Privacy Policy
Last Updated: December 19, 2024
Effective Date: December 19, 2024
1. Introduction and Data Controller Information
This Privacy Policy ("Policy") describes how PaceBrain Pty Ltd, ABN 21 237 258 402, a company incorporated in Australia ("Company," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal data in connection with our website located at pacebrain.com, mobile applications, and related services (collectively, the "Platform"). PaceBrain acts as the data controller for the personal data processed through the Platform.
This Policy applies to all individuals who access or use the Platform, including registered users, visitors, and any other persons whose personal data we process. By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with our data practices as described herein, you must immediately cease using the Platform.
This Policy is incorporated by reference into our Terms of Service and should be read in conjunction with our Cookie Policy.
2. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Information You Provide Directly
- Account Registration Data: Name, email address, password (stored in hashed/encrypted form), and profile information.
- Athletic and Fitness Data: Running activities, distance, pace, duration, heart rate data, elevation, cadence, training goals, race plans, and performance metrics.
- User-Generated Content: Activity notes, personal records, goals, and any other content you submit through the Platform.
- Communication Data: Information contained in your communications with us, including support requests and feedback.
- Payment Information: When applicable, payment card details, billing address, and transaction history (processed by our third-party payment processor, Stripe).
2.2 Information Collected Automatically
- Device Information: Device type, operating system, browser type and version, unique device identifiers, and mobile network information.
- Usage Data: Pages visited, features used, time spent on the Platform, click patterns, navigation paths, and interaction data.
- Log Data: IP address, access times, referring URLs, and system activity logs.
- Location Data: Approximate geographic location derived from IP address; precise geolocation only with your explicit consent for GPS-enabled activity tracking.
2.3 Information from Third-Party Sources
- Connected Services: If you connect Strava to your account, we receive activity data, profile information, and other data you authorize Strava to share. You may also upload activity files exported from other fitness platforms (e.g., Garmin, Polar, COROS).
- Authentication Providers: If you use social login (e.g., Google), we receive basic profile information from those providers.
3. Legal Bases for Processing (GDPR/UK GDPR)
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions requiring a legal basis for processing, we process your personal data on the following grounds:
- Contractual Necessity (Article 6(1)(b) GDPR): Processing necessary for the performance of our contract with you, including providing the Platform services, managing your account, and fulfilling subscription obligations.
- Consent (Article 6(1)(a) GDPR): Where you have given explicit consent to specific processing activities, such as marketing communications, non-essential cookies, and location tracking.
- Legitimate Interests (Article 6(1)(f) GDPR): Processing necessary for our legitimate interests, including Platform improvement, fraud prevention, security measures, and analytics, provided such interests are not overridden by your fundamental rights and freedoms.
- Legal Obligation (Article 6(1)(c) GDPR): Processing necessary to comply with applicable laws, regulations, and legal processes.
For processing of special category data (e.g., health-related fitness data), we rely on your explicit consent pursuant to Article 9(2)(a) GDPR.
4. Purposes of Processing
We process your personal data for the following purposes:
- Service Provision: To provide, maintain, and improve the Platform, including activity tracking, AI-powered coaching insights, race planning, and personalized recommendations.
- Account Management: To create and manage your account, authenticate your identity, and provide customer support.
- Communication: To send transactional emails (password resets, activity summaries), service announcements, and, with consent, marketing communications.
- Analytics and Improvement: To analyze usage patterns, conduct research, and improve Platform functionality and user experience.
- Security and Fraud Prevention: To detect, prevent, and respond to security incidents, fraud, and abuse.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
- AI and Machine Learning: To train and improve our AI models for personalized coaching recommendations (using anonymized and aggregated data where possible).
5. Data Sharing and Disclosure
We may share your personal data with the following categories of recipients:
5.1 Service Providers and Data Processors
We engage third-party service providers who process personal data on our behalf, subject to contractual obligations requiring them to implement appropriate security measures and process data only as instructed:
- Supabase: Database hosting, authentication, and storage services
- Vercel: Hosting, content delivery, and analytics
- Stripe: Payment processing
- Resend: Transactional email delivery
- Sentry: Error monitoring and application performance
- Groq: AI/ML model inference for coaching features
5.2 Legal and Regulatory Disclosures
We may disclose personal data when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to:
- Comply with applicable laws or respond to valid legal processes
- Protect the rights, property, or safety of PaceBrain, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
- Enforce our Terms of Service or other agreements
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal data.
5.4 With Your Consent
We may share your personal data with third parties when you have provided explicit consent to such sharing.
6. International Data Transfers
Your personal data may be transferred to, and processed in, countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction.
When we transfer personal data from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of data protection, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs): European Commission-approved contractual terms ensuring adequate protection
- UK International Data Transfer Agreement (IDTA): For transfers from the UK
- Supplementary Measures: Technical and organizational measures to enhance data protection where necessary
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Retention periods are determined based on:
- Active Accounts: Personal data is retained for the duration of your account's existence.
