RUNWISE

Privacy Policy

Effective date: June 4, 2026

RunWise is a training readiness application for amateur runners. This policy explains what personal data we collect, how we use it, and what rights you have. We take data protection seriously — your training data is yours and is used for one purpose only: helping you train better.

1. Data Controller

RunWise is operated as a sole-trader business registered in Sweden.

  • Service: RunWise
  • Website: runwiseapp.com
  • Contact: hello@runwiseapp.com
  • Country: Sweden

2. Data We Collect

We collect the minimum data necessary to deliver the service. Data is always collected either directly from you or through an OAuth 2.0 authorization you explicitly grant.

2.1 Account data

Email address and, optionally, your first name — used solely for authentication and to personalise the interface.

2.2 Strava activity data

When you connect your Strava account via OAuth 2.0, we access the following read-only scopes:

  • activity:read — activity list (distance, duration, elevation, date, sport type)
  • activity:read — per-activity metrics: average and max heart rate, average cadence, average power, perceived exertion, elapsed time

We do not access private notes, photos, segments, or any social graph data. Your Strava credentials are never shared with RunWise — authentication is handled entirely by Strava's OAuth server.

2.3 Garmin health data

When you connect Garmin via the Garmin Health API (OAuth 1.0a), we access the following data types with your explicit consent:

  • Daily summary — steps, active minutes, resting heart rate
  • Body Battery™ — energy reserve level
  • Heart Rate Variability (HRV) status — overnight HRV readings
  • Sleep data — total sleep duration and sleep stage summary
  • Activity data — sport sessions, distance, duration, heart rate

Garmin health data is used solely to compute training load (ACWR) and to generate your daily readiness recommendation. It is never used for any other purpose.

2.4 User-entered data

Daily check-in responses (perceived exertion 1–10, discomfort location and severity, sleep quality, motivation) and periodic health declarations (injury status, life stress, wellbeing). These are voluntary and are used only to weight your readiness score.

2.5 Technical data

An authentication session cookie (HttpOnly, Secure) is set when you sign in. No advertising cookies, no third-party tracking scripts, no fingerprinting.

3. How We Use Your Data

All data processing serves a single purpose:

  • Training load calculation: Compute Acute:Chronic Workload Ratio (ACWR) from activity history
  • Daily readiness signal: Generate a Green / Yellow / Red recommendation
  • Race prediction: Apply Riegel's formula to recent training runs
  • Personalisation: Adjust thresholds based on your health declaration and check-ins

We do not use your data for advertising, behavioural profiling, or any purpose beyond the service described above. We do not sell your data.

4. Data Processing & Sub-processors

We use a small number of carefully selected sub-processors. Each processes only the data strictly required for its function.

  • Sub-processor: Supabase (PostgreSQL)
    Location: EU — Frankfurt (eu-central-1)
    Purpose: Database — all user data at rest
  • Sub-processor: Vercel
    Location: EU/US edge
    Purpose: Application hosting — no persistent storage of user data
  • Sub-processor: Anthropic
    Location: US
    Purpose: AI inference — activity metrics sent per-request to generate recommendations; data is not used to train Anthropic models

Data sent to the Anthropic API is governed by Anthropic's Privacy Policy. Per their Data Processing Agreement, data submitted through the API is not used to train their models.

5. Strava API Compliance

RunWise is built on the Strava API and complies with the Strava API Agreement. Specifically:

  • Strava data is accessed only with the user's explicit OAuth authorization.
  • Strava data is used exclusively to calculate training load and generate recommendations — no other use.
  • Strava activity data is not displayed publicly or shared with third parties.
  • Users can revoke RunWise's Strava access at any time via strava.com/settings/apps. Revoking access immediately stops future data syncs; existing data can be deleted on request.
  • We do not store Strava credentials. OAuth tokens are encrypted at rest.

6. Garmin Health API Compliance

RunWise accesses Garmin health data through the Garmin Health API under Garmin's developer programme. The following commitments apply:

  • Garmin health data is accessed only after the user explicitly authorises the connection via Garmin's OAuth flow.
  • Health data (Body Battery, HRV, sleep) is processed solely to compute training readiness. It is never used for advertising, sold, or disclosed to third parties beyond the sub-processors listed in Section 4.
  • Users can disconnect Garmin at any time from within RunWise or via their Garmin Connect account. Disconnecting stops all future data collection.
  • Upon account deletion or data deletion request, all Garmin-sourced data is permanently removed within 30 days.
  • Garmin health data is stored in the EU (Supabase, Frankfurt) and is not transferred outside the EU/EEA except for AI inference requests to Anthropic (covered by standard contractual clauses).

7. Legal Basis for Processing (GDPR)

Legal basis by data category:

  • Account data: Performance of a contract (Art. 6(1)(b))
  • Strava activity data: Consent via OAuth authorisation (Art. 6(1)(a))
  • Garmin health data: Explicit consent (Art. 6(1)(a) + Art. 9(2)(a))
  • User check-in data: Consent (Art. 6(1)(a))
  • Session cookie: Legitimate interest — security (Art. 6(1)(f))

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

8. Your Rights (GDPR)

As a data subject you have the following rights:

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Delete all your personal data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format
  • Restriction: Restrict processing while a dispute is resolved
  • Objection: Object to processing based on legitimate interest

To exercise any of these rights, contact us at hello@runwiseapp.com. We will respond within 30 days. If you are unsatisfied with our response you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.

9. Data Retention

Retention period by data type:

  • Account & activity data: Until account deletion or deletion request
  • Garmin health data: Until connection is revoked or account deleted
  • Session tokens: 30 days (rolling)
  • Server logs: 7 days

All data is permanently deleted within 30 days of a verified deletion request. Email hello@runwiseapp.com to request deletion.

10. Security

All data is transmitted over HTTPS (TLS 1.2+). Data at rest is encrypted using AES-256 (managed by Supabase). OAuth access tokens are stored encrypted and are never logged or exposed in application responses. We apply the principle of least privilege — each system component accesses only the data it requires.

11. Children

RunWise is not directed at persons under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us immediately at hello@runwiseapp.com.

12. Changes to This Policy

We may update this policy as the service evolves. Material changes will be communicated via email and/or a banner in the app before they take effect. The effective date at the top of this page is always updated to reflect the latest revision.

13. Contact

Questions about this policy or your data?

hello@runwiseapp.com