Skip to main content

GDPR Compliance

General Data Protection Regulation

Last updated: September 1, 2025

Table of Contents

  1. Introduction to GDPR
  2. Our Commitment to Data Protection
  3. Legal Basis for Processing
  4. Your Data Protection Rights
  5. Personal Data We Process
  6. Sources of Personal Data
  7. When We Share Your Data
  8. Data Retention Periods
  9. International Data Transfers
  10. How to Exercise Your Rights
  11. Data Protection Officer
  12. Supervisory Authority
  13. Children's Data Protection
  14. Automated Decision Making
  15. Data Breach Procedures
  16. Contact Information

1. Introduction to GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all companies processing personal data of individuals in the European Union, regardless of where the company is located.

At NuroStride, we are committed to protecting your privacy and ensuring full compliance with GDPR requirements. This page explains how we handle your personal data in accordance with GDPR principles and your rights as a data subject.

GDPR Principles We Follow:

  • Lawfulness, Fairness, and Transparency: We process data lawfully and transparently
  • Purpose Limitation: Data is collected for specific, legitimate purposes
  • Data Minimization: We only collect data that is necessary
  • Accuracy: We keep personal data accurate and up to date
  • Storage Limitation: Data is kept only as long as necessary
  • Integrity and Confidentiality: We ensure appropriate security
  • Accountability: We can demonstrate compliance with GDPR

2. Our Commitment to Data Protection

NuroStride is committed to the highest standards of data protection. Our commitment includes:

Privacy by Design

We integrate privacy considerations into all aspects of our product development and business operations from the ground up.

Transparency

We provide clear, accessible information about our data processing activities and your rights.

Data Security

We implement robust technical and organizational measures to protect your personal data.

User Control

We give you meaningful control over your personal data and how it's processed.

2.1 GDPR Compliance Measures

  • Regular privacy impact assessments
  • Data protection officer appointment
  • Staff training on data protection principles
  • Vendor due diligence and data processing agreements
  • Incident response and breach notification procedures
  • Regular compliance audits and reviews

4. Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Information

You have the right to be informed about the collection and use of your personal data through this privacy notice.

Right of Access

You can request a copy of your personal data and information about how we process it.

Right to Rectification

You can request that we correct inaccurate personal data or complete incomplete data.

Right to Erasure

You can request deletion of your personal data in certain circumstances (also known as the "right to be forgotten").

Right to Restrict Processing

You can request that we temporarily stop processing your personal data in certain situations.

Right to Data Portability

You can request a copy of your personal data in a structured, commonly used format for transfer to another service.

Right to Object

You can object to processing based on legitimate interests, direct marketing, or research and statistics.

Rights Related to Automated Decision Making

You have rights regarding automated decision-making and profiling that produces legal or significant effects.

4.1 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

4.2 Limitations on Rights

These rights are not absolute and may be limited in certain circumstances, such as:

  • When processing is necessary for compliance with legal obligations
  • For the establishment, exercise, or defense of legal claims
  • To protect the rights and freedoms of others
  • For reasons of public interest or scientific research

5. Personal Data We Process

We process various categories of personal data depending on your use of our services:

Identity Data

  • Name and username
  • Date of birth
  • Gender
  • Profile photo
  • Account preferences

Contact Data

  • Email address
  • Phone number (optional)
  • Communication preferences
  • Support correspondence

Financial Data

  • Payment method information
  • Billing address
  • Transaction history
  • Subscription details

Fitness and Health Data

  • Running activities and metrics
  • Performance data (pace, distance, elevation)
  • Heart rate data (if provided)
  • Training goals and achievements
  • Body measurements (if provided)

Technical Data

  • IP address and location data
  • Device information and identifiers
  • Browser type and version
  • Operating system
  • App usage data

Usage Data

  • Platform interaction data
  • Feature usage patterns
  • Click-through rates
  • Session duration
  • Error logs

5.1 Special Categories of Data

Fitness and health data are considered "special categories" of personal data under GDPR, requiring additional protection. We process this data based on:

