Privacy Policy
How we collect, process, and protect your personal data (GDPR-compliant)
Last updated: 2026-04-07 | Effective date: 2026-04-14
1. Introduction
PACEFLOW ("we", "us", "our", or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.
We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. If you are a resident of the European Union (EU) or European Economic Area (EEA), this policy applies to you in full.
2. Data Controller & Contact Information
PACEFLOW
- Email: privacy@paceflow.co
- Legal Representative: [Your Name/Entity]
- Data Protection Officer: dpo@paceflow.co
For any questions about this Privacy Policy or our data practices, please contact us at the email address above.
3. Personal Data We Collect
3.1 Information You Provide Directly:
- Identity Information: Full name, email address
- Health Data: Age, max heart rate, lactate threshold HR, recent race distance and time, average HR during race
- Training Preferences: Training weeks, runs per week, distance units, plan start date, long run day, busy days
- Payment Information: Card details (processed by Stripe; we do not store this directly)
3.2 Information Collected Automatically:
- Usage Data: Pages visited, time spent, clicks, browser type, IP address
- Device Information: Device type, operating system, screen resolution
- Cookies & Analytics: We use Google Analytics to understand how users interact with our site
4. Legal Basis for Processing (GDPR Article 6)
| Data Type | Legal Basis |
|---|---|
| Name, email, training preferences | Contract performance (to deliver your training plan) |
| Health data (age, HR, race times) | Contract performance + Your explicit consent (special category data under GDPR Article 9) |
| Payment information | Contract performance (payment processing via Stripe) |
| Usage analytics | Legitimate interest (improving our service) |
| Marketing emails (if opted in) | Your explicit consent |
5. How We Use Your Personal Data
- 🎯 Service Delivery: To generate, customize, and deliver your training plan
- 💳 Payment Processing: To process payments and send invoices (via Stripe)
- 📧 Communication: To send training plan confirmations, updates, and customer support
- 📊 Analytics: To understand usage patterns and improve our service
- 📬 Marketing (Opt-in): To send training tips and product updates (only with your consent)
- ⚖️ Compliance: To comply with legal obligations and protect our rights
6. Data Sharing & Third Parties
We do NOT sell your personal data. We share data only with:
- Stripe: Payment processor (PCI-DSS compliant). See Stripe's Privacy Policy
- Supabase: Database provider for plan storage (GDPR-compliant). See Supabase's Privacy Policy
- Email Service Provider: For sending plan confirmations and support (GDPR-compliant)
- Google Analytics: For usage analytics (anonymized)
- Legal authorities: If required by law
7. Data Retention (GDPR Article 5)
We retain your data only as long as necessary:
- Training plans: 24 months after purchase (for reference)
- Payment records: 7 years (required for tax/accounting purposes)
- Email communications: Until you unsubscribe
- Usage analytics: 13 months (Google Analytics default)
After retention periods expire, we securely delete your data. You can request deletion at any time (see Your Rights below).
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- 📋 Right to Access: Request a copy of your personal data we hold
- ✏️ Right to Rectification: Correct inaccurate or incomplete data
- 🗑️ Right to Erasure: Request deletion of your data ("right to be forgotten")
- ⛔ Right to Object: Object to processing for marketing or profiling
- 📤 Right to Data Portability: Receive your data in a portable format (JSON/CSV)
- ⚖️ Right to Restrict Processing: Limit how we use your data
To exercise any of these rights, contact us at: privacy@paceflow.co
We will respond within 30 days (as required by GDPR).
9. Data Security
We implement industry-standard security measures to protect your data:
- SSL/TLS encryption: All data transmitted over HTTPS
- Database encryption: Data encrypted at rest (Supabase)
- Access controls: Only authorized personnel can access data
- Regular backups: Data backed up and recoverable
- PCI-DSS compliance: Payment processing via Stripe (PCI-DSS Level 1)
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
10. Cookies & Tracking Technologies
We use cookies for:
- Essential cookies: Required for site functionality (session, security)
- Analytics cookies: Google Analytics (can be disabled)
- Performance cookies: To measure site speed and optimization
You can disable cookies in your browser settings. This may limit site functionality.
11. Children's Privacy
Our service is not intended for users under 18 years old. We do not knowingly collect personal data from children. If we discover we have collected data from a child, we will delete it immediately.
12. International Data Transfers
Your data may be stored on servers located in different countries. If you are in the EU/EEA, we use:
- Standard Contractual Clauses (SCCs): For transfers to non-EU countries
- EU-US Data Privacy Framework: Where applicable
By using our service, you consent to data transfers as described in this policy.
13. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or by posting a notice on our website. Your continued use of the service constitutes acceptance of changes.
14. Contact Information & Complaints
Questions about this Privacy Policy? Contact us:
Email: privacy@paceflow.co
Data Protection Officer: dpo@paceflow.co
If you have a complaint about our data practices:
You have the right to lodge a complaint with your local data protection authority (e.g., your national DPA, or the ICO for UK residents).