PRIVACY POLICY
Last updated: 2024-02-23
This Privacy Policy explains how ENDURE (“we”, “us”, “our”) collects, uses, and shares data when you use the ENDURE mobile app, desktop app (if available), and website endure-cycling.com (together, the “Services”).
1. Controller / Contact
Controller: Christoph Martin (ENDURE)
Address: Fischerweg 8, 7503 Großpetersdorf, Austria
Email: info@endure-cycling.com
2. Data we collect
2.1 Account & identity data
- Email address and authentication metadata (via Supabase Auth)
- User ID and basic account settings
2.2 Training, workout & performance data
- Workouts you create or import (e.g., .zwo, .erg, .mrc, .fit and related metadata)
- Ride/session data recorded in ENDURE (e.g., power, cadence, heart rate, timestamps, intervals)
- Derived analytics and trends (e.g., FTP and VO₂max estimates, time-in-zone, training load)
2.3 Device & technical data
- Device model, OS version, app version/build, language, time zone
- Connectivity diagnostics needed for trainer/sensor integration (e.g., Bluetooth status, supported capabilities)
- Push notification token(s) (FCM/APNs)
2.4 Crash & error diagnostics (Sentry)
- Crash reports, error logs, stack traces, and performance traces
- Limited device/app context to diagnose issues (as configured)
2.5 Website analytics (Google Analytics)
- Website usage data (e.g., page views, interactions, device/browser information, approximate location)
- Cookies and similar identifiers may be used depending on configuration and applicable consent requirements.
3. Why we process your data (purposes) and legal bases (GDPR)
If you are located in the EEA/UK/Switzerland, we process personal data based on one or more of the following legal bases:
3.1 Provide the Services (GDPR Art. 6(1)(b) — contract necessity)
- Create and manage your account
- Store, display, and analyze your workouts and sessions
- Provide imports, history, and progress views
- Provide device connection features (trainer/sensors) where supported
3.2 Improve reliability, security, and support (GDPR Art. 6(1)(f) — legitimate interests)
- Prevent abuse, maintain security, and debug issues
- Diagnose crashes and errors (Sentry)
- Improve performance, stability, and user experience
3.3 Consent (GDPR Art. 6(1)(a)) — where required
- Non-essential website analytics cookies/trackers (Google Analytics), depending on your region and configuration
- Marketing emails/newsletters (if/when offered)
3.4 Special category data (health data) — explicit consent (GDPR Art. 9(2)(a))
Some data processed in the app may qualify as data concerning health, such as heart rate data and related physiological signals (if you connect such sensors). Where this applies, we process such data only with your explicit consent in accordance with GDPR Art. 9(2)(a) and, where required, GDPR Art. 6(1)(a).
You can withdraw your consent at any time in the app settings. If you withdraw consent, we will stop collecting and processing new health data for the affected features. You can also request deletion of existing data (see Section 8).
If you do not provide consent, you may still use parts of the Services that do not require processing of health data (feature availability may be limited).
4. Sharing of data / Processors and recipients
We share data only as necessary to operate the Services:
- Supabase (EU region) — authentication and database hosting (processor)
- Sentry — crash reporting and diagnostics (processor)
- Google Analytics — website analytics (processor)
- Firebase Cloud Messaging (FCM) / Apple Push Notification service (APNs) — delivery of push notifications (service providers)
- Subscription management (RevenueCat) — if/when enabled
If subscription functionality is enabled, we may use RevenueCat to manage subscription entitlement status (e.g., whether you have access to paid features) and to validate purchases. RevenueCat may process:
- an app user identifier (e.g., RevenueCat App User ID),
- subscription/entitlement status,
- purchase/receipt metadata from app stores for validation, and
- limited device/app metadata (e.g., OS version).
RevenueCat acts as a processor for this purpose.
App Stores (Apple / Google)
If you make purchases through Apple App Store or Google Play, those platforms process payment and billing information as independent controllers under their own privacy policies. We do not receive full payment details (e.g., credit card numbers).
We may also disclose data if required by law, or to protect rights, safety, and security.
5. International transfers
Core app data is hosted in the EU (Supabase EU region). Some service providers may process data outside your country (potentially including the United States). Where required, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) and vendor commitments.
6. Data retention
- Account + training data: retained while your account is active.
- Crash/error data (Sentry): typically retained for 90 days (depending on configuration).
- Website analytics (Google Analytics): retained per GA settings (typically 14 months).
You can request deletion (Section 8).
7. Security
We use reasonable technical and organizational measures to protect data (encryption in transit, access controls, least privilege). No method of transmission or storage is 100% secure.
8. Your rights (EEA/UK/Switzerland)
Depending on your location, you may have rights to access, rectify, delete, and port your data, to restrict or object to its processing, and to withdraw consent.
How to exercise rights: email info@endure-cycling.com from the email address linked to your account.
Account deletion: You can request account deletion by emailing info@endure-cycling.com from your registered email address. We will delete or anonymize your account data unless we must retain certain information for legal obligations or to resolve disputes.
9. Cookies (website)
If we use cookies or similar identifiers for analytics, you may be asked for consent depending on local law and configuration. You can also control cookies via browser settings.
10. Children
The Services are not intended for children under 16. If you believe a child provided data, contact us.
11. Changes
We may update this Privacy Policy. We will update the “Last updated” date and may provide notice for material changes.