Privacy Policy

Last updated: 2026-05-19

1. Who we are

Pacer (“we”, “us”) is an AI-powered running coach application operated by Mateusz Różański (sole proprietor, Poland). Contact: mateusz.rozanski@synergycodes.com.

2. What data we collect

2.1 Account data

• Email address, display name, profile picture (from Google OAuth sign-in)
• Unique user identifier (UUID)
• Account creation timestamp

2.2 Profile data (provided by you)

• Physical: age, weight, height
• Training: running experience, weekly kilometers, personal records (5k/10k/HM/M times)
• Health context: injuries, recovery notes, HR zones
• Goals: target races, priorities, deadlines
• Coaching preferences: language, coach personality, custom instructions
• (Optional, opt-in) Menstrual cycle tracking data for female athletes

2.3 Activity data (from integrations)

• Strava: activity history (distance, time, pace, heart rate, GPS routes, splits, cadence), athlete ID. We request read-only access via OAuth 2.0.
• Garmin Connect: activity history, calendar workouts, training effect, recovery, HRV (if available). Access via your credentials (encrypted at rest with AES-256-GCM).
• Apple Health / Google Fit: manually uploaded XML/CSV exports parsed for running/walking activities.

2.4 Generated data

• Conversations with the AI coach (full message history)
• Generated training plans
• Daily mood check-ins, skip-with-reason logs, recovery preferences
• Push notification subscriptions (device tokens via Web Push)

2.5 Technical data

• IP address (transient, for rate limiting only)
• Browser type and version
• Approximate geolocation (from browser geolocation API, for weather forecasting only — opt-in)

3. How we use your data

• Generate personalized training plans
• Analyze your activities and provide coaching feedback
• Calculate training metrics (PMC, VDOT, pace zones, adherence)
• Send push notifications about your daily plan (opt-in)
• Synchronize plans to your Garmin watch (if connected)
• Detect personal records and unlock achievements

4. Third parties we share data with

• Google (Gemini AI): your messages and profile context are sent to Google's Gemini API for AI coaching response generation. Google's privacy policy applies. policies.google.com/privacy
• Strava: we read your data from Strava (OAuth). We do not write back to Strava.
• Garmin Connect: we write training plans to your Garmin Calendar via unofficial API using your credentials.
• Upstash (Redis): data storage provider. upstash.com privacy
• Vercel: application hosting. vercel.com/legal/privacy-policy
• Web Push (Apple/Google): push notification delivery via standard browser Web Push protocol.

We do not sell or share your data with advertisers, data brokers, or third parties for marketing purposes.

5. Where data is stored

All user data is stored in Upstash Redis (EU-West region for EU users where available). Authentication sessions are managed by NextAuth.js stored in the same Redis instance. We do not maintain separate analytics databases or data warehouses.

6. Data retention

• Account data: retained while account is active
• Conversations: retained while account is active (max 100 in sidebar history)
• Activity data: retained while account is active
• Strava tokens: refreshed automatically; deleted if you disconnect
• Garmin tokens: encrypted; deleted if you disconnect
• Push subscriptions: max 5 devices, oldest replaced

7. Your rights (GDPR for EU residents)

You have the right to:

• Access: request a copy of your data (via /profile → Export)
• Rectify: correct your profile data at any time via /profile
• Delete: email mateusz.rozanski@synergycodes.com with subject “Delete my Pacer account”. We will delete all data within 30 days.
• Portability: export your data as JSON via /profile → Export
• Restrict processing: disconnect integrations or pause your account
• Withdraw consent: revoke OAuth grants from Strava (strava.com/settings/apps) or Google (myaccount.google.com/permissions)
• Lodge a complaint: with your local data protection authority (in Poland: UODO — Urząd Ochrony Danych Osobowych)

8. Security

• HTTPS enforced on all endpoints
• Garmin credentials encrypted at rest with AES-256-GCM
• Authentication via Google OAuth 2.0 (no passwords stored)
• Per-user data isolation: every database key prefixed with your user ID
• Service worker push notifications use VAPID signed payloads

9. Cookies

We use only essential cookies for authentication (NextAuth.js session cookie). We do not use tracking cookies, analytics cookies, or advertising cookies.

10. Children

Pacer is not intended for users under 16. We do not knowingly collect data from minors.

11. Changes to this policy

We may update this policy. Material changes will be announced in the app. Continued use after changes implies acceptance.

12. Contact

Questions, requests, or complaints: mateusz.rozanski@synergycodes.com