Privacy Policy

Overview

Route Pacer is designed with a minimal data footprint. We collect only what is necessary to provide predictions, and we do not sell, share, or monetize your data. This policy describes what we collect, how we use it, and your rights.

Data Collected

Data Storage

Your pace profile (a few numbers) and prediction history are stored in our database. Strava OAuth tokens are encrypted at rest using AES-256 (via Fernet) and are only decrypted when fetching activities on your behalf. We do not store OAuth tokens in plaintext.

Data Retention

Individual prediction results are automatically deleted 12 months after they are generated. Your pace profile (a small set of derived statistics) is automatically deleted after 24 months with no updates. Registered accounts that have been inactive (no sign-in or Strava sync) for 24 months are deleted entirely, cascading to all associated data. You may also delete your account at any time via Settings → Delete Account, which permanently removes all associated data immediately.

Anonymous / guest accounts that have no saved predictions are automatically deleted 7 days after creation.

Your Rights

• Erasure (GDPR Art. 17 / UK GDPR Art. 17 / OCPA / CCPA § 1798.105): Delete all your data at any time via the Settings page.
• Access (GDPR Art. 15 / UK GDPR Art. 15 / OCPA / CCPA § 1798.110): Your prediction results are visible in the History page; a full machine-readable copy of every record we hold about you is available via Portability below.
• Correction (GDPR Art. 16 / UK GDPR Art. 16 / OCPA / CCPA § 1798.106): Your pace profile is derived from your training data — to correct it, provide updated training runs via Strava or upload corrected GPX files, then re-sync. Predictions are point-in-time snapshots and can be deleted and re-run with corrected inputs. To correct personal identifiers (email address, display name), email [email protected].
• Revoke Strava: You can disconnect Strava at any time from your Strava app settings.
• Portability (GDPR Art. 20 / UK GDPR Art. 20 / OCPA): Download a complete machine-readable export of all data we hold about you from Settings → Download My Data in JSON format.

To exercise any of the rights above, email [email protected] with “Data Request” in the subject line. We will respond within 45 days. If we deny your request, you may appeal by replying to our denial within 30 days and we will review and respond within a further 45 days.

