Privacy Policy

1. Data Controller

The data controllers within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws are:

Thomas Böhringer and Christian Bringmann

Schulstraße 62 86438 Kissing Germany

Email: privacy@pacefinity.app

2. Data We Collect

We process the following personal data:

2.1 Account Data

• Email address, username, password (hashed)
• Profile photo (optional), nationality (optional), home city (optional)
• Preferred language

2.2 Activity Data

• GPS coordinates during recorded runs, rides, and hikes
• Distance, duration, pace, and route (polyline)
• Territory polygons derived from your routes

2.3 Integration Data

• When connecting Strava or Garmin: OAuth tokens, activity IDs, and GPS data from synced activities
• This data is only transferred with your explicit consent

2.4 Technical Data

• IP address, browser type, operating system
• Access timestamps and pages visited (server logs)
• Cookies for session management and language preferences

3. Legal Basis

• Art. 6(1)(a) GDPR (Consent): GPS tracking, third-party connections
• Art. 6(1)(b) GDPR (Contract performance): Account data, game mechanics
• Art. 6(1)(f) GDPR (Legitimate interest): Security, abuse prevention, analytics

4. Purpose of Processing

• Providing and operating the service (accounts, map views, leaderboards)
• GPS-based territory conquest and competitive features
• Communication about your account and service
• Security and abuse prevention
• Service improvement

5. Data Retention

• Account data: Until account deletion
• Activity data and GPS routes: Until account deletion or earlier upon request
• Server logs: Maximum 90 days
• Third-party tokens: Until connection is revoked

6. Data Sharing

We share personal data only when:

• You have given explicit consent (e.g., Strava/Garmin connection)
• It is necessary to fulfill the contract
• We are legally obligated to do so

We use the following service providers:

• Hosting: Hetzner (Germany/EU), servers located within the EU
• Map tiles: OpenFreeMap / MapTiler (public map data, no personal data transmitted)
• Email (optional): For transactional emails

7. International Data Transfers

Your data is primarily processed on servers within the EU/EEA. If transfer to third countries is necessary (e.g., Strava/Garmin APIs), it is based on:

• EU Standard Contractual Clauses (Art. 46(2)(c) GDPR)
• EU Commission adequacy decisions

8. Your Rights

You have the following rights at any time:

• Access (Art. 15 GDPR): Learn what data we store about you
• Rectification (Art. 16 GDPR): Correct inaccurate data
• Erasure (Art. 17 GDPR): Request deletion of your data
• Restriction (Art. 18 GDPR): Restrict processing of your data
• Data portability (Art. 20 GDPR): Receive your data in a machine-readable format
• Objection (Art. 21 GDPR): Object to data processing
• Withdraw consent (Art. 7(3) GDPR): Withdraw any previously given consent

To exercise your rights, contact: privacy@pacefinity.app

9. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) Promenade 18 91522 Ansbach Germany

10. Cookies

We use only technically necessary cookies for:

• Session management (login status)
• Language preferences
• Cross-Site Request Forgery (CSRF) protection

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

11. Children

The service is intended for individuals aged 16 and older. We do not knowingly collect personal data from children under 16. If we discover that we have received data from a child under 16, it will be deleted immediately.

12. Changes to This Policy

We reserve the right to update this privacy policy. The current version is always available on this page. For material changes, we will notify registered users by email.

Last updated: June 2026