Privacy Policy
Last updated: December 11, 2025
1. Introduction
This Privacy Policy explains how KeiroLabs ("we", "us", "our") collects, uses, and protects your personal information when you use our triathlon race simulation platform ("Service").
We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
KeiroLabs
Sandhamnsgatan 23
11560 Stockholm
Sweden
Email: [email protected]
For data protection inquiries, please contact us at the email address above.
3. Data We Collect
We collect the following categories of personal data:
Account Information:
• Name
• Email address
• Password (encrypted)
Athlete Profile Data:
• Nationality
• Birth year
• Sex
• Weight and height
• Performance metrics (FTP, CSS, run pace)
• Aero position skill level
• Riding style preferences
Gear Configuration:
• Bike type and specifications
• Wheel configurations
• Helmet and clothing selections
• Equipment weights
Usage Data:
• Race plans and simulation results
• Saved events and preferences
• Feature usage patterns
• Session duration and frequency
Technical Data:
• IP address
• Browser type and version
• Device information
• Operating system
• Referral source
4. How We Collect Data
We collect data through:
Direct Input:
• Account registration forms
• Profile and gear configuration
• Race planning inputs
• Support communications
Automated Collection:
• Cookies and similar technologies
• Server logs
• Analytics tools
Third-Party Sources:
• Authentication providers (if using social login)
• Payment processor (Stripe) for billing information
5. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6):
Contract Performance (Article 6(1)(b)):
• Providing the Service you subscribed to
• Managing your account
• Processing payments
Legitimate Interests (Article 6(1)(f)):
• Improving and optimizing the Service
• Preventing fraud and abuse
• Analytics and performance monitoring
Consent (Article 6(1)(a)):
• Marketing communications (where required)
• Non-essential cookies
• Optional data processing features
Legal Obligation (Article 6(1)(c)):
• Tax and accounting requirements
• Responding to legal requests
You may withdraw consent at any time without affecting the lawfulness of prior processing.
6. How We Use Your Data
We use your personal data to:
Provide the Service:
• Generate race simulations and pacing strategies
• Store and display your profiles and gear configurations
• Process subscription payments
• Send transactional emails (confirmations, receipts)
Improve the Service:
• Analyze usage patterns and performance
• Develop new features
• Fix bugs and optimize performance
• Conduct research (using anonymized data)
Communicate with You:
• Respond to support requests
• Send service updates and announcements
• Provide race reminders (if enabled)
• Send marketing communications (with consent)
Ensure Security:
• Detect and prevent fraud
• Monitor for unauthorized access
• Enforce our Terms of Service
7. Data Sharing
We share your data only with:
Service Providers:
• Supabase (database hosting, authentication) — EU/US
• Stripe (payment processing) — US
• Visual Crossing (weather data) — US
• Vercel (hosting) — US/EU
Legal Requirements:
• When required by law or legal process
• To protect our rights or property
• To prevent harm or illegal activity
Business Transfers:
• In connection with merger, acquisition, or sale
We do NOT:
• Sell your personal data
• Share data with advertisers
• Use data for third-party marketing
8. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.
When we transfer data outside the EEA, we ensure adequate protection through:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all processors
• Compliance with the EU-US Data Privacy Framework where applicable
You can request copies of our safeguards by contacting [email protected].
9. Data Retention
We retain your data for:
Active Accounts:
• As long as your account remains active
• Until you request deletion
After Account Deletion:
• Transaction records: 7 years (legal requirement)
• Anonymized analytics: Indefinitely
• Backups: Up to 90 days
Inactive Accounts:
• We may delete accounts inactive for 24+ months after notification
You can request earlier deletion at any time, subject to legal retention requirements.
10. Your Rights
Under GDPR, you have the following rights:
Right of Access (Article 15): Request a copy of your personal data
Right to Rectification (Article 16): Correct inaccurate or incomplete data
Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
Right to Restrict Processing (Article 18): Limit how we use your data
Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
Right to Object (Article 21): Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
Right to Lodge a Complaint: File a complaint with a supervisory authority
To exercise these rights, contact [email protected]. We will respond within 30 days.
12. Data Security
We implement appropriate technical and organizational measures to protect your data:
Technical Measures:
• Encryption in transit (TLS/SSL)
• Encryption at rest
• Secure authentication
• Regular security updates
Organizational Measures:
• Access controls and authentication
• Employee confidentiality agreements
• Regular security reviews
• Incident response procedures
While we strive to protect your data, no system is completely secure. We will notify you and relevant authorities of any breach as required by law.
13. Children's Privacy
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16.
If you believe we have collected data from a child under 16, please contact us immediately at [email protected]. We will take steps to delete such data.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
• Posting the updated policy on our website
• Updating the "Last updated" date
• Sending an email notification for material changes
We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
15. Contact and Complaints
For privacy-related questions or concerns:
Contact Us:
KeiroLabs
Sandhamnsgatan 23
11560 Stockholm
Sweden
Email: [email protected]
Supervisory Authority: If you are not satisfied with our response, you have the right to lodge a complaint with a data protection authority. In Sweden:
Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm
Sweden
https://www.imy.se