Privacy Policy
Effective Date: February 6, 2026
At RunPlan, your privacy is paramount. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our personalized running coaching service.
1. What Information We Collect
1.1 Account Information
When you create a RunPlan account, we collect:
- Email address (for account access and weekly training plan delivery)
- Password (encrypted and never stored in plain text)
- Account preferences (notification settings, training goals)
1.2 Fitness Platform Data
When you connect Garmin Connect or Strava to RunPlan, we access the following data through official OAuth APIs:
Activity Data
- Running activities (distance, duration, pace, date/time)
- Heart rate data during activities (average, max)
- Cadence and elevation gain
- Training load and perceived exertion (if available)
Recovery Metrics (Garmin only)
- Sleep duration and quality (light, deep, REM sleep stages)
- Resting heart rate and heart rate variability (HRV)
- Body Battery or stress level data
- VO2 Max estimates
Important: We have read-only access to your fitness data. We cannot post activities, edit existing data, or access any non-fitness information from your Garmin or Strava account.
1.3 Training Preferences
During setup and ongoing use, you provide:
- Race goal (5K, 10K, half marathon, marathon, or base building)
- Target race date and goal time
- Current fitness level and weekly mileage
- Training preferences (preferred training days, maximum weekly mileage)
1.4 Usage and Analytics Data
To improve our service, we collect:
- Pages visited and features used
- Email open rates and link clicks (training plan emails)
- Browser type, device type, and operating system
- IP address and general geographic location (city/country level)
We use Google Analytics to track usage patterns. This data is anonymized and aggregated.
2. How We Use Your Information
We use your personal information solely to provide and improve the RunPlan service:
Generate Personalized Training Plans
Analyze your running activities, recovery metrics, and training history to create weekly plans adapted to your current fitness and goals.
Deliver Weekly Training Plans
Send your personalized training plan to your email address every week (or at your preferred frequency).
Send Service Notifications
Notify you of important account events (e.g., platform connection expiring, plan adjustments, race week reminders).
Improve Our Service
Analyze aggregated, anonymized usage data to improve training plan algorithms, fix bugs, and develop new features.
Provide Customer Support
Respond to your questions, troubleshoot issues, and provide assistance when you contact us.
What We Don't Do
- No selling your data - We never sell or rent your personal information to third parties
- No advertising - We don't use your data for targeted advertising or marketing campaigns
- No spam - We only send training plan emails and critical account notifications
- No social sharing - We don't post to your Garmin or Strava feeds
3. How We Store Your Data
Your data security is our top priority. We implement industry-standard security measures:
Encryption at Rest
All sensitive data (OAuth tokens, access credentials) is encrypted using AES-256 encryption before storage.
Encryption in Transit
All data transmitted between your browser and our servers uses TLS 1.3 encryption (HTTPS).
Secure Infrastructure
Hosted on Vercel with Supabase database infrastructure. Both services are SOC 2 Type II certified.
Access Controls
Row-level security (RLS) policies ensure users can only access their own data. Passwords are hashed using bcrypt.
Data Location: Your data is stored on secure servers located in the United States. By using RunPlan, you consent to the transfer and storage of your data in the U.S.
4. Third-Party Services
RunPlan integrates with the following third-party services to provide our functionality:
Garmin Connect
We use Garmin's official OAuth 2.0 API to access your fitness and health data. Garmin's privacy policy governs how they handle your data on their platform.
View Garmin Privacy Policy
Strava
We use Strava's official OAuth 2.0 API to access your activity data. Strava's privacy policy governs how they handle your data on their platform.
View Strava Privacy Policy
Google Analytics
We use Google Analytics to understand how users interact with RunPlan. This data is anonymized and aggregated. You can opt out of Google Analytics tracking using browser extensions.
View Google Privacy Policy
Supabase
We use Supabase for authentication and database services. Supabase is SOC 2 Type II certified and GDPR compliant.
View Supabase Privacy Policy
5. Data Sharing and Disclosure
We do not sell your personal information. We only share your data in the following limited circumstances:
Legal Compliance
We may disclose your information if required by law, court order, subpoena, or to comply with legal processes.
Safety and Security
To protect the rights, property, or safety of RunPlan, our users, or the public (e.g., fraud prevention, abuse detection).
Business Transfers
If RunPlan is acquired or merged with another company, your information may be transferred as part of that transaction. You will be notified via email of any such change.
With Your Consent
We may share your data with third parties if you explicitly consent (e.g., connecting to additional services in the future).
6. Your Privacy Rights
You have the following rights regarding your personal information:
Right to Access
Request a copy of all personal data we hold about you. You can view your data anytime in your dashboard.
Right to Correction
Update or correct inaccurate information in your account settings.
Right to Deletion
Request permanent deletion of your account and all associated data. This can be done instantly from your account settings.
Right to Data Portability
Request your data in a machine-readable format (JSON/CSV export available from dashboard).
Right to Object
Object to processing of your data for specific purposes (e.g., opt out of analytics).
Right to Revoke Consent
Disconnect Garmin or Strava at any time from your dashboard. We immediately stop accessing your fitness data.
To exercise any of these rights, visit your account settings or contact us at privacy@runplan.fun. We will respond within 30 days.
7. Data Retention
We retain your personal information for as long as your account is active or as needed to provide our service:
- Active accounts: Data retained indefinitely while your account is active
- Inactive accounts: If you don't log in for 2+ years, we may send a reminder email. If no response after 3 years, your account may be deactivated
- Deleted accounts: When you delete your account, all personal data is permanently deleted within 30 days
- Legal requirements: Some data may be retained longer if required by law (e.g., transaction records, abuse reports)
You can delete your account anytime from your account settings. This action is immediate and irreversible.
8. Security Measures
We take comprehensive measures to protect your data:
Password Hashing
All passwords hashed with bcrypt (industry standard)
Token Encryption
OAuth tokens encrypted with AES-256 before storage
HTTPS Only
All traffic encrypted in transit using TLS 1.3
Regular Audits
Routine security audits and dependency updates
Access Controls
Row-level security ensures data isolation
Monitoring
Real-time monitoring for suspicious activity
Security Breach Notification: In the unlikely event of a data breach affecting your personal information, we will notify you via email within 72 hours of discovery, as required by GDPR and CCPA regulations.
9. Children's Privacy
RunPlan is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that we have inadvertently collected data from a child under 18, we will delete it immediately. If you believe we have collected information from a child, please contact us at privacy@runplan.fun.
10. International Users
RunPlan is operated from the United States. If you are accessing our service from outside the U.S., please be aware that your information will be transferred to, stored, and processed in the United States.
European Union (GDPR)
RunPlan complies with GDPR requirements for EU residents. You have the right to access, correct, delete, port, and object to processing of your data. To exercise these rights, contact us at privacy@runplan.fun.
California (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA). You may request disclosure of what personal information we collect, sell (we don't), and share. You may also request deletion of your data. To exercise these rights, email privacy@runplan.fun with "CCPA Request" in the subject line.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make significant changes, we will:
- Update the "Effective Date" at the top of this page
- Notify you via email at the address associated with your account
- Display a prominent notice on our website for 30 days
Your continued use of RunPlan after changes become effective constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
Contact Information
We aim to respond to all privacy inquiries within 30 days.
This Privacy Policy was last updated on February 6, 2026.
By using RunPlan, you acknowledge that you have read and understood this Privacy Policy.