Privacy Policy

Privacy Policy

We are very pleased about your interest in our application. Data protection is of particularly high importance for the management of PaceMind. The use of the PaceMind websites is generally possible without any indication of personal data. However, if a data subject wants to use special services provided by our company via our website, the processing of personal data may become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the consent of the data subject.

Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation (GDPR), other applicable data protection laws in EU member states, and other data protection provisions is:
Elmar Braun, PaceMind
Niederrheinstr. 8a
40474 Düsseldorf
Germany

Data Protection Officer

We are not obligated to appoint a dedicated data protection officer. Please contact elmar@pacemind.io if needed.

Collection of General Data and Information

Strava Connection Data

When you connect your Strava account, we request access via Strava's OAuth2 authentication to the following data:

Your public profile information (e.g., athlete ID, profile picture URL).

Your activity data, including details such as type, name, date, distance, duration, pace/speed, elevation, heart rate, and calories. Access token to retrieve this data on your behalf. List of relevant scopes: `read`, `activity:read_all`, `profile:read_all` This data is retrieved directly from Strava and used to provide the core functionalities of the app, such as displaying your activities and enabling AI-powered analysis.

Profile Data You Provide

Within the app settings, you may optionally provide additional personal information to enhance AI analysis, such as:

• Fitness goals (e.g., "improve 5km time").
• Additional self-entered notes for the AI coach.

Application Usage Data

We may collect technical information about your device and your interaction with our app (e.g., feature usage, error logs) to improve performance and user experience. This data is typically aggregated and anonymized.

Purpose of Data Processing

Providing, maintaining, and improving the PaceMind application and its features. Displaying your Strava activities and related statistics. Enabling AI-based analysis of your activities to deliver insights and recommendations. Personalizing AI feedback when you provide specific fitness goals or profile data.

Legal Basis for Processing

We process your personal data based on the following legal grounds:

Your consent (Art. 6 para. 1 lit. a GDPR) for connecting your Strava account, providing optional profile data, and opting in to anonymous data sharing. The necessity of fulfilling a contract with you (Art. 6 para. 1 lit. b GDPR) to provide the core functions of the app when you use the service. Our legitimate interests (Art. 6 para. 1 lit. f GDPR) in improving our services, ensuring security, and analyzing aggregated, anonymized data.

Data Storage and Retention

Strava access and refresh tokens are stored in your browser's `localStorage`. They are deleted when you explicitly disconnect from Strava in the app or when token validation fails.

Settings data (selected time range, fitness goals, opt-in status for anonymous data, anonymous user ID) are stored in your browser's `localStorage` to facilitate your use of the app and remain until you clear your browser data or change your settings.

Data Sharing and Third Parties

We do not sell your personal data. We only share data with the following third parties necessary for providing our service:

• View on Strava: We interact with the Strava API to fetch your activity data after you authorize the connection.
• Google Cloud Platform (Firebase & Genkit AI): We use Firebase Firestore to store anonymized activity data (if you consent). We use Genkit, which utilizes Google AI models (such as Gemini), to perform activity analysis. Your activity and profile data (if provided for analysis) are sent to these AI models for processing. Google's terms and privacy policy apply to their services.
• Genkit AI Models: User requests and relevant activity/profile data are sent to AI models via Genkit for analysis. These models process the data to generate insights and recommendations.

We are not responsible for the privacy practices of these third parties. We recommend reading their privacy policies.

Cookies and Local Storage

This application uses your browser's `localStorage` to store your preferences (time range, fitness goals, opt-in settings, anonymous ID) and Strava authentication tokens. `localStorage` allows local data storage in your browser without an expiration date. These data are not automatically deleted when you close your browser but can be removed via your browser settings.

We do not use tracking cookies for advertising purposes. Standard features from Next.js and Firebase may use essential cookies for session management or performance, but not to track you across websites.

Your Privacy Rights

According to the GDPR, you have several rights concerning your personal data:

• Right of access: You have the right to request information about the personal data we store about you.
• Right to rectification: You have the right to request the correction of inaccurate personal data.
• Right to erasure ("right to be forgotten"): You have the right to request the deletion of your personal data under certain conditions.
• Right to restrict processing: You have the right to request the restriction of processing your personal data under certain conditions.
• Right to data portability: You have the right to receive your personal data provided to us in a structured, commonly used, and machine-readable format.
• Right to object: You have the right to object to the processing of your personal data under certain conditions.
• Right to withdraw consent: If processing is based on your consent, you have the right to withdraw your consent at any time.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority.

Data Security

We take appropriate technical and organizational measures to protect your data from unauthorized access, loss, or alteration. However, no internet transmission is 100% secure.

Children's Privacy

Our service is not intended for individuals under the age of 16 (or a higher age if set by local laws). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us.

Updates to This Privacy Policy

We may update this privacy policy from time to time. We will inform you about significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy regularly.

Contact Us

If you have any questions about this privacy policy or our data practices, please contact us at: