Privacy Policy

Last updated February 2026

CourseRecon — Privacy Policy
Effective Date: [Launch Date]
Last Updated: [Launch Date]


1. Overview

CourseRecon is operated by [Your Legal Entity Name] ("we," "us," or "our"), based in Auckland, New Zealand. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use CourseRecon.

We are committed to compliance with the New Zealand Privacy Act 2020 and, where applicable, the EU General Data Protection Regulation (GDPR) and the UK GDPR.


2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Password (stored only as a salted bcrypt hash, never in plain text)
  • Sport preferences (running, cycling, triathlon)

2.2 Athlete Profile Data

To provide personalised analysis, you may provide:

  • Age, weight, and gender
  • Experience level
  • Race goals and target events
  • Training preferences

2.3 Activity and Training Data

When you connect a third-party fitness platform or upload files directly:

From Strava (via OAuth):

  • Activity history (routes, distances, durations, elevation, heart rate)
  • Athlete profile data (weight, FTP, heart rate zones)
  • Segment efforts and personal records

From Garmin Connect (via OAuth):

  • Activity history (routes, distances, durations, elevation, heart rate)
  • Device and sensor data from FIT files
  • Performance metrics (VO2max estimates, training load, training status)

From direct FIT/GPX/TCX file uploads:

  • GPS coordinates and elevation data
  • Heart rate, cadence, power, and other sensor data embedded in activity files
  • Timestamps and activity metadata

2.4 Course Data

When you upload a course file for analysis:

  • GPX/FIT/TCX file contents (coordinates, elevation, waypoints)
  • Race name, date, and event details you provide

2.5 Payment Information

When you make a purchase:

  • Payment is processed by Stripe. We receive a transaction record, last four digits of your card, and billing country. We do not store full credit card numbers, CVVs, or bank account details.

2.6 Technical and Usage Data

We automatically collect:

  • IP address (anonymised after 30 days)
  • Browser type, operating system, and device type
  • Pages visited and features used within CourseRecon
  • Referral source
  • Session duration and interaction patterns

We use privacy-respecting analytics. We do not use Google Analytics or any tracking tool that shares data with advertising networks.


3. How We Use Your Information

We use your information to:

Purpose                                         | Data used                                            | Legal basis (GDPR)
Provide course analysis and readiness scoring   | Activity data, course files, athlete profile         | Contract performance
Generate pacing and training recommendations    | Activity data, athlete profile, course analysis      | Contract performance
Process payments                                | Payment and account information                      | Contract performance
Send service emails (receipts, account updates) | Email address                                        | Contract performance
Improve our algorithms and analysis accuracy    | Aggregated, anonymised activity and course data      | Legitimate interest
Respond to support requests                     | Account and communication data                       | Contract performance
Detect fraud and abuse                          | Technical data, usage patterns                       | Legitimate interest
Send product updates and feature announcements  | Email address                                        | Consent (opt-in)

We do not use your data for:

  • Advertising or ad targeting
  • Sale to third parties
  • Profiling for purposes unrelated to the Service
  • Training AI/ML models on individually identifiable data

4. How We Share Your Information

We share your data only in the following limited circumstances:

4.1 Service Providers

We use trusted third-party services to operate CourseRecon:

Provider       | Purpose                            | Data shared                                          | Location
Supabase       | Authentication, database hosting   | Account data, athlete data, course data              | USA
Stripe         | Payment processing                 | Payment details, email, billing country              | USA (PCI-DSS compliant)
Vercel         | Application hosting                | Technical data (IP, request logs)                    | USA (global CDN)
Strava         | Fitness data sync (when connected) | OAuth tokens; activity data flows from Strava to us  | USA
Garmin Connect | Fitness data sync (when connected) | OAuth tokens; activity data flows from Garmin to us  | USA

4.2 Open Data Sources

To perform course analysis, we query open data services using the GPS coordinates from your uploaded course files. These services include OpenStreetMap (Overpass API), NASA SRTM, and ESA Copernicus. Only geographic coordinates are sent — no personal information is transmitted to these services.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect the rights, safety, or property of CourseRecon, our users, or the public.

4.4 Business Transfers

If CourseRecon is acquired or merged, your data may be transferred to the new entity. We will notify you before any such transfer and give you the option to delete your account.

We will never sell your personal data.