Third Parties

• Strava — OAuth2 activity access, governed by Strava's Privacy Policy. We do not share your personal data with Strava beyond the OAuth2 exchange.
• Google Sign-In — Optional sign-in method. If you choose to log in with Google, Google receives the OAuth sign-in interaction; we receive your Google account identifier and email address, which we use to create or access your account. No other Route Pacer data is shared with Google, and nothing is sent to Google unless you actively choose this sign-in method. Governed by Google's Privacy Policy.
• Open-Meteo — Weather forecast and archive data. Requests include only a location (latitude/longitude) and date; no personal identifiers are transmitted. Open-Meteo is GDPR-compliant and does not store personally identifiable request data.
• Overpass API (Wikimedia Foundation) — OpenStreetMap surface type lookups. When you run a prediction, we send the geographic bounding box of your uploaded race course (four coordinate floats) to overpass-api.de to retrieve surface=* tags (e.g. asphalt, trail) for terrain technicality estimation. No user identifier is transmitted — only the bounding box coordinates of the course. Bounding box coordinates are not personal data under GDPR Art. 4(1) as they carry no user identifier. The service is operated by the Wikimedia Foundation and governed by the Wikimedia Foundation Privacy Policy. No countersigned DPA is in place; this is consistent with the non-personal-data nature of the request.
• CARTO (map imagery)— Base-map tiles for the route maps shown with library-course predictions. Your browser never connects to CARTO: our own servers fetch each tile — identified only by map style and tile coordinates, with no user identifier or IP address attached — then cache it on our EU infrastructure and serve it to you first-party. Tiles are fetched only for the shared public courses in our race library; courses you upload yourself never produce a map, because we keep no route coordinates from them. Map imagery © OpenStreetMap contributors & CARTO.
• Cookiebot (Usercentrics A/S) — Consent Management Platform. Records your cookie-consent choices and blocks non-essential cookies until you consent; also operated as our registered IAB TCF CMP (see the dedicated section below). Cookiebot is GDPR-compliant and publishes a Data Processing Addendum. See Cookiebot's Privacy Policy.
• Mediavine Grow— Audience-engagement and advertising technology from Mediavine, Inc. Grow currently powers newsletter subscriptions and content alerts on this site. The Grow script is served from Mediavine's CDN, so loading it transmits your IP address to Mediavine as part of the ordinary HTTP request; however, Grow sets no cookies and performs no tracking or personalisation until you give consent through the banner (signalled via the IAB TCF — see below). When you choose to subscribe via a Grow prompt, the email address you enter is collected and stored by Mediavine on our behalf. Mediavine publishes a privacy policy at mediavine.com/privacy-policy.
• HubSpot — Used for email communications and marketing automation (race reminders, feature release announcements). Data shared: email address, page views. Data is only transmitted to HubSpot when you actively opt in to email updates via the subscription form on the upload page. The HubSpot script loads only after you accept marketing cookies in the consent banner; once loaded it records page views, and none of that activity is associated with you personally unless you identify yourself by submitting your email address. HubSpot publishes a privacy policy at hubspot.com/legal/privacy-policy.
• Resend— Transactional email delivery. Used to send email that Route Pacer generates — the race-director partnership enquiry form and account-related messages (email-address verification, password reset), plus opt-in reminders in future. Data shared: the contents of those messages, including any name and email address you enter into a form. Email is processed in Resend's EU (Ireland) region. Resend publishes a Data Processing Addendum (DPA) and is GDPR-compliant. See Resend's Privacy Policy.
• Cloudflare — Domain registrar and DNS provider for routepacer.com. Cloudflare does not proxy or terminate Route Pacer user requests; it resolves the domain name only. DNS query logs may include the querying IP address. Cloudflare publishes a Data Processing Addendum (DPA) and is GDPR-compliant. See Cloudflare's Privacy Policy.
• Railway — Hosts the Route Pacer API and database. All persistent user data (pace profiles, prediction results, encrypted Strava tokens) resides on Railway infrastructure. Railway publishes a Data Processing Addendum (DPA). See Railway's Privacy Policy.
• Google Workspace— Hosts Route Pacer's email inboxes (e.g. partnerships@ and privacy@). Email you send us — partnership enquiries submitted through the form, and any data-subject-rights requests — is received and stored in Google Workspace. Data shared: the contents of those messages, including your name and email address. Google LLC publishes a Cloud Data Processing Addendum and is GDPR-compliant. See Google's Privacy Policy.

Route Pacer is moving to an ad-supported model. Mediavine, Inc.(the company behind Grow) is our advertising and audience-engagement partner, and we participate in the IAB Transparency & Consent Framework described below, which governs advertising-related processing. Personalised advertising operates only on the consent choices you make through the banner, and this policy will be updated as advertising features roll out.

Cookie Consent & the IAB Transparency and Consent Framework (TCF)

Consent for cookies and similar technologies on routepacer.com is managed by Cookiebot (Usercentrics A/S), a registered Consent Management Platform. Cookiebot records your consent choices and blocks non-essential cookies until you have given consent.

Route Pacer participates in the IAB Europe Transparency & Consent Framework (TCF v2.3) and, in activating it, attests that it operates as a publisher in compliance with the Framework's policies. Our CMP signals your consent choices to participating vendors through the standard TCF API. The only TCF vendor disclosed on this site is Mediavine, Inc. (Global Vendor List ID 858), the provider of the Grow engagement tool described above; no other IAB or Google additional-consent vendors are enabled. You can review or change these choices at any time through the “Ad Settings” panel of the consent banner.

Lawful Basis (GDPR / UK GDPR)

We process your data under the following lawful bases:

• Contract performance (Art. 6(1)(b)) — Processing your GPS traces, pace data, and training history is necessary to deliver the race prediction you requested. This processing does not require your consent; it is required to provide the service. This applies to uploaded GPX files, Strava activity data used to build your pace profile, and the resulting prediction.
• Explicit consent (Art. 9(2)(a)) — Heart rate data is special category data under both GDPR and UK GDPR. We process it only when you explicitly opt in via the consent checkbox before connecting Strava. You can withdraw this consent at any time in Settings; withdrawal stops all future HR processing and does not affect your pace predictions.
• Legitimate interests (Art. 6(1)(f)) — Storing prediction results so you can review your history. We apply a 12-month retention limit to minimise unnecessary data holding.

