Pacenote Privacy Policy — United States
Effective: May 13, 2026 · First published: October 15, 2025 · Last revised: May 26, 2026
STUDIO HEUMS ("we," "us," "our," or "Company") operates the Pacenote mobile application and related fitness services (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use Pacenote in the United States and other regions outside of South Korea.
This policy is structured to comply with major U.S. federal and state privacy frameworks, mobile app store guidelines (Apple and Google Play), the Garmin Connect Developer Program requirements, the FTC Health Breach Notification Rule (as amended July 2024), and applicable U.S. state privacy regulations. For the Korean-language version, please refer to our Korean Privacy Policy.
1. Personal Information We Collect
We collect the following categories of information to provide, maintain, and optimize our Service:
A. Account & Profile Information
- Google Sign-In Assets: Email address, display name, and profile photo URL retrieved upon authentication.
- System Identifiers: A unique Firebase User Identifier (UID) generated automatically to anchor your data profile.
- Optional Profile Parameters: Gender, date of birth, weight, running experience level, and personalized running goals. Date of birth is required to enforce our minimum age requirement of fourteen (14) years.
B. Running, Fitness, & Health Data
- Activity Metrics: Distance, duration, real-time and average pace, active calories burned, heart rate profiles, cadence, and elevation metrics.
- Gear Tracking Data: Running shoe brand, model, purchase dates, and accumulated mileage logs.
- Training & Performance Schedules: Custom race information, target finish times, and dynamic calendar training logs.
- Health Connect (Android) & Apple HealthKit (iOS): If explicitly linked by you, we ingest daily step counts, heart rate arrays, active calories, and recorded workout sessions. This data is used strictly for training load analysis and is never sold, used for cross-context behavioral advertising, or shared with third parties in violation of Apple HealthKit or Google Health Connect platform policies.
C. Precise Location Tracking (GPS)
Background location disclosure
Pacenote requires access to your device's precise geographic location (GPS coordinates) to plot running routes, track distances, and measure pace. To guarantee uninterrupted workout mapping when your screen is locked or when you switch apps, the Service collects and processes precise location data in the background. Background location tracking is strictly limited to active, user-initiated running sessions and can be disabled at any time in your device's OS settings.
Precise geolocation is classified as sensitive personal information under multiple U.S. state laws (including California CPRA, Washington MHMD Act, Colorado CPA, and others). We collect it solely to provide the running tracking features you have requested and do not use or share it for advertising profiling purposes.
D. Billing & Transactions (Post-General Release)
- Subscription tier status, purchase authorization tokens, and payment receipts validated through the Apple App Store or Google Play Store.
- We do not collect or store full credit card numbers or financial account data; all transactions are securely intermediated by the respective app store operators.
E. Advertising Identifiers (Free Tier Only — Age-Gated)
Age-gated advertising: Advertising identifiers (GAID / IDFA) and related ad interaction metrics are collected only from users who have been verified as at least fourteen (14) years of age through our Age Gate. These identifiers are never collected from users under 14. This exceeds COPPA's protections for children under 13.
Google Advertising ID (GAID) and Apple Identifier for Advertisers (IDFA) are used exclusively by third-party ad frameworks (e.g., Google AdMob) to deliver contextually relevant advertisements on the Free Tier. Pro Subscription users are fully exempt from advertising identifier collection.
You may reset or opt out of ad tracking at any time via your device's OS privacy settings (iOS: Settings > Privacy > Tracking; Android: Settings > Privacy > Ads).
F. Device & System Metadata
Device model, OS version, app version logs, and routine system access logs used for crash analysis, performance optimization, and anti-cheat enforcement.
G. Community & Supporter Interactions
- Nickname, user avatar, and fitness summaries visible to your designated social networks.
- STEP Feed Assets: Route snapshots, performance stats, and customized descriptions shared with your approved Supporters. These entries are visible to your Supporters only for the selected posting duration before automatically archiving into your private locker.
2. Garmin Connect™ API Data Processing
If you activate the Garmin Connect™ synchronization toggle within the Service, we receive activity summaries, spatial route tracks, pace files, and fitness metadata within the authorized scope of the Garmin API.
Strict Non-AI and Third-Party Restriction
In accordance with the Garmin Connect Developer Program requirements, we do not transmit, share, or sell Garmin-sourced data to external Generative AI providers, Large Language Models (LLMs), or third-party behavioral data hubs for training or inference. All coaching insights, training load computations, and analytical projections are compiled securely within the Pacenote application architecture and our managed servers.
