete your account and data directly from your account settings.
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive data
- Secure authentication via Supabase
- Regular security updates and monitoring
- Access controls and principle of least privilege
11. Children's Privacy
Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us immediately.
12. Automated Decision-Making
Our shoe recommendation system uses automated processing of your running data to generate personalized suggestions. This processing:
- Is necessary for providing our service (contract performance)
- Does not produce legal effects or similarly significant effects on you
- Generates informational recommendations only - you remain fully responsible for your purchase and training decisions
Your rights: You may request human review of any recommendation or contest the output by contacting us at brechtc@run-it.be. We will explain the logic involved and, if appropriate, adjust the recommendation.
13. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by:
- Posting the new policy on this page with an updated "Last updated" date
- Sending an email notification for significant changes (if you have an account)
14. Complaints
If you believe we have violated your data protection rights, you have the right to lodge a complaint with:
Belgian Data Protection Authority (Gegevensbeschermingsautoriteit)
Drukpersstraat 35, 1000 Brussels
Phone: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be
15. Contact Us
For any questions about this privacy policy or your personal data, contact us at:
Run-It
Brecht Colemont
Email: brechtc@run-it.be
Phone: +32 497 74 43 21