Privacy Policy

This Privacy Policy explains what personal data RunBoost collects, why we collect it, how we use it, who we share it with, and the rights you have over it. We take your privacy seriously, particularly because RunBoost processes data about your body, your training, and your location.

Effective date: 18 April 2026
Data controller:RunBoost B.V. ("RunBoost", "we", "us"), registered in the Netherlands.
Contact: support@runboost-app.com

Draft notice: this document is a working draft prepared to give legal counsel a head start. It has not been reviewed by a qualified lawyer. Do not rely on it as a final legal document.

1. Who we are

RunBoost is an AI-powered training-plan and coaching application for runners. The service is provided by RunBoost B.V., a company established in the Netherlands. When this policy refers to "the Service", it means the RunBoost mobile app, website, any associated APIs, and customer-support channels.

For the purposes of the EU/UK General Data Protection Regulation ("GDPR"), RunBoost is the data controller for the personal data described below, unless stated otherwise.

2. Data we collect

2.1 Account data

Name (first and last) and email address.
Password (stored only as a salted hash) or third-party sign-in identifiers.
Profile information you choose to provide (age, sex, weight, height, running experience, race goals).
Support correspondence you send us.

2.2 Training and health-related data

Some of the data RunBoost processes is, or could be used to infer, health-related information. Under Article 9 GDPR this may qualify as a special category of personal data. We process this data on the basis of your explicit consent, which you can withdraw at any time. The data includes:

Runs you log manually or that are synced from third-party services.
Heart rate, pace, cadence, power, stride, elevation, and similar metrics from your watch, phone or connected device.
Route data (GPS traces), start/end times and locations of activities.
Subjective inputs: perceived effort (RPE), mood, sleep quality, soreness, injury notes, symptoms.
Menstrual-cycle information, if you choose to share it to improve plan adaptation.

2.3 Data from connected services (e.g. Strava)

If you connect RunBoost to Strava, Apple Health, Google Health Connect, Garmin, Polar, COROS or similar platforms, we receive the activity and profile data those platforms make available via their APIs, based on the permissions you grant. We only request the scopes we need to build and adapt your plan. You can disconnect at any time inside the RunBoost app or in the third-party platform's settings.

Detailed commitments that apply specifically to Strava-sourced data are set out in Section 12 (Strava-specific commitments).

If any activity information displayed in the app was originally captured by a Garmin device and is shown to you via the Strava API, we attribute it to Garmin in accordance with Garmin's brand guidelines.

2.4 Device and usage data

Device model, OS version, app version, language, time zone.
IP address, approximate location derived from IP.
Crash logs, performance traces, and diagnostic events.
Feature usage (screens viewed, actions taken, notifications sent), used to improve the Service.

2.5 Payment data

Paid subscriptions are processed by our payment providers (e.g. Apple App Store, Google Play, Stripe). RunBoost does not receive or store your full card details. We do receive a transaction identifier, billing country, and subscription status.

2.6 Communications with our AI coach

Messages you send to the RunBoost AI coach are processed to generate responses and refine your plan. These messages, together with the model's responses, are stored in your account history. We describe AI processing in more detail in Section 8.

3. How we use your data (and the legal basis)

Purpose	Legal basis (GDPR)
Create your account and provide the Service (generate plans, sync activities, show progress).	Performance of a contract (Art. 6(1)(b)).
Process health-related data to personalise training, adapt load, and support injury recovery.	Explicit consent (Art. 9(2)(a)).
Take payment, prevent fraud, and meet tax/accounting obligations.	Contract and legal obligation (Art. 6(1)(b), (c)).
Send service notifications (plan updates, sync issues, security alerts).	Contract and legitimate interests (Art. 6(1)(b), (f)).
Send occasional product updates and newsletters.	Consent (Art. 6(1)(a)). You can unsubscribe anytime.
Debug, secure, and improve the Service; measure feature performance.	Legitimate interests (Art. 6(1)(f)).
Respond to legal requests and defend legal claims.	Legal obligation and legitimate interests.

4. Who we share data with

We do not sell your personal data. We share limited data only with:

Sub-processors acting on our instructions (cloud hosting, database hosting, email delivery, analytics, error monitoring, payment, customer support).
Connected services you authorise (e.g. Strava, Apple Health, Garmin); data flows both ways only to the extent you permit.
Our AI providers (e.g. Anthropic, OpenAI) for the sole purpose of generating coach responses. These providers are contractually bound never to train any model on your data, in any form, under any circumstances (see Section 8).
Authorities, where required by law, court order, or to protect rights, property, or safety.
A successor in case of a merger, acquisition, or asset sale, in which case we will notify you and ensure any successor honours this policy.

A current list of sub-processors is available at support@runboost-app.com on request.

5. International data transfers

RunBoost primarily stores data in the European Economic Area. Some sub-processors are located outside the EEA (for example, in the United States). When data is transferred outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses, adequacy decisions where available, and additional technical safeguards (such as encryption in transit and at rest).

6. How long we keep your data

Strava data: cached for no longer than seven (7) days, as required by the Strava API Agreement. After that we re-fetch from Strava as needed. Strava data is deleted from our systems when you disconnect Strava or delete your account (see Section 12).
Account and non-Strava training data: while your account is active, and up to 24 months after deletion or account closure, unless a shorter period is required.
Backups: purged on a rolling basis (typically within 35 days).
Invoices and tax records: 7 years (Dutch legal requirement).
Support tickets: up to 3 years after last contact.
Analytics and diagnostic data: typically aggregated or de-identified within 14 months. Strava data is never included in analytics or aggregated datasets.

You can request immediate deletion at any time (see Section 9). We may retain a minimal record that you exercised this right.

