Privacy Policy

1. Data we collect

When you use RunCadence, we collect the following data:

• Account information — email address, first and last name.
• Profile data — experience level, running history, VO2max pace (VMA), available terrain, injury history, "about me" text.
• Training data — training plans, session logs, RPE ratings, notes, weekly feedback.
• Health data — with your explicit permission, we read the following data from Apple Health:
  • Workout data: distance, duration, heart rate, cadence, elevation, pace splits
  • Cardiac: resting heart rate, heart rate variability, heart rate recovery, respiratory rate, blood oxygen
  • Recovery: sleep duration and stages, sleeping wrist temperature
  • Fitness: VO2max, active energy, body mass
  • Running biomechanics: power, ground contact time, vertical oscillation, stride length
  • Activity: step count
  We use this data to compute training load, recovery, and readiness signals for your coach. The data stays in our EU databases. We never sell, share, or use this data for advertising. You can revoke any specific data type at any time in iPhone Settings → Privacy → Health → RunCadence.
• Chat messages — your conversations with the AI coach are stored to maintain coaching context.
• Technical information — device language, anonymized error logs, anonymized product events (see section 6).

2. Purposes and legal basis (Article 6 GDPR)

Each processing activity rests on an identified legal basis:

• Contract performance (Art. 6.1.b) — account creation, plan generation, coaching, sending workouts to your Apple Watch, user support.
• Consent (Art. 6.1.a) — Apple Health access, sharing data for session replay and product analytics, non-transactional communications. You can withdraw your consent at any time in the app Settings.
• Legitimate interest (Art. 6.1.f) — bug detection (Sentry), technical security, fraud prevention. Our interest in providing a reliable service is balanced against your rights; you can object by contacting us.
• Legal obligation (Art. 6.1.c) — retention of accounting data, responses to authority requests.

3. Third-party services

We use the following processors to operate RunCadence:

• Supabase — authentication and database hosting (EU region).
• Railway — backend application hosting (EU region).
• Anthropic — AI language model for coaching conversations. Your messages and profile context are sent to Anthropic's API to generate responses. Anthropic does not use this data to train models (Anthropic DPA).
• Langfuse — observability and quality monitoring of AI coaching.
• PostHog (EU hosted, eu.i.posthog.com) — product analytics, error tracking, and session replay. Replays capture screen navigation and taps, but all input fields are masked — your messages, onboarding answers, and passwords are never recorded.
• Sentry — crash and error reporting. Sentry receives the stack trace, device model, OS version, and a non-identifying user ID. No personal data, chat content, or training data is sent to Sentry.
• RevenueCat — subscription state and entitlement management. RevenueCat receives an anonymous user ID, your subscription status, and purchase events. Payment details (card, bank, identity) are handled exclusively by Apple.
• Apple App Store — subscription billing and trial management. Apple processes all payments under its own terms and shares only the minimum subscription state needed to grant you access.

4. International data transfers

Most of our processors operate in the EU region (Supabase, Railway, PostHog). Some processing nevertheless involves a transfer outside the EU:

• Anthropic (United States) — covered by the European Commission's Standard Contractual Clauses (SCCs) and a signed Data Processing Addendum (DPA).
• Sentry, RevenueCat, Vercel (United States) — covered by SCCs and their own compliance commitments under the EU-US Data Privacy Framework (DPF).

These mechanisms ensure a level of protection equivalent to that provided by the GDPR. You may request a copy of the applicable safeguards at contact@runcadence.app.

5. How we use your data

• To provide personalized AI coaching and generate your training plan.
• To adapt your plan based on your sessions, feeling, and feedback.
• To send structured workouts to your Apple Watch.
• To authenticate your account and secure access.
• To improve coaching quality and fix bugs.
• To compute physiological signals (readiness, training load, fitness trend) for personalized coaching.

6. Analytics & session replay

To improve RunCadence and fix bugs quickly, we collect anonymized product events — screen views, taps, actions such as "session logged" or "weekly feedback submitted". We never send your messages, session notes, or GPS coordinates to analytics.

Session replay records your navigation path (which screens you visited, in what order, with what taps) so we can reproduce a bug without asking you to describe it step by step. Input masking is enabled by default.

You can turn off analytics and session replay at any time from Settings → Privacy → Help improve RunCadence. The change takes effect immediately.

7. Health data

RunCadence requests Apple Health access solely to import workout data into your training log. We do not sell, share, or use your health data for advertising. Health data is transmitted via HTTPS and stored with your training data in our EU databases.

Health data is a special category of personal data under Article 9 GDPR. We process it solely with your explicit consent (Article 9.2.a), granted through the iOS HealthKit permission flow. You can withdraw consent at any time per the instructions above.

You can revoke Apple Health access at any time in your iPhone Settings.

8. Cookies

The runcadence.app marketing site does not set advertising cookies. The RunCadence mobile application does not use cookies; in-app analytics are described above (section 6). More details in our Legal Notice.

9. Retention periods

10. Your rights (GDPR)

Under Articles 15 to 22 of the GDPR, you have the following rights:

• Right of access to your personal data;
• Right to rectification of inaccurate data;
• Right to erasure ("right to be forgotten");
• Right to data portability in a structured format;
• Right to object and right to restriction of processing;
• Right to withdraw consent at any time;
• Right to set post-mortem directives on the fate of your data.

To exercise any of these rights, write to contact@runcadence.app. We respond within one month, in accordance with Article 12 of the GDPR.

11. Complaint to the CNIL

If after contacting us you believe your rights are not being respected, you may lodge a complaint with the French data protection authority (CNIL):

CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.
Phone: +33 1 53 73 22 22.
Site: www.cnil.fr

12. Minors

RunCadence is not intended for users under 16 years of age. We do not knowingly collect personal data from users under 16. If you become aware that a minor has created an account without parental authorization, write to us and we will promptly delete the account and associated data.

13. Breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and inform you directly without undue delay, in accordance with Articles 33 and 34 of the GDPR.

14. Security

All data is transmitted via HTTPS. Authentication tokens are stored in the iOS Keychain. Database access is restricted and encrypted at rest. We apply industry best practices for security (key rotation, least-privilege access, logging).

15. Modifications

We may update this policy. Any material change will be notified to you by email or in the app before it takes effect. The last-updated date is shown at the top of this page.

16. Contact

For any question about this policy, write to contact@runcadence.app.

17. Reference language

This policy is drafted in French. The English version is provided for information only at /privacy. In case of discrepancy, the French version prevails.