enduco mobile App

Privacy Policy

Your trust is incredibly important to us, and we take the responsibility of handling your fitness and health data with the utmost care. We understand the importance of keeping your personal information secure, and we’re committed to safeguarding it with the highest standards of security, privacy, and transparency.

Our promise to you is simple: your data is yours. We only use it to support your progress and will never share it without your consent. We are fully GDPR-compliant and store your data on secure German servers unless explicitly stated otherwise in this policy.

We’re here to help you train smarter, achieve more, and do so with complete peace of mind.

Updated on November 4, 2024

1. Introduction

In the following, we provide information about the collection of personal data when using our mobile app (hereinafter only "App").

Personal data is any data that can be related to a specific natural person, such as their name or IP address.

1.1. Contact details

The controller within the meaning of Art. 4 (7) EU General Data Protection Regulation (GDPR) is endurance coach GmbH, Warschauer Platz 11/12, 10245 Berlin, Germany, email: hello@enduco.app. We are legally represented by Lennard Schäfer.

Our data protection officer can be reached via heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, E-Mail: datenschutz@heydata.eu.

1.2. Scope of data processing, processing purposes and legal bases

We detail the scope of data processing, processing purposes and legal bases below. In principle, the following come into consideration as the legal basis for data processing:

Art. 6 para. 1 s. 1 it. a GDPR serves as our legal basis for processing operations for which we obtain consent.
Art. 6 para. 1 s. 1 lit. b GDPR is the legal basis insofar as the processing of personal data is necessary for the performance of a contract, e.g. if a user purchases a product from us or we perform a service for him. This legal basis also applies to processing that is necessary for pre-contractual measures, such as in the case of inquiries about our products or services.
Art. 6 para. 1 s. 1 lit. c GDPR applies if we fulfill a legal obligation by processing personal data, as may be the case, for example, in tax law.
Art. 6 para. 1 s. 1 lit. f GDPR serves as the legal basis when we can rely on legitimate interests to process personal data, e.g. for cookies that are necessary for the technical operation of our website.

1.3. Data processing outside the EEA

Insofar as we transfer data to service providers or other third parties outside the EEA, the security of the data during the transfer is guaranteed by adequacy decisions of the EU Commission, insofar as they exist (e.g. for Great Britain, Canada and Israel) (Art. 45 para. 3 GDPR).

In the case of data transfer to service providers in the USA, the legal basis for the data transfer is an adequacy decision of the EU Commission if the service provider has also certified itself under the EU US Data Privacy Framework.

In other cases (e.g. if no adequacy decision exists), the legal basis for the data transfer are usually, i.e. unless we indicate otherwise, standard contractual clauses. These are a set of rules adopted by the EU Commission and are part of the contract with the respective third party. According to Art. 46 para. 2 lit. b GDPR, they ensure the security of the data transfer. Many of the providers have given contractual guarantees that go beyond the standard contractual clauses to protect the data. These include, for example, guarantees regarding the encryption of data or regarding an obligation on the part of the third party to notify data subjects if law enforcement agencies wish to access the respective data.

1.4. Storage duration

Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and no legal obligations to retain data conflict with the deletion. If the data are not deleted because they are required for other and legally permissible purposes, their processing is restricted, i.e. the data are blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

1.5. Rights of data subjects

Data subjects have the following rights against us with regard to their personal data:

Right of access,
Right to correction or deletion,
Right to limit processing,
Right to object to the processing,
Right to data transferability,
Right to revoke a given consent at any time.

Data subjects also have the right to complain to a data protection supervisory authority about the processing of their personal data. Contact details of the data protection supervisory authorities are available at https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html.

1.6. Obligation to provide data

Within the scope of the business or other relationship, customers, prospective customers or third parties need to provide us with personal data that is necessary for the establishment, execution and termination of a business or other relationship or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or to provide a service or will no longer be able to perform an existing contract or other relationship.

Mandatory data are marked as such.

1.7. No automatic decision making in individual cases

As a matter of principle, we do not use a fully automated decision-making process in accordance with article 22 GDPR to establish and implement the business or other relationship. Should we use these procedures in individual cases, we will inform of this separately if this is required by law.

1.8. Making contact

When contacting us, e.g. by e-mail or telephone, the data provided to us (e.g. names and e-mail addresses) will be stored by us in order to answer questions. The legal basis for the processing is our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) to answer inquiries directed to us. We delete the data accruing in this context after the storage is no longer necessary or restrict the processing if there are legal retention obligations.

2. Data processing in the app

2.1. Downloading the app

Our app is ready for download at Apple's App Store und Google's Play Store (hereinafter "Stores"). When users download the app, the necessary information is transmitted to the stores, i.e. in particular user name, e-mail address and customer number of the account, time of download, payment information and the individual device identification number. We have no influence on this data collection and are not responsible for it. We process the data only insofar as it is necessary for downloading the mobile app to the user's mobile device.