  • Your explicit consent
  • Necessity for health or social care purposes
  • Public interest in public health

6. Sources of Personal Data

We collect personal data from various sources:

6.1 Direct Collection

  • Information you provide during account registration
  • Data you enter when using our services
  • Communications with customer support
  • Survey responses and feedback
  • Marketing communication interactions

6.2 Automated Collection

  • Website and app usage through cookies and analytics
  • Device and browser information
  • Location data (with your consent)
  • Performance and error logs

6.3 Third-Party Sources

  • Strava: Running activities and profile data (with your authorization)
  • Social Media: Public profile information when you connect accounts
  • Payment Providers: Transaction and billing information
  • Marketing Partners: Lead generation and campaign data

7. When We Share Your Data

We may share your personal data in the following circumstances:

7.1 Service Providers

We share data with trusted service providers who process data on our behalf:

  • Cloud hosting and infrastructure (AWS, Google Cloud)
  • Payment processing (Stripe, PayPal)
  • Email services (SendGrid, Mailgun)
  • Analytics providers (Google Analytics, Mixpanel)
  • Customer support tools (Zendesk, Intercom)

All service providers are bound by data processing agreements that ensure GDPR compliance.

7.2 Legal Requirements

We may disclose data when required by law or to:

  • Comply with legal processes
  • Respond to government requests
  • Protect our rights and property
  • Ensure user safety
  • Investigate fraud or security issues

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections.

7.4 With Your Consent

We may share data with third parties when you explicitly consent to such sharing.

8. Data Retention Periods

We retain personal data for different periods depending on the purpose and legal requirements:

Data Category Retention Period Reason
Account and profile data Until account deletion + 30 days Service provision and backup recovery
Running and fitness data Until account deletion + 1 year Service provision and analytics
Payment and billing records 7 years Tax and accounting requirements
Support communications 3 years Quality assurance and legal protection
Marketing data Until consent withdrawal + 30 days Marketing campaigns and analytics
Usage and analytics data 2 years (anonymized after 6 months) Service improvement
Security logs 1 year Security monitoring and fraud prevention

8.1 Anonymization

Where possible, we anonymize personal data after the initial retention period to use it for statistical and research purposes without compromising your privacy.

9. International Data Transfers

NuroStride operates globally, and your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.

9.1 Safeguards for International Transfers

We ensure adequate protection for international data transfers through:

  • Standard Contractual Clauses (SCCs): European Commission-approved contracts
  • Adequacy Decisions: Transfers to countries deemed adequate by the EU
  • Binding Corporate Rules: Internal data transfer rules for multinational companies
  • Certification Schemes: Industry-recognized privacy certifications

9.2 Transfer Impact Assessments

We conduct Transfer Impact Assessments to evaluate the level of protection in destination countries and implement additional safeguards where necessary.

10. How to Exercise Your Rights

You can exercise your GDPR rights through multiple channels:

Online Self-Service

  • Access your account settings
  • Download your data
  • Update personal information
  • Manage communication preferences
  • Delete your account

Email Request

Send an email to gdpr@nurostride.com with:

  • Clear description of your request
  • Verification of your identity
  • Specific data or processing activities involved

Data Protection Officer

Contact our DPO at dpo@nurostride.com for complex privacy matters or complaints.

10.1 Response Timeframes

  • Standard Requests: Within 30 days
  • Complex Requests: Up to 90 days (with notification)
  • Identity Verification: May require additional time
  • Urgent Requests: Expedited processing when possible

10.2 Verification Process

To protect your privacy, we may need to verify your identity before processing certain requests. This may involve:

  • Confirming account details
  • Answering security questions
  • Providing additional identification documents

11. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance and serve as a point of contact for data protection matters.

