Privacy Policy

Last updated: 30 April 2026  ·  Terms of Service

This Privacy Policy explains what data Runnory ("we", "our", or "us") collects, how we use it, and your rights regarding that data when you use the Runnory mobile application and website.

1. Information We Collect

We collect the following categories of information:

• Account information — name, email address, age, and country, provided during sign-up via Apple Sign-In or Google Sign-In.
• Profile data — username, baseline running pace, and other preferences you set in the app.
• Activity data — GPS coordinates, heart rate (from a connected Bluetooth monitor), pace, and duration recorded during a run session.
• Device data — device type, operating system version, and app version for debugging and performance purposes.
• Third-party integration data — if you connect Strava, we store OAuth tokens and your Strava athlete name to enable activity uploads. We never access data beyond what is required for activity upload.

2. How We Use Your Information

• To generate the in-run narrative, using your heart rate and pace in real time.
• To calculate XP, streaks, and leaderboard rankings.
• To upload completed runs to third-party services you have connected (e.g. Strava).
• To improve app performance, fix bugs, and develop new features.
• To communicate important account or service updates.

3. Legal Basis for Processing

We process your personal data on the following legal grounds under the UK GDPR and EU GDPR:

• Contract performance (Article 6(1)(b)) — account information and run session data are processed to deliver the Service you have requested.
• Explicit consent (Articles 6(1)(a) and 9(2)(a)) — heart rate and other health-related data are Special Category data under data protection law. We process this data only with your explicit, freely given consent, which you may withdraw at any time by contacting us at privacy@runnory.com or through your device settings.
• Legitimate interests (Article 6(1)(f)) — device data is processed to improve app performance, diagnose technical issues, and maintain security, where these interests are not overridden by your rights and freedoms.

4. Analytics

We use Umami Analytics to collect anonymous, aggregate usage data — including page views, referrer sources, country, and device type. Umami does not use cookies, does not collect personal data, and does not track individuals across sessions. No consent banner is required. You can learn more at umami.is/privacy.

5. Data Storage and Security

Your data is stored on secure servers. Session telemetry (GPS, heart rate) is temporarily held in Redis during an active run and deleted immediately after the session ends. Persistent data (account info, run history, track points) is stored in a PostgreSQL database with access controls and encrypted connections.

No method of transmission over the internet is 100% secure and we cannot guarantee absolute security.

6. Data Sharing

We do not sell your personal data. We may share data with:

• Service providers — hosting, infrastructure, and analytics services that process data on our behalf under strict confidentiality agreements.
• Third-party integrations — only the data necessary to fulfil a connection you explicitly authorised (e.g. Strava).
• Legal obligations — if required by applicable law, regulation, or court order.

7. Location Data

GPS location is collected only while a run session is active and only with your explicit permission. Location is used solely to generate narrative context and record your route. You can revoke location permission at any time through your device settings, which will disable the active-run features.

8. Health and Heart Rate Data

Heart rate data is used exclusively to drive the in-run narrative engine and calculate performance metrics. It is not shared with advertisers or sold to any third party.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your account and associated data.
• Receive a copy of your personal data in a portable, machine-readable format (data portability).
• Object to processing based on our legitimate interests.
• Withdraw consent for specific data uses at any time, including consent to process your heart rate data.

To exercise any of these rights, contact us at privacy@runnory.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you are located in the UK, or with your local data protection supervisory authority if you are located in the EU.

10. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.

11. Children's Privacy

Runnory is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via the app or email. Continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact

For privacy-related questions or requests, contact us at privacy@runnory.com.