Privacy Policy

Last updated: 10.06.2026

Runtool Oy (“Runtool”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Runtool website, applications, and related services (together, the “Service”), in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and applicable Finnish data protection law.

1. Data Controller

The controller responsible for your personal data is:

Runtool Oy

Business ID: 3606731-1

Email: hello@runtool.app

If you have questions about this policy or how we handle your data, please contact us at hello@runtool.app. We will respond to all requests within one month.

2. Personal Data We Collect

We collect and process different categories of personal data depending on how you use the Service.

2.1 Account data

When you create an account, we collect:

  • Email address
  • Name or display name
  • Account settings and preferences

2.2 Training and activity data

When you use the Service, we process data related to your training, including:

  • Training plans and workouts
  • Workout history and activity logs
  • User-generated training notes and inputs
  • Performance and training metrics

2.3 Health and fitness data

The following data is health data and requires your explicit consent, which you provide when connecting a fitness service or enabling specific features. For connected watches, sharing sleep, heart rate variability, and resting heart rate is a separate choice you make when connecting the device, and you can turn it off at any time on the integrations page. You may withdraw consent at any time; see Section 4.3.

When you connect third-party fitness services or manually enter data, we may process:

  • Heart rate (HR), resting heart rate, and heart rate variability (HRV)
  • Sleep data, including sleep duration
  • Recovery and readiness metrics
  • VO₂max and related performance indicators
  • Training load and intensity data
  • Distance, pace, duration, and elevation
  • Other activity and device-generated fitness metrics

The exact data we receive depends on the connected service and the permissions you grant.

2.4 Technical and usage data

When you use the Service, technical data may be processed automatically by our infrastructure and service providers, including:

  • Device and browser type and operating system
  • Log data
  • IP address (processed by infrastructure providers)
  • Approximate location derived from IP address
  • Usage events and interaction data

2.5 Analytics data

We use product analytics tools to understand how the Service is used and to improve user experience. This may include:

  • Feature usage and navigation patterns
  • Interaction events (clicks, views, usage flows)
  • Device and browser information
  • Technical identifiers such as IP address (which may be anonymised or truncated)

We do not use analytics to track users across third-party websites.

3. How We Collect Personal Data

We collect personal data:

  • Directly from you when you create or use an account
  • Automatically through your use of the Service
  • From third-party fitness platforms you connect (see Section 9)
  • Through analytics and technical infrastructure tools

4. Legal Basis for Processing

4.1 Contract

Processing necessary to provide the Service to you, including:

  • Account creation and management
  • Training planning and analysis
  • Importing and processing fitness data
  • Core Service functionality

4.2 Legitimate interests

We rely on legitimate interests for:

  • Service improvement and product analytics
  • Debugging and performance monitoring
  • Security and fraud prevention

We have conducted legitimate interests assessments and are satisfied that these interests are not overridden by your fundamental rights and freedoms.

4.3 Consent

Where we process health data (Section 2.3), we rely on your explicit consent. We also rely on consent for:

  • Marketing communications
  • Optional features that require consent

You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. For wearable health-data sharing, you can withdraw consent directly by turning off sharing on the integrations page. For other consent-based processing, contact us at hello@runtool.app.

5. How We Use Personal Data

We use personal data to:

  • Provide and operate the Service
  • Generate training insights and personalised recommendations
  • Process and display fitness and activity data
  • Enable AI-powered features (see Section 8)
  • Improve performance and user experience
  • Provide customer support
  • Ensure security and prevent misuse
  • Comply with legal obligations

6. Sharing of Personal Data

We do not sell personal data.

Sharing with your coach: if you connect with a coach on Runtool, your training data and any health data you have chosen to share (Section 2.3) are visible to that coach as part of the Service. You control this sharing and can stop sharing health data at any time (Section 4.3).

