Introduction
Welcome to RunTree. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our running analytics platform.
Information We Collect
1. Information You Provide
- Account Information: Name, email address, and profile handle when you sign up via Google OAuth
- Profile Data: City, country, bio, social media links, and profile customization preferences
- Race Information: Race names, dates, distances, finish times, and race photos you manually enter
- Communication Preferences: Email delivery settings, timezone, and opt-in preferences for weekly coaching reports
2. Information from Third Parties
- Strava Data: When you connect your Strava account, we access your running activities including distance, duration, pace, elevation, heart rate, GPS data, and other activity metrics (33+ data points per activity)
- Google Account: Basic profile information (name, email, profile picture) when you authenticate via Google
3. Automatically Collected Information
- Usage Data: Pages visited, features used, and interaction patterns
- Device Information: Browser type, operating system, and device identifiers
- Analytics: We use Vercel Analytics to understand how users interact with our platform
How We Use Your Information
- Provide Core Services: Display your running activities, generate performance analytics, and create public profile pages
- AI Coaching: Analyze your training data using OpenAI GPT-4o-mini to provide personalized weekly coaching insights and recommendations
- Email Communications: Send weekly coaching reports via Resend when you opt in
- Sync Activities: Automatically sync your Strava activities and refresh authentication tokens
- Improve Our Service: Analyze usage patterns to enhance features and user experience
- Process Subscriptions: Manage premium subscriptions via Polar.sh
- Store Images: Upload and host profile and race photos via Cloudinary
Data Storage and Security
Your data is stored securely in a PostgreSQL database hosted by NeonDB with industry-standard encryption. We implement the following security measures:
- Encrypted database connections
- Secure authentication via BetterAuth with OAuth 2.0
- Encrypted Strava tokens with automatic refresh mechanisms
- CSRF protection in OAuth flows
- Limited OAuth scopes to minimize data access
- CodeQL security scanning for code vulnerabilities
- Type-safe database queries using Drizzle ORM
Public Information
Your profile page (accessible at runtree.com/[your-handle]) is public by default and displays:
- Profile information (name, bio, location, social links)
- Recent running activities from Strava
- Race results and photos
- Performance statistics and analytics
You can customize what appears on your public profile through your customization settings.
Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Correction: Update or correct your profile information
- Deletion: Request deletion of your account and associated data
- Export: Download your data in a portable format
- Opt-Out: Unsubscribe from weekly coaching emails at any time
- Disconnect: Revoke Strava access through your account settings
Data Retention
We retain your data for as long as your account is active. If you delete your account, we will permanently delete your personal data within 30 days, except where we are required to retain it for legal obligations. Strava activity data is cached for performance; disconnecting Strava will stop new syncs, but historical data remains until account deletion.
Cookies and Tracking
We use essential cookies for authentication and session management via BetterAuth. We also use Vercel Analytics to understand usage patterns. These services may set cookies in your browser. You can control cookies through your browser settings.
Children's Privacy
RunTree is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information.
International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.
Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.
Contact Us
If you have questions about this privacy policy or wish to exercise your rights, please contact us at:
Email: contact@runtr.ee