Privacy Policy

Effective Date: January 7, 2026

Last Updated: January 14, 2026

Business Status: Individual/Sole Proprietorship (Pre-Registration)

1. Introduction

OUTRUN ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services (the "Application" or "Service").

By using the Application, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use the Application.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

  • Email address
  • Username
  • Full name (optional)
  • Password (hashed and encrypted)

Health and Fitness Data:

  • Lactate readings (mmol/L values) - both manual entries and predicted values
  • Heart rate measurements
  • Temperature readings
  • Training session data
  • Journal entries (RPE, mood, sleep, soreness, notes)
  • Session participation records
  • Predictive algorithm data (used to improve predictions)
  • User profile data (for personalized predictions: max HR, lactate threshold HR, fitness level, etc.)

Profile Information:

  • Training preferences
  • Session notes and comments

2.2 Information Collected Automatically

Device Information:

  • Device type and operating system
  • App version
  • Unique device identifiers

Usage Data:

  • Session timestamps
  • Feature usage patterns
  • Error logs (anonymized)

Location Data:

  • Only if you enable location services for geofencing features
  • Used solely for session location tagging (optional)

2.3 Information from Third-Party Services

Garmin Health API (when connected):

  • Heart rate data
  • Pace and distance data
  • Activity summaries
  • Only collected with your explicit consent and OAuth authorization

Apple HealthKit / Google Fit (future integration):

  • Health metrics you choose to share
  • Only collected with your explicit permission

2.4 Predictive Algorithm Data

Data Used for Predictions:

  • Your historical lactate readings
  • Heart rate measurements (from manual entry or Garmin)
  • Time intervals between readings
  • Pace/distance data (when available)
  • Your user profile (max HR, lactate threshold HR, fitness level, sport type)
  • Individual baseline adjustments (calculated from your historical data)

How Predictions Work:

  • Predictions are generated using research-informed algorithms
  • Your data is used to personalize predictions for you
  • Predictions are estimates and should be verified with actual measurements
  • Algorithm improvements may use aggregated, anonymized data from all users

3. How We Use Your Information

We use the information we collect to:

3.1 Core Functionality

  • Provide and maintain the Application
  • Authenticate your account
  • Enable training session management
  • Store and display your lactate readings
  • Generate predictive lactate values using research-informed algorithms
  • Personalize predictions based on your profile and historical data
  • Generate analytics and insights from your training data
  • Facilitate coach-athlete interactions
  • Improve prediction accuracy over time using your historical data

3.2 Service Improvement

  • Analyze usage patterns (anonymized)
  • Improve app performance
  • Fix bugs and errors
  • Develop new features
  • Improve prediction algorithms using aggregated, anonymized data
  • Train machine learning models on anonymized historical data (with user consent)

3.3 Communication

  • Send service-related notifications
  • Respond to your inquiries
  • Provide customer support

3.4 Legal Compliance

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Protect our rights and safety

We do NOT:

  • Sell your personal data to third parties
  • Use your health data for advertising
  • Share your data with advertisers
  • Use your data for purposes beyond what is described in this policy

4. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on:

  • Consent: You provide explicit consent when creating an account and connecting third-party services
  • Contract Performance: Processing necessary to provide the services you requested (including predictive features)
  • Legitimate Interests: Improving our services, ensuring security, and enhancing prediction accuracy (with appropriate safeguards)
  • Legal Obligation: Compliance with applicable laws and regulations

Predictive Algorithm Processing:

  • Processing for predictions is necessary to provide the core functionality you requested
  • Personalization improves your user experience and prediction accuracy
  • Algorithm improvements using aggregated data serve legitimate interests in service enhancement
  • You can opt out of personalized predictions (though this may reduce accuracy)

5. Data Sharing and Disclosure

5.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties.

5.2 Limited Sharing

We may share your information only in the following circumstances:

With Your Consent:

  • When you explicitly authorize sharing (e.g., sharing session data with a coach)

Service Providers:

  • Hosting providers (data storage)
  • Analytics services (anonymized data only)
  • Payment processors (if applicable in the future)
  • All service providers are contractually bound to protect your data

Legal Requirements:

  • When required by law or legal process
  • To protect our rights, property, or safety
  • To comply with government requests

Business Transfers:

  • In the event of a merger, acquisition, or sale of assets
  • Your data would be transferred subject to this Privacy Policy

5.3 Session Data Sharing

Within Training Sessions:

  • Coaches can see aggregate data from sessions they create
  • Athletes can see their own data and session overviews
  • Other athletes' detailed data is not visible to other participants

6. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in Transit: All data transmitted between your device and our servers uses TLS/SSL encryption
  • Encryption at Rest: We use secure database hosting with encryption capabilities
  • Password Security: Passwords are hashed using industry-standard methods
  • Access Controls: Limited access to personal data on a need-to-know basis
  • Security Practices: We follow security best practices and update our systems regularly

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

7. Your Rights (GDPR & Data Protection)

You have the following rights regarding your personal data:

7.1 Right to Access

  • Request a copy of all personal data we hold about you
  • Access your data through the Application or by contacting us

