Skip to content
Lighthold

Privacy Policy

Last updated: May 6, 2026

1. Privacy Summary

YouRun is a running and fitness recording service. This Privacy Policy explains how Lighthold UG (haftungsbeschränkt) ("we", "us", or "our") collects, uses, shares, and protects personal data when you use our mobile apps, web app, APIs, wearable integrations, import/export tools, and related services (the "Service").

In short:

  • We collect account data, workout data, GPS route data, device data, and optional profile data to provide the Service.
  • Health and fitness metrics such as heart rate, cadence, power, active energy, respiratory rate, stride length, and similar workout metrics are used only when you provide or permit them.
  • Precise location is used for recording, importing, mapping, route, segment, safety-sharing, and workout analysis features. You can control device location permissions and activity visibility.
  • Workouts and profiles are private by default unless you choose to make them visible through sharing, clubs, leaderboards, public links, or public/indexable settings.
  • We do not sell personal data. We do not share health data for advertising. We do not use advertising cookies or tracking pixels.
  • We use service providers for hosting, storage, analytics, payments, messaging, email, push notifications, and app distribution.
  • You can request access, export, correction, deletion, restriction, portability, objection, and consent withdrawal as described below.

2. Controller and Contact

We are the data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (GDPR) and applicable German data protection law.

  • Data Controller: Lighthold UG (haftungsbeschränkt)
  • Managing Director: Jens Mansfeld
  • Registered Office: Campus Gebäude A1 1, 66123 Saarbrücken, Germany
  • Email: contact@lighthold.io
  • Data Protection Contact: contact@lighthold.io
  • Commercial Register: Amtsgericht Saarbrücken, HRB 111018
  • VAT ID: DE452598316

3. Scope

This Privacy Policy applies to personal data processed in connection with the Service, including iOS, Android, web, wearable, workout import, workout export, subscription, support, safety, coaching, route, segment, leaderboard, challenge, club, and community features.

This policy should be read together with our Terms of Service and Cookie Policy. Where a feature requires consent, such as precise location, optional analytics, push notifications, certain health data processing, or optional AI coaching inputs, we ask for that consent separately. You can withdraw consent at any time, although withdrawal does not affect processing that already occurred lawfully before withdrawal.

4. Data We Collect

We collect data from you, from your device, from workouts you record or import, from connected services you authorize, and from your use of the Service.

4.1 Account and Profile Data

  • Account data: email address, authentication identifiers, login/session data, account status, accepted legal versions, subscription state, and security events.
  • Optional profile data: display name, biography, avatar, preferred sport types, goals, experience level, units, language, time zone, and profile visibility settings.
  • Social and community data: follows, clubs, comments, reactions, messages, reports, appeals, challenge participation, segment efforts, leaderboard placements, and moderation records.
  • Support and feedback data: information you provide when contacting support, reporting a problem, appealing a decision, or responding to surveys.

4.2 Workout and Activity Data

Workout data may include:

  • Activity type, title, notes, start/end time, duration, distance, elevation, pace, speed, splits, laps, perceived effort, training plan status, and workout source.
  • GPS and route data, including latitude, longitude, altitude, timestamps, accuracy, route previews, map redactions, private zones, and start/end hiding settings.
  • Sensor and performance data, if provided: heart rate, cadence, power, stride length, ground contact time, respiratory rate, active energy, temperature, device battery/status, and similar metrics.
  • Device and provenance data: device type, app version, watch/wearable identifiers, original file metadata, import parser, duplicate detection signals, and data quality flags.
  • Original workout files and exports, such as FIT, GPX, TCX, CSV, HealthKit, Health Connect, or compatible wearable payloads, when you import, sync, or request an export.

Some workout metrics can reveal information about health or physical condition. We process these metrics only for the purposes described in this policy and, where required, based on your explicit consent.

4.3 Location Data

We process precise location when you record outdoor GPS activities, import route files, use map/route features, opt into live location sharing, or participate in location-based features such as segments and leaderboards. We do not need precise location for every feature, and you can disable location access in your device settings.

If live location sharing is offered, each share must be started by you, can be stopped by you, and expires automatically. It is a convenience feature only and is not an emergency, dispatch, rescue, crash detection, or medical monitoring service.

4.4 Device, Usage, Log, and Diagnostic Data

We collect technical data necessary to operate, secure, debug, and improve the Service, including IP address, request timestamps, device type, operating system, browser, app version, crash reports, performance metrics, feature usage, language, approximate region, and security/rate-limit signals.

4.5 Payments and Subscriptions

We do not store full payment card numbers. Apple, Google, or Stripe process payments. We receive purchase confirmations, subscription status, transaction identifiers, product identifiers, billing metadata, tax/accounting records, and refund/cancellation signals needed to provide paid features and meet legal obligations.

4.6 Data From Third Parties and Connected Services

If you choose to connect a third-party account, wearable, platform, or import source, we process the information that the provider makes available according to your permissions. This may include workout summaries, route samples, sensor streams, device metadata, and account identifiers from services such as Apple Health, Health Connect, Wear OS, or other fitness platforms you authorize.

If you share YouRun activities to external services or social platforms, those services process the shared data under their own terms and privacy policies.

5. Purposes and Legal Bases

We process personal data only when we have a legal basis under GDPR and applicable law.

  • Account creation, authentication, legal consent records, and account administration. Legal basis: Art. 6(1)(b) GDPR.
  • Recording, syncing, importing, storing, displaying, exporting, and deleting workouts. Legal basis: Art. 6(1)(b) GDPR; for precise location and health metrics where required, Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR.
  • GPS maps, route previews, redaction, private zones, segments, leaderboards, challenges, clubs, and public sharing controls. Legal basis: Art. 6(1)(b) GDPR, Art. 6(1)(a) GDPR where consent is required, and Art. 6(1)(f) GDPR for abuse prevention and integrity checks.
  • Safety-sharing features started by you. Legal basis: Art. 6(1)(b) GDPR and, where precise location is required, Art. 6(1)(a) GDPR.
  • Training insights, deterministic performance analysis, and optional coaching features. Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(a) GDPR depending on the feature; for health metrics where required, Art. 9(2)(a) GDPR.
  • Messaging, comments, clubs, reports, appeals, and community interactions. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
  • Competitive integrity, anti-cheat review, duplicate detection, GPS quality checks, abuse detection, and enforcement of the Terms. Legal basis: Art. 6(1)(f) GDPR.
  • Security, fraud prevention, rate limiting, troubleshooting, service stability, and audit logs. Legal basis: Art. 6(1)(f) GDPR.
  • Subscription management, payment fulfilment, invoices, tax, and accounting. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(c) GDPR.
  • Push notifications and service communications. Legal basis: Art. 6(1)(b) GDPR; device push permission is controlled by your operating system.
  • Optional analytics and product improvement. Legal basis: Art. 6(1)(a) GDPR where consent is required and Art. 6(1)(f) GDPR for strictly necessary operational diagnostics.
  • Legal compliance, rights enforcement, dispute resolution, and response to lawful authority requests. Legal basis: Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR.

We do not make solely automated decisions that produce legal or similarly significant effects without human review. Automated quality, safety, and anti-cheat signals may affect whether a workout is temporarily eligible for competitive surfaces, but significant enforcement decisions can be reviewed or appealed.

6. Visibility, Sharing, and Privacy Controls

You control how much of your activity data is visible.

  • Workouts are private by default unless you change their visibility.
  • Activity visibility and map visibility are separate controls.
  • The owner can see the full route. Public or shared surfaces may use redacted geometry.
  • You may hide start/end areas, use private zones, hide maps from shared views, or make an activity private.
  • Public, club, follower, link-only, leaderboard, challenge, and indexable surfaces may expose different information depending on your settings.
  • If you share an activity outside the Service, we cannot control how recipients or third-party platforms use or copy it.
  • Some public or community surfaces, such as public routes, clubs, challenges, comments, segment records, or leaderboard entries, may remain visible or be retained in limited form after account deletion where necessary for integrity, safety, legal compliance, or other users' experience.

7. Recipients and Sharing

We share personal data only as necessary to provide, secure, improve, and administer the Service, or where required by law.

  • Hosting, database, authentication, and storage providers, including Supabase Inc. and Cloudflare Inc.
  • Caching, rate limiting, queueing, and messaging infrastructure providers, including Upstash Inc.
  • Product analytics and diagnostics providers, including PostHog Inc., only where enabled and permitted.
  • App platform, purchase, and push-notification providers, including Apple Inc. and Google LLC.
  • Payment providers, including Stripe Inc., for web payments.
  • Transactional email providers, including Amazon Web Services EMEA SARL.
  • Other users and the public, according to your visibility, sharing, club, challenge, leaderboard, comment, and messaging choices.
  • Connected services and third-party apps, when you choose to connect, import from, export to, or share with them.
  • Professional advisers, courts, authorities, and law enforcement where legally required or reasonably necessary to protect rights, safety, security, or prevent abuse.
  • Successors or acquirers if we are involved in a merger, acquisition, financing, restructuring, or sale of assets, subject to appropriate safeguards.

We do not sell your personal data. We do not share health data for advertising. We do not share your contact details with third parties for their own marketing.

8. International Transfers

Some recipients are located outside the European Economic Area. Where personal data is transferred to a country without an adequacy decision, we use appropriate safeguards such as the European Commission's Standard Contractual Clauses, Data Privacy Framework participation where applicable, and contractual commitments requiring GDPR-level protection.

