Privacy Policy
Last updated: June 30, 2026
This Privacy Policy explains how elan collects, uses, stores, and shares your personal information when you use our fitness and social platform.
1. Introduction
This Privacy Policy explains how elan ("we", "us", or "our") collects, uses, stores, and shares your personal information when you use our fitness and social platform ("the App"). By creating an account or using the App, you agree to the practices described in this policy. If you do not agree, please do not use the App.
This policy applies to all versions of the App on iOS and to any additional platforms we may support in the future. It also covers our marketing website at elan.run and the waitlist you can join there — see the Website & Waitlist section immediately below. The remaining numbered sections describe our practices for the App.
Website & Waitlist
This section covers our marketing website at elan.run and the pre-launch waitlist — separate from the App, which the numbered sections below describe. If you only visit the website or join the waitlist, this is the part of the policy that applies to you.
What we collect. When you join the waitlist, we collect the email address you submit. That is the only personal information the website asks you for. We do not use advertising or tracking cookies on the website, and we do not build advertising profiles.
How we use it, and our legal basis. We use your email address solely to notify you when elan launches and to send occasional related updates. Our legal basis is your consent, which you give by submitting the form and confirming your subscription.
Email provider (processor). Waitlist emails are managed through MailerLite, an email marketing service that stores your address and delivers our messages on our behalf under a data-processing agreement. When you sign up, MailerLite sends a confirmation email (double opt-in) — your address is only added to the list once you confirm. MailerLite's Privacy Policy: mailerlite.com/legal/privacy-policy
Hosting. The website is hosted on Cloudflare Pages. As part of delivering and securing the site, Cloudflare processes standard technical request data (such as IP address and browser type) in its capacity as our hosting and content-delivery provider. Cloudflare's Privacy Policy: cloudflare.com/privacypolicy
Unsubscribing and removal. Every email we send includes an unsubscribe link, and you can opt out at any time. To have your waitlist data deleted, use the unsubscribe link or email us at [email protected].
Retention. We keep your waitlist email address until elan launches or until you unsubscribe or ask us to delete it, whichever comes first.
2. Information We Collect
2.1 Account InformationWhen you register, we collect your display name, username, email address, and password. Passwords are never stored in plain text — Firebase Authentication stores a cryptographic hash only. You may also optionally provide a profile photo (uploaded to Firebase Storage) and a short bio. If you sign in with Apple, we receive your name and email address from Apple (you may choose to hide your email using Apple's relay service, in which case we receive the relay address).
2.2 Activity and Fitness DataThe App records fitness activities you choose to log. This includes:
- Activity type (run, cycle, hike, walk, workout, swim, yoga, sport)
- Duration and timestamp of each activity
- Distance, pace, and average speed (GPS activities)
- Elevation gain (GPS activities, derived from barometric or GPS altitude)
- Estimated calories burned (calculated on-device using MET-based formulas from your activity type, duration, and distance — not sent to any external calorie service)
- Workout sessions including exercises, sets, repetitions, load (weight), and volume
- Activity title, caption, and any location tag you optionally add to a post
Activity data is stored in your Firestore account document and in the public posts collection if you choose to publish. Private posts are stored in a separate subcollection accessible only by your account.
2.3 GPS and Location DataWhen you start a GPS-tracked activity (run, cycle, hike, or walk), the App requests access to your device's location using the iOS CoreLocation / Android Location API via the expo-location library. Specifically:
- GPS coordinates are sampled in real time to compute distance, pace, and elevation. Raw coordinate sequences are processed on-device and are NOT stored to Firestore or transmitted to our servers. Only the derived statistics (total distance, average pace, total elevation, calories) are saved with your activity record.
- We request "when in use" location permission. If you enable background location (optional, iOS only), the App continues sampling GPS when your screen turns off so that distance accumulation is not interrupted mid-workout. This background access is used solely for the active workout session and ceases when you finish or pause.
- If you add a location tag to a post, you type a place name and select from geocoding results. We store only the human-readable place name you select, not GPS coordinates.
- We do not track your location at any time other than during an active GPS workout.
The App may access health and sensor data in the following ways:
Apple HealthKit (iOS)
With your permission, the App reads step count and sleep data from Apple Health to populate the Health dashboard. With your permission, the App writes workout summaries back to Apple Health when you complete a GPS activity. HealthKit data is never shared with third parties or used for advertising. You can revoke HealthKit access at any time in iOS Settings → Privacy & Security → Health.
Pedometer / Motion
The App uses the device's motion coprocessor (Core Motion on iOS) to count steps during specific morning wake-up challenges. Step-counting runs only while a wake-up challenge is active and in the foreground. Step data is not stored beyond the current session.
Microphone
One morning routine step optionally uses your microphone to detect a clap or loud sound (e.g., shouting) as a way to prove you are awake. Audio is processed entirely on-device using the device's audio input level — no audio is recorded, stored, or transmitted. Microphone access is only active during the specific routine step that requires it.