2.2. Hosting

Our app is hosted by Amazon Webservices. The provider thereby processes the personal data transmitted via the app, e.g. on content, usage, meta/communication data or contact data. It is our legitimate interest to provide an app, so that the legal basis of the data processing is Art. 6 para. 1 s. 1 lit. f GDPR.

2.3. Informative use of our app

When users use our app, we collect the data that is technically necessary for us to offer users the functions of our app and to ensure stability and security. This is our legitimate interest, so that the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.

The data processed to this extent are:

IP address
Date and time of the request
Time zone difference from Greenwich Mean Time (GMT)
Content of the request (concrete interface)
Access status/HTTP status code
Amount of data transferred in each case
Operating system and its interface
Language and version of the operating system

2.4. Access to functions or data

The app requests the user's access to functions of the end device or to data of the device in order to be able to execute functions of the app. By allowing access, the user gives consent to the associated data processing, so that the legal basis is Art. 6 para. 1 s. 1 lit. a GDPR. Users can revoke their consent at any time by terminating access in the settings of their end device. The revocation does not affect the lawfulness of the processing until the revocation.

The data processed or access functions used in this context are as follows:

Notifications: The permission to send push notifications is used, for example, to display messages related to training plan information, even if the app is not currently open. Notifications can occur through sounds, messages, and/or icon badges.
Device Storage: The permission to access device storage is mainly needed to transfer planned training sessions as a file to other service providers.
GPS Data: The permission to access GPS/location data is required to store the location in the profile.

This gives us access to the personal data contained on the device within the scope of the permissions granted. We require these permissions to provide app functionalities. The legal basis for data processing is consent according to Art. 6 para. 1 sentence 1 lit. a GDPR. We delete the personal data we process based on the granted permissions as soon as it is no longer necessary for the purpose of collection.

2.5. Data processing for the provision of functions

In the app, we process data in order to provide the user with functions of the app. The legal basis for the processing is the usage agreement concluded with the user via the app.

The data processed to this extent are

Only the data entered by the user into the app

2.6. User account

Users can open a user account in the app. We process the data requested in this context to fulfill the respective user contract concluded for the account, so that the legal basis for the processing is Art. 6 para. 1 s. 1 lit. b GDPR. We delete the data when users delete their user account.

2.7. Single sign-on

Users can log in to our app using one or more single sign-on methods. In doing so, they use the login data already created for a provider. The prerequisite is that the user is already registered with the respective provider. When a user logs in using a single sign-on procedure, we receive information from the provider that the user is logged in to the provider and the provider receives information that the user is using the single sign-on procedure in our app. Depending on the user's settings in his account on the provider's site, additional information may be provided to us by the provider. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in providing users with a simple log-in option. At the same time, the interests of the users are safeguarded, as use is only voluntary.

Providers of the offered method(s) are:

Apple Inc., Infinite Loop, Cupertino, CA 95014, USA (Privacy policy: https://www.apple.com/legal/privacy/de-ww/).
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (Privacy policy: https://policies.google.com/privacy).

2.8. Access to functions of the app

The Enduco app acts as an AI-powered personal trainer for endurance sports, helping users optimise their training by creating personalised plans based on the information given by the user in the app.

Users can import workouts (training data) and health data from various providers into the Enduco app. They can also export planned training sessions to different providers. In these cases, we act as independent controllers with respect to third-party providers. Further information on the data protection practices of each provider can be found in their respective privacy policies.

Garmin: https://www.garmin.com/en-US/privacy/
Strava: https://www.strava.com/legal/privacy
Apple: https://www.apple.com/legal/privacy/
Suunto: https://www.suunto.com/legal-pages/privacy/
Coros: https://coros.com/privacy-policy
TrainingPeaks: https://www.trainingpeaks.com/privacy-policy/
Wahoo: https://www.wahoofitness.com/legal/privacy-policy

We process the following personal data from the app for the purpose of providing the AI-powered personal trainer:

Training data (e.g. distance, duration of training, type of activity, speed, training load, energy consumption, self-assessment of training level)
Health data (e.g. heart rate, sleep duration, resting heart rate, heart rate variability, body temperature, height, weight, assessment of muscle soreness, assessment of stress level, assessment of fatigue, definition of intensities)
Gender
Age
Location data for displaying the map

The data is processed for the purpose of fulfilling the contract concluded with the respective user (Art. 6 (1) (b) GDPR).

Insofar as health data is processed or the processing of the data is otherwise optional, the processing is carried out on the basis of the consent of the user in accordance with Art. 6 (1) point a or Art. 9 (2) point a GDPR.

2.9. Chatbot

We use OpenAI’s API, employing the large language model GPT-4, to enable users to utilize an AI-based chat feature. This API is used to simulate communication with a human trainer, allowing users to interact with the app as they would with a human trainer via chat, and vice versa. Users can ask questions about their training plans, Enduco, or training-related topics in general. In this context, the following personal data are processed:

First and last name
IP address
Content of the communication

The legal basis for using the API and the large language model GPT-4 is our legitimate interest according to Art. 6 para. 1 lit. f GDPR in utilizing new technologies to provide app users with a “digital trainer,” thereby enhancing their training experience.

The provider is OpenAI LLC, 3180 18th St, San Francisco, California 94110, USA. In this context, personal data are transferred to the USA. While an adequacy decision has been issued by the European Commission under Art. 45 para. 3 GDPR for the EU-U.S. Data Privacy Framework, OpenAI is not currently certified under this framework. To ensure an adequate level of data protection at the recipient, we have established Standard Contractual Clauses of the European Commission with OpenAI for the protection of personal data according to Art. 46 para. 1, 2 lit. c GDPR.

2.10. Payment processors

For the processing of payments, we use payment processors who are themselves data controllers within the meaning of Art. 4 No. 7 GDPR. Insofar as they receive data and payment data entered by us in the ordering process, we thereby fulfill the contract concluded with our customers (Art. 6 para. 1 s. 1 lit. b GDPR).

2.11. Third-party tools

2.11.1. Purchasely

We use Purchasely for A/B testing. The provider is PURCHASELY SAS, 17, chemin des loriots 93230 Romainville, France. The provider processes usage data (e.g. web pages visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the EU.

The legal basis for the processing is Art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent. Data subjects may revoke their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing until the revocation.

The data will be deleted when the purpose for which it was collected no longer applies and there is no obligation to retain it. Further information is available in the provider's privacy policy at https://www.purchasely.com/privacy-policy.

2.11.2. Mapbox

We use Mapbox for geocoding addresses. The provider is Mapbox, Inc., 50 Beale St floor 9, San Francisco, CA, USA. The provider processes usage data (e.g. web pages visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the EU.

2.11.3. Amazon AWS

We use Amazon AWS for hosting. The provider is Amazon Web Services EMEA Sarl, 38 avenue John F. Kennedy, L-1855, Luxemburg. The provider processes usage data (e.g. web pages visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the EU.

The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR. We have a legitimate interest in maintaining a modern and cost-effective hosting environment.

2.11.4. Sentry

We use Sentry to monitor applications and to track errors in applications or on websites. The provider is Functional Software, Inc., 132 Hawthorne Street San Francisco, CA 94107, USA. The provider processes usage data (e.g. web pages visited, interest in content, access times), content data (e.g. entries in online forms), and meta/communication data (e.g. device information, IP addresses) in the USA.

The legal basis for the transfer to a country outside the EEA are adequacy decision. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed because the EU Commission has decided as part of an adequacy decision in accordance with Art. 45 para. 3 GDPR that the third country ensures an adequate level of protection.

2.11.5. Mixpanel

We use Mixpanel for analytics. The provider is Mixpanel, Inc., One Front Street, Floor 28, San Francisco, CA 94111, USA. The provider processes contact data (e.g. e-mail addresses, telephone numbers), meta/communication data (e.g. device information, IP addresses), and master data (e.g. names, addresses) in the USA.

2.11.6. Mailjet

We use Mailjet to send functional e-mails (for resetting passwords, confirmation links). The provider is Mailjet GmbH, Friedrichstraße 68, 10117 Berlin. The provider processes meta/communication data (e.g. IP addresses) and email addresses in the EU.

The legal basis of the processing is Art. 6 para. 1 p. 1 lit. f DSGVO. We have a legitimate interest in providing users with a way to reset their password so that they can access the app.

The data is deleted when the purpose of its collection no longer applies and there is no obligation to retain it. Further information is available in the provider's privacy policy at https://www.mailjet.com/legal/privacy-policy/.

2.11.7. OneSignal

We use OneSignal for push-notifications in the app. The provider is OneSignal, 2850 S Delaware St Suite 201, San Mateo, CA 94403, USA. The provider processes content data (e.g. entries in online forms), contact data (e.g. e-mail addresses, telephone numbers), and meta/communication data (e.g. device information, IP addresses) in the US.

The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR. We have a legitimate interest in optimizing the interaction with our customers and others.

The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses (Art. 46 para. 2 lit. c GDPR) adopted by the EU Commission in accordance with the examination procedure under Art. 93 para. 2 of the GDPR, which we have agreed to with the provider.

We delete the data when the purpose for which it was collected no longer applies. Further information is available in the provider's privacy policy at https://onesignal.com/privacy_policy.