Privacy Policy
Effective Date: March 31, 2026
Last Updated: March 31, 2026
This Privacy Policy describes how Role Run (“we,” “us,” or “our”) collects, uses, stores, and shares information when you use the Role Run mobile application (“App” or “Service”). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
1. Information We Collect
We collect information in the following categories:
1.1. Account Information
When you create an account, we collect your email address for authentication purposes. If you sign in via Apple ID or Google OAuth, we receive an authentication token to establish your session. OAuth tokens are not stored; they are exchanged for a session credential and discarded.
1.2. Profile Information
You may provide personal information for story personalization, including your first name, age range, job role, the name of an important person in your life, emotional triggers, and motivations. This data is stored locally on your device using Apple's SwiftData framework and is not transmitted to our servers except as described in Section 3.
1.3. Fitness Data
The App collects running metrics including distance, pace, and duration as part of its core functionality. In outdoor mode, the App also collects GPS location data to calculate distance and map your route. All fitness data is stored locally on your device.
1.4. Health Data
With your explicit authorization, the App may read from and write to Apple HealthKit. Data accessed through HealthKit may include distance, active calories, and heart rate. HealthKit data is managed exclusively by Apple and is not transmitted to our servers or any third party. See Section 7 for additional detail.
1.5. Usage Preferences
The App records your preferred genres, intensity settings, narration voice preference, and music preferences. These settings are stored locally on your device using SwiftData.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Authentication. Your email address and authentication tokens are used solely to create and manage your account session via Supabase.
- Story Generation. A subset of your Profile Information is transmitted to our AI provider to generate personalized stories. See Section 3 for details.
- Core Functionality. Fitness data (distance, pace, duration, GPS coordinates) is used to power the App's run tracking and story progression features.
- Workout Export. With your authorization, completed workout data is written to Apple HealthKit.
- Personalization. Usage preferences are used to customize your experience within the App.
3. Data Transmitted to Servers
The following data is transmitted from your device to external servers during normal use of the Service:
3.1. Authentication Credentials
Your email address and session tokens are transmitted to Supabase for account authentication and session management. This data is stored server-side by Supabase as part of its authentication service.
3.2. Story Generation Data
To generate personalized stories, a subset of your Profile Information — specifically your first name, job role, fears, motivations, and the name of an important person — is transmitted to a Supabase Edge Function, which forwards it to OpenRouter (our third-party AI provider, currently using the Claude 3.5 Haiku model) as part of a generation prompt.
This data is transient. It is included in the API request payload, used to generate the story response, and is not persisted on our servers, in our database, or by OpenRouter beyond the duration of the request. We do not log, cache, or retain this data after the story has been delivered to your device.
4. Data Stored on Your Device
The majority of your data remains on your device and is never transmitted to our servers. On-device data includes:
- Profile information (SwiftData)
- Run session history and metadata (SwiftData)
- Generated stories, chapters, and checkpoints (SwiftData)
- GPS location points recorded during runs
- HealthKit data (managed by Apple)
- App preferences and settings (SwiftData)
This data can be permanently removed by uninstalling the App from your device.
5. Third-Party Services
The Service relies on the following third-party services, each of which maintains its own privacy policy:
| Provider | Purpose | Data Received |
|---|---|---|
| Supabase | Authentication, edge function hosting | Email, session tokens |
| OpenRouter | AI story generation | Profile subset (transient, not persisted) |
| Apple HealthKit | Workout data read/write | Distance, calories, heart rate (user-authorized) |
| RevenueCat | Subscription management | Purchase receipts, subscription status |
6. Data Sharing
We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes. We share data with third parties only as described in this Privacy Policy — namely, for authentication (Supabase), story generation (OpenRouter), and subscription management (RevenueCat). Each third-party provider receives only the minimum data necessary to perform its designated function.
7. Apple HealthKit Compliance
7.1. Access to HealthKit data is optional and requires your explicit, informed consent through the standard iOS HealthKit authorization prompt.
7.2. We do not use HealthKit data for advertising, data brokerage, or any purpose other than providing health and fitness functionality within the App.
7.3. HealthKit data is never transmitted to our servers, stored in our databases, or shared with any third party.
7.4. HealthKit data remains within Apple's HealthKit framework on your device and is subject to Apple's privacy policies and your device's security protections.
8. Data Retention
8.1. Server-side data (email address, authentication session) is retained for as long as your account is active. Upon account deletion, this data is permanently removed from our systems.
8.2. On-device data is retained until you uninstall the App or manually clear the App's data through your device settings.
8.3. Story generation data transmitted to OpenRouter is transient and is not retained after the completion of the API request.
9. Your Rights and Choices
9.1. Account Deletion. You may request deletion of your account and all associated server-side data by contacting us at the address provided in Section 13.
9.2. On-Device Data. You may delete all on-device data at any time by uninstalling the App.
9.3. HealthKit Permissions. You may revoke HealthKit access at any time through your device's Settings → Privacy & Security → Health.
9.4. Location Permissions. You may revoke location access at any time through your device's Settings → Privacy & Security → Location Services.
10. Data Security
We implement commercially reasonable technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. On-device data benefits from Apple's built-in device encryption. Server-side data is protected by Supabase's security infrastructure, including encryption in transit (TLS) and at rest. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.
11. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly.
12. App Store Privacy Labels
In accordance with Apple's App Store requirements, we disclose the following privacy nutrition labels:
| Category | Data |
|---|---|
| Data Used to Track You | None |
| Data Linked to You | Email address (account), Name (profile) |
| Data Not Linked to You | Fitness data, Location, Health |
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the “Last Updated” date at the top of this page and, where practicable, by providing notice through the App. Your continued use of the Service after the revised Privacy Policy becomes effective constitutes your acceptance of the revised policy.
14. Contact
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at: support@rolerun.app