You may request information about the applicable transfer safeguards by contacting us.

9. Retention

We retain personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required or permitted by law.

  • Account and profile data: while your account is active; generally deleted within 30 days after final account deletion.
  • Workout summaries and activity records: while your account is active or until you delete the workout, subject to backups and legal retention.
  • GPS route streams, map previews, redacted route projections, private zones, and original import files: while needed to provide activity, export, privacy, and integrity features, or until deleted by you where available.
  • Public/community records such as comments, clubs, challenges, routes, segment efforts, and leaderboard records: while visible or necessary for community integrity; may be anonymized, restricted, or retained in limited form after deletion.
  • Messages: retained until deletion or account deletion; delivered messages may remain available to recipients unless removed under applicable law or moderation rules.
  • Session and login logs: up to 30 days.
  • Security, audit, fraud, anti-cheat, moderation, report, and appeal records: up to 3 years, or longer where needed for legal claims or serious abuse investigations.
  • Payment, invoice, tax, and accounting records: up to 10 years where required by German tax and commercial law.
  • Support correspondence: up to 1 year after resolution, or longer where needed for legal claims.
  • Analytics events: up to 13 months or until consent is withdrawn, unless aggregated or deidentified earlier.
  • Push notification tokens: until permission is revoked, the token expires, or the account is deleted.
  • Consent records: for the duration of the account relationship and up to 3 years thereafter.
  • Backups and CDN caches: may persist for up to 30 additional days before being overwritten or expired.

When you delete your account, we may provide a 30-day recovery period. After the recovery period, deletion proceeds according to this policy. Deleted data cannot always be restored.

10. Your Rights

Subject to statutory conditions and exceptions, you have the following rights:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Rights regarding automated decisions (Art. 22 GDPR)
  • Right to withdraw consent at any time (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

You can access, correct, export, or delete many categories of data through account, privacy, and workout settings. To exercise rights that are not available in-product, contact contact@lighthold.io. We may need to verify your identity. We will respond within one month unless the law permits an extension.

11. Communications

We send service messages such as login, security, purchase, subscription, privacy, moderation, support, workout, challenge, and notification messages. These are part of the Service.

We may send emails about our own similar products or features where permitted by law. You can unsubscribe from marketing messages at any time. We do not send third-party advertising.

12. Security

We use technical and organisational measures under Art. 32 GDPR, including TLS, encryption at rest where appropriate, access controls, least-privilege permissions, logging, monitoring, rate limiting, abuse detection, backup controls, and review of security-sensitive operations.

No online service is completely secure. You should protect your credentials, keep devices updated, and contact us immediately if you suspect unauthorized access.

13. Cookies and Similar Technologies

We use strictly necessary cookies and similar technologies for authentication, security, preferences, payments, and core web functionality. Optional analytics technologies are used only where enabled and permitted. We do not use advertising cookies, tracking pixels, or social media plugins.

For details and preference management, see our Cookie Policy.

14. Children

The Service is intended for users aged 16 and over, unless a higher minimum age applies in your country or for a specific feature. We do not knowingly collect personal data from anyone below the applicable minimum age. If we learn that an underage user has created an account, we will suspend the account and delete associated personal data.

We maintain a zero-tolerance policy toward child sexual abuse and exploitation. Relevant content or conduct will be removed, accounts may be banned, and reports may be made to the appropriate authorities.

15. Third-Party Services

Third-party services, app stores, payment providers, wearable platforms, fitness platforms, mapping providers, or social networks have their own terms and privacy policies. This policy does not apply to third-party processing after you choose to connect, import from, export to, or share with them.

16. Changes to This Policy

We may update this Privacy Policy as the Service, technology, legal requirements, or our data practices change. The latest revision date appears at the top.

Where changes are material, we will notify you by email, in-app notice, website notice, or another appropriate method before or when the changes take effect. Where required by law, we will request consent.

17. Contact and Supervisory Authority

For questions, privacy requests, or concerns:

  • Lighthold UG (haftungsbeschränkt)
  • Data Protection Enquiries
  • Email: contact@lighthold.io
  • Address: Campus Gebäude A1 1, 66123 Saarbrücken, Germany

Our single point of contact for users and authorities under the Digital Services Act is: contact@lighthold.io.

You may lodge a complaint with a data protection supervisory authority. Our competent supervisory authority is:

  • Independent Data Protection Centre Saarland
  • Fritz-Dobisch-Straße 12, 66111 Saarbrücken
  • Phone: +49 681 94781-0
  • Website: https://www.datenschutz.saarland.de

The European Commission provides an Online Dispute Resolution platform at https://ec.europa.eu/consumers/odr/.