Privacy Policy
How SportIn.io SRL collects, uses, and protects your personal data.
Contents
- Who we are
- What this policy covers
- Data we collect
- How we use your data and the legal basis
- Apple HealthKit data
- Location data
- Wearables and Spike
- AI voice commentary (ElevenLabs)
- Map tiles (Mapbox)
- Sharing your data
- International transfers
- Retention
- Your rights
- How to delete your account
- Children
- Security
- Right to complain
- Changes
- Contact
1. Who we are
SportIn.io SRL ("SportIn", "we", "us", "our") is a Romanian company. We are the data controller for the personal data described in this policy.
Email: hello@sportin.io
Privacy contact: privacy@sportin.io
2. What this policy covers
This Privacy Policy applies to the SportIn mobile application (iOS and Android), the website at sportin.io and try.sportin.io, and the SportIn web application at app.sportin.io (together, the "Service").
3. Data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email, display name, password hash, Apple ID identifier (when you Sign in with Apple), profile photo, country | You |
| Movement data | Step count, walking and running distance, workout duration, pace, splits, calculated Movement Index | Apple HealthKit, your phone's Core Motion sensor, our eMotion engine, connected wearables via Spike (Garmin, Fitbit) |
| Location data | Precise GPS location and route polyline collected only during an active workout you start | Your device's location services |
| Social data | Friend graph, posts, photos, comments, reactions, reports, blocks | You and other users |
| Competition data | Team affiliation, House or Brand Team membership, leaderboard rank, race participation, lap times | Generated by your use of the Service |
| Rewards data | Vouchers earned, redemption events, sponsor offers viewed | Your use of the Service |
| Notifications | APNs push token, your notification preferences | Your device |
| AI commentary data | Stats we send to a third-party speech provider to synthesize voice commentary about your performance — we do not include personally identifying information in those prompts | Generated by your use of the Service |
| Wearable connection metadata | OAuth tokens for Garmin, Fitbit, and other providers (held by Spike on our behalf), connection status | Spike |
| Compliance data | Terms acceptance time and version, account deletion requests, ban status | Your use of the Service |
| Technical data | App version, OS version, language, crash diagnostics provided by Apple, Mapbox map-tile request metadata | Apple, Mapbox, your device |
4. How we use your data and the legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Create and manage your account | Performance of contract — Art. 6(1)(b) |
| Track movement, calculate the Movement Index, show your activity | Performance of contract; explicit consent for HealthKit data |
| Show your route on the map and replay your run | Explicit consent (location services) |
| Place you on leaderboards, run competitions, calculate winners | Performance of contract |
| Generate AI voice commentary | Legitimate interest (entertainment), with transparency |
| Send transactional and competition emails | Performance of contract |
| Send marketing emails | Consent (you can withdraw at any time) |
| Send push notifications about your runs, leaderboards, and races | Performance of contract; marketing pushes only with consent |
| Detect cheating via SafeGuard AI | Legitimate interest in maintaining fair competition |
| Comply with legal obligations (accounting, anti-fraud, regulator requests) | Legal obligation — Art. 6(1)(c) |
| Account deletion fulfillment | Legal obligation; performance of contract |
5. Apple HealthKit data
SportIn reads step count and walking and running distance from Apple Health when you grant permission.
- Health data is used solely to display your activity in the app, calculate your Movement Index, and rank you in competitions.
- We do not use Health data for advertising or marketing of any kind.
- We do not sell, rent, or trade Health data to any third party.
- We do not share Health data with third parties for their own purposes.
- You can revoke HealthKit access at any time in iOS Settings → Privacy & Security → Health → SportIn.
6. Location data
SportIn collects precise GPS location only while a workout is active — that is, from when you tap Start until you tap Stop. We use this to show your route on the map, calculate distance, and verify the integrity of activities for competitions.
- We use When In Use location authorization. Background location collection is permitted only while a workout is active, so the recording can continue when your screen is off.
- We retain the route polyline as part of your activity history. You can delete an individual activity from the app, which deletes its route.
- You can revoke location access at any time in iOS Settings → Privacy & Security → Location Services → SportIn.
7. Wearables and Spike
If you connect a wearable such as Garmin or Fitbit, we use Spike (TryTerra Inc.) as our integration provider. Connecting a wearable shares your activity data (steps, distance, sessions) with us via Spike. You can disconnect any wearable from the Connections screen in your profile, which revokes the Spike token.
Spike processes data on our behalf as a sub-processor under a data processing agreement.
8. AI voice commentary (ElevenLabs)
We use ElevenLabs Inc. to synthesize voice commentary about your performance. We send a short text prompt containing your stats (such as distance, pace, time, and a few descriptive words) to ElevenLabs, which returns audio. We do not include your name, email, or other identifying details in that prompt.
The output is generative AI: it can be inaccurate. It is provided for entertainment only and is not coaching, medical, or training advice.
9. Map tiles (Mapbox)
We use Mapbox to render the map. Mapbox receives the data necessary to deliver appropriate map tiles. We do not use Mapbox's product analytics for our own purposes.
10. Sharing your data
We share personal data only with:
- Service providers acting as our processors under data-processing agreements: Supabase Inc. (database, auth, hosting), ElevenLabs Inc. (text-to-speech), Spike / TryTerra Inc. (wearable integrations), Mapbox Inc. (map tiles), Apple Inc. (push notifications), and similar infrastructure partners.
- Sponsors and brand partners — only aggregated, non-identifying competition statistics. We do not share your name, email, or activity data with brand partners unless you explicitly opt in (for example, to redeem a sponsor reward, in which case we share what is necessary to fulfill that reward).
- Authorities — when legally required.
11. International transfers
Some of our processors are based outside the European Economic Area, including in the United States. For these transfers we rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, adequacy decisions, with supplementary measures where appropriate.
12. Retention
- Account data: until you delete your account, then up to 30 days for backup expiration.
- Movement and location data: same as account, unless you delete the activity sooner.
- Compliance records (Terms acceptance, deletion requests): up to 5 years for legal proof.
- Accounting and invoicing records: 10 years (Romanian fiscal law).
- Push tokens: until rotation or deletion.
- Crash diagnostics (Apple): per Apple's policy.
13. Your rights
Under the GDPR you have the right to:
- access your personal data;
- correct inaccurate data;
- delete your data ("right to be forgotten");
- restrict or object to processing;
- data portability;
- withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, email privacy@sportin.io. We respond within one month and may extend by two further months for complex requests, with notice.
14. How to delete your account
- In the app: Settings → Account → Delete account. Deletion is irreversible.
- By email: privacy@sportin.io. We confirm and complete within 30 days.
Account deletion removes your profile, posts, activities, route history, and rewards balance, except records we are legally required to retain.
15. Children
SportIn is intended for users 16 years of age and older. We do not knowingly collect personal data from anyone under 16. If you believe a minor has registered, contact privacy@sportin.io and we will delete the account.
16. Security
We use TLS in transit, encrypted storage at rest, role-based access, and Supabase Row-Level Security policies. No system is perfectly secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) per GDPR Articles 33–34.
17. Right to complain
You may lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania — www.dataprotection.ro — or with the supervisory authority of your country of residence.
18. Changes
We will notify you of material changes to this Privacy Policy by email or in-app. The "Last updated" date at the top of this page reflects the current version.
19. Contact
SportIn.io SRL · Romania
Email: hello@sportin.io
Privacy: privacy@sportin.io