We share personal data only with trusted third-party service providers (“processors”) that support the operation of the Service. Our current processors are:

  • Google Cloud Platform — cloud hosting, storage, and infrastructure
  • Vercel — application hosting and content delivery
  • Supabase — database, authentication, and identity
  • Stripe — payment processing
  • Anthropic — AI service provider for AI-powered features (see Section 8)
  • PostHog — product analytics
  • Brevo — transactional and marketing email
  • Sentry — error monitoring and performance tracking

We update this list when we add or remove processors. All processors are bound by data processing agreements (DPAs) and are required to process personal data only on our instructions and in compliance with applicable data protection law.

Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission (see also Section 12).

7. Children’s Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children below this age. If we become aware that such data has been collected, we will delete it promptly.

8. AI-Powered Features

Runtool uses artificial intelligence to provide features such as:

  • Training recommendations and workout suggestions
  • Analysis of training, recovery, and fitness data
  • Personalised insights based on your activity

To provide these features, relevant account, training, and health data is sent to Anthropic, our AI service provider, which acts as our data processor under a data processing agreement.

Model training: Your personal data is not used to train AI models. We do not train our own models, and Anthropic does not use this data to train its models.

Automated decision-making: The AI features do not make solely automated decisions that produce legal or similarly significant effects on you. AI-generated suggestions are informational and are not used to determine eligibility, pricing, or any other decision that materially affects you.

9. Connected Fitness Services

You may connect third-party fitness platforms such as Polar or Suunto. When you connect a service, we receive data that you authorise that provider to share with us, in accordance with your permissions on that platform.

You may disconnect any integration at any time through your account settings. Disconnecting stops future data imports but does not automatically delete previously imported data. Turning off health-data sharing for a connected device similarly stops future health imports while keeping previously imported data. You may request deletion separately by contacting hello@runtool.app.

10. Payments

If you purchase a subscription or paid feature, payments are processed by Stripe, Inc., which acts as an independent data controller for payment data in accordance with its own privacy policy. We do not store full payment card details.

11. Data Retention

We retain personal data only for as long as necessary to provide the Service and comply with our legal obligations. In general:

  • Account and training data: retained while your account is active
  • Health and fitness data: retained until deleted by you or upon account deletion
  • Technical and analytics data: retained for limited periods (typically up to 12–24 months) as necessary for operational purposes
  • Support communications: retained for up to 3 years for operational and legal reasons

11.1 Account deletion

When you delete your account:

  • Personal data is deleted or anonymised within 30 days
  • Backup copies may persist for up to 90 days before being automatically removed
  • Certain data may be retained where required by law or necessary to establish, exercise, or defend legal claims

12. International Data Transfers

Some of our service providers process personal data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission where applicable

You may request a copy of the relevant safeguards by contacting us at hello@runtool.app.

13. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or alteration. These measures include:

  • Encryption in transit using HTTPS/TLS for all connections to the Service
  • Encryption at rest provided by our infrastructure processors, including Supabase and Google Cloud Platform
  • Access controls including authenticated access and row-level security on database records
  • Regular dependency updates and security reviews

14. Your Rights Under GDPR

You have the following rights under GDPR:

  • Right of access (Article 15): obtain a copy of your personal data and information about how it is processed
  • Right to rectification (Article 16): correct inaccurate or incomplete data
  • Right to erasure (Article 17): request deletion of your data in certain circumstances
  • Right to restrict processing (Article 18): ask us to pause processing in certain circumstances
  • Right to data portability (Article 20): receive your data in a structured, machine-readable format
  • Right to object (Article 21): object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent (Article 7(3)): withdraw consent at any time without affecting prior processing
  • Right not to be subject to solely automated decisions (Article 22): where applicable

We will respond to all requests within one month. In complex cases we may extend this by a further two months and will notify you if we do so.

To exercise any of your rights, please contact: hello@runtool.app.

You also have the right to lodge a complaint with a supervisory authority. In Finland, the relevant authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto): www.tietosuoja.fi.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service or by email before the changes take effect. The “Last updated” date at the top of this document will always reflect the current version.

16. Contact

For any questions about this Privacy Policy or how we handle your personal data:

Runtool Oy

Email: hello@runtool.app