Legal

Privacy Policy

Effective date: [TO COMPLETE] · Last updated: May 10, 2026

Plain Language Summary

ClarityRun is currently operated on an individual basis by [TO COMPLETE: first name and last name] as a beta project. The Service collects only the data needed to create your account, connect Strava, import and analyze your activities, generate debriefs and reports, manage subscriptions, provide support, secure the Service, and improve reliability.

The Service uses Stripe for payments and OpenRouter for production LLM processing. Personal data is not sold to third parties. The Publisher does not intentionally use Strava data or User Content to train ClarityRun AI or machine learning models. Several legal, retention, hosting, and provider details still need confirmation before publication.

1. Introduction

This Privacy Policy explains how [TO COMPLETE: first name and last name], acting as the individual publisher and data controller (the "Publisher", "Controller", "ClarityRun", "we", "us", or "our"), collects, uses, stores, shares, and protects personal data when you use ClarityRun, including our website, application, Strava integration, post-run debriefs, deep analysis reports, paid features, support, and related services (the "Service").

ClarityRun is currently operated on an individual basis as a beta project. If a legal entity is created later to operate the Service, this Privacy Policy may be updated to identify the new controller, contact details, and effective date of the change.

This Policy is intended to cover users in the European Union and other countries where data protection laws may apply. If the General Data Protection Regulation ("GDPR") applies, this Policy provides information required under Articles 13 and 14 GDPR.

2. Data Controller

The data controller is currently the individual Publisher:

  • Name: [TO COMPLETE: first name and last name]
  • Status: individual publisher of a beta SaaS project, not an incorporated operator unless this Policy is later updated.
  • Country of residence or establishment: [TO COMPLETE: country]
  • Address or legally required contact details: [TO COMPLETE: address or legally required contact information]
  • Privacy contact: support@clarityrun.tech or [TO COMPLETE: privacy email if different]

Data Protection Officer: [TO COMPLETE: DPO name/contact if appointed, or state "not appointed"].

3. Personal Data Management During Beta

ClarityRun is currently operated on an individual basis as a project in beta testing. Data collection is limited to information that is strictly necessary for the operation of the Service, including:

  • email address;
  • login and authentication information;
  • Service usage data;
  • content voluntarily provided by the user;
  • Strava-authorized activity data and training context needed to provide the Service.

This data is used only to:

  • allow access to the Service;
  • ensure the application works properly;
  • improve the user experience during beta;
  • prevent abuse and secure the Service;
  • respond to support requests;
  • generate the activity analysis and debriefs requested by users.

Personal data is not sold to third parties.

4. Personal Data We Collect

Depending on how you use the Service, we may collect the following categories of personal data:

  • Account data: email address, username, password authentication data, account settings, account status, and timestamps.
  • Profile and athlete context: resting heart rate, maximum heart rate, heart-rate zone preferences, race sport, race distance, race elevation, race date, target time, athlete notes, and other context you choose to provide.
  • Connected account data: Strava athlete ID, access token, refresh token, token expiry, profile photo URL, and authorization status.
  • Activity data: activity source, external activity ID, activity type, start date and time, distance, moving time, elapsed time, elevation gain, minimum and maximum elevation, average and maximum heart rate, cadence, speed, route summary polyline, stream metrics, and deletion status.
  • Analysis data: debrief status, observations, explanations, corrections, session reads, historical reads, next actions, proposed next sessions, watch signals, coach questions, confidence labels, baseline snapshots, token usage, reports, uploaded export files, and analysis errors.
  • Feedback data: helpfulness rating, reason code, optional comments, and feedback timestamps.
  • Billing data: Stripe customer ID, Stripe subscription ID, plan, subscription status, current billing period end, and payment-related metadata. Full card numbers are handled by Stripe and are not stored by ClarityRun.
  • Usage and analytics data: user events such as debrief views, returns, sync completion, feedback submission, founder outreach events, metadata, and timestamps.
  • Technical and security data: IP address, browser or device information, session cookies, CSRF cookies, logs, request metadata, and security events. Exact log content and retention must be confirmed.
  • Support and communication data: messages you send to us, support requests, email communication status, and related metadata.
  • Other data: [TO COMPLETE: any other data categories collected in production].

5. Data Provided by the User

You provide data when you create an account, fill out profile or settings fields, enter athlete notes, set race goals, submit feedback, upload exports, contact support, subscribe to a paid plan, or otherwise interact with the Service.

