Privacy Policy

1. Introduction

Outrunr ("we", "our", or "us") is a AI-powered running coach mobile application. This Privacy Policy explains what data we collect, why we collect it, how it is stored and secured, and your rights over that data.

By using the Outrunr app you agree to the practices described in this policy. If you do not agree, please discontinue use of the app.

2. Data We Collect

3. How We Use Your Data

• Coaching & Analysis — generating personalised training plans, pace targets, and post-run insights using your fitness history.
• Account Sync — backing up your runs, shoes, and plans to the cloud so they are available across devices and after reinstallation.
• Notifications — sending training reminders and streak alerts at times you configure.
• Strava Integration — uploading your completed activities to Strava when you connect your account (see Section 5).
• App Improvement — understanding how features are used and resolving crashes via anonymised analytics.

We do not use your data for advertising, and we do not sell, rent, or trade your personal information to any third party.

4. Data Storage & Security

Your run history, training plans, and profile are stored locally on your device using an encrypted database (Isar) and are synchronised to Google Firebase (Firestore) when you are online and signed in.

Strava OAuth access tokens are stored exclusively in the iOS Keychain or Android Keystore — never in plaintext storage — using the highest available security tier for each platform.

All data transmitted to Firebase and Strava is sent over HTTPS (TLS 1.2+). Firebase infrastructure is hosted in Google data centres and subject to Google's security certifications (ISO 27001, SOC 2 Type II).

5. Strava Integration

Outrunr offers optional integration with Strava. If you connect your Strava account, the following applies:

• We request the activity:write and read scopes, which allow us to upload completed runs as activities on your behalf.
• Uploaded activities include GPS route, distance, duration, heart rate, cadence, elevation, and activity type — structured in the TCX format.
• Strava runs under its own privacy policy, available at strava.com/legal/privacy.
• You can disconnect Strava at any time from the Outrunr Settings screen. Disconnecting immediately deletes your Strava tokens from the device. Previously uploaded activities remain on Strava and must be deleted there directly.
• Runs flagged as Stealth Mode within Outrunr are never uploaded to Strava, regardless of connection status.

6. Third-Party Services

The app uses the following third-party services, each with their own privacy policies:

• Google Firebase (Firestore, Analytics, Crashlytics, Authentication, Storage) — data sync, crash reporting, and analytics.
• Google Maps & Roads API — mapping your run routes and analysing terrain. Route coordinates are sent to Google for terrain classification only and are not stored by Google beyond the API response.
• Google Sign-In — account authentication.
• Strava — optional activity upload (see Section 5).

7. Location Data

Outrunr requests precise (GPS) location permission while a run is in progress. On Android, background location is requested so the run continues tracking when the screen is off or you switch apps. Location data is stored as a sequence of coordinates forming your run route.

We do not track your location outside of an active run session. You can revoke location permission at any time in your device settings, though this will prevent the GPS run-tracking feature from functioning.

8. Health Data

On iOS, Outrunr may request access to Apple HealthKit to read heart rate data from a paired Apple Watch. On Android, we may request Health Connect access for the same purpose.

Health data read from HealthKit or Health Connect is used only within the app for coaching analysis. It is not uploaded to any server other than your own Firestore account, and is never shared with third parties without your explicit consent.

9. Children's Privacy

Outrunr is not directed at children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Your Rights

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data via the in-app profile settings.
• Delete your account and all associated data by contacting us at the address below. We will complete deletion within 30 days.
• Export your run data (all runs are stored locally on-device and can be accessed directly).
• Withdraw consent for Strava at any time via Settings → Strava → Disconnect.

Depending on your jurisdiction, you may have additional rights under GDPR, CCPA, or other applicable privacy laws. To exercise any right, contact us using the details in Section 12.

11. Data Retention

We retain your run data and profile for as long as your account is active. Anonymised, aggregated analytics data (crash reports, usage events) may be retained for up to 24 months to inform product improvements.

If you delete your account, all personally identifiable data is removed from our Firebase databases within 30 days. Locally-stored data on your device is deleted when you uninstall the app.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact:

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, the "Last updated" date at the top of this page will change. We encourage you to review this page periodically. Continued use of the app after changes constitutes acceptance of the updated policy.