Cursa is a running app. We collect the minimum data needed to make it work. We do not sell your data, and we do not track you outside the app. This policy explains what we collect, why, who we share it with, and what rights you have.
Section 1
Data controller
The data controller for personal data processed by Cursa is:
Inflect LLC (a Florida limited liability company, operator of Cursa)
Contact: privacy@cursa.run
For GDPR and UK GDPR purposes, "Cursa" refers to Inflect LLC, a limited liability company registered in the State of Florida, United States, which operates the Cursa service.
Section 2
Data we collect and why
We collect data in six categories. Each category has a stated purpose that maps to our App Store privacy nutrition label and to the PrivacyInfo.xcprivacy manifest shipped with every Cursa build.
| Category | What exactly | Why | Linked to you? |
|---|---|---|---|
| Health & Fitness — per-second HealthKit samples | Heart-rate ticks, cadence, every individual pace reading and calorie sample | Live metrics during your run and pace coaching feedback. Aggregated locally into the summary below. | On-device only — never uploaded |
| Health & Fitness — run summaries | Completion time, distance, elapsed time, average pace, average heart rate, calories, treadmill/outdoor flag, source | Saving your run history, detecting personal records, training-plan progress, and the social activity feed | Yes — uploaded to Cursa servers* |
| Health & Fitness — training plans, PRs, shoes | Adaptive training plans, personal record history, shoe mileage | Personal training data — never visible to other Cursa users | Yes — iCloud only (Apple's servers via CloudKit). Cursa servers never see this data. |
| Precise location — GPS route | Polyline-encoded coordinates of your outdoor run, uploaded after the run completes | Map view on the run-detail screen and the social activity feed | Yes — uploaded to Cursa servers*, but only when: your run is outdoors, Ghost Mode is off, and route trim doesn't reduce the route to nothing. Trim distance is configurable in Settings → Privacy. |
| Precise location — live tracking | Real-time GPS coordinates streamed while a run is in progress | Letting friends/family follow your run live, only when you explicitly tap "Share Live" | Yes — uploaded to Cursa servers* only while you have an active live-share session. Recorded points are retained for 7 days after the run ends, then deleted. |
| Account & profile | Email address, display name | Authentication (Sign in with Apple), profile display, social features | Yes — Cursa servers* |
| Social graph | Who you follow, clubs you belong to, kudos and comments you send or receive, RSVPs, run summaries you choose to share | Social features — feed, clubs, leaderboards, live tracking share links | Yes — Cursa servers* |
| Race results | Official chip times imported from RunSignUp when you initiate a search by name | Importing official race history and updating personal records | Yes |
| Device identifier | A pseudonymous UUID stored locally on your device — not your IDFV, IDFA, or any Apple-issued identifier. The UUID is reset whenever you reinstall the app, so it cannot be used to re-identify you across installs. | Privacy-safe analytics (TelemetryDeck) and crash reporting (Sentry) | No — not linked to your Cursa account or identity |
| App usage events | Bucketed feature interactions (e.g. "run completed", "plan created") — no GPS, no route data, no pace values | Product analytics to improve Cursa | No |
| Crash & performance data | Stack traces, app hang reports, launch time metrics — no PII, no health data | Bug fixing and stability | No |
| Push notification token | APNs device token | Sending push notifications you have opted into (plan reminders, kudos, race alerts) | Yes — linked to your account on Cursa servers* |
| Payment data | None — subscription transactions are handled entirely by the Apple App Store | N/A — Cursa never sees or stores payment card data | N/A |
* "Cursa servers" refers to our backend infrastructure, which is hosted on Supabase — an open-source Postgres and Storage platform. See Section 4 for the full sub-processor list and the relevant data-processing agreements.
What is not collected
- We do not collect any data for advertising or tracking purposes.
NSPrivacyTrackingin our privacy manifest is false. - We do not collect your full GPS route on our servers unless you explicitly start a live tracking broadcast. Position data from a live broadcast is retained for 7 days from when the run ends, so people you shared the link with can review the route after the run, then automatically deleted from our servers.
- We do not read your contacts, calendar, messages, or any other app's data.
- We do not use HealthKit data to derive inferences beyond what you can already see in the app (pace, PR detection, training load).
Section 3
Legal basis for processing (GDPR / UK GDPR)
We rely on the following legal bases:
- Performance of a contract — health, fitness, location, account, and social data are necessary to provide the service you signed up for.
- Legitimate interests — crash reporting and analytics help us improve the app without adversely affecting your interests, and we use the least-identifying data possible for these purposes.
- Consent — HealthKit access, precise location access, and push notifications are each granted or revoked by you at any time in iOS Settings. Analytics can be opted out in-app at More → Me → Privacy → Analytics.
Section 4
Third-party processors
We use the following sub-processors. Each is bound by a data processing agreement and our instructions.
Apple HealthKit & iCloud / CloudKit
Your health and fitness data — workouts, heart rate, distance, pace — is read from and written to Apple HealthKit on your device. Full run data (GPS routes, splits, personal records, training plans) syncs across your Apple devices via CloudKit under your Apple ID. Cursa does not receive this data on our servers. Apple's privacy policy governs their handling: apple.com/legal/privacy.
