Privacy Policy

Last updated: April 2026

Your privacy matters to us. This policy explains, in plain language, what data we collect, how we use it, who we share it with and what rights you have over it. It applies to runningwithai.run and all associated services. By using RunningWithAI, you agree to this policy.

1. Data Controller

Personal data collected through this site is controlled by RunningWithAI ("we", "our"). For privacy questions, contact us at privacy@runningwithai.run. Our Data Protection Officer replies in English and Portuguese.

2. Data We Collect

We collect three types of data. (a) Account data: when you sign up we store your name, email, profile photo (via Google Sign-In) and a unique user identifier. (b) Training data: runs you log manually or sync via Strava: distance, time, pace, date, route (if you choose to share), rate of perceived exertion. (c) Technical data: anonymised IP address, device type, browser, pages visited, referring source. We do not collect sensitive data such as medical records or financial information.

3. Legal Basis for Processing (GDPR)

We process your data based on: (a) Consent: when you subscribe to the newsletter or accept non-essential cookies. (b) Contract performance: to provide the services to you (dashboard, training plans, calculators). (c) Legitimate interest: for aggregated anonymous analytics, fraud detection and security. You can withdraw consent at any time.

4. How We Use Your Data

We use your data exclusively to: personalise training plans via AI algorithms, send you communications you requested (newsletter, training reminders, transactional emails), improve the platform based on aggregated usage, detect and prevent abuse, comply with legal obligations. We do not use your data for advertising profiling outside our own site.

5. Sharing with Third Parties / Subprocessors

We do not sell or rent personal data. We share strictly necessary data with subprocessors operating our service: (a) Google Firebase (Authentication, Firestore, Cloud Functions): primary subprocessor, data in EU data centres. (b) Vercel (hosting and anonymised analytics). (c) Strava API: only if you link your Strava account to sync runs. (d) Google AdSense: advertising cookies (you can opt out in your Google account). (e) Transactional email provider (Resend or similar). All subprocessors have signed Data Processing Agreements (DPAs) aligned with GDPR.

6. Data Retention

We keep your data while your account is active. If you delete your account, we erase your identifiable personal data within 30 days, except where legal retention obligations apply (e.g. tax records for 10 years, if applicable). Backups rotate within 90 days. Fully anonymised analytics data may be retained indefinitely.

7. Cookies and Similar Technologies

We use three categories of cookies: (a) Essential: required for login and core functionality; no consent needed. (b) Analytics: Vercel Analytics (anonymised, no fingerprinting). (c) Advertising: Google AdSense cookies; loaded only after your consent and manageable via your Google account or https://adssettings.google.com. You can delete cookies in your browser at any time; some features will stop working if you delete essential ones.

8. Your Rights (GDPR, CCPA, LGPD)

If you are in the EU, UK, Brazil (LGPD) or California (CCPA), you have the right to: access your data, correct inaccurate data, erase data ("right to be forgotten"), restrict or object to processing, data portability (receive your data in a structured format), withdraw consent, lodge a complaint with a supervisory authority. To exercise any of these rights, email privacy@runningwithai.run with "GDPR Rights" in the subject; we respond within 30 days.

9. Children

RunningWithAI is not directed to children under 16. We do not knowingly collect data from minors. If we discover we have collected data from a minor without guardian consent, we will delete it immediately. If you are a guardian and suspect a minor in your care created an account without authorisation, contact privacy@runningwithai.run.

10. International Transfers

Your data is processed primarily in EU data centres. When subprocessors (Firebase, Vercel) process data outside the EU, they do so under Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring a level of protection equivalent to GDPR.

11. Data Breach Notification

In the event of a personal-data breach that poses a risk to your rights, we notify the relevant supervisory authority within 72 hours, as required by GDPR. If the breach poses a high risk, we will notify you directly by email without undue delay.

12. Security

We apply technical and organisational measures to protect your data: encryption in transit (TLS 1.3), encryption at rest with our cloud providers, strong authentication for administrative access, regular security reviews, principle of least privilege. No system is 100% secure, but we do our best.

13. Changes to This Policy

We may update this policy. Material changes will be announced on the site or by email at least 30 days before they take effect. The current version is always at runningwithai.run/privacy with the last-updated date at the top. Continued use of the service after a change constitutes acceptance of the new version.

14. Contact

For privacy questions, contact privacy@runningwithai.run. For other questions, contact hello@runningwithai.run. Typical response time: 48 hours on business days.