Camera
The App uses your camera in the following limited contexts:
- Morning routine QR-scan step: the camera scans a QR code (e.g., printed near your bathroom) to confirm you have physically left your bed. No image is captured or stored.
- Morning routine mirror-selfie step: the camera displays a live preview so you can see yourself. No image is captured or stored unless you explicitly take a photo.
- Post photos: when composing an activity post, you may take a photo or select one from your photo library. This image is uploaded to Firebase Storage and linked to your post. It is never processed or analysed beyond storage and display.
The App includes a sleep logger where you can manually record bedtime, wake time, sleep quality rating, and notes. This data is stored in your Firestore account under a private subcollection (sleep_entries) accessible only by your account. If you grant HealthKit access, sleep data from Apple Health is also read and displayed in the Health dashboard but is not written back.
2.6 Nutrition DataThe nutrition log allows you to search for food items and log calorie and macro-nutrient intake (protein, carbohydrates, fat, fibre). Nutrition entries are stored in your private Firestore subcollection (nutrition_entries). Food searches use the USDA FoodData Central API and the Open Food Facts API — search terms are transmitted to these services; no personal identifiers accompany the queries.
2.7 Alarm and Morning Routine DataAlarm schedules (time, days of the week, ringtone, challenge type) are stored in your Firestore account document. Routine configurations (the sequence of wake-up steps you design) are stored in your routines subcollection. Wake-up completion logs (whether you successfully completed each alarm, time taken, challenge outcomes) are stored in your wake_history subcollection. This data is private to your account.
2.8 Social and Community DataWe store the following social data you create within the App:
- Activity posts (title, caption, activity stats, optional photo, optional location name, visibility setting — public or private)
- Stories (24-hour short-form updates; automatically deleted from our servers after 24 hours)
- Comments and likes on posts
- Direct messages between you and other users (stored in encrypted Firestore documents; not actively monitored except where reported for abuse or required by law)
- Buddy connections (mutual follow relationships — stored as UID arrays in both users' documents)
- Group and clan memberships, posts within those communities, and your role (member, admin, owner)
- Collaborative activity links — when you start a collaborative workout with a buddy, a reference to your buddy's UID is associated with your activity record.
The App records points earned per activity, daily challenge results (Wordle, Color Match, Sound ID, Price Tag, Shape, Trivia, Time), morning routine completion, and current streak. This data powers leaderboards and monthly rankings visible to other users. Daily challenge answers and outcomes are stored per-user in the daily_challenge_results subcollection.
2.10 Device and Usage DataWe may collect your device type, operating system version, App version, and interaction logs (screens viewed, features used, crash reports) for the purpose of fixing bugs and improving the product. This data is processed through Firebase Crashlytics and is associated with an anonymised device identifier, not your account identity.
2.11 Push Notification TokensIf you grant notification permission, we store your device's FCM (Firebase Cloud Messaging) push token in your Firestore user document to deliver activity alerts, social notifications (likes, comments, buddy requests), and alarm-related reminders. You can revoke notification permission at any time in your device settings.
3. How We Use Your Information
We use your data only to provide and improve the App. Specifically:
- To create, authenticate, and manage your account
- To display your activity feed, posts, stories, and social interactions to you and (for public content) to other users
- To calculate and display fitness statistics — distance, pace, elevation, calories — derived from GPS and activity data
- To operate alarms, morning routines, and wake-up challenges
- To log and display sleep, nutrition, and health dashboard data
- To award points, maintain leaderboards, and run daily challenges
- To enable collaborative activities and buddy connections
- To send push notifications you have opted into
- To write workout summaries to Apple Health (with your explicit HealthKit permission)
- To investigate and fix technical problems and crashes
- To comply with legal obligations
We do not use your health, activity, fitness, sleep, nutrition, location, microphone, or camera data for advertising. We do not build advertising profiles. We do not sell your data to third parties.
4. Third-Party Services
The App is built on the following third-party infrastructure. By using the App you are also subject to their respective privacy policies.
Firebase / Google LLC
We use Firebase Authentication (account management and password hashing), Cloud Firestore (structured data storage), Firebase Storage (photo and media uploads), and Firebase Cloud Messaging (push notifications). All Firestore and Storage data is stored on Google's servers in the United States and/or other regions depending on your Firestore location settings. Google's Privacy Policy: policies.google.com/privacy
Apple HealthKit (iOS)
HealthKit data is read and written on your device via Apple's HealthKit APIs. Apple's HealthKit terms prohibit us from using HealthKit data for advertising or from disclosing it to third parties other than for the purposes of improving health or fitness. Apple's Privacy Policy: apple.com/legal/privacy
OpenStreetMap Foundation / Nominatim
Location search (for post geo-tags) uses the public Nominatim geocoding API. Search queries you type in the location field are sent to Nominatim. No personal identifiers accompany these queries. Nominatim Privacy Policy: osmfoundation.org/wiki/Privacy_Policy
USDA FoodData Central
Nutrition food search uses the public USDA FoodData Central API. Search terms are sent to USDA servers. No personal identifiers accompany queries. USDA Privacy Policy: usda.gov/privacy-policy
Open Food Facts
Nutrition search also queries the Open Food Facts API for additional food items. Search terms are sent to Open Food Facts servers. No personal identifiers accompany queries. Open Food Facts Privacy Policy: world.openfoodfacts.org/privacy
Expo / Expo Inc.