Policy adjustments: Any material modifications to how Garmin API data is parsed, stored, or managed must be submitted to Garmin for prior corporate approval before implementation.
3. Purposes of Processing
- Service Operations: Rendering real-time runs, calculating Pace League tiers, maintaining Crew structures, and synchronizing STEP feeds.
- Security & Anti-Cheat Protocols: Cross-referencing logs to detect and block GPS spoofing and unauthorized vehicle-driven data forgery.
- Subscription Maintenance: Auditing Pro features and processing auto-renew events via mobile store protocols.
- Contextual Advertising (Free Tier, age-gated): Displaying relevant banner ads to eligible Free Tier users via secure ad delivery configurations.
- Legal Compliance: Fulfilling obligations under applicable U.S. federal and state law, including COPPA, the FTC Health Breach Notification Rule, and applicable state privacy laws.
4. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. The table below summarizes our standard retention periods:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account & Profile Data | Until account deletion | Contract performance |
| GPS / Location Logs | Up to 12 months | Operational security (anti-cheat) |
| Running Activity Data | Until account deletion | Contract performance |
| Health Connect / HealthKit | Until account deletion / integration revoked | User consent |
| Garmin Connect Data | Until integration revoked | User consent + Garmin ToS |
| Advertising IDs (GAID/IDFA) | Per session / ad cycle | Legitimate interest (Free Tier; age-gated) |
| Billing Records | 7 years | Tax / legal compliance |
| Fraud / Abuse Logs | Up to 12 months | Legitimate interest (platform integrity) |
| Support Correspondence | Up to 2 years | Legitimate interest |
Upon account deletion, all personal data is permanently erased or irreversibly anonymized within our active production clusters, subject to legally mandated retention exceptions listed above. See our Account Deletion page for step-by-step instructions.
5. Information Sharing and Disclosure
We do not sell your personal information. Disclosure is strictly limited to the following:
- Contracted Processors: Vetted service providers who handle data strictly under our explicit instructions (see Section 6).
- User-Directed Sharing: Syncing workout maps directly to your personal Strava or linked social channels when manually authorized by you.
- Platform Integrations: Garmin Connect and Apple HealthKit / Google Health Connect, as described in Sections 1-B and 2, only when you have explicitly connected such integrations.
- Legal & Safety Enforcement: Compliance with formal judicial subpoenas, court orders, or urgent safety requirements to protect the legal rights of our community.
- Business Transfers: In the event of a merger, acquisition, or asset sale, personal data may be transferred. We will notify you via email and/or in-app notification at least 30 days prior, and your continued use will constitute consent to the transfer.
6. Service Providers (Processors)
- Google Firebase & Google Cloud Platform (GCP): Cloud infrastructure, database storage, user authentication, and system backups.
- Google AdMob: Delivering ad placements exclusively to age-verified Free Tier users.
- Apple Inc. & Google LLC: Management of secure in-app store transactions and HealthKit / Health Connect API frameworks.
- Garmin: When you connect Garmin Connect (see Section 2).
All service providers are bound by data processing agreements that prohibit them from using your data for their own purposes or disclosing it to third parties except as necessary to provide services to us.
7. Data Breach Notification (FTC Health Breach Notification Rule)
Regulatory notice: Pacenote is subject to the FTC's Health Breach Notification Rule (HBNR), as amended effective July 29, 2024, because we collect health-related personal information and integrate with multiple data sources (Garmin Connect, Apple HealthKit, Google Health Connect, Strava).
In the event of a breach of unsecured personal health record information, we will:
- Individual Notification: Notify each affected user without unreasonable delay and within 60 calendar days of discovering the breach. Notification will be sent by email to the address associated with your account and, where feasible, via in-app alert.
- FTC Notification: Notify the Federal Trade Commission within 60 calendar days of breach discovery. For breaches affecting 500 or more users in a single U.S. state, we will additionally notify prominent media outlets in that state as required by the Rule.
- Content of Notice: Each breach notification will include: (a) a description of what happened and the date of the breach; (b) the types of personal health information involved; (c) steps affected individuals should take to protect themselves; (d) what we are doing to investigate and mitigate the breach; and (e) contact information for follow-up questions.
Under the amended HBNR, a "breach of security" includes any unauthorized acquisition of personal health record information, including unauthorized access, disclosure, sharing, or sale not authorized by the individual.
For state-level breach notification obligations (e.g., California, New York, Texas), we will comply with the most protective applicable state law in addition to the HBNR requirements above.
8. Your Privacy Rights and Device Controls
Depending on your jurisdiction, you may hold specific legal rights regarding your personal data. The following rights are available to all U.S. users:
- Access & Portability: Request a copy of the personal data we hold about you, including your fitness logs, via the profile dashboard or by contacting [email protected].
- Rectification: Request correction of inaccurate personal data.
- Deletion: Request deletion of your account and associated data as described in Section 4.
- Consent Withdrawal: Revoke data consent at any time by disabling location services, unlinking Health apps, or disconnecting Garmin Connect in your device system settings.
- Opt-Out of Advertising: Opt out of interest-based advertising by adjusting your device tracking settings or by upgrading to the Pro Subscription.
We will respond to verified privacy rights requests within 45 days of receipt. If we require additional time (up to 45 additional days), we will notify you of the extension and the reason for the delay. To submit a request, email [email protected] with the subject line "[State] Privacy Request" (e.g., "California Privacy Request", "Washington Health Data Request"). We will verify your identity before processing your request.
9. Global Privacy Control (GPC) Signal
We honor the Global Privacy Control (GPC) opt-out signal as required by California (CPRA) and Colorado (CPA) law. If your browser or mobile app transmits a GPC signal indicating your preference to opt out of the sale or sharing of personal data, we will treat this as a valid opt-out request for cross-context behavioral advertising and will not sell or share your personal data for that purpose.
GPC support is implemented at the application level. You may also opt out manually via the in-app Privacy Settings menu or by contacting [email protected].
10. Data Security Measures
- Transit Protections: All application endpoints communicate exclusively over secure HTTPS channels using TLS 1.2 or higher encryption.
- Access Controls: Production database nodes are restricted to authorized automated scripts and DevOps administrators under role-based access controls.
- Incident Response: We maintain a documented incident response plan aligned with the FTC HBNR requirements described in Section 7. Our security team conducts periodic risk assessments and vulnerability testing.
- Vendor Security: All contracted processors are required to maintain industry-standard security practices and to notify us of any security incidents affecting our data within 48 hours of discovery.
11. California Consumer Privacy Rights (CCPA / CPRA)
If you are a resident of California, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to Know & Access: Request details about the categories and specific pieces of data collected, purposes of collection, and categories of third parties to whom data is disclosed.
- Right to Delete & Correct: Request deletion or correction of inaccurate personal data, subject to legal exceptions.
- Right to Opt-Out of Sale or Sharing: We do not sell your personal data for financial compensation. However, sharing advertising IDs (GAID/IDFA) with AdMob on the Free Tier may constitute "sharing" under California law. You may opt out by: (a) adjusting your device-level ad tracking settings; (b) upgrading to the Pro Subscription; or (c) submitting an opt-out request to [email protected].
- Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of your sensitive personal information (including precise geolocation and health data) to purposes strictly necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Global Privacy Control: We honor GPC signals as described in Section 9.
Submit requests to [email protected] with subject "California Privacy Request." We will verify your identity before responding and will complete your request within 45 days, with one possible 45-day extension for complex requests.
Data Collected in the Past 12 Months
- Categories Collected: Account identifiers, fitness and health data, precise geolocation, device metadata, and (for age-verified Free Tier users) advertising identifiers.
- Business Purpose: Service delivery, security enforcement, subscription management, and contextual advertising (Free Tier).
- Third Parties Disclosed To: Google (Firebase, AdMob, Health Connect), Apple (HealthKit, App Store), Garmin Connect, and Strava (user-directed only).
12. Washington My Health My Data (MHMD) Act Rights
Washington residents: The Washington My Health My Data Act (MHMD Act, RCW 19.373) grants Washington residents specific rights over consumer health data, including data collected, inferred, or derived from fitness and wellness services. Pacenote's collection of GPS routes, heart rate, pace, and other fitness metrics may constitute "consumer health data" under the MHMD Act.
- Right to Know: Confirm whether we are collecting, sharing, or selling your consumer health data, and access a list of all third parties and affiliates that received it.
- Right to Delete: Request deletion of your consumer health data across our systems. We will instruct all processors and third-party recipients to delete such data as well.
- Right to Withdraw Consent: Revoke previously granted consent for health data collection or sharing at any time without penalty (disconnect integrations, disable location permissions, or email us).
- Right to Appeal: If we deny your request, you may appeal by emailing [email protected] with the subject line "MHMD Appeal." We will provide a written outcome within 45 days of receiving your appeal.
We obtain separate, explicit opt-in consent before collecting health data from Washington residents through integrations such as Apple HealthKit, Google Health Connect, and Garmin Connect. You may withdraw this consent at any time as described above.
