This document is a placeholder describing the real shape of our data practices. It has not been reviewed by legal counsel and must not be relied upon as a binding privacy policy until that review is complete.
1. Who we are
Run Buddy (“we”, “us”) is an AI-powered running training app. This policy explains what data we collect when you use the service at runbuddyai.com, why we collect it, and the rights you have over it.
2. Data we collect
We collect only what we need to operate the service:
Account data: email address, password (stored as a salted hash, never in plaintext), and an optional display name.
Profile & biometric data: age, weight, gender, and resting heart rate where you choose to provide it. These are used to calibrate training paces and workout prescriptions.
Training data: race history, weekly mileage, goal races, generated training plans, and individual workout records.
Activity data: runs you log manually or import via Strava — distance, duration, pace, heart rate, GPS-derived metrics, and any notes you attach.
Strava connection data: if you connect Strava, we store an OAuth access token and refresh token server-side, scoped to your account, used solely to fetch your activities on your behalf.
Operational data: request logs, error logs, and rate-limit counters tied to your account ID. We do not currently run third-party analytics or advertising trackers.
3. How we use your data
To generate and adapt your personalized training plan.
To compute fitness metrics (VDOT, pace zones, weekly load).
To match logged activities against planned workouts and surface coaching feedback.
To authenticate you and prevent abuse (rate limiting, audit logging).
To send you transactional email related to your account (e.g. password reset). We do not send marketing email without explicit opt-in.
4. Third parties we share data with
We share the minimum data needed to deliver core functionality with the following processors:
Anthropic (Claude API):when you generate or adapt a plan, we send relevant training context — fitness tier, age bracket, goal race, recent workouts, and your free-text feedback — to Anthropic's API to produce coaching output. We do not send your email, name, or password. See Anthropic's Privacy Policy.
Strava: if you connect Strava, we exchange an OAuth code with Strava and use the resulting tokens to fetch your activities. We do not write data back to Strava. See Strava's Privacy Policy.
Neon (PostgreSQL hosting):our database lives in Neon's managed Postgres service. All your account and training data is stored there, encrypted at rest. See Neon's Privacy Policy.
We do not sell your data. We do not share data with advertisers. We disclose data to law enforcement only when compelled by valid legal process.
5. Cookies & local storage
We use a single first-party authentication cookie (httpOnly, signed) to keep you signed in. We use browser localStorage to remember your theme preference and your cookie-banner choice. We do not load third-party analytics or advertising cookies unless you explicitly opt in.
6. Data retention
We retain your account and training data for as long as your account is active. When you delete your account, we delete your profile, biometrics, plans, workouts, and Strava tokens within 30 days. Aggregated, de-identified telemetry (e.g. error counts) may be retained longer for operational analysis. Backups are rotated on a standard cycle and purged within 90 days.
7. Your rights
Regardless of where you live, you can:
Access the data we hold about you.
Export your training plans and activity logs.
Correct any inaccurate profile or biometric data.
Delete your account, which permanently removes your data per section 6.
Disconnect Strava at any time, which revokes our tokens.
Residents of the EEA, UK, and California have additional rights under GDPR and CCPA respectively, including the right to object to processing and the right to data portability. Email us to exercise any of these rights — we respond within 30 days.
8. Security
Passwords are hashed with bcrypt. Session cookies are signed, httpOnly, and Secure in production. All traffic is served over HTTPS. Database connections are TLS-encrypted. Anthropic API calls are made server-side; your API key and Strava tokens are never exposed to the browser.
9. Children
Run Buddy is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
10. Changes to this policy
We will update the “Last updated” date when this policy changes. Material changes will be communicated via email or an in-app notice before they take effect.