Cursa is a running app. We collect the minimum data needed to make it work. We do not sell your data, and we do not track you outside the app. This policy explains what we collect, why, who we share it with, and what rights you have.
Section 1
Data controller
The data controller for personal data processed by Cursa is:
Cursa
Contact: privacy@cursa.run
For GDPR and UK GDPR purposes, "Cursa" refers to the individual or entity operating the Cursa app and cursa.run website.
Section 2
Data we collect and why
We collect data in six categories. Each category has a stated purpose that maps to our App Store privacy nutrition label and to the PrivacyInfo.xcprivacy manifest shipped with every Cursa build.
| Category | What exactly | Why | Linked to you? |
|---|---|---|---|
| Health & Fitness | Running workouts, heart rate samples, distance, duration, pace, cadence, calories | Core app function — tracking runs, detecting personal records, training plan progress | Yes (on your device / iCloud only — not sent to Cursa servers in raw form) |
| Precise location | GPS coordinates during active outdoor runs only | Route recording, live tracking (if you opt in per run) | Yes — only collected while a run is active; not collected in the background at other times |
| Account & profile | Email address, display name, optional profile photo | Authentication (Sign in with Apple / Google), profile display, social features | Yes |
| Social graph | Who you follow, clubs you belong to, kudos and comments you send or receive, RSVPs, run summaries you choose to share | Social features — feed, clubs, leaderboards, live tracking share links | Yes — stored on Supabase (see Section 4) |
| Race results | Official chip times imported from RunSignUp when you initiate a search by name | Importing official race history and updating personal records | Yes |
| Device identifier | A pseudonymous UUID stored in the device Keychain — not your IDFV or IDFA | Privacy-safe analytics (TelemetryDeck) and crash reporting (Sentry) | No — not linked to your Cursa account or identity |
| App usage events | Bucketed feature interactions (e.g. "run completed", "plan created") — no GPS, no route data, no pace values | Product analytics to improve Cursa | No |
| Crash & performance data | Stack traces, app hang reports, launch time metrics — no PII, no health data | Bug fixing and stability | No |
| Push notification token | APNs device token | Sending push notifications you have opted into (plan reminders, kudos, race alerts) | Yes — linked to your account in Supabase |
| Payment data | None — subscription transactions are handled entirely by the Apple App Store | N/A — Cursa never sees or stores payment card data | N/A |
What is not collected
- We do not collect any data for advertising or tracking purposes. NSPrivacyTracking in our privacy manifest is false.
- We do not collect your full GPS route on our servers unless you explicitly start a live tracking broadcast for a specific run — and even then only the real-time position stream is transmitted, not saved in raw form on our side.
- We do not read your contacts, calendar, messages, or any other app's data.
- We do not use HealthKit data to derive inferences beyond what you can already see in the app (pace, PR detection, training load).
Section 3
Legal basis for processing (GDPR / UK GDPR)
We rely on the following legal bases:
- Performance of a contract — health, fitness, location, account, and social data are necessary to provide the service you signed up for.
- Legitimate interests — crash reporting and analytics help us improve the app without adversely affecting your interests, and we use the least-identifying data possible for these purposes.
- Consent — precise location access and HealthKit access are granted or revoked by you at any time in iOS Settings. Analytics can be opted out in-app at Me → Privacy → Analytics. Push notifications require explicit iOS permission.
Section 4
Third-party processors
We use the following sub-processors. Each is bound by a data processing agreement and our instructions.
Apple HealthKit & iCloud / CloudKit
Your health and fitness data — workouts, heart rate, distance, pace — is read from and written to Apple HealthKit on your device. Full run data (GPS routes, splits, personal records, training plans) syncs across your Apple devices via CloudKit under your Apple ID. Cursa does not receive this data on our servers. Apple's privacy policy governs their handling: apple.com/legal/privacy.
Supabase (hosted on AWS)
Cursa's backend for authentication, social graph, live race tracking, run clubs, and race event registry. The data stored on Supabase is listed in the "Social graph" and "Account & profile" rows of Section 2. Supabase is SOC 2 Type II certified. supabase.com/privacy.
Anthropic (Claude AI)
When AI coaching feedback is generated, a summary of your run (distance, pace, heart rate zone, training plan context) is sent to Anthropic's Claude API. No personally identifiable information is transmitted — your name, email, and GPS route are stripped before the request is made. Anthropic does not train on API inputs by default. anthropic.com/privacy.