Our DPO's Responsibilities:

  • Monitoring compliance with GDPR and other data protection laws
  • Conducting privacy impact assessments
  • Providing guidance on data protection matters
  • Serving as contact point for supervisory authorities
  • Training staff on data protection principles
  • Handling data subject complaints and requests

Contact our DPO:

  • Email: dpo@nurostride.com
  • Subject Line: Include "DPO Inquiry" or "GDPR Request"
  • Response Time: Within 5 business days

12. Supervisory Authority

If you are not satisfied with how we handle your personal data or privacy concerns, you have the right to lodge a complaint with a supervisory authority.

12.1 EU Supervisory Authorities

You can contact the supervisory authority in your EU member state. For a list of authorities, visit: European Data Protection Board

12.2 Lead Supervisory Authority

As we serve customers across the EU, our lead supervisory authority is determined based on our main establishment in the EU or the location where most of our EU processing activities take place.

12.3 Before Filing a Complaint

We encourage you to contact us first to resolve any concerns. However, you have the right to lodge a complaint at any time without first contacting us.

13. Children's Data Protection

We are committed to protecting the privacy of children under the age of 16 (or lower age in some EU member states).

13.1 Consent Requirements

  • Children under 16 need parental consent for data processing
  • We verify parental consent through appropriate methods
  • Parents can withdraw consent at any time
  • We take reasonable efforts to verify the child's age

13.2 Parental Rights

Parents or guardians have the right to:

  • Access their child's personal data
  • Request rectification or erasure
  • Withdraw consent for data processing
  • Object to certain processing activities

13.3 Special Protections

  • Enhanced privacy notices for children
  • Stricter data minimization practices
  • Additional security measures
  • Limited data sharing with third parties

14. Automated Decision Making

We use automated processing to provide personalized running insights and recommendations. Here's what you need to know:

14.1 Types of Automated Processing

  • Training Recommendations: AI algorithms suggest optimal training plans
  • Injury Risk Assessment: Analysis of patterns that may indicate injury risk
  • Performance Predictions: Forecasting future performance based on current data
  • Content Personalization: Customizing content based on your interests

14.2 Your Rights Regarding Automated Processing

You have the right to:

  • Not be subject to decisions based solely on automated processing that produce legal or significant effects
  • Request human intervention in the decision-making process
  • Express your point of view regarding automated decisions
  • Contest automated decisions and request manual review

14.3 Safeguards

  • Regular algorithm auditing for bias and accuracy
  • Human oversight of significant automated decisions
  • Clear explanations of automated decision logic
  • Ability to opt out of certain automated processing

15. Data Breach Procedures

We have comprehensive procedures in place to detect, assess, and respond to personal data breaches.

15.1 Breach Response Process

  1. Detection and Assessment: Immediate identification and risk assessment
  2. Containment: Steps to prevent further data compromise
  3. Investigation: Thorough analysis of the breach cause and scope
  4. Notification: Reporting to authorities and affected individuals as required
  5. Remediation: Measures to prevent similar incidents

15.2 Notification Requirements

  • Supervisory Authority: Within 72 hours of becoming aware
  • Data Subjects: Without undue delay if high risk to rights and freedoms
  • Partners: Notification to relevant business partners and vendors

15.3 Information Provided

Breach notifications include:

  • Nature and scope of the breach
  • Categories and number of data subjects affected
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Steps you can take to protect yourself

16. Contact Information

For GDPR-related questions, requests, or concerns, please contact us:

General GDPR Inquiries

Email: gdpr@nurostride.com

Subject Line: Include "GDPR" and the type of request

Response Time: Within 30 days

Data Protection Officer

Email: dpo@nurostride.com

For: Complex privacy matters, complaints, guidance

Response Time: Within 5 business days

Legal Department

Email: legal@nurostride.com

For: Legal notices, compliance questions

Response Time: Within 48 hours

16.1 Request Information

When contacting us about GDPR matters, please include:

  • Your full name and email address associated with your account
  • Clear description of your request or concern
  • Any relevant account or reference numbers
  • Preferred communication method for our response

Disclaimer: This GDPR compliance information is for general guidance only. Consult with a qualified attorney for legal advice specific to your situation and jurisdiction. GDPR requirements may vary based on specific circumstances and evolving regulations.