Privacy Policy
1. Data Controller
besser als gestern UG (haftungsbeschränkt)
Elisabeth-Emter-Weg 6
79110 Freiburg im Breisgau
Germany
Email: help@race-mind.com
2. Overview
This Privacy Policy explains what personal data we collect when you use the app RaceMind – Triathlon & Running Coach (hereinafter “App”) and our website race-mind.com (hereinafter “Website”), how we process it, and what rights you have.
The App is intended for users aged 16 and older. We do not knowingly collect data from anyone under the age of 16.
3. What Data We Collect
3.1 Data You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Profile data | Name, year of birth, height, weight | Training plan creation, zone calculation |
| Training experience | Experience duration, current weekly volume, available hours | Plan individualization |
| Performance data | Running personal bests, cycling speed, swim pace, heart rate values (Max HR, LTHR, resting HR) | Threshold calculation, race prognosis |
| Health data | Injuries and conditions (name, severity 1–5, body region) | Plan adjustment, injury management |
| Race data | Target race, date, distance, goal time | Training planning, prognosis |
| Availability | Rest days, time slots (AM/PM) | Weekly planning |
| Chat messages | Questions to the coach, feedback, mood check-ins | Coaching responses, plan adjustment |
| Account data | Email address (when linking account via Apple, Google, or email) | Authentication, data recovery |
3.2 Data From Third Parties
| Source | Data | Purpose |
|---|---|---|
| Strava | Training activities (duration, distance, pace, heart rate, power, lap data, elevation, cadence, device name) | Training analysis, baseline calculation, Performance Score |
| Intervals.icu | Training activities and performance data | Training analysis, plan optimization |
| Garmin Connect | Training activities (duration, distance, pace, heart rate, power, lap data, elevation, cadence, device name) | Training analysis, baseline calculation, workout push to watch |
| Apple Health / HealthKit (iOS) | Heart rate variability (HRV SDNN), resting heart rate, sleep duration and stages | Recovery assessment, training readiness |
| Google Health Connect (Android) | Heart rate variability (HRV RMSSD), resting heart rate, sleep sessions and stages | Recovery assessment, training readiness |
Connecting to these services is optional. You can use the App without any connections (manual data entry). When you connect a third-party service, the respective platform’s own privacy policy also applies to the collection and transfer of your data.
3.3 Automatically Collected Data
| Category | Details |
|---|---|
| Technical data | Device type, operating system, app version, error reports (crash logs via Sentry) |
| Usage data | Timestamps of app usage, onboarding progress |
| Anonymous session | An anonymous session ID is created at app launch (no personal identification) |
| Approximate location data | When you open the weekly planning screen, your IP address is converted into an approximate location (city/region level) exclusively on our server using the locally hosted MaxMind GeoLite2 database. The IP address is not transmitted to any third party and is not stored persistently. See Section 6.7 for details. |
3.4 Data Processing on Our Website (race-mind.com)
In addition to using the App, we also process personal data when you visit our Website or contact us through it.
Website Hosting and Server Log Files
When you access our Website, the hosting provider automatically collects and stores information in server log files that your browser transmits automatically. This includes:
- Browser type and version
- Operating system
- Referrer URL (the previously visited page)
- Hostname of the accessing device
- Time of server request
- IP address
This data is processed exclusively by the hosting provider (GitHub Pages) as part of operating the Website. We do not store server log files ourselves and do not have access to this data. This data is not merged with other data sources.
- Purpose: Ensuring a smooth connection, system security, and technical reliability of the Website.
- Legal basis: Art. 6(1)(f) GDPR. The legitimate interest lies in the secure and error-free provision of the Website.
Contact Form and Email Contact
If you send us inquiries via the contact form on the Website or by email, your details from the inquiry form (name, email address) including the message you entered are stored for the purpose of processing your request and in case of follow-up questions. We do not share this data without your consent.
- Purpose: Processing and responding to your individual inquiry.
- Legal basis: If your inquiry relates to the conclusion of a contract (e.g., questions about subscriptions or app usage), the legal basis is Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures). In all other cases, processing is based on our legitimate interest in effectively handling inquiries directed to us under Art. 6(1)(f) GDPR.
- Retention: The data you enter in the contact form remains with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been fully processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.
4. Legal Basis for Processing
| Processing activity | Legal basis |
|---|---|
| Training plan creation, analysis, prognosis, chat coaching | Art. 6(1)(b) GDPR – Performance of a contract |
| Processing health data (injuries, heart rate, HRV) | Art. 9(2)(a) GDPR – Explicit consent |
| Deletion of inactive anonymous profiles (cleanup) | Art. 6(1)(f) GDPR – Legitimate interest (data hygiene) |
| Connection to Strava, Intervals.icu, Garmin Connect, Apple Health | Art. 6(1)(a) GDPR – Consent |
| Display of weather forecast in weekly planning (IP-based geolocation) | Art. 6(1)(f) GDPR – Legitimate interest (providing relevant training context information) |
Your consent for processing health data is obtained as a mandatory step during onboarding. Since the App’s core functionality (training planning, analysis, injury management) requires processing health-related data, consent is a prerequisite for using the App.
You can withdraw your consent at any time by triggering the withdrawal in the App under Settings → Legal → Revoke consent (alternatively via Delete Account) or by emailing us (see Section 9). Because your data is strictly required to provide the coaching features, the withdrawal results in deletion of your account and all associated data.
5. Recipients and Third-Party Services
We use the following service providers to operate the App and Website:
| Service provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, authentication, serverless functions | EU (Ireland) | Data processing within the EU |
| Google LLC (Gemini API) | Training plan generation, training analysis, coach chat | USA | EU Standard Contractual Clauses (SCCs) |
| Google LLC (Firebase Cloud Messaging) | Push notification delivery (FCM to Android devices) | USA | EU Standard Contractual Clauses (SCCs), Data Privacy Framework |
| Strava Inc. | Training import (only when connected) | USA | You authorize access directly with Strava (OAuth) |
| Garmin International, Inc. | Training import, workout push to watch (only when connected) | USA | You authorize access directly with Garmin (OAuth); EU Standard Contractual Clauses (SCCs) |
| intervals.icu Ltd | Training import (only when connected) | UK (operator); data processing in Germany/Finland | You authorize access directly (OAuth); EU data processing; UK adequacy decision |
| GitHub Inc. (GitHub Pages) | Website hosting and server log files | USA | EU Standard Contractual Clauses (SCCs), Data Privacy Framework |
| Sentry (Functional Software, Inc.) | Error and crash monitoring of the App | EU (Frankfurt) | EU hosting (Sentry EU/Frankfurt), Data Processing Agreement (DPA), data processing within the EU |
| IONOS SE | Domain registration and DNS for race-mind.com | Germany | Data Processing Agreement (DPA), data processing within the EU |
| Expo, Inc. | Push notification delivery (relay to Apple APNs and Google FCM) | USA | EU Standard Contractual Clauses (SCCs) |
| Open-Meteo | Retrieval of the 7-day weather forecast based on coarse coordinates (no IP transmission) | Switzerland | EU Commission adequacy decision for Switzerland; open-source weather service (CC-BY 4.0) |
Note on third-country transfers: Some of our service providers are based in the USA. We ensure an adequate level of data protection through EU Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) pursuant to Art. 46(2)(c) GDPR.
6. Data Processing in Detail
6.1 Training Plan Generation
The training plan itself (weekly structure, intensity distribution, load management) is calculated entirely deterministically on our servers — using mathematical formulas, threshold models, and load ratios. No AI is involved in this calculation.
For the accompanying coaching texts (e.g., plan introduction, week descriptions, motivational notes), we send relevant profile and plan-context data to Google Gemini to phrase these texts in a personalized way. In this process:
- No real names are sent to Gemini (only anonymized user IDs)
- Data is used solely for text generation and is not used by Google for its own purposes
- Results are stored in our database (Supabase, EU)
6.2 Training Analysis
After each training session, your activity data (imported from Strava, Intervals.icu, or Apple Health) is analyzed:
- Metrics such as Efficiency Factor, Drift, and Pacing are deterministically calculated (no random element)
- The qualitative interpretation is provided by Google Gemini
- You receive a Performance Score (0–100) and actionable coaching advice
6.3 Coach Chat
Your chat messages are sent to Google Gemini along with relevant training context to provide personalized answers. Chat histories are stored in our database.