- Deleted Accounts: Upon account deletion, we delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, legal claims).
- Legal Requirements: Certain data may be retained for longer periods as required by applicable laws (e.g., tax records, transaction data).
- Anonymized Data: Aggregated, anonymized data that cannot identify you may be retained indefinitely for analytical purposes.
8. Your Rights Under GDPR/UK GDPR
If you are located in the EEA, UK, or a jurisdiction with similar data protection laws, you have the following rights regarding your personal data:
- Right of Access (Article 15): The right to obtain confirmation of whether we process your personal data and to request a copy of such data.
- Right to Rectification (Article 16): The right to request correction of inaccurate personal data and completion of incomplete data.
- Right to Erasure (Article 17): The right to request deletion of your personal data in certain circumstances ("right to be forgotten").
- Right to Restriction of Processing (Article 18): The right to request limitation of processing in specific situations.
- Right to Data Portability (Article 20): The right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to Object (Article 21): The right to object to processing based on legitimate interests, including profiling, and to processing for direct marketing purposes.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: The right to lodge a complaint with a supervisory authority in your country of residence.
To exercise any of these rights, please contact us at privacy@pacebrain.com or use the account deletion feature within your account settings. We will respond to your request within 30 days, as required by applicable law.
9. California Privacy Rights (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: The right to request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties with whom data is shared.
- Right to Delete: The right to request deletion of personal information, subject to certain exceptions.
- Right to Correct: The right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: The right to opt out of the sale or sharing of personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: The right to limit the use and disclosure of sensitive personal information.
- Right to Non-Discrimination: The right not to be discriminated against for exercising privacy rights.
Notice at Collection: We collect the categories of personal information described in Section 2 for the purposes described in Section 4. We do not sell your personal information as defined by the CCPA/CPRA. We may share certain information for targeted advertising purposes, which you can opt out of through our cookie preferences.
To exercise your California privacy rights, contact us at privacy@pacebrain.com. We will verify your identity before fulfilling requests and respond within 45 days as required by law.
10. Australian Privacy Rights (Privacy Act 1988)
Australian residents have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We are committed to complying with these requirements:
- APP 1 - Open and Transparent Management: We manage your personal information openly and transparently, as outlined in this Policy.
- APP 6 - Use or Disclosure: We only use or disclose your personal information for the purposes for which it was collected, or for a related secondary purpose you would reasonably expect, unless you have consented or an exception applies.
- APP 7 - Direct Marketing: You can opt out of receiving direct marketing communications at any time by using the unsubscribe link in emails or contacting us.
- APP 8 - Cross-Border Disclosure: Before disclosing your personal information overseas, we take reasonable steps to ensure the overseas recipient does not breach the APPs, or we obtain your consent.
- APP 11 - Security: We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure.
- APP 12 - Access: You have the right to request access to the personal information we hold about you.
- APP 13 - Correction: You have the right to request correction of your personal information if it is inaccurate, incomplete, or out of date.
Making a Complaint: If you believe we have breached the APPs, you can lodge a complaint with us at privacy@pacebrain.com. We will respond to your complaint within 30 days. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
Anonymity: Where practicable, you have the option to interact with us anonymously or using a pseudonym. However, if you choose not to provide certain personal information, we may not be able to provide you with full access to the Platform's features.
11. Data Security
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication mechanisms, including hashed passwords
- Regular security assessments and vulnerability testing
- Access controls limiting data access to authorized personnel
- Monitoring and logging of system access and activities
- Incident response procedures for security breaches
Data Breach Notification: In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security and disclaim any liability for unauthorized access resulting from circumstances beyond our reasonable control.
12. Children's Privacy
The Platform is not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@pacebrain.com, and we will take steps to delete such information.
13. Automated Decision-Making and Profiling
We use automated processing, including AI and machine learning algorithms, to provide personalized coaching recommendations, training insights, and race predictions. This processing is based on your athletic data and does not produce legal or similarly significant effects.
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. The AI-generated recommendations provided through the Platform are for informational purposes only and should not be considered medical, professional athletic, or legal advice.
14. Third-Party Links and Services
The Platform may contain links to third-party websites, services, or applications not operated by us. This Policy does not apply to such third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by posting the updated Policy on the Platform with a revised "Last Updated" date. For significant changes affecting your rights, we will provide additional notice via email or in-app notification.
Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Policy. We encourage you to periodically review this Policy.
16. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
PaceBrain Pty Ltd - Privacy Inquiries
ABN: 21 237 258 402
Email: privacy@pacebrain.com
Subject Line: Privacy Policy Inquiry
For users in the EEA, you may also contact your local data protection authority if you have concerns about our data processing practices.
17. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the State of New South Wales, Australia, without regard to conflict of law principles. Nothing in this Policy shall limit any rights you may have under applicable data protection laws, including the Privacy Act 1988 (Cth), the GDPR, or the CCPA/CPRA.