Supervisory Authority (GDPR Art. 13(2)(d) / UK GDPR Art. 13(2)(d))

If you are located in the European Economic Area (EEA) and believe we are processing your personal data unlawfully, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

If you are located in the United Kingdom, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We encourage you to contact us first at [email protected] so we can address your concern directly.

International Data Transfers (GDPR / UK GDPR Art. 13(1)(f); Chapter V)

Route Pacer's API, database, and backups are hosted on Railway in the europe-west4 region (Amsterdam, Netherlands). Live user data — pace profiles, prediction results, encrypted Strava tokens — is stored only in the EU, and Railway has confirmed that volume backups do not leave the region in which they are generated. Raw heart-rate time series are processed transiently and never stored at rest; the derived aerobic-efficiency metrics (Pa:HR decoupling) are stored — in the EU, like all other account data — only with your explicit consent and are deleted if you withdraw it. For users in the EEA and the UK, this means the core processing of your personal data does not involve a Chapter V transfer to a third country.

A limited number of sub-processors operate from the United States. Where transfers of personal data occur to those processors, we rely on the legal mechanism each processor publishes:

• Strava (US)— joint controller under GDPR Art. 26, not a processor. Strava's collection and onward transfer of your activity data is governed by your direct relationship with Strava and its own privacy policy; Route Pacer's role is limited to retrieving the data you have authorised via OAuth.
• HubSpot (US) — used only if you opt in to email marketing. HubSpot self-certifies under the EU-US Data Privacy Framework (DPF) and offers Standard Contractual Clauses (SCCs) as a fallback.
• Mediavine Grow (US) — script delivery (IP address as part of the HTTP request) and, only if you subscribe to a Grow prompt, the email address you enter. Mediavine relies on Standard Contractual Clauses (it is not DPF-certified).
• Cloudflare (US) — DNS resolution only; no request proxying or TLS termination. Cloudflare publishes a DPA with SCCs and is DPF-certified.
• Resend (email delivery; EU/Ireland region)— transactional and notification email. Message content is processed in Resend's EU (Ireland) region, so it remains in the EEA and the core processing involves no Chapter V transfer. Resend is additionally certified under the EU-US Data Privacy Framework and provides a DPA with Standard Contractual Clauses covering any access by its US parent entity.
• Google Workspace (US) — hosts the email inboxes that receive form submissions and data-subject-rights requests. Google LLC is certified under the EU-US Data Privacy Framework, and its Cloud Data Processing Addendum (which we have accepted) includes Standard Contractual Clauses as a fallback.
• AWS Secrets Manager (US) — holds service encryption keys (EU/Ireland region). AWS publishes a DPA with SCCs and is DPF-certified. Encryption keys are not personal data on their own; this is disclosed for completeness.
• Open-Meteo (Switzerland) — non-personal data (lat/lon + date). Switzerland is recognised as having an adequate level of data protection under European Commission decision.
• Overpass API / Wikimedia Foundation (US) — bounding box coordinates only, not personal data under GDPR Art. 4(1); no transfer mechanism is required.

You can request a copy of the specific safeguards in place for any of the transfers above by emailing [email protected].

Contact & Data Controller

The data controller for personal data processed by Route Pacer is:

For privacy questions or data requests, please email the address above.

Do Not Sell My Personal Information

Route Pacer does not sell, rent, or share your personal information with third parties for commercial purposes. This notice is provided in compliance with the California Consumer Privacy Act (CCPA/CPRA) and similar US state laws (Oregon OCPA, Colorado CPA, Virginia VCDPA, Connecticut CTDPA, and others). We also honour the Global Privacy Control (GPC) opt-out signal. If you have questions about your data, see the Contact section above.

