Privacy Policy

Last updated: June 2026

This Privacy Policy explains how RunToIt (“we”, “us”, or “our”) collects, uses, and protects your personal data when you use our website and services. We are committed to handling your information in accordance with UK GDPR and the Data Protection Act 2018.

Who we are

RunToIt is the data controller for the personal data described in this policy. If you have any questions about how we use your data, or wish to exercise your rights, contact us at el18hrh@gmail.com.

What data we collect

We may collect and process the following personal data:

  • Account data: email address and password (stored securely by our authentication provider; we do not store your password in plain text).
  • Saved routes: route IDs and preferences you save to your account so they sync across devices.
  • Usage analytics: anonymised page views and session counts collected via cookieless web analytics (see data processors below).
  • Vibe matcher queries: text you enter when using the AI route-matching feature, sent to our AI provider to return results.
  • Technical data: IP addresses, User-Agent strings, and page URLs processed by our hosting and analytics providers; map interactions processed by Mapbox when you view route maps.

Why we use your data and our lawful basis

  • Providing the service (email, authentication, saved routes): Contractual necessity — we need this data to create and maintain your account and deliver the features you sign up for.
  • Vibe matcher and destination data: Contractual necessity — processing your search query and fetching venue details is necessary to provide these features.
  • Usage analytics: Legitimate interests — we measure how the app is used so we can improve it. We use cookieless analytics and do not use this data for advertising.
  • Security and abuse prevention: Legitimate interests — protecting the service and our users from misuse.

Data processors we use

We use trusted third-party providers to run RunToIt. Each acts as a data processor on our behalf under a written agreement where required by UK GDPR.

  • Supabase, Inc. (USA) — database and authentication infrastructure. Stores email addresses and saved route preferences for registered users. Data is retained until account deletion. Supabase operates under a Data Processing Agreement. supabase.com
  • Vercel, Inc. (San Francisco, USA) — hosting infrastructure and cookieless web analytics (aggregate page views, session counts). Vercel processes IP addresses, User-Agent strings, referrer URLs, and page URLs. Analytics data is retained for a maximum of 30 days. Vercel operates under a Data Processing Addendum (DPA). vercel.com
  • Google LLC(USA) — venue data via the Google Places API. When you view a route's destination, RunToIt makes server-side API calls to Google from our infrastructure. Google's servers receive our server's IP address and the place ID being queried — not your browser's IP directly for most calls, but Google still processes request metadata from our backend. google.com
  • Anthropic, PBC— AI inference for the vibe matcher feature. Your search query is sent to Anthropic's API to match routes. Queries are not stored or used to train models under Anthropic's standard API terms. anthropic.com
  • Mapbox, Inc.— interactive maps, map tiles, geocoding, and static map images (including Open Graph preview images). When you use route maps or we generate map previews, your browser or our servers load resources from Mapbox, and Mapbox processes IP addresses and device information per Mapbox's privacy policy. mapbox.com
  • Sentry (not yet enabled) — when error monitoring is added per SEC-15, Sentry may process IP addresses, User-Agent strings, and stack traces. We will update this policy before enabling Sentry in production.

How long we keep your data

  • Account data and saved routes: retained until you delete your account (see below).
  • Analytics data: retained by Vercel for a maximum of 30 days.
  • Vibe matcher queries:processed in real time and not stored by us; Anthropic's retention is governed by their API terms.

Account deletion

We do not yet offer in-app account deletion. To request deletion of your account and associated personal data, email el18hrh@gmail.com from the address linked to your account. We will confirm your request and delete your data within 30 days, unless we are required to retain certain information by law.

Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Request erasure (“right to be forgotten”)
  • Data portability
  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances

To exercise any of these rights, contact el18hrh@gmail.com. We will respond within one month.

Right to complain

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

International transfers

Some of our data processors are based in the United States, including Vercel, Supabase, Google, Anthropic, Mapbox, and Sentry when enabled. Where personal data is transferred outside the United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office, or the UK-US Data Bridge where applicable, to ensure an equivalent level of protection. Vercel's international transfer terms are set out in their Data Processing Addendum.

Cookies and similar technologies (PECR)

Under the Privacy and Electronic Communications Regulations (PECR), we must tell you about cookies and similar technologies that store or access information on your device.

Vercel Analytics: We use Vercel Web Analytics to measure page views and session counts. Per Vercel's documentation, this service is designed to be cookieless — it does not set first-party or third-party cookies to track visitors. Analytics data is sent to Vercel via a lightweight script and is processed as described above. Because no analytics cookies are used, we do not show a separate cookie consent banner for Vercel Analytics.

We periodically verify this in a fresh browser session (DevTools → Application → Cookies). If Vercel changes its implementation and sets cookies, we will update this policy and obtain consent where required before those cookies are placed.

Authentication: Supabase may set strictly necessary session cookies when you sign in. These are required to keep you logged in and are not used for analytics or advertising.

Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last updated” date. For significant changes, we will provide reasonable notice where appropriate.