You should only provide personal data that is accurate, lawful, and relevant to your use of the Service.

6. Data Collected Automatically

We may automatically collect technical, usage, analytics, and security data when you access the Service. This may include IP address, pages viewed, actions taken, timestamps, session identifiers, browser information, device information, and diagnostic logs.

The current codebase records product events in the application database. Additional production analytics, monitoring, hosting, or logging tools must be listed in the "Processors" section once confirmed.

7. Cookies and Similar Technologies

The Service uses cookies and similar technologies that are necessary for authentication, session management, CSRF protection, security, and account functionality. The production settings use secure, HTTP-only session cookies and CSRF protection.

Analytics, marketing, preference, or third-party cookies are [TO COMPLETE: confirm whether used]. If non-essential cookies are used for users in the EU, UK, or other consent-based jurisdictions, we will provide a cookie banner or consent mechanism where required by law.

8. Purposes of Processing

We process personal data for the following purposes:

  • creating and managing user accounts;
  • authenticating users and securing sessions;
  • connecting Strava and importing authorized activity data;
  • displaying activities, insights, debriefs, and reports;
  • generating post-run analysis and deep analysis reports;
  • managing subscriptions, checkout, billing status, and customer portals;
  • providing support and responding to requests;
  • sending service emails and, where applicable, product or founder outreach communications;
  • collecting feedback and improving product reliability;
  • monitoring usage, preventing abuse, and protecting security;
  • complying with legal, tax, accounting, and regulatory obligations;
  • enforcing our Terms and protecting our rights;
  • other purposes: [TO COMPLETE].

9. Legal Bases Under GDPR

Where GDPR applies, we rely on the following legal bases:

  • Contract: to create and manage your account, provide the Service, connect integrations, generate analysis, manage subscriptions, and provide support.
  • Consent: for optional cookies, optional marketing communications, optional profile information where required, and any processing that legally requires consent.
  • Legitimate interests: to secure the Service, prevent abuse, troubleshoot, improve reliability, understand usage, respond to non-contractual requests, and protect legal rights, where those interests are not overridden by your rights.
  • Legal obligation: to comply with tax, accounting, consumer, payment, data protection, and regulatory obligations.
  • Explicit consent or another Article 9 condition: [TO COMPLETE if health or sensitive data is classified as special category data in the applicable jurisdiction].

10. Sharing Personal Data With Third Parties

Personal data is not sold. The Controller may share personal data with service providers, processors, integration providers, payment providers, infrastructure providers, professional advisers, authorities, or other parties where necessary for the purposes described in this Policy.

We may also disclose data if required by law, court order, government request, or to protect the rights, safety, and security of ClarityRun, users, third parties, or the public.

11. Processors and Service Providers

The Service may use the following categories of processors or third-party services:

  • Hosting and infrastructure: [TO COMPLETE: provider and hosting country]
  • Database: PostgreSQL hosted by [TO COMPLETE]
  • Queue and background processing: Redis hosted by [TO COMPLETE]
  • Object storage: S3-compatible storage, currently documented as Garage, hosted by [TO COMPLETE]
  • Payments: Stripe
  • Activity integration: Strava
  • AI and LLM routing: OpenRouter in production
  • Email delivery: SMTP provider and/or Resend, depending on production configuration: [TO COMPLETE]
  • Analytics: in-app analytics plus [TO COMPLETE: any third-party analytics]
  • Monitoring and logs: [TO COMPLETE]
  • Support or CRM: [TO COMPLETE]
  • Other providers: [TO COMPLETE]

Before publication, this list should be verified against the actual production infrastructure, data processing agreements, and provider privacy terms.

12. International Data Transfers

Your personal data may be processed in countries other than your country of residence, including outside the European Economic Area, depending on our hosting, payment, email, analytics, support, and AI providers.

Where GDPR applies and personal data is transferred outside the EEA to a country without an adequacy decision, we will rely on appropriate safeguards such as Standard Contractual Clauses, provider participation in an applicable adequacy framework, supplementary measures, or another lawful transfer mechanism.

Specific transfer mechanisms for each provider: [TO COMPLETE].

13. Data Retention

We retain personal data only as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required or permitted by law. Current retention rules must be confirmed before publication.