7. Security

We use industry-standard safeguards, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, least-privilege principles, and regular vulnerability testing. No system is perfectly secure. If we become aware of a personal data breach likely to result in a risk to your rights, we will notify you and the relevant supervisory authority as required by law.

8. AI coaching and model training

Your messages to the RunBoost AI coach are sent to our AI providers solely in order to generate a response. We minimise what we send, typically the conversation and the plan context needed to answer the question.

No AI training, ever. No opt-in. RunBoost does nottrain, fine-tune, evaluate, or otherwise use any personal data, any training data, any health-related data, any AI-coach conversation, any Strava-sourced data, or any other user data to develop artificial-intelligence, machine-learning, or similar models, whether our own or a third party's, whether identifiable, pseudonymised, de-identified, or aggregated. There is no opt-in mechanism to allow this. We will never ask you to consent to it, and we will not introduce one in the future. If this commitment ever changes materially, it will only be through a new product with a new privacy policy that you separately sign up for.

Our AI providers (for example Anthropic, OpenAI) are contractually bound to the same commitment: no training, no fine-tuning, and no retention of your inputs or outputs beyond the short window strictly needed to return the response and to detect abuse (typically zero-retention enterprise endpoints where available). Zero-retention configuration is the default wherever an AI provider offers it.

Improvements to RunBoost are built by our engineers from metadata that does not contain user data (for example, anonymous feature-usage counts, latency metrics, and aggregated crash data) and from feedback you voluntarily send via support channels.

9. Your rights

Under the GDPR (and similar laws in the UK, California, and elsewhere), you have the right to:

Access a copy of your personal data.
Rectify inaccurate or incomplete data.
Erase your data ("right to be forgotten").
Restrict or object to processing, including for legitimate-interest purposes.
Port your data to another service in a structured, commonly used format.
Withdraw consent at any time (this does not affect the lawfulness of prior processing).
Lodge a complaint with your local supervisory authority. In the Netherlands, the Autoriteit Persoonsgegevens.

To exercise any of these rights, email support@runboost-app.com. We will verify your identity and respond within one month, extendable by two further months for complex requests as allowed under Article 12(3) GDPR.

10. Children

RunBoost is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Cookies and similar technologies

Our website uses strictly necessary cookies to operate and, with your consent, a limited set of analytics cookies to understand how visitors use the site. You can change your choice at any time via the cookie banner. The app uses mobile equivalents (device identifiers, secure storage, push tokens) for similar purposes.

12. Strava-specific commitments

RunBoost integrates with Strava under the Strava API Agreement (effective 11 November 2024). In addition to everything else in this policy, the following commitments apply to any data we receive from the Strava API ("Strava Data"):

Authorisation.We only access Strava Data after you explicitly authorise RunBoost via Strava's OAuth flow, and only within the granular scopes you approve. You can revoke access at any time in Strava's settings or from within RunBoost.
Only your own data, only to you. We only display Strava Data that belongs to you, and we only display it to you. We will not display or disclose the Strava Data of other Strava users to you, even if that data is publicly visible on Strava.
No sharing, no selling, no licensing. We do not, directly or indirectly, disclose, sell, license, lease, or otherwise make Strava Data available to any third party (including advertisers and data brokers), even if you were to ask us to.
No AI/ML training. We do not use Strava Data, directly or indirectly, to train, fine-tune, or evaluate any artificial-intelligence, machine-learning, or similar model. This prohibition is unconditional and is not subject to any opt-in.
No analytics, no aggregation, no combination. We do not process Strava Data (even in aggregated or de-identified form) for analytics, customer insights, product improvement, or benchmarking. We do not combine Strava Data with data we have collected from other sources.
No advertising. We do not use Strava Data in advertisements or for targeted advertising.
Retention limit. Strava Data is cached for no longer than seven (7) days, as required by the Strava API Agreement. After that we re-fetch from Strava as needed.
Respect for deletions and privacy settings. If you delete an activity on Strava, change a privacy setting, or disconnect RunBoost from Strava, we will remove the corresponding Strava Data from our systems promptly, and in any event within 48 hours.
Encryption. Strava Data is transmitted only over encrypted channels (HTTPS/TLS) and is encrypted at rest.
Security incidents. If we become aware of a security incident involving Strava Data, we will notify Strava as soon as possible and no later than 24 hours after we identify the incident, and we will notify affected users as required by law.
Garmin attribution.Where an activity was originally captured by a Garmin device and is surfaced to you via the Strava API, we attribute the data to Garmin in accordance with Garmin's brand guidelines.
Strava trademarks.We use Strava's name, logos, and brand elements only as permitted by the Strava API Brand Guidelines, and only to indicate that an activity came from Strava.
Strava usage data.You acknowledge that Strava may monitor and collect certain usage data relating to RunBoost's access to the Strava API, and may use that data for any business purpose, as described in the Strava API Agreement.
Independent controllers.RunBoost and Strava each act as independent data controllers for the personal data each of us receives or discloses under our Strava integration, as contemplated by Article 26 GDPR. Strava's own Privacy Policy continues to apply to data held on Strava's side.

13. Other third-party platforms

When you link another third-party platform (Apple Health, Google Health Connect, Garmin, Polar, COROS, etc.), that platform's own privacy policy continues to apply to data held on their side. We recommend you review those policies. You can revoke RunBoost's access inside the third-party platform at any time.

14. Changes to this policy

We may update this policy to reflect changes in the Service, in technology, or in the law. When we make material changes, we will notify you in-app or by email at least 14 days before they take effect. The commitment in Section 8 that we will never train AI or ML models on your data will not be weakened by such updates.

15. Contact

Questions, requests, or complaints? Email support@runboost-app.com.