7.2 Right to Rectification

  • Correct inaccurate or incomplete data
  • Update your profile information at any time

7.3 Right to Erasure ("Right to be Forgotten")

  • Request deletion of your account and all associated data
  • Data will be permanently deleted within 30 days (except where legally required to retain)

7.4 Right to Data Portability

  • Export your data in a machine-readable format (JSON)
  • Transfer your data to another service

7.5 Right to Withdraw Consent

  • Withdraw consent for data processing at any time
  • Disconnect third-party integrations (Garmin, etc.)
  • Note: Withdrawing consent may affect service functionality

7.6 Right to Object

  • Object to processing based on legitimate interests
  • Object to automated decision-making (predictive algorithms)

7.7 Right to Restrict Processing

  • Request temporary restriction of data processing under certain circumstances

7.8 Automated Decision-Making and Profiling

  • Predictive lactate values are generated using automated algorithms
  • These predictions are estimates based on your data and research-informed models
  • You have the right to:
    • Request human review of automated decisions
    • Express your point of view regarding automated processing
    • Contest automated decisions
  • Predictions do not significantly affect your legal rights or freedoms
  • You can always override predictions with manual entries

To exercise these rights, contact us at: peder@outrun.no

8. Data Retention

8.1 Active Accounts

  • We retain your data while your account is active
  • Data is retained as long as necessary to provide services

8.2 Deleted Accounts

  • Upon account deletion, data is marked for deletion
  • Permanent deletion occurs within 30 days
  • Some data may be retained longer if required by law (e.g., tax records)

8.3 Anonymized Data

  • Anonymized, aggregated data may be retained indefinitely for analytics
  • This data cannot be linked back to individual users

8.4 Backup Data

  • Backup copies are securely deleted according to retention schedule
  • Typically within 90 days of account deletion

8.5 Predictive Algorithm Data

  • Historical data used for predictions is retained while your account is active
  • This data enables personalized predictions and improves accuracy over time
  • Upon account deletion, prediction-related data is deleted with your account
  • Aggregated, anonymized data used for algorithm improvement may be retained indefinitely (cannot be linked to you)

9. Children's Privacy

9.1 Age Requirements

  • Users must be at least 13 years old to use the Application
  • Users in the European Economic Area (EEA) must be at least 16 years old
  • Users under 18 require parental or guardian consent

9.2 Parental Rights

  • Parents/guardians can request access to their child's account information
  • Parents/guardians can request deletion of their child's account
  • We do not knowingly collect data from children without consent

If we discover that we have collected data from a child without consent, we will delete the account immediately.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence. We implement appropriate safeguards where required:

  • Standard Contractual Clauses: Will be implemented when transferring data outside the EEA (if applicable)
  • Adequacy Decisions: We rely on adequacy decisions where applicable
  • Your Consent: By using the Application, you consent to such transfers
  • Current Setup: Data is primarily processed within the EEA (Fly.io Stockholm region)

11. Third-Party Services

11.1 Garmin Health API

  • When you connect your Garmin account, data is shared according to Garmin's Privacy Policy
  • You can revoke access at any time through the Application
  • We comply with Garmin Health API Terms of Service

11.2 Other Integrations

  • Future integrations (Apple HealthKit, Google Fit) will require your explicit consent
  • Each integration will have its own privacy policy
  • You can disconnect integrations at any time

11.3 Links to Third-Party Websites

  • Our Application may contain links to third-party websites
  • We are not responsible for the privacy practices of third parties
  • We encourage you to review their privacy policies

12. Cookies and Tracking Technologies

12.1 Cookies

  • We use essential cookies for authentication and session management
  • We do not use tracking cookies for advertising

12.2 Analytics

  • We use privacy-friendly analytics (anonymized data)
  • No personal identification information is shared with analytics providers

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time:

  • Material Changes: We will notify you via email or in-app notification
  • Effective Date: Changes become effective when posted
  • Continued Use: Continued use after changes constitutes acceptance
  • Previous Versions: Archived versions available upon request

We encourage you to review this Privacy Policy periodically.

14. Contact Information

14.1 Data Protection Officer

Email: peder@outrun.no
Response Time: We aim to respond within 48 hours for urgent matters, but cannot guarantee response times

14.2 General Privacy Inquiries

Email: peder@outrun.no
Support: peder@outrun.no

14.3 Regulatory Authority

Norwegian Data Protection Authority (Datatilsynet)
Website: https://www.datatilsynet.no
Phone: +47 22 39 69 00

You have the right to lodge a complaint with Datatilsynet if you believe your data protection rights have been violated.

15. Business Status

OUTRUN is currently operated as an individual project/sole proprietorship and is in the process of formal business registration in Norway. This Privacy Policy applies regardless of business structure and will be updated upon registration.

16. Governing Law

This Privacy Policy is governed by:

  • The laws of Norway
  • General Data Protection Regulation (GDPR)
  • Norwegian Personal Data Act (Personopplysningsloven)
  • Applicable international laws and treaties

Document Version: 1.1
Last Updated: January 14, 2026
Next Review: July 2026

This Privacy Policy is part of our commitment to transparency and data protection. We are committed to protecting your privacy and handling your data responsibly.