6.4 Health Data (Apple Health / Google Health Connect)
If you choose to connect Apple Health (iOS) or Google Health Connect (Android), the App reads the following data locally on your device:
- Heart rate variability (HRV) – SDNN (iOS) or RMSSD (Android)
- Resting heart rate
- Sleep duration and stages (e.g., deep sleep, REM, light sleep)
This data is used to calculate your daily Training Readiness – a recovery indicator that helps you decide whether to train as planned, reduce intensity, or take a rest day.
How the data is processed:
- Health data is read directly from Apple Health / Health Connect on your device via the respective platform APIs
- Daily summaries (HRV, resting HR, sleep duration) are transmitted to our database (Supabase, EU) and stored in the `wellness_daily` table, linked to your user ID
- If you also have Intervals.icu connected, health data from that source takes priority; Apple Health / Health Connect data only fills in missing values
- The raw values from Apple Health / Health Connect (HRV, resting heart rate, sleep stages) are never shared with third parties, used for advertising, or sent directly to AI services. Training metrics derived from them (e.g., thresholds, recovery status) may be included in AI-based coaching text generation (see Section 6.1). Injury information you enter during onboarding may also be included in those texts.
- On first connection, the App backfills the last 14 days of health data to establish a stable baseline
Connecting Apple Health or Health Connect is entirely optional. You can use all other features of the App without it. You can disconnect at any time in the App under Settings → Connections, which stops further data synchronization. Previously synced data remains in your account until you request deletion.
- Legal basis: Art. 9(2)(a) GDPR – Explicit consent (you actively choose to connect and grant permissions via the platform’s permission dialog)
6.5 Automated Processing
Training plans, metrics, and prognoses are primarily based on deterministic calculations (mathematical formulas, threshold models, workload ratios). Google Gemini provides supplementary qualitative interpretation and coaching text. This does not constitute solely automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR. All outputs are recommendations for fitness purposes — you are free to adjust or disregard them at any time.
In accordance with Art. 50 of Regulation (EU) 2024/1689 (AI Act), we inform you that the coach chat, training plans, and analysis texts are generated with the assistance of an AI system (Large Language Model). AI-generated content is labeled accordingly in the App.
6.6 Anonymous Usage and Account Linking
When you start the App, an anonymous session is created. You can initially use the App without personal registration. After onboarding, we recommend linking your account with Apple, Google, or email to enable data recovery on device changes.
6.7 Weather Forecast in Weekly Planning
On the weekly planning screen, we display a 7-day weather forecast for your approximate location to help you plan your training accordingly. For this, we process location data at city/region level:
- When you open the weekly planning screen, the App calls an Edge Function on our server (Supabase, EU). The Edge Function reads the IP address from the incoming HTTP request.
- The IP address is processed exclusively on our server: we derive an approximate location (latitude/longitude, city) using the locally hosted MaxMind GeoLite2 database. The IP address never leaves our infrastructure and is not transmitted to any third party. Accuracy is typically at city or regional level, not at street level.
- The resulting coordinates are sent to Open-Meteo (Switzerland) to retrieve the 7-day weather forecast. No IP address is transmitted to Open-Meteo; only the derived coordinates are sent.
- We do not store the IP address, the derived coordinates, or the city name persistently in our database. The data is processed exclusively at runtime during the weather lookup. In case of an error logged by the Edge Function, the IP address may be temporarily logged in our error monitoring (Sentry, EU).
- The weather forecast is an optional convenience feature. You can disable it at any time under Settings → App → Weather forecast. When disabled, the Edge Function is not called and your IP address is not processed for geolocation.
- Legal basis: Art. 6(1)(f) GDPR – Legitimate interest (providing relevant training context information such as precipitation and wind that supports your training decisions).
