Privacy Policy
Last updated: 20 June 2026
1. Who We Are
HUTCLUB LIMITED ("we", "us") is the data controller of personal data processed via the RunClub app and website. Company number 15147202, registered in England & Wales. Registered office: Aston House, 62-68 Oak End Way, Gerrards Cross, SL9 8FU. Contact: support@run-club.app.
2. Data We Collect
- Account data: name, username, email, profile photo, date of birth, mobile phone number, Firebase user ID.
- Activity data: GPS coordinates, distance, pace, duration, splits, heart rate (if you grant HealthKit access).
- Social data: posts, comments, likes, friend connections, club memberships.
- Device & usage data: device type, OS version, app version, crash logs, anonymised analytics.
- Payment data: handled by Apple — we do not see or store your card details.
3. How We Use Your Data
- To operate the Service (display your runs, surface your club's events, render the social feed).
- To send transactional emails (welcome, password reset, deal alerts).
- To improve the Service via aggregated analytics.
- To prevent fraud, abuse and policy violations.
- To verify your age (you must be 16 or over to use RunClub) — your date of birth is used to confirm eligibility at signup and is not displayed publicly.
- To secure your account — your mobile phone number is used for two-factor authentication, account recovery, and to alert you to suspicious sign-in activity. It is not used for marketing.
4. Legal Basis
We rely on the following lawful bases under Article 6 UK-GDPR for the purposes above:
- Performance of a contract (Art. 6(1)(b)) — running your account, hosting your runs and posts, processing your subscription, providing customer support.
- Legitimate interests (Art. 6(1)(f)) — security monitoring, fraud and abuse prevention, service-level analytics (e.g. crash reporting). You can object to processing on this basis at any time.
- Consent (Art. 6(1)(a)) — marketing emails, optional analytics cookies, app usage analytics (Firebase Analytics / Crashlytics, off by default in the iOS app; opt in via Settings → Privacy → Share anonymous usage data), push notifications, and HealthKit access. You can withdraw this consent at any time without affecting the lawfulness of processing before withdrawal.
- Legal obligation (Art. 6(1)(c)) — keeping certain financial and tax records for the periods HMRC requires.
Special category (health) data — Article 9. Where we process health-related data from Apple HealthKit (workouts, heart rate, distance, GPS routes), we rely on your explicit consent under Article 9(2)(a) UK-GDPR. You provide this when you grant HealthKit permission inside iOS. You can withdraw it at any time by revoking HealthKit access in iOS Settings → Privacy & Security → Health, or by emailing support@run-club.app.
5. Sharing
We do not sell your personal data. We share data with the following processors and partners, each under a written data-processing agreement:
- Firebase / Google Cloud — authentication, Firestore database, file storage, push notifications.
- Google Analytics 4 (via Firebase Analytics) — anonymised app and website usage analytics, where you have consented.
- Amazon Web Services (SES) — sending transactional and marketing emails.
- Stripe — processing venue subscription payments (we do not see card numbers).
- Apple — processing iOS in-app subscription payments and providing HealthKit, push and authentication services.
We may also disclose data where we are required to do so by law, regulation or a binding order.
6. Data Retention
Account data is retained while your account is active. After deletion, personal data is removed from production systems within 30 days, except where retention is required by law (e.g. financial records, which we retain for 6 years to meet HMRC obligations). Anonymised, aggregated statistics may be retained indefinitely.
7. Your Rights
Under UK-GDPR you have the right to:
- Access the personal data we hold about you (Article 15);
- Rectification — correct data that is wrong or out of date (Article 16);
- Erasure — have your data deleted (Article 17);
- Restriction of processing in certain circumstances (Article 18);
- Portability — receive a copy in a machine-readable format (Article 20);
- Object to processing carried out on legitimate-interests grounds (Article 21);
- Withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal;
- Lodge a complaint with the Information Commissioner's Office at ico.org.uk.
The easiest way to exercise any of these rights is via our Request your data page, or by emailing support@run-club.app. We respond within one calendar month as required by law.
7a. International Users — Regional Rights
If you are resident outside the UK, your local data protection law may give you additional or differently named rights. We honour them through the same mechanisms described above — the Request your data page handles every request type below regardless of the legal label.
- European Economic Area (EU-GDPR): the rights described in §7 above apply identically. Complaints may be made to your national supervisory authority, or to our lead authority (UK ICO).
- California residents (CCPA / CPRA): right to know, delete, correct, port your data; right to opt out of the “sale” or “sharing” of personal information; right to limit use of sensitive personal information; right to non-discrimination for exercising your rights. We do not sell or share personal information for cross-context behavioural advertising, and we do not use sensitive personal information beyond the purposes described in this Policy.
- Other US state residents (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Delaware, Iowa, Indiana, Tennessee, Montana, Florida, New Jersey, New Hampshire, Minnesota, Maryland and others with comprehensive privacy laws): the same set of rights — access, deletion, correction, portability and opt-out — applies under your state law and we will honour them.
- Canadian residents (PIPEDA + Quebec Law 25): access, correction, and withdrawal of consent. Quebec residents also have explicit data portability rights and the right to be notified of automated decision-making.
- Australian residents (Privacy Act 1988 and the Australian Privacy Principles): access, correction, and the right to complain to the Office of the Australian Information Commissioner (OAIC).
- New Zealand residents (Privacy Act 2020): access, correction, and the right to complain to the Office of the Privacy Commissioner (OPC).
- Brazilian residents (LGPD): access, correction, anonymisation, portability, deletion, and information about processors with whom we share your data.
For any of the above, use our Request your data page or email support@run-club.app. We will verify your identity before responding and complete the request within the timeframe required by your local law (typically 30–45 days). If you believe we have not handled your data correctly, you may complain to the data protection regulator in your country in addition to (or instead of) raising it with us.
8. International Transfers
Some of our processors are located outside the UK and EEA, including in the United States (Firebase / Google Cloud, Stripe), the EU (Amazon Web Services SES, eu-west-1) and other jurisdictions. Where personal data is transferred outside the UK or EEA, we rely on the safeguards approved by the relevant regulator — Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (UK-IDTA) where applicable — together with supplementary measures such as encryption in transit and at rest. We do not transfer personal data to jurisdictions that lack adequate protection without these safeguards in place.
9. Cookies
The website uses essential cookies for authentication and limited analytics cookies. See our Cookie Policy for details.
10. Children
RunClub is not intended for children under 16. We do not knowingly collect data from children under 16.
11. Changes
We may update this Policy from time to time. Material changes will be notified in-app or by email.
12. Contact
Questions? Email support@run-club.app.