5. Data Storage and Security

5.1 Where Your Data Is Stored

Your data is primarily stored in Supabase's US region. Application hosting and static assets are served via Vercel's global CDN. Payment data is processed and stored by Stripe in PCI-DSS compliant infrastructure.

5.2 Security Measures

We implement the following security measures:

  • Encryption in transit (TLS 1.2+) for all connections
  • Encryption at rest for database storage
  • Salted password hashing (bcrypt)
  • Row-level security policies in our database
  • OAuth 2.0 for third-party integrations (no passwords stored for Strava or Garmin)
  • Regular security reviews and dependency updates
  • Principle of least privilege for internal access

5.3 Data Retention

Data type                   | Retention period
Account information         | Until you delete your account
Activity and training data  | Until you delete your account or disconnect the integration
Course analysis results     | Until you delete the analysis or your account
Payment records             | 7 years (NZ tax and legal requirements)
Technical/usage logs        | 90 days (IP anonymised after 30 days)
Support communications      | 2 years after resolution

6. Your Rights

6.1 All Users

Regardless of your location, you can:

  • Access your data — view and export your data from your account settings
  • Correct your data — update your profile and preferences at any time
  • Delete your data — delete your account and all associated data
  • Disconnect integrations — revoke Strava or Garmin Connect access at any time
  • Opt out of marketing emails — unsubscribe link in every email

6.2 Additional Rights (GDPR — EU/EEA/UK Users)

If you are located in the EU, EEA, or UK, you additionally have the right to:

  • Data portability — receive your data in a machine-readable format
  • Restrict processing — ask us to limit how we use your data
  • Object to processing — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent
  • Lodge a complaint — with your local data protection authority

6.3 New Zealand Privacy Act 2020

Under the NZ Privacy Act, you have the right to:

  • Access your personal information held by us
  • Request correction of inaccurate information
  • Lodge a complaint with the Office of the Privacy Commissioner

7. Cookies and Tracking

CourseRecon uses a minimal set of cookies:

Cookie        | Purpose                            | Type       | Duration
Session token | Authentication                     | Essential  | Session / 30 days
Preferences   | UI settings (units, dark mode)     | Functional | 1 year
Analytics     | Privacy-respecting usage analytics | Analytics  | 90 days

We do not use:

  • Third-party advertising cookies
  • Cross-site tracking pixels
  • Social media tracking widgets
  • Fingerprinting techniques

You can manage cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.


8. Third-Party Integrations

8.1 Strava

When you connect Strava, we use OAuth 2.0 to access your activity data. We request only the permissions necessary to provide the Service:

  • Activity summaries and details (routes, pace, heart rate, elevation)
  • Athlete profile (weight, FTP, heart rate zones)
  • Segment efforts

We do not post to your Strava account, modify your data, or access your social feed, followers, or clubs. You can disconnect Strava at any time from your CourseRecon account settings or from Strava's "My Apps" settings page.

Strava API compliance: CourseRecon displays Strava data in accordance with the Strava API Agreement. Activity data sourced from Strava is attributed with the "Powered by Strava" badge where required.

8.2 Garmin Connect

When you connect Garmin Connect, we use OAuth 2.0 to access your activity data. We request only the permissions necessary to provide the Service:

  • Activity summaries and details
  • GPS and sensor data from activities
  • Device information

We do not post to your Garmin account or modify your data. You can disconnect Garmin Connect at any time from your CourseRecon account settings or from the Garmin Connect app.

8.3 FIT File Uploads

When you upload FIT files directly, we process the embedded data (GPS, heart rate, cadence, power, temperature, etc.) to build your training profile. FIT files are stored securely and deleted if you remove the activity or delete your account.


9. Children's Privacy

CourseRecon is not directed at children under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.


10. International Data Transfers

Your data is primarily processed in the United States (Supabase, Vercel, Stripe, Strava, Garmin) and may transit through other locations via Vercel's global CDN. As your data is transferred outside New Zealand, we ensure appropriate safeguards are in place, including the EU Standard Contractual Clauses (SCCs) for EU/EEA users and the UK International Data Transfer Addendum for UK users, where required.


11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before changes take effect. The "Last Updated" date at the top of this page indicates the most recent revision.


12. Contact Us

For privacy questions, data requests, or complaints:

Privacy Contact: [privacy@courserecon.app]
Address: [Your registered address, Auckland, New Zealand]

For NZ Privacy Act complaints, you may also contact:
Office of the Privacy Commissioner
PO Box 10094, Wellington 6143
https://privacy.org.nz