7. Data Retention
| Data | Retention period |
|---|---|
| Profile and training data | As long as your account is active |
| Chat histories | As long as your account is active |
| Anonymous profiles without completed onboarding | 48 hours, then automatically deleted |
| System logs (Gemini Logs) | 90 days, then anonymized or deleted |
After account deletion, all personal data is fully removed within 30 days (cascade delete across all linked tables).
8. Data Security
We implement the following technical and organizational measures:
- Row Level Security (RLS): Every database query is restricted to the user’s own ID. You can only access your own data.
- Encryption: All data is encrypted in transit (TLS/HTTPS) and at rest (database encryption).
- OAuth 2.0: Strava, Garmin Connect, and Intervals.icu connections use industry-standard OAuth authentication. We store only access tokens, not your passwords.
- Anonymous authentication: Before account linking, the App operates with an anonymous session – no email or personal identification required.
9. Your Rights
Under the GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access (Art. 15) | You can request to know what data we store about you at any time. |
| Rectification (Art. 16) | Inaccurate data can be corrected. |
| Erasure (Art. 17) | You can request deletion of your account and all data. |
| Restriction (Art. 18) | You can request restriction of processing. |
| Data portability (Art. 20) | You can receive your data in a machine-readable format. |
| Objection (Art. 21) | You can object to processing based on legitimate interests. |
| Withdrawal of consent (Art. 7(3)) | You can withdraw your consent at any time. The lawfulness of processing prior to withdrawal remains unaffected. |
How to exercise your rights:
You can withdraw your consent directly in the App under Settings → Legal → Revoke consent or delete your account under Settings → Legal → Delete Account. Both paths result in deletion of all associated data and withdraw any previously given consent. Alternatively, send an email to help@race-mind.com. We will respond within 30 days.
Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
www.baden-wuerttemberg.datenschutz.de
10. Disconnecting Third-Party Services
- Strava: In the App under Settings → Disconnect. Additionally at strava.com → Settings → My Apps.
- Garmin Connect: In the App under Settings → Disconnect. Additionally at connect.garmin.com → Account Settings → Connected Apps.
- Intervals.icu: In the App under Settings → Disconnect.
- Apple Health / Health Connect: In the App under Settings → Connections. Additionally, you can revoke the App’s access in your device’s health settings (iOS: Settings → Health → Data Access; Android: Settings → Health Connect → App permissions).
Disconnecting a service stops further data import. Previously imported training and health data remains in your account until you request deletion.
11. Cookies and Tracking
The App and the Website use no cookies and no tracking. Integration of PostHog (product analytics) is planned for a future release of the App. Before activation, you will be informed separately and asked for consent.
12. Push Notifications
The App uses push notifications to remind you of training sessions, send coach tips, and deliver other relevant updates. Push notifications are delivered via the Expo Push Notification Service (Expo, Inc.), which acts as a relay to Apple Push Notification Service (APNs) on iOS and Firebase Cloud Messaging (FCM) (Google LLC) on Android. Firebase Cloud Messaging is a service of Google LLC (USA); data transfer is based on EU Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework.
For delivery, a device-specific push token (Expo Push Token) is generated and stored in our database (Supabase, EU). This token is a technical identifier tied to your device and app installation — it does not contain personal information such as your name or email address.
Push notifications are optional. You can disable them at any time in your device settings (iOS: Settings → Notifications → RaceMind; Android: Settings → Apps → RaceMind → Notifications).
- Purpose: Delivery of training reminders, coaching tips, and app-related updates.
- Legal basis: Art. 6(1)(b) GDPR – performance of a contract (notifications as part of the coaching service); Art. 6(1)(f) GDPR – legitimate interest (general product updates).
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time, for example when adding new features or in response to changed legal requirements. We will notify you of material changes via in-app notification. The current version is always available in the App and on our website.
14. Contact
For questions about data protection, you can reach us at:
besser als gestern UG (haftungsbeschränkt)
Elisabeth-Emter-Weg 6
79110 Freiburg im Breisgau, Germany
Email: help@race-mind.com