Cursa servers — hosted on Supabase
Cursa's backend (authentication, run summaries, social graph, live race tracking, run clubs, race event registry, push notification tokens) is provided by Supabase — an open-source Postgres and Storage platform. Every Section 2 row marked "Cursa servers" is stored here, scoped to your account by row-level security. Supabase is SOC 2 Type II certified. supabase.com/privacy.
Apple Intelligence (on-device)
AI coaching feedback is generated on your device using Apple Intelligence. Your run data (distance, pace, heart rate, splits, training plan context) is analysed locally — none of it is sent to a remote server for this analysis. Apple's privacy policy governs Apple Intelligence: apple.com/legal/privacy.
RunSignUp
When you use the "Find My Results" feature, your first and last name are sent to the RunSignUp API to search for matching race results. This is a read-only, user-initiated request. RunSignUp is a US-based company. runsignup.com/privacy.
TelemetryDeck
Privacy-preserving analytics. Events sent to TelemetryDeck contain no GPS coordinates, no health values, no email address, and no name. Values are bucketed (e.g. distance ranges, not exact distances). The identifier is a pseudonymous device UUID — not linked to your Cursa account. You can opt out in the app at Me → Privacy → Analytics. telemetrydeck.com/privacy.
Sentry
Crash reporting and performance monitoring. PII scrubbing is enabled in our Sentry configuration — stack traces contain file/function names and device metadata but not your personal data or health data. The device identifier sent is the same pseudonymous UUID used for TelemetryDeck. You can opt out in the app at Me → Privacy → Analytics. sentry.io/privacy.
Apple App Store
Subscription purchases and payment processing are handled entirely by Apple. Cursa does not receive, store, or process payment card details. Apple's In-App Purchase terms apply. When subscription features are introduced, we will update this section accordingly.
Section 5
Data retention
- On-device data (runs, routes, training plans, personal records) — retained until you delete the app. Managed by iOS; Cursa has no control over this data once it leaves the app.
- Cursa server data (account, social graph, shared run summaries) — retained until you delete your account. Account deletion removes all associated server-side data within 30 days.
- Analytics data (TelemetryDeck) — aggregated event data retained per TelemetryDeck's standard retention. Because it contains no PII, deletion is not applicable at the individual level.
- Crash data (Sentry) — retained per Sentry's standard 90-day retention for event data.
- Push tokens — deleted immediately when you delete your account.
Account deletion: Open Cursa → More tab → Me → scroll to the bottom → tap Delete Account → confirm with Delete My Account. This permanently deletes your Cursa profile, runs, kudos, comments, and club memberships from our servers. Your Apple Health data is not affected — remove the app from your device to clear local data.
Section 6
International data transfers
Cursa is operated from the United States by Inflect LLC, a Florida limited liability company. Our backend processor Supabase, and other sub-processors (RunSignUp, Sentry, TelemetryDeck), store data in the United States. For users in the EU, EEA, or UK, where data is transferred outside those regions we rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as applicable, to ensure an adequate level of protection.
Section 7
Your rights
Under GDPR, UK GDPR, and CCPA you have the following rights. We honour all of them.
| Right | How to exercise it |
|---|---|
| Access | Me → Privacy → Download my data — exports a JSON bundle of everything we hold server-side. |
| Rectification | Edit your display name in the app. For email address, use your Apple or Google account settings. |
| Erasure ("right to be forgotten") | Me tab → Delete Account. Server-side data deleted within 30 days. |
| Data portability | Same data export as access (JSON bundle). The export includes all run summaries, social connections, and profile data we hold. |
| Objection to analytics | Me → Privacy → Analytics — toggle off. Stops TelemetryDeck events and Sentry reporting immediately. |
| Withdraw consent (location) | iOS Settings → Cursa → Location → Never. Note: this prevents outdoor run tracking. |
| Withdraw consent (HealthKit) | iOS Settings → Health → Data Access & Devices → Cursa. |
| Ghost mode (social opt-out) | Me → Privacy → Ghost mode. Hides your runs from all social feeds without deleting your account. |
| CCPA "Do Not Sell" | We do not sell personal data. No action needed. |
To exercise any right not listed above, or to lodge a complaint, contact privacy@cursa.run. We will respond within 30 days. UK residents also have the right to complain to the Information Commissioner's Office (ICO). EU residents may contact their local supervisory authority.
Section 8
Children's privacy
Cursa is not directed at children under the age of 13 (or 16 in the European Union and UK, where a higher age of consent for data processing applies). We do not knowingly collect personal data from children below these ages. If you believe we have inadvertently collected data from a child, please contact privacy@cursa.run and we will delete it promptly.
Section 9
Website cookies
cursa.run is a static site. It does not set any tracking cookies, run analytics scripts, or use advertising pixels. The fonts loaded from Google Fonts are the only third-party request; no identifying data is transmitted to Google from this site beyond the standard HTTP request your browser makes to fetch the font files.
Section 10
Changes to this policy
We will update this policy when our data practices change in a material way. When we do:
- We will update the "Last updated" date at the top of this page.
- For significant changes, we will notify you via an in-app notice or push notification before the change takes effect.
- Continued use of Cursa after the effective date constitutes acceptance of the updated policy.
Section 11
Contact
Privacy questions: privacy@cursa.run
General support: support@cursa.run
A Data Protection Officer has not been appointed at this time, as our processing volumes do not meet the threshold set out in GDPR Article 37. We review this position regularly as the service grows.