
Privacy Policy

Effective April 2026

1. Short version

The iOS app stores everything on your device — no servers, no accounts, no tracking. The website (gritrace.app) does not use cookies or analytics; the only data your visit produces is server logs kept for security and operations. The feedback platform (feedback.gritrace.app) stores the email you sign in with and any posts or comments you submit; nothing more.

2. Who is responsible

The data controller for this privacy notice is:

Manuel Doser

Neuhauser Str. 28

78052 Villingen-Schwenningen, Germany

Email: privacy@gritrace.app

Our full imprint is available at gritrace.app/imprint.

3. The iOS app

GritRace is a privacy-first race tracker. We do not collect, transmit, or share any personal data through the app.

Local storage

All race data, training plans, settings, and preferences are stored exclusively on your device, using iOS UserDefaults and on-device storage. Nothing is sent to any server we operate.

iCloud

If you sign in to iCloud on your device, the app uses Apple's CloudKit to sync your data privately to your other Apple devices (iPhone, iPad, Mac). This data is encrypted in transit and at rest by Apple. We never have access to it. You can disable iCloud sync at any time in iOS Settings → Apple ID → iCloud.

Apple Health (HealthKit)

The app may request permission to read your heart rate during workouts and to write completed workout sessions. This happens entirely on your device. Health data never leaves your device through GritRace.

Apple Intelligence

The optional AI Race Coach feature uses Apple's on-device foundation models (iOS 26+). All inference happens on your device. No prompt or response is sent to external servers.

Crash reports

If you have enabled Share with App Developers in iOS Settings → Privacy & Security → Analytics & Improvements, Apple may forward anonymised crash logs to us through App Store Connect. These logs do not contain personal data and are managed by Apple.

4. The website (gritrace.app)

The marketing website is a static site. We do not use cookies, local storage, analytics, fingerprinting, ad networks, or any third-party trackers.

Server logs

Our hosting provider keeps short-lived access logs containing the requested URL, the response status code, the timestamp, and a truncated IP address. These logs are used for security (rate limiting, abuse detection) and operational debugging. They are kept for at most 14 days and are not used to profile visitors.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in operating a secure website.

Fonts

The site loads typefaces from Google Fonts (Anton, Manrope, JetBrains Mono). When you load the page, your browser fetches them from fonts.googleapis.com. Google may receive your IP address and User-Agent. We use this only because the alternative (self-hosting fonts) is operationally complex on a static site, and we will move fonts to self-hosted in a future update.

5. The feedback platform (feedback.gritrace.app)

The feedback platform is where you can submit ideas, vote, and discuss the roadmap. It is the only part of GritRace that stores user-submitted data on a server we operate.

What we store

  • Email address — used as your sign-in identifier (magic-link auth) and to notify you when a post you've submitted or subscribed to changes status.
  • Display name — initially derived from your email address; you may change it.
  • Avatar — fetched from Gravatar (a service by Automattic) using a SHA-256 hash of your email. If you have no Gravatar account, a generic placeholder is shown. You can disable this by removing your Gravatar.
  • Posts, comments, votes, subscriptions — the content you create and the actions you take.
  • Session cookie — a single HTTP-only session cookie identifying your authenticated session. Lifetime: 30 days. No tracking cookies.
  • Truncated IP address — kept temporarily for spam-prevention rate-limiting (5 anonymous posts per hour, 5 magic-link requests per hour). Pruned after 24 hours.

Anonymous posting

You can submit a post without an account. We will email a confirmation link to the address you provide; clicking it publishes the post and creates an account so that we can notify you of status changes. The pending draft is deleted from our database after 1 hour if you do not click the link.

Legal basis

  • Account creation, posting, and notifications: Art. 6(1)(b) GDPR — performance of the service you have requested.
  • Spam prevention via IP-based rate limiting: Art. 6(1)(f) GDPR — legitimate interest in keeping the service usable.

Retention

Your account and all associated content are kept until you delete your account or ask us to delete it. You can delete individual posts and comments at any time via the UI. Server-side rate-limit IP records are pruned after 24 hours.

6. Third-party processors

We use the following processors. Each has been selected for privacy-friendliness and EU presence where possible.

Hetzner Online GmbH (hosting, Germany)

Servers are physically located in Germany. We have a Data Processing Agreement (DPA, Auftragsverarbeitungsvertrag) with Hetzner. Hetzner privacy policy.

Resend (transactional email)

We use Resend to deliver magic-link sign-in emails and notifications. Resend processes your email address and the message contents on our behalf. We have a DPA. Resend privacy policy.

Apple (App Store distribution & iCloud)

The iOS app is distributed through the App Store. iCloud sync is provided by Apple. Apple privacy policy.

Automattic / Gravatar (avatar images)

Optional. The feedback platform fetches avatar images from Gravatar based on a hash of your email. Automattic privacy policy.

7. Cookies

The marketing website at gritrace.app sets no cookies.

The feedback platform at feedback.gritrace.app sets one cookie:

fb_session — HTTP-only, SameSite=Lax. Identifies your authenticated session. Expires after 30 days. Strictly necessary for the service; consent under § 25 (1) TTDSG is not required.

During an OAuth sign-in (Google or Apple, optional), short-lived state and verifier cookies are set for the duration of the sign-in flow (10 minutes). They are deleted automatically once you complete or cancel the flow.

8. Your rights (GDPR)

You have the following rights under the General Data Protection Regulation:

  • Access (Art. 15) — get a copy of your data.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — delete your account and data.
  • Restriction (Art. 18) — restrict processing in certain cases.
  • Portability (Art. 20) — receive your data in a machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interest.
  • Complaint — lodge a complaint with a supervisory authority. The lead authority for GritRace is the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW), Lautenschlagerstraße 20, 70173 Stuttgart.

To exercise any of these rights, email privacy@gritrace.app. We will respond within 30 days.

9. Contact

Email: privacy@gritrace.app

Postal: see Imprint


We may update this policy when we ship features that change how data flows. The effective date at the top of this page reflects the most recent change. Material changes will be announced on the feedback board and via email to people with accounts.