We respond to MHMD rights requests within 45 days of receipt, with one possible 45-day extension when reasonably necessary. Submit requests to [email protected] with subject "Washington Health Data Request."
13. Additional U.S. State Privacy Rights
In addition to California and Washington, the following states have enacted privacy laws that may grant you additional rights depending on your state of residence. In all cases, you may exercise the rights below by contacting [email protected] with the subject line "[State] Privacy Request":
Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), and Similar State Laws
- Right to access, correct, delete, and obtain a portable copy of your personal data.
- Right to opt out of targeted advertising and profiling that produces legal or similarly significant effects.
- Right to appeal a denial of your privacy rights request.
- Precise geolocation and health data are treated as sensitive personal data requiring opt-in consent before collection.
Indiana, Kentucky, and Rhode Island (Effective January 1, 2026)
- Right to access, correct, delete, and obtain a portable copy of your personal data.
- Opt-in consent is required before we process sensitive personal data, including health metrics and precise geolocation.
- Right to appeal a denial of your request within 60 days.
Maryland (Effective October 2025)
- Maryland law prohibits the sale of sensitive personal data, including precise geolocation and health data. We do not sell such data.
- Right to opt out of the sale, sharing, and use of sensitive personal data for targeted advertising.
Illinois (BIPA) and Texas (CUBI)
If we collect biometric identifiers or biometric information (which may include certain physiological metrics derived from your running data), we comply with Illinois BIPA and the Texas Capture or Use of Biometric Identifier Act (CUBI), including required consent, data protection, and retention/destruction schedules. Contact [email protected] for biometric data requests.
14. Children's Privacy (COPPA Compliance)
Age policy: Pacenote enforces a strict Age Gate. The Service is not directed to children and requires users to be at least fourteen (14) years old. In compliance with the U.S. Children's Online Privacy Protection Act (COPPA) and the FTC's 2025 amended COPPA Rule (effective April 22, 2026), we do not knowingly collect, use, or disclose personal information from children under thirteen (13).
Our age and COPPA compliance measures include:
- Age Gate: Users must provide their date of birth during registration. Any user under fourteen (14) is denied account creation and no personal data from such users is collected or retained.
- Advertising ID Restriction: Advertising identifiers (GAID/IDFA), device identifiers, and IP addresses are not collected from any user under fourteen (14).
- No Knowing Collection: We do not knowingly collect personal information from children under 13. If we discover that we have inadvertently done so, we will delete it promptly.
- Parental Contact: Parents or guardians who believe their child under 14 has created an account should contact [email protected] for immediate, permanent erasure.
See our Terms of Service for full eligibility requirements.
15. Data Security Incident Response
We maintain a formal incident response plan that includes the following procedures in the event of a suspected or confirmed data security incident:
- Detection & Containment: Immediate isolation of affected systems upon detection of a security incident.
- Assessment: Determination of the scope of affected data, including whether personal health record information has been accessed or disclosed without authorization.
- Notification: Implementation of breach notification procedures as described in Section 7, including notification to affected individuals and the FTC within 60 days of discovery.
- Remediation: Implementation of measures to prevent recurrence, including security patches, enhanced access controls, and updated monitoring.
- Documentation: Maintenance of a written record of all security incidents and our response for a minimum of 3 years.
16. Amendments to This Policy
We reserve the right to modify this Privacy Policy. Any updates will be reflected with a revised Effective Date. For major changes to our data practices, we will provide at least 30 days' advance notice through in-app dashboards or direct email correspondence before the changes take effect. Material changes affecting Garmin-sourced data follow Garmin Connect Developer Program approval procedures before implementation. For changes that materially affect Washington residents' health data rights under the MHMD Act, we will provide specific notice and, where required, obtain fresh opt-in consent.
Supplement — Corporate Information
- Legal Corporate Entity: 스튜디오흠스(STUDIO HEUMS)
- Corporate Representative: YOUNG HEUM CHO
- Business Registration Number (Korea): 608-42-67538
- Privacy & Data Protection Contact: [email protected]
Revision History
- May 26, 2026: Added FTC Health Breach Notification Rule compliance (Section 7); Washington MHMD Act rights (Section 12); expanded multi-state privacy rights (Section 13); COPPA 2026 advertising ID restriction; Global Privacy Control (GPC) section; data retention table; HealthKit/Health Connect platform policy clarification.
- May 13, 2026: Comprehensive integration of social networks, Crews, Supporter interaction nodes, and STEP feeds. Global English US asset published.
- October 15, 2025: Initial core service framework deployment.