The App is built with Expo and React Native. Expo may collect anonymised telemetry about build and runtime performance. Expo Privacy Policy: expo.dev/privacy
5. Data Sharing
We do not sell, rent, or share your personal information with third parties for their marketing purposes. We may share data only in the following limited circumstances:
- With other users (public content) — posts, stories, comments, and profile information you choose to make public are visible to other App users. Your display name, username, and profile photo are always public. Private posts, sleep entries, nutrition entries, alarm schedules, and wake history are never visible to other users.
- Collaborative activity partners — when you start a collaborative activity and invite a buddy, that buddy can see that you are active and your public display name. Real-time GPS coordinates are not shared with buddies.
- Service providers — the third-party infrastructure listed in Section 4 processes data on our behalf under contractual data-processing agreements.
- Legal compliance — we may disclose data if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business transfers — if the App or its business is acquired or merged, your data may transfer to the new owner subject to the same or stricter protections. We will provide you with notice before this occurs.
6. Data Retention
We retain your account data for as long as your account is active.
Stories are automatically deleted from our servers after 24 hours from the time they were posted.
Private and archived posts are retained until you manually delete them or delete your account.
Activity logs, sleep entries, and nutrition entries are retained indefinitely while your account is active to power your personal history and statistics.
Wake history and alarm schedules are retained while your account is active. You can delete individual records within the App.
Account deletion — if you delete your account, we will delete or anonymise your personal information from our active Firestore database within 30 days. Residual copies in automated backups may persist for up to 90 days before being purged. Aggregated, anonymised statistical data derived from your activity may be retained indefinitely.
Notification tokens are deleted when you delete your account or when the token is invalidated by the operating system.
7. Security
We implement industry-standard technical and organisational measures to protect your data, including:
- Encrypted transmission (TLS/HTTPS) for all data in transit
- Firebase Authentication's cryptographic password hashing — we never store or transmit your raw password
- Firestore Security Rules that restrict read and write access to authenticated users and enforce per-user data isolation (you cannot read another user's private posts, sleep entries, nutrition data, alarms, or wake history)
- Firebase Storage security rules that prevent unauthorised uploads or downloads
- HealthKit data isolation enforced by iOS — only the App can read the HealthKit data it has been granted access to
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any confirmed breach.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — update inaccurate data via the Edit Profile screen or by contacting us
- Deletion — delete your account and associated personal data (see Section 6 for timing)
- Restriction — object to or restrict certain processing
- Portability — request a machine-readable export of your personal data
- Withdraw consent — revoke any permission (location, camera, microphone, notifications, HealthKit) at any time in device settings without affecting the legality of prior processing
To exercise any of these rights, contact us at the address in Section 12. We will respond within 30 days. We may ask you to verify your identity before acting on a request.
California residents (CCPA/CPRA)
You have the right to know what personal information we collect, disclose, and sell (we do not sell personal information). You have the right to request deletion of your personal information and the right not to be discriminated against for exercising your rights.
EU/EEA and UK residents (GDPR/UK GDPR)
Our legal bases for processing are: contract performance (account and App functionality), legitimate interests (security, fraud prevention, product improvement), and your explicit consent (HealthKit access, location access, camera, microphone, push notifications). You have the right to lodge a complaint with your local data protection supervisory authority.
9. Children's Privacy
The App is not directed at children under the age of 13 (or 16 in certain jurisdictions, including EU/EEA member states). We do not knowingly collect personal information from children below the applicable minimum age. If you believe a child has provided personal information without parental consent, please contact us and we will delete that information promptly.
Users aged 13–17 must have parental or guardian consent before using the App. By registering, users in this age group represent that their parent or guardian has agreed to these terms and our Privacy Policy on their behalf.
10. International Data Transfers
Firebase stores data in Google data centres, which may be located outside your country of residence. By using the App, you acknowledge that your data may be transferred to, and stored in, countries with different data protection laws. Google participates in recognised international data transfer frameworks, including EU Standard Contractual Clauses, to protect transferred data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App and, where required by applicable law, by sending you an email notification. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the App after changes take effect constitutes your acceptance of the revised policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy, the data we hold about you, or to exercise any of the rights described in Section 8, please contact:
elan
Email: [email protected]
For EU/EEA and UK residents: if you believe we have not handled your data lawfully you have the right to lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU).