Privacy Policy

Introduction

Steffen Bøgeholm (32982808) ("we," "us," or "our") is committed to safeguarding your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and disclose personal data when you use our fitness application ("App") that integrates with the Garmin Connect API and Wahoo API. Our App processes activity data only within the scope you explicitly authorize.

As a company based in the European Union (EU), we comply with the General Data Protection Regulation (GDPR) and other applicable EU data protection laws. This policy outlines our data practices and your rights regarding your personal data.

For inquiries about this Privacy Policy, please contact us at hello@steffenbogeholm.com.

1. Data Controller

Steffen Bøgeholm (32982808), located at Polensgade 48, Copenhagen, Denmark, is the data controller responsible for processing your personal data. Our lead supervisory authority for GDPR purposes is Datatilsynet (the Danish Data Protection Agency).

2. Categories of Personal Data Processed

Personal Data Processed When You Create an Account

When you create an account with our App, we collect:

• Email Address: Used for account login and communication.
• Name: Associated with your account profile and displayed within the App.

Purposes and Legal Grounds:

• Account Security: We process your email address to enable secure sign-in with your password. The legal basis is our legitimate interest in protecting your account security (GDPR Article 6(1)(f)).
• Communication: We use your email address to send activity statistics, updates, or material changes to this Privacy Policy. The legal basis is our legitimate interest in providing relevant information about your App usage or account (GDPR Article 6(1)(f)).
• Customer Support: We process your email address to associate it with your account when you contact our support team. The legal basis is our legitimate interest in providing effective customer support (GDPR Article 6(1)(f)).
• Profile Display: Your name is used for your account profile and displayed in the App. The legal basis is our legitimate interest in enhancing user experience (GDPR Article 6(1)(f)).

Personal Data Processed When You Link a Third-Party Account

When you link your Garmin Connect or Wahoo account to our App, we store:

• Authentication Credentials: Provided by Garmin Connect or Wahoo to verify your identity.
• Activity Data: Data you authorize us to access via the Garmin Connect API or Wahoo API, such as workout details (e.g., distance, duration, heart rate, GPS routes).

Purposes and Legal Grounds:

• We store authentication credentials and process activity data to fulfill your request to link third-party accounts and display your fitness data. The legal basis is your explicit consent (GDPR Article 6(1)(a)) provided during the authorization process. When processing Wahoo data, we are also bound by the terms of the Wahoo API Agreement.

Personal Data Processed When You Complete an Activity

We process geographical location data provided directly or through linked Garmin Connect or Wahoo accounts, such as GPS routes or fitness metrics. Precise/raw GPS data is not shared with other users without your consent.

Purposes and Legal Grounds:

• We process this data to provide activity tracking and insights. The legal basis is your consent (GDPR Article 6(1)(a)) or our legitimate interest in delivering core App functionality (GDPR Article 6(1)(f)).

Personal Data Processed When You Visit Our Website

When you visit our website, we collect:

• Technical Data: Information about requested resources (e.g., page views, IP address) to ensure site performance and availability.

Purposes and Legal Grounds:

• We use this data to maintain and improve our website. The legal basis is our legitimate interest in ensuring site functionality and security (GDPR Article 6(1)(f)).

Personal Data Processed in Emails

We use third-party email services to send communications. These services may track email interactions (e.g., whether emails are opened or links clicked) to analyze engagement.

Purposes and Legal Grounds:

• We use this data to improve our communications. The legal basis is our legitimate interest in optimizing user engagement (GDPR Article 6(1)(f)).

3. Other Disclosures

We may disclose your personal data:

• With your valid consent (GDPR Article 6(1)(a)).
• To comply with legal obligations, such as valid subpoenas, court orders, or regulatory requests (GDPR Article 6(1)(c)).
• To enforce our terms, conditions, or policies (GDPR Article 6(1)(f)).
• To pursue or defend legal claims (GDPR Article 6(1)(f)).
• In the event of a business transfer (e.g., merger, acquisition), provided the receiving entity complies with this Privacy Policy and GDPR. We will notify you and, if required, obtain your consent.

We do not sell your personal data or share it for direct marketing purposes.

4. Data Storage and Security

Your personal data is stored in secure databases managed by Supabase and Vercel, our trusted cloud providers. We implement the following security measures per GDPR Article 32:

• Encryption: Data is encrypted in transit using TLS and at rest on storage systems.
• Access Controls: Only authorized personnel can access your data.
• Regular Audits: We conduct security assessments to protect against unauthorized access.

While we strive to protect your data, no system is entirely secure. In case of a data breach, we will notify you and Datatilsynet as required by GDPR.

5. Retention of Personal Data

We retain your personal data only as long as necessary:

• Account and Activity Data: Retained while your account is active. If you delete your account, we will delete your data within 30 days, unless retention is required by law (e.g., for tax purposes, up to 7 years).
• Technical Data: Retained for up to 12 months for analytics and security, then anonymized or deleted.

See Section 7 for details on your right to erasure.

6. Children's Privacy

Our App is not intended for individuals under 16 years old, per GDPR requirements. We do not knowingly collect personal data from children under 16. If we discover such data, we will delete it promptly.

7. Your Rights

As an EU resident, you have the following GDPR rights:

• Right to Be Informed (Article 13-14): We transparently disclose what data we process, why, and with whom it is shared.
• Right of Access (Article 15): You can request a copy of your personal data.
• Right to Rectification (Article 16): You can request correction of inaccurate or incomplete data.
• Right to Erasure (Article 17): You can request deletion of your data (e.g., by deleting your account) if it is no longer needed, consent is withdrawn, or processing is unlawful. We will delete your data within 30 days, subject to legal retention obligations.
• Right to Restrict Processing (Article 18): You can request a temporary halt to processing, e.g., during a dispute or correction.
• Right to Data Portability (Article 20): You can request your data in a structured, commonly used, machine-readable format.
• Right to Object (Article 21): You can object to processing based on legitimate interests, including profiling or direct marketing.
• Rights Regarding Automated Decision-Making (Article 22): You are not subject to decisions based solely on automated processing that produce legal or significant effects.

To exercise these rights, contact us at hello@steffenbogeholm.com. You can also disconnect your Garmin Connect or Wahoo account to revoke data access. You may file a complaint with Datatilsynet (https://www.datatilsynet.dk).

8. Third-Party Integrations

Our App integrates with:

• Garmin Connect: Data is processed per Garmin's Privacy Policy (https://www.garmin.com/en-US/privacy/).
• Wahoo: Data is processed per Wahoo's Privacy Policy (https://www.wahoofitness.com/legal/privacy-policy).

We are not responsible for the privacy practices of Garmin or Wahoo. Please review their policies before authorizing access.

9. International Data Transfers

We primarily process data within the EEA. If data is transferred outside the EEA (e.g., via Supabase or Vercel services), we ensure GDPR-compliant safeguards, such as:

• Standard Contractual Clauses (SCCs).
• Data processing agreements.
• Adequacy decisions (if applicable).

10. Privacy Policy Updates

We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. You can check the "Last Updated" date at the top of this policy. Material changes will be communicated via email or in-App notifications at least 30 days before taking effect, and we will obtain your consent if required by law.

11. Contact Us

To communicate with our Data Protection Officer or for questions about this Privacy Policy, contact:

Steffen Bøgeholm (32982808)
Polensgade 48, Copenhagen, Denmark
Email: hello@steffenbogeholm.com
Website: https://steffenbogeholm.dk

You may also contact Datatilsynet at https://www.datatilsynet.dk.

12. Links to Third-Party Privacy Policies

• Garmin Connect Privacy Policy: https://www.garmin.com/en-US/privacy/
• Wahoo Privacy Policy: https://www.wahoofitness.com/legal/privacy-policy