Indicative retention periods:

  • Account data: while the account is active, then [TO COMPLETE: deletion or retention period] after account deletion.
  • Activity data, debriefs, reports, athlete notes, race goals, and analysis data: while the account is active, then [TO COMPLETE] after deletion or disconnection, unless earlier deletion is requested and legally required.
  • Strava tokens: while the Strava account remains connected, then deleted or invalidated after disconnection or deletion where technically feasible.
  • Billing records and invoices: [TO COMPLETE: legal accounting/tax retention period].
  • Security logs and technical logs: [TO COMPLETE: number of days/months].
  • Support communications: [TO COMPLETE].
  • Marketing consent records: [TO COMPLETE].

14. Data Security

We use reasonable technical and organizational measures designed to protect personal data, including authentication, password hashing through Django authentication, CSRF protection, secure production cookies, HTTPS enforcement in production, restricted access controls, and operational security practices.

No method of transmission or storage is completely secure. You are responsible for keeping your credentials confidential and reporting suspected unauthorized access.

15. Your Rights

Depending on your location and applicable law, you may have the right to:

  • access your personal data;
  • correct inaccurate or incomplete data;
  • request deletion of your data;
  • object to certain processing;
  • restrict certain processing;
  • receive a portable copy of your data;
  • withdraw consent where processing is based on consent;
  • object to direct marketing;
  • lodge a complaint with a data protection authority.

These rights may be limited by law, including where we need to retain data for legal, security, accounting, dispute, or fraud prevention reasons.

16. How to Exercise Your Rights

To exercise your rights, contact support@clarityrun.tech or [TO COMPLETE: privacy email if different]. Please contact us from the email address linked to your account where possible.

We may need to verify your identity before responding. If GDPR applies, we aim to respond within one month, unless an extension is permitted by law.

17. Account Deletion

You can request deletion of your ClarityRun account, imported Strava activities, reports, or other personal data by emailing support@clarityrun.tech. You can also review the Data Deletion page.

You may revoke ClarityRun access from your Strava account settings at any time. After revocation, ClarityRun will no longer import new Strava activities unless you reconnect. Some limited records may be retained where required for security, legal, billing, compliance, or dispute purposes.

18. Children's Data

The Service is not intended for users under [TO COMPLETE: minimum age]. We do not knowingly collect personal data from children below the applicable minimum age. If you believe a child has provided personal data unlawfully, contact us so we can take appropriate action.

19. AI Processing

ClarityRun uses AI to generate post-run debriefs and analysis reports. In production, LLM processing is routed through OpenRouter. Data sent for AI processing may include structured activity data, recent training history, baseline snapshots, athlete notes, race goals, user feedback, and other context needed to produce the requested analysis.

The Publisher does not intentionally use your Strava data or User Content to train ClarityRun AI or machine learning models. Whether OpenRouter or downstream model providers use submitted data for their own model training is [TO COMPLETE: verify production provider settings, data processing terms, and opt-out configuration].

AI-generated outputs may be inaccurate or incomplete and should not be treated as medical advice or a substitute for a qualified professional.

20. Newsletter and Marketing Communications

We may send service-related emails that are necessary for account operation, security, billing, support, or product use. We may also send marketing, founder outreach, newsletter, or product update communications where permitted by law or where you have consented.

You may opt out of marketing communications by using the unsubscribe method provided or by contacting us. You may still receive service-related communications.

21. Analytics

We use analytics to understand product usage, improve reliability, detect abuse, and make the Service more useful. The current application records internal user events such as debrief views, user returns, first sync completion, feedback submission, and outreach status.

Third-party analytics tools, if any, are [TO COMPLETE]. If consent is required for analytics cookies or identifiers, we will request consent where required by law.

22. Legal Obligations

We may process or retain personal data to comply with tax, accounting, billing, consumer protection, payment, data protection, security, and regulatory obligations, and to establish, exercise, or defend legal claims.

23. Data Breach

If we become aware of a personal data breach, we will assess the risk and take appropriate steps required by applicable law. Where GDPR applies, we will notify the competent supervisory authority and affected individuals when legally required.

24. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify you, such as by posting the updated Policy, updating the date above, emailing account holders, or displaying an in-product notice.

25. Privacy Contact

For privacy questions or requests, contact: support@clarityrun.tech or [TO COMPLETE: privacy email if different].

