legal
Paceout is a coordination tool for run clubs, available only to residents of the United States. We collect the minimum data we need to run the Service safely. We do not sell your personal information. You can see, change, export, or delete your data from inside the app or by emailing privacy@paceout.app.
This Privacy Policy explains how Paceout ("Paceout", "we", "us") collects, uses, and shares personal information when you use our mobile app, website, and related services (the "Service"). The data controller is Paceout, located in San Francisco, California, USA.
Paceout is offered only to residents of the United States. The mobile app is available only on the U.S. App Store. We do not market the Service to people in the European Union, the United Kingdom, or other jurisdictions, and we do not knowingly collect personal information from residents of those places. If you are outside the United States, please do not use the Service. If you are a U.S. resident traveling outside the country, your use is still subject to U.S. law and this policy.
We collect the following categories of information: • Account information you give us at signup: phone number (required, used for SMS verification and as your account identifier), birth year (used to confirm you meet the 18-or-older minimum and to size cohorts on the discover surface), and the basics you choose during onboarding (display name, handle, profile photo, optional bio, pronouns, gender, typical pace, home neighborhood, and goals). • Content you create: clubs you host, runs you create, RSVPs, comments, club announcements, follows, blocks, and reports. • Usage data: events such as which screens you view, which buttons you tap, when you RSVP or post a comment, and timestamps. We use this in aggregate to understand what's working and what's not. • Device and technical data: device model, operating system version, app version, IP address, language, timezone, crash logs, and a non-resettable installation ID. This is used for security, fraud prevention, and debugging. • Push token: if you allow notifications, we store the push token associated with your device so we can deliver notifications you've opted into. • Connected services: if you choose to connect Strava, we receive the activities and athlete profile fields you authorize on Strava's consent screen. We do not collect precise GPS location in V1. The neighborhood and city values associated with your profile or club are coarse-grained, user-entered text, not GPS readings.
We use your information to: • Provide the Service — verify your phone, suggest clubs and runs, deliver RSVPs and comments, send notifications you opt into, and run the matching, ranking, and search features. • Keep the Service safe — detect and prevent spam, fraud, abuse, harassment, ban evasion, and other policy violations. • Improve the Service — measure feature usage, debug crashes, and prioritize what to build. • Communicate with you — send service-related messages (account, security, runs you've RSVP'd to, host announcements). We may send marketing messages only if you opt in, and you can opt out at any time.
We do not sell or rent your personal information. We share it only as follows: • With other users — your public profile (display name, handle, photo, bio, pronouns where you chose to display, location at the granularity you set, badges, and follower / following counts), the clubs and runs you host or RSVP to, the comments you post, and content within shared clubs. Hosts of clubs you join can see your handle, photo, and pace group; if a host approves you into a private club, they may also see brief notes you provide on join. • With service providers — we use the following processors, each under a written data processing agreement: – Supabase — managed Postgres, authentication, file storage. – Twilio — SMS delivery for phone verification. – OneSignal — push notification delivery. – Mapbox — map tiles and place lookup. – PostHog — product analytics. – Sentry — crash and error reporting. – Apple App Store / Google Play — subscription billing and platform analytics, where applicable. – Strava — only when you connect, and only to the extent you authorize on Strava. – Resend — transactional email (if you send us a contact-form message via the website). • For legal reasons — to comply with a subpoena, court order, or other legal process; to enforce our Terms; to protect Paceout, our users, or the public. • In a business transfer — if Paceout is acquired or merges with another company, your information may be part of the transferred assets, subject to this Privacy Policy or a successor we notify you about.
The mobile app does not use cookies; it uses local app storage (e.g., Expo SecureStore) to keep you signed in and to remember preferences. Our website may set strictly necessary cookies and, with your consent, analytics cookies. We do not use cross-site advertising trackers.
Paceout is not directed to children under 13, and we restrict the Service to users 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn that we collected information from a minor, we will close the account and delete the information promptly. Parents or guardians who believe a minor has signed up should email privacy@paceout.app.
Depending on the U.S. state where you live — including California (CCPA / CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with comprehensive privacy laws — you have some or all of the following rights: • Access — request a copy of the personal information we hold about you. • Correction — fix inaccurate or incomplete information. Most fields are editable in Settings → Account or your profile. • Deletion — close your account from Settings → Account or email privacy@paceout.app. • Portability — request a machine-readable export of your data. • Limit use of sensitive information — restrict our use of any sensitive personal info you've provided (e.g., gender, pronouns). • Opt-out of "sale" or "sharing" — we do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of, but you can confirm by emailing privacy@paceout.app. • Opt-out of analytics — toggle Settings → Privacy → Share anonymous usage off. This stops new analytics events immediately and disables our local analytics client. • Opt-out of marketing — unsubscribe from emails, or turn off Marketing in Settings → Notifications. • Non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right. • Appeal — if we deny a request, you may appeal by replying to our response email; we respond to appeals within 60 days. We verify identity-based requests by sending a confirmation to the phone number on file. We respond within 45 days (and within shorter windows where state law requires). Where state law allows, you may designate an authorized agent to make a request on your behalf with your written permission.
Categories of personal information we collect: identifiers (phone, account ID), customer records (profile fields), commercial information (subscription status), internet/device information (IP, device ID, app version), inferences (cohort assignments for ranking), and content you provide. Sources: directly from you, automatically from your device, and from third parties you connect (e.g., Strava). Purposes: those listed in section 4. Sharing: with the service providers listed in section 5 and as required by law. We do not knowingly process sensitive personal information beyond what users voluntarily include in their profile (such as gender, pronouns, or running goals). We retain personal information per the schedule in section 10.
We keep your personal information for as long as your account is active. After you delete your account, we soft-remove your profile immediately and hard-delete most associated data within 30 days, except where we are required to keep records longer (for example, records of policy violations are kept for up to 2 years to prevent ban evasion; payment records are kept for 7 years for tax and accounting; security logs up to 1 year). Aggregate, de-identified data may be retained indefinitely.
We use encryption in transit and at rest, role-based access, regular dependency audits, and least-privilege practices. No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you and the appropriate U.S. state regulators in line with applicable law.
Paceout is based in the United States, and our service providers process data primarily in the U.S. Some service providers may store backups or run infrastructure in other countries solely to deliver the Service to U.S. users. We do not transfer personal information internationally for marketing or sale.
We may update this policy. If a change is material, we will notify you in-app at least 7 days before it takes effect and, where the law requires, ask you to re-accept. The current version and effective date are at the top of this page.
Questions, requests, or concerns about your privacy? Email privacy@paceout.app. For other matters, support@paceout.app.