RunSignUp
When you use the "Find My Results" feature, your first and last name are sent to the RunSignUp API to search for matching race results. This is a read-only, user-initiated request. RunSignUp is a US-based company. runsignup.com/privacy.
TelemetryDeck
Privacy-preserving analytics. Events sent to TelemetryDeck contain no GPS coordinates, no health values, no email address, and no name. Values are bucketed (e.g. distance ranges, not exact distances). The identifier is a pseudonymous device UUID — not linked to your Cursa account. You can opt out in the app at Me → Privacy → Analytics. telemetrydeck.com/privacy.
Sentry
Crash reporting and performance monitoring. PII scrubbing is enabled in our Sentry configuration — stack traces contain file/function names and device metadata but not your personal data or health data. The device identifier sent is the same pseudonymous UUID used for TelemetryDeck. You can opt out in the app at Me → Privacy → Analytics. sentry.io/privacy.
Apple App Store
Subscription purchases and payment processing are handled entirely by Apple. Cursa does not receive, store, or process payment card details. Apple's In-App Purchase terms apply. When subscription features are introduced, we will update this section accordingly.
Section 5
Data retention
- On-device data (runs, routes, training plans, personal records) — retained until you delete the app. Managed by iOS; Cursa has no control over this data once it leaves the app.
- Supabase data (account, social graph, shared run summaries) — retained until you delete your account. Account deletion removes all associated server-side data within 30 days.
- Analytics data (TelemetryDeck) — aggregated event data retained per TelemetryDeck's standard retention. Because it contains no PII, deletion is not applicable at the individual level.
- Crash data (Sentry) — retained per Sentry's standard 90-day retention for event data.
- Push tokens — deleted immediately when you delete your account.
Account deletion: Open Cursa → Me tab → scroll to the bottom → tap Delete Account. This queues permanent deletion of your Supabase profile, social connections, and shared run summaries. Your on-device data is not affected; remove the app to clear that.
Section 6
International data transfers
Cursa is operated from the United Kingdom. Some of our sub-processors are based in the United States (Supabase/AWS, Anthropic, RunSignUp, Sentry). Where data is transferred outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as applicable, to ensure an adequate level of protection.
Section 7
Your rights
Under GDPR, UK GDPR, and CCPA you have the following rights. We honour all of them.
| Right | How to exercise it |
|---|---|
| Access | Me → Privacy → Download my data — exports a JSON bundle of everything we hold server-side. |
| Rectification | Edit your display name in the app. For email address, use your Apple or Google account settings. |
| Erasure ("right to be forgotten") | Me tab → Delete Account. Server-side data deleted within 30 days. |
| Data portability | Same data export as access (JSON bundle). The export includes all run summaries, social connections, and profile data we hold. |
| Objection to analytics | Me → Privacy → Analytics — toggle off. Stops TelemetryDeck events and Sentry reporting immediately. |
| Withdraw consent (location) | iOS Settings → Cursa → Location → Never. Note: this prevents outdoor run tracking. |
| Withdraw consent (HealthKit) | iOS Settings → Health → Data Access & Devices → Cursa. |
| Ghost mode (social opt-out) | Me → Privacy → Ghost mode. Hides your runs from all social feeds without deleting your account. |
| CCPA "Do Not Sell" | We do not sell personal data. No action needed. |
To exercise any right not listed above, or to lodge a complaint, contact privacy@cursa.run. We will respond within 30 days. UK residents also have the right to complain to the Information Commissioner's Office (ICO). EU residents may contact their local supervisory authority.
Section 8
Children's privacy
Cursa is not directed at children under the age of 13 (or 16 in the European Union and UK, where a higher age of consent for data processing applies). We do not knowingly collect personal data from children below these ages. If you believe we have inadvertently collected data from a child, please contact privacy@cursa.run and we will delete it promptly.
Section 9
Website cookies
cursa.run is a static site. It does not set any tracking cookies, run analytics scripts, or use advertising pixels. The fonts loaded from Google Fonts are the only third-party request; no identifying data is transmitted to Google from this site beyond the standard HTTP request your browser makes to fetch the font files.
Section 10
Changes to this policy
We will update this policy when our data practices change in a material way. When we do:
- We will update the "Last updated" date at the top of this page.
- For significant changes, we will notify you via an in-app notice or push notification before the change takes effect.
- Continued use of Cursa after the effective date constitutes acceptance of the updated policy.
Section 11
Contact
Privacy questions: privacy@cursa.run
General support: support@cursa.run