26. Competent Supervisory Authority

If GDPR applies, you have the right to lodge a complaint with a supervisory authority in the EU member state where you live, work, or where you believe an infringement occurred.

Main supervisory authority for ClarityRun: [TO COMPLETE: CNIL if the Publisher is established in France, ICO if the Publisher is established in the UK, or other competent authority based on the Publisher's residence or establishment].

Legal Annexes

Missing Information Checklist

  • Publisher's first name and last name, country of residence or establishment, and address or legally required contact details.
  • Whether a legal entity is later created to operate the Service, and if so, its legal information and effective transfer date.
  • Official website URL, legal contact email, privacy contact email, and DPO status.
  • Target countries, minimum user age, governing law, and competent courts.
  • Exact pricing model, free trial terms, cancellation path, and refund policy.
  • Confirmed production hosting provider, hosting country, database provider, Redis provider, storage provider, monitoring provider, support provider, email provider, analytics provider, and CRM provider.
  • Confirmed cookie inventory, including necessary, analytics, marketing, and preference cookies.
  • Exact data retention schedule for account data, Strava data, analysis data, billing records, logs, support messages, and marketing records.
  • Confirmed OpenRouter and downstream model-provider data processing terms, training opt-out status, retention, and international transfer mechanisms.
  • Whether a public API exists or is planned, including rate limits and API-specific terms.
  • Whether Garmin or any future integration is live in production, since the model includes a Garmin source but the current documented integration is Strava.

GDPR Checklist

  • Map all personal data categories and processing purposes.
  • Confirm the individual controller identity and whether a DPO is required.
  • Define legal bases for each purpose, including any special category data analysis for health or fitness data.
  • Sign data processing agreements with processors and list subprocessors.
  • Document international transfer mechanisms, including SCCs where needed.
  • Create a retention schedule and deletion workflow.
  • Implement a rights-request workflow with identity verification and response deadlines.
  • Verify cookie consent requirements and deploy a compliant consent mechanism if non-essential cookies are used.
  • Complete a security risk review and incident response process.
  • Consider whether a DPIA is required because the Service processes detailed fitness, heart-rate, location-derived, and AI-analyzed data.
  • Confirm marketing consent and unsubscribe flows.
  • Confirm Strava API compliance, including deletion, display, and data-use obligations.

Clauses to Review With a Lawyer

  • Fitness and health disclaimer, especially if the product gives training recommendations.
  • Limitation of liability and liability cap, especially for consumer users.
  • Refund, cancellation, renewal, and withdrawal rights.
  • Governing law, jurisdiction, and consumer protection carve-outs.
  • AI processing clause, including OpenRouter and downstream providers.
  • Special category data and health data qualification under GDPR and local laws.
  • International transfers and processor agreements.
  • Indemnification clause for consumer versus professional use.
  • Account suspension and termination rights.
  • Strava API compliance and connected-account deletion obligations.

Terms of Service Short Summary

Users may use ClarityRun to import and analyze their own running data. They must use the Service lawfully, protect their account, respect third-party rights, and understand that ClarityRun provides informational training insights only. Paid features are billed through Stripe. ClarityRun owns the software; users keep their own content and grant ClarityRun the limited rights needed to provide the Service.

Privacy Policy Short Summary

ClarityRun processes account data, Strava-authorized activity data, training context, analysis outputs, payment metadata, usage events, and support communications to operate and improve the Service. Production AI processing uses OpenRouter. Users can request access, correction, deletion, portability, objection, restriction, and withdrawal of consent where applicable.

Specific SaaS Risk List

  • Fitness recommendations may be interpreted as medical, injury-prevention, or coaching advice.
  • Heart-rate, training, and route-related data may be sensitive or location-derived personal data.
  • AI outputs may be inaccurate, generic, or over-relied on by users.
  • OpenRouter may route data to downstream model providers, requiring careful provider and transfer review.
  • Strava API terms may impose specific restrictions on storage, deletion, display, and data reuse.
  • Subscription renewals and refunds may trigger consumer protection obligations in the EU and other markets.
  • International users may create multi-jurisdiction privacy and consumer law obligations.
  • Uploaded export files may contain more personal data than expected, including historical, location, device, and performance data.
  • Account deletion must be coordinated across the app database, object storage, queues, logs, Stripe records, Strava tokens, and AI-provider retention where applicable.
  • Non-essential cookies or marketing outreach may require consent and unsubscribe controls.