Privacy Policy

1. Data Controller

The data controller for personal data collected through the Lap2runmobile application (hereinafter, the "App") and the website lap2run.com is DBLV LLC, a company incorporated in the state of Wyoming (United States), EIN 32-0832788, with registered address at 30 N Gould St Ste R, Sheridan, WY 82801, USA, represented by its sole manager David Bello López-Valeiras.

Contact and operations: hola@lap2run.com.

Although DBLV LLC is incorporated in the United States, it actively offers its services to residents of the European Union, and therefore complies with Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and any other applicable regulation.

2. Data We Collect

We only process data strictly necessary to provide the service:

• Account data: name, nickname, email, date of birth, city, profile photo, sports practiced and self-declared level.
• Health and physical activity data: heart rate, distance covered, steps, calories, training duration, pace, cadence, elevation and exercise type, obtained with your express consent through Apple HealthKit (iOS) or Health Connect (Android), or recorded during the activity by the device and connected sensors.
• Location data:GPS coordinates during activities, real-time position when you enable the live broadcast or "nearby encounters" features, and approximate location (city) to match you with other athletes and filter invitations by geographic radius.
• Published content: photos, videos, text, comments, likes, reactions, private messages and feed posts.
• Technical data: device identifier, operating system, App version, push notification tokens, error logs and aggregated usage metrics.

We do not collect banking data, ID document numbers, nor special categories of data beyond the health and physical activity data you have explicitly authorized.

3. How We Use Your Data

• Create and manage your user account.
• Match you with other athletes by sport, level and proximity.
• Record, analyze and display your sports activities (routes, metrics, records, rankings).
• Generate personalized training analysis and recommendations through an AI assistant (see section 11).
• Allow direct and public training invitations by geographic radius.
• Show the social feed and manage interactions (likes, comments, chats, stories, live broadcasts).
• Send push notifications related to your account activity (matches, nearby encounters, challenges, training reminders).
• Prevent fraud, abuse and protect the community.
• Comply with legal obligations.

4. Legal Basis

• Express consent (art. 6.1.a and 9.2.a GDPR) for health, location, published content and AI assistant processing data. You can withdraw it at any time from the App settings.
• Contract performance (art. 6.1.b GDPR) for account management and providing the core features.
• Legitimate interest (art. 6.1.f GDPR) for security, abuse prevention, crash detection and service improvement through anonymized metrics.
• Legal compliance (art. 6.1.c GDPR) when required by law.

5. Who We Share Your Data With

We share data only with strictly necessary providers, acting as data processors under our instructions:

• Supabase Inc. (USA, with Standard Contractual Clauses) — backend, PostgreSQL database, authentication and real-time communications.
• Cloudflare, Inc. (USA/EU) — photo, video and audio storage (R2) and content delivery network.
• Anthropic PBC (USA, with SCC) — training analysis and recommendations via the Claude model (see section 11). Only aggregated activity metrics are sent, no personal content nor direct identifiers.
• ElevenLabs Inc. (USA, with SCC) — voice synthesis for in-workout audio cues over headphones (km, pace, intervals, rest). No personal data is sent, only the text to synthesize.
• Resend Inc. (USA, with SCC) — transactional emails (account verification, password reset, alerts).
• Apple Inc. — HealthKit, Sign In with Apple, push notifications (APNs), App Store distribution and in-app subscription processing.
• Google LLC — Health Connect, Sign In with Google, Google Play distribution and in-app subscription processing.
• Sentry (Functional Software, Inc.) (USA, with SCC) — crash and error capture for stability improvement. No direct identifiers are sent by default.
• Expo (650 Industries, Inc.) — build infrastructure and binary delivery for the App. Does not process end-user personal data.

We never sell your data nor transfer it to third parties for advertising purposes. Your content is only shown to other users within the normal functioning of the App (e.g. public feed, profile visible according to your settings, location during a live broadcast that you have started).

6. International Transfers

Most of the providers listed are located outside the European Economic Area. In those cases we use Standard Contractual Clauses approved by the European Commission or equivalent guarantees provided for in Chapter V of the GDPR, supplemented by the additional technical and organizational measures each provider publishes (in-transit and at-rest encryption, role-based access control, activity logging).

7. Retention

We retain your data while your account is active. If you delete the account from the App (Settings > Account > Delete account), we erase your identifying personal data within a maximum period of 30 days, except for those we are required to retain by legal obligation (e.g. tax or security records, for the minimum period required by law).

Your activities, photos, videos and feed posts are deleted along with your account. Private messages you sent to other users remain visible to them until they delete them, but become disassociated from your identity.

8. Your Rights

At any time you may exercise your rights of:

• Access to your personal data.
• Rectification of inaccurate data.
• Erasure ("right to be forgotten").
• Objection and restriction of processing.
• Data portability.
• Withdrawal of consent.
• Not being subject to automated individual decisions with legal effects (art. 22 GDPR): the Lap2run AI assistant does not make decisions with legal or significant effects on you, it only issues informative recommendations.
• Complaint to the Spanish Data Protection Agency (aepd.es).

To exercise them, email us at hola@lap2run.com indicating the right you want to exercise. From the App you can also delete your account directly from Settings > Account.

9. Security

We apply adequate technical and organizational measures: in-transit (HTTPS/TLS) and at-rest encryption, JWT token authentication with rotation, secure local storage of credentials on the device, Row Level Security policies in the database, continuous monitoring and periodic security audits.

10. Minors

Lap2run is intended for people aged 16 or over. We do not allow the use of the App by minors under 16. During registration we ask for the date of birth and block accounts that do not meet this requirement. If we detect an account of a minor under 16, we will suspend it and erase the associated data.

If you are a parent or legal guardian and you believe your child has registered without meeting this requirement, contact us at hola@lap2run.com and we will proceed with immediate deletion.

11. AI Assistant

Lap2run includes an assistant that uses the Claude language model (Anthropic PBC) to generate personalized training analysis and recommendations after your activities. For this we send Anthropic aggregated activity metrics (sport, distance, duration, pace, heart rate, splits) and, where applicable, an anonymous reference to your recent activities. We do not send your name, email, photos, private messages, nor the literal GPS route.

Anthropic is contractually committed to us not using that data to train their models. The recommendations generated are informative; they never constitute medical diagnosis nor professional advice, and the final decision on any training routine is always yours.

You can disable the AI assistant in Settings > Privacy > AI Assistant. If you disable it, we will not send more data to Anthropic associated with your account.

12. Changes to This Policy

We may update this policy to reflect legal, technical or service changes. We will notify you within the App when there are substantial modifications and the current version will always be available at this same URL.