Canadian Users (PIPEDA)

If you are located in Canada, your personal information is collected, used, and disclosed in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. You have the right to access the personal information we hold about you and to request correction of inaccuracies. To exercise these rights, email [email protected]. We will respond within 30 days.

Brazilian Users (LGPD)

If you are located in Brazil, your personal data is processed in accordance with the Lei Geral de Proteção de Dados (Lei nº 13.709/2018, “LGPD”). This section describes how the rights and obligations set out in the LGPD apply to your use of Route Pacer. This English version is the controlling text; a Portuguese translation will be published if and when Route Pacer is actively marketed in Brazil.

Legal bases (Art. 7 LGPD)

• Execution of a contract (Art. 7(V)) — processing your training data and uploaded race files to deliver the pace prediction you requested.
• Consent (Art. 7(I) and Art. 11(I)) — processing of heart-rate data, which is sensitive personal data under Art. 5(II), relies on your explicit and specific consent given via the unbundled checkbox at Strava connect time. You may revoke this consent at any time in Settings; revocation stops all future HR processing.
• Legitimate interests (Art. 7(IX)) — storing prediction results for 12 months so you can review your race history. We apply the storage-limitation principle (Art. 6(VI)) by automatically deleting predictions after the retention window.

Your rights (Art. 18 LGPD)

As a Brazilian data subject (titular dos dados) you have the right to:

• Confirmation and access (Art. 18 I, II) — confirm we process your data and obtain a copy. Available in Settings → Download My Data (JSON format).
• Correction (Art. 18 III) — request correction of incomplete, inaccurate, or out-of-date data. Email [email protected].
• Anonymisation, blocking, or deletion of unnecessary or excessive data (Art. 18 IV) — email us; we will assess and respond.
• Portability (Art. 18 V) — the same JSON export under Settings → Download My Data satisfies this right.
• Deletion of data processed under consent (Art. 18 VI) — available in Settings → Delete Account, which removes all associated data immediately.
• Information about entities with whom data was shared (Art. 18 VII) — the Third Parties section above is the comprehensive list.
• Information about the option not to consent and the consequences (Art. 18 VIII) — you may use the service without consenting to HR processing; pace and grade analysis continue to work. You may decline to use Route Pacer entirely; no part of the service is mandatory.
• Revocation of consent (Art. 18 IX) — HR consent can be revoked in Settings; account-wide processing can be ended via account deletion.

International transfers (Art. 33 LGPD)

Personal data of Brazilian users is processed and stored on Railway infrastructure in europe-west4 (Amsterdam, Netherlands). This transfer is supported by the contractual safeguards published by Railway (Standard Contractual Clauses) and, where applicable, by your specific consent at the point of providing the data. The European Union provides a level of data protection equivalent to that required by the LGPD.

Encarregado / DPO (Art. 41 LGPD)

Route Pacer's processing of Brazilian personal data is low-volume and low-risk; we claim the small-scale processing-agent exemption from formal Encarregado appointment under ANPD Resolution CD/ANPD nº 2/2022. As required by that resolution, we publish a direct contact channel for data subjects and for the Autoridade Nacional de Proteção de Dados: [email protected]. We respond within 15 days, in line with Art. 19 LGPD.

Children and adolescents (Art. 14 LGPD)

All users must affirm they are at least 16 years of age via an unbundled checkbox before connecting Strava or generating a prediction. This threshold sits above the Brazilian Civil Code threshold of 12 for “criança” (Art. 14 LGPD) and covers the “adolescente” range (12–17) through to majority for most of it. We do not knowingly process personal data of children or adolescents under 16.

Complaints to ANPD

If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd. We encourage you to contact us first.

Age Restriction

Route Pacer is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. Before connecting Strava or generating a prediction, users must affirm they are at least 16 years of age via an unbundled checkbox. The 16-year threshold is set to align with the strictest GDPR-K member states (Ireland, Germany, Netherlands, France) so the same age gate applies to all users regardless of jurisdiction, and is well above the US Children's Online Privacy Protection Act (COPPA) threshold of 13. If we learn we have collected personal information from a person under 16, we will delete it promptly. If you believe we may have information from or about a person under 16, please contact us at [email protected].