Privacy Policy

Last Updated: May 9, 2026

1. Introduction

Welcome to CreateRunPlan ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services at createrunplan.com (the "Service").

2. Information We Collect

2.1 Personal Information You Provide

We collect the following personal information when you:

  • Create an account: Name, email address, and profile picture from your sign-in provider when available
  • Strava sign-in: Your Strava athlete ID, approved scopes, and OAuth tokens needed to authenticate you through Strava
  • Enable live calendar sync: Your selected calendar provider, selected calendar ID and name, calendar sync preferences, Google Calendar OAuth tokens when you connect Google Calendar, Apple Calendar username and app-specific password when you connect Apple Calendar, synced event IDs, workout event titles, descriptions, dates, times, and sync status
  • Submit a contact form: Name, email address, subject, and message
  • Generate running plans: Running goals, experience level, preferences, and other fitness-related information you provide

2.2 Information Automatically Collected

When you use our Service, we automatically collect certain information:

  • Usage Data: Pages visited, time spent on pages, and interaction with features
  • Device Information: Browser type, operating system, IP address
  • Cookies and Tracking: Session cookies and analytics tracking via Google Analytics, PostHog, and Vercel Analytics

2.3 Payment Information

Payment information is processed through Stripe. We do not store your credit card information directly. We only retain a Stripe customer ID to manage your subscription and billing.

3. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain our Service
  • Generate personalized running plans using AI based on your inputs
  • Process payments and manage subscriptions
  • Send you welcome emails and important service notifications
  • Respond to your inquiries and support requests
  • Analyze usage patterns to improve our Service and user experience
  • Provide export and calendar features, including PDF downloads, calendar file downloads, listing calendars you can choose from, and creating, updating, re-syncing, and deleting workout events in the calendar you select
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

If you choose Strava sign-in, we use Strava OAuth data only for athlete-authorized authentication. We do not currently import Strava activities or provide a separate user-facing feature to link Strava to an existing non-Strava account. We do not use Strava API data to train, fine-tune, benchmark, or improve AI or machine learning models, and we do not send Strava API data to Google Generative AI for plan generation.

Strava may also collect and use data related to our access to the Strava API and Strava Platform in connection with our application, as described in Strava's API Agreement.

If you connect Google Calendar, we use Google Calendar data only to provide the calendar sync features visible in the Service. We do not sell Google Calendar data, use it for advertising or retargeting, use it to determine creditworthiness, or use it to train, fine-tune, benchmark, or improve AI or machine learning models.

4. Third-Party Services

We use the following third-party services that may collect and process your information:

  • Google OAuth: For authentication and account creation
  • Google Calendar API: For optional live calendar sync, including listing your calendars and creating, updating, re-syncing, or deleting workout events in the calendar you select
  • Apple Calendar via CalDAV: For optional live calendar sync when you provide an Apple app-specific password
  • Stripe: For payment processing and subscription management
  • Strava: For athlete-authorized authentication
  • Google Analytics: For website traffic analysis, marketing performance tracking, and understanding user behavior
  • Google Ads: For conversion tracking and measuring advertising campaign effectiveness. When you accept marketing cookies, we send conversion events (such as sign-ups and purchases) to Google Ads. We may also send hashed email addresses to improve conversion matching accuracy (Enhanced Conversions). You can opt out of personalized advertising at adssettings.google.com
  • PostHog: For product analytics, feature usage tracking, and user experience optimization
  • Vercel Analytics: For privacy-friendly website analytics and performance insight
  • Google Generative AI: For generating personalized running plans based on your inputs
  • Email Service Provider: For sending transactional emails (via Nodemailer)

Each of these services has its own privacy policy governing how it handles your data. We encourage you to review their policies.

5. Data Storage and Security

Your data is stored in a secure PostgreSQL database. We implement reasonable security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. Credentials, including Strava OAuth tokens, Google Calendar OAuth tokens, and Apple Calendar app-specific passwords, are encrypted before they are stored. However, no method of transmission over the internet or electronic storage is 100% secure.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies for:

  • Session Management: To keep you logged in and maintain your session
  • Analytics: To understand how you use our Service (via Google Analytics, PostHog, and Vercel Analytics)
  • Performance Monitoring: To track website performance and identify technical issues
  • Marketing & Advertising: To measure the effectiveness of our advertising campaigns, track conversions from Google Ads, and understand traffic sources

We also use browser storage such as localStorage and sessionStorage to remember cookie preferences, attribution context, temporary create-plan form data, and anonymous plan drafts for a limited time. These browser storage items help preserve your flow across navigation, sign-in redirects, and short interruptions.

You can control cookies through your browser settings or our cookie consent banner. Please note that disabling certain cookies may affect your ability to use some features of our Service. For more details, see our Cookie Policy.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. If you close your account, we will delete or anonymize your personal information within a reasonable timeframe, except where we are required to retain it for legal or compliance purposes.

If you revoke or cancel our Strava access, close your account, or request deletion, we delete stored Strava OAuth credentials and any other Strava API data in our possession or control from active systems promptly, except where retention is required by law. If Strava data is deleted from Strava and we have stored a copy, we stop displaying it and reflect the deletion expeditiously and, in all cases, within 48 hours where required by Strava.

If you disable live calendar sync, disconnect a calendar provider, or request deletion, we remove stored calendar sync settings, calendar credentials, and synced event records from our active systems within a reasonable timeframe. When you choose to remove synced events, we attempt to delete the workout events we created from the selected external calendar. Calendar files you download and import yourself remain controlled by your calendar application or provider.

8. Your Privacy Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your personal information
  • Data Portability: Request transfer of your data to another service
  • Opt-Out: Opt out of marketing communications

To exercise these rights, please contact us at support@createrunplan.com.

9. Children's Privacy

Our Service is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those of your country. By using our Service, you consent to such transfers.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.

12. Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us at:

Email: support@createrunplan.com