PaceRabbit Privacy Policy

v1.1 (2026-07-19). This is the English version of the Korean privacy policy (privacy-policy.md), adjusted for readers outside Korea. In case of any conflict for users in the Republic of Korea, the Korean version prevails. Effective date and operator name are finalized at publication. v1.1: updated §1 wording for automatic weather-region setup (one-time on-device location check snapped to the nearest region; coordinates never transmitted or stored).

PaceRabbit (the "Service") is operated from the Republic of Korea and complies with applicable data protection laws, including the Personal Information Protection Act of Korea (PIPA). This policy explains what we collect, why, and the choices you have.

1. What We Collect and Why

Data How it is collected Purpose Required / Optional
Account identifier (anonymous ID; email or social sign-in details if introduced later) First app launch / sign-up Account management, data sync Required
Nickname Entered by you Personalizing coaching messages Optional
Workout records (health information / sensitive data): completed sessions, distance, time, average pace, running level, how the run felt Entered by you; Apple Health integration (only if you grant permission) Confirming training completion, auto-adjusting your plan, generating AI coaching Required (separate consent)
Goals and training settings (target race, available weekdays, reminder time, weather region) Entered by you Creating and guiding your training plan Required
Injury risk tier (onboarding screening result: one of two levels, standard/elevated) Computed by the app from your answers Conservatively adjusting starting training volume, offering joint-protection mode Optional (you may skip the questions)
Subscription entitlement status (trial/subscription state, product ID) Generated automatically during payment processing Managing access to paid features When subscribing
Hashed device identifier (not an advertising identifier) Generated automatically Abuse prevention (usage limits) Required
AI coach questions Entered by you Generating AI coaching answers When using the coach

What we do NOT collect: GPS location coordinates (your running routes) are never stored on our servers. We do not collect detailed biometric streams such as continuous heart-rate data; even with opt-in, only summary values are processed. The "heat adjustment" feature operates only at the level of a region name (e.g., Seoul). If you grant location permission, the app checks your location once, entirely on your device, to automatically select the nearest region — GPS coordinates are never transmitted off your device or stored. If you decline, you can simply pick a region yourself. The age band, height, and weight you may enter for injury screening are used transiently to compute the risk tier and are never stored anywhere — only the resulting tier is kept. Payment card details are handled by Apple; we never receive them.

2. Health Information (Sensitive Data)

Workout records constitute health-related information, treated as sensitive data under Korean law. We collect them only after obtaining your separate, explicit consent during initial app setup. You may decline, in which case training-record and coaching features are limited. You can withdraw consent at any time in the app settings or by deleting your account.

3. AI Coaching and Data Transmission

To generate AI coaching answers, and only after your separate consent given before first use of the coach, the following is sent to our AI processing providers: a summary of your workout records (completed sessions, running level, goal) and your question. We do not store the text of your questions on our servers; it is used only to generate the answer. AI coaching is produced by generative artificial intelligence (disclosed pursuant to Korea's Framework Act on Artificial Intelligence) and is not medical advice.

4. Third Parties, Processors, and International Data Transfers

We do not provide your personal information to third parties for their own purposes without your consent, except where required by law — the recipients listed below are processors acting on our instructions, not third-party recipients. PaceRabbit is operated from the Republic of Korea, and some of our service providers are located in other countries — primarily the United States. Under Korean law (PIPA Article 28-8), such transfers for the performance of a contract (processing/storage outsourcing) must be disclosed in this policy, which we do below. For users outside Korea: this means your data may be processed both in the Republic of Korea and in the United States, by the providers listed here, solely to operate the Service. If you do not want these transfers, you may choose not to use the relevant features (account sync, AI coaching) or withdraw consent; those features will then be limited.

Recipient Country Data transferred Purpose Retention
Supabase Inc. USA (entity) / data stored in Seoul, Republic of Korea region All items in Section 1 Data storage, sync, authentication Deleted upon account deletion
Google LLC (Gemini API) USA Workout summary, question text Generating AI coaching answers Processed immediately to generate the answer (not retained by us)
OpenAI, L.L.C. USA Same (backup processing during outages) Same Same
RevenueCat, Inc. USA Account identifier (anonymous ID), subscription purchase/renewal events, App Store receipt identifiers Verifying subscription status, syncing entitlements Deletion requested upon account deletion (subject to RevenueCat's retention policy)
Apple Inc. USA Subscription payment information (collected directly by Apple) In-app purchase processing Per Apple's policies

Timing and method of transfer: transmitted over the network as needed while you use the Service. Privacy contacts of each recipient: Supabase · Google · OpenAI · RevenueCat · Apple

We do not sell your personal information, and we do not share it for cross-context behavioral advertising — the recipients above act only as our service providers. Consistent with the U.S. FTC Health Breach Notification Rule's expectations for health apps, we do not disclose your health information to third parties without your authorization, and the providers above are contractually limited to providing the Service.

5. Retention and Deletion

6. Your Rights

You may at any time request access to, correction of, deletion of, or suspension of processing of your personal information, and you may withdraw consent (health data, AI transmission). Requests made in the app settings or to the contact below are handled without undue delay. We do not discriminate against you for exercising any privacy right.

For California and other U.S. state residents: as stated above, we do not sell or share personal information (including sensitive/health information) as those terms are defined in the CCPA/CPRA, and we do not use sensitive personal information for purposes beyond providing the Service. The rights to know, delete, and correct described in this section are available to all users regardless of residence, and you will not receive discriminatory treatment for exercising them.

Children: the Service is not directed to children. Users under 14 years of age (the parental-consent threshold under Korean law) may not use the Service, which also satisfies the under-13 threshold of the U.S. COPPA — we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact us and we will delete it.

7. Security Measures

Encryption in transit (TLS), access separation (database row-level security), server-side usage limits, and sensitive-data minimization (no coordinates, no biometric streams) are applied.

8. Automatically Collected Data

We currently use no advertising or behavioral-analytics cookies. Only minimal service-quality records (AI usage counts, error logs) are collected automatically. (This section will be updated if analytics tools are introduced.) We also do not currently send marketing communications (promotional notifications or emails); if introduced, we will obtain separate prior opt-in consent as required by Korean law.

9. Privacy Officer

Users in Korea may also contact the Personal Information Infringement Report Center (privacy.kisa.or.kr, 118) or the Personal Information Dispute Mediation Committee (www.kopico.go.kr, 1833-6972).

10. Changes to This Policy

Changes are announced in the app at least 7 days before taking effect (30 days for material changes).