HeyPao Back to home

Legal

Privacy Policy

Last updated: June 20, 2026

This Privacy Policy explains how HeyPao ("HeyPao", "we", "us", or "our") collects, uses, discloses, and protects your information when you use the HeyPao mobile application, our website at pao-app.com, and any related features or services (together, the "Service"). It also describes the privacy rights and choices available to you. Please read it carefully. If you do not agree with this Policy, please do not use the Service.

The short version. HeyPao is an AI race-pace planning app for runners. We collect the information needed to create your account, build your pacing plans, run our social features, and keep the Service working and safe.

We do not sell your personal information, and we do not share it with advertising networks or use it to build advertising profiles. You can access, correct, or delete your data — including deleting your whole account — at any time, and you can contact us with any question at support@pao-app.help. The sections below give the full detail.

Contents

  1. Who we are & what this covers
  2. Information we collect
  3. How we use your information
  4. Legal bases for processing (EEA/UK)
  5. Cookies & similar technologies
  6. How we share your information
  7. Social & public features
  8. Third-party services & links
  9. Data retention
  10. How we protect your information
  11. International data transfers
  12. Your privacy rights & choices
  13. Region-specific disclosures
  14. Children's privacy
  15. Communications & marketing
  16. Automated processing & pacing plans
  17. Do Not Track
  18. Changes to this Policy
  19. How to contact us

1. Who we are & what this covers

HeyPao provides personalised race pace plans and related running features through our iOS app and website. For the purposes of data-protection law, HeyPao is the "controller" of the personal information described in this Policy. This Policy applies to all users of the Service worldwide. Where we act only as a "processor" on behalf of another party, that party's privacy policy governs instead.

This Policy does not cover the practices of third parties we do not own or control — for example Strava, race organisers, or other websites and apps you may link to from the Service. Their use of your information is governed by their own privacy policies.

2. Information we collect

We collect information in three ways: information you give us, information we collect automatically when you use the Service, and information we receive from third parties you connect.

2.1 Information you provide to us

  • Account information — your name, email address, a username, and a password when you create an account. If you sign in through a third-party provider (such as Apple), we receive the basic account identifiers that provider shares with us.
  • Profile information — details you add to your profile, such as your display name, country or region, distance preferences, and any profile photo or avatar you upload.
  • Race & planning data — the races you browse, save, wishlist, or set reminders for; your goal times and pacing preferences; the pacing plans generated for you; and post-race information such as results or debriefs you record.
  • Social content — posts and activity you create, comments, likes, the accounts you follow or that follow you, follow requests, blocks, and any messages you send through in-app messaging.
  • Communications & support — information you provide when you contact us, respond to a survey, or report a problem, including the contents of your messages.

2.2 Information we collect automatically

  • Usage data — how you interact with the Service, such as features used, screens viewed, searches run, and actions taken.
  • Device & technical data — device type and model, operating-system version, app version, language and time-zone settings, and similar technical identifiers needed to deliver and secure the Service.
  • Diagnostics — crash reports and performance data that help us find and fix bugs.
  • Approximate location — a general location (such as country or region) that you provide or that may be inferred from your device or network, used to show relevant races and to operate the Service. We do not continuously track your precise GPS location for advertising.
  • Cookies & local storage — small amounts of data stored on your device or browser as described in our Cookie Policy.

2.3 Information from third parties

  • Connected services (Strava) — if you choose to connect Strava, we access only the activity data you authorise — for example your runs, pace, distance, splits, heart-rate, and route or elevation data — so we can analyse your own fitness and personalise your pacing. We use this data only for your benefit, never to train models on other people's behalf, and you can disconnect at any time, which stops further access.
  • Service providers — our infrastructure and authentication providers may pass us technical information (such as a verified email or security signals) needed to run and secure your account.

We do not knowingly collect more information than we need to provide the Service.

3. How we use your information

We use the information we collect to:

  • Create and manage your account and authenticate you when you sign in.
  • Provide the core Service — generating, saving, and displaying your personalised race pace plans.
  • Operate social features such as profiles, following, the activity feed, comments, and messaging, according to your privacy settings.
  • Personalise your experience, including using connected fitness data you authorise to tailor your plans.
  • Send you transactional and service messages — for example email verification codes, password-reset links, username reminders, security alerts, and important changes to the Service.
  • Send optional notifications you have enabled, such as race-registration or race-week reminders and activity from people you follow.
  • Provide customer support and respond to your requests.
  • Maintain, debug, secure, and improve the Service, and develop new features.
  • Detect, investigate, and prevent fraud, abuse, security incidents, and other harmful or unlawful activity.
  • Comply with our legal obligations and enforce our terms.

Where we use de-identified or aggregated information (which can no longer reasonably identify you), we may use it for any purpose permitted by law.

4. Legal bases for processing (EEA/UK)

If you are in the European Economic Area or the United Kingdom, we process your personal information only where we have a legal basis to do so. Depending on the situation, our legal bases are:

  • Performance of a contract — to provide the Service you have asked for, including creating your plans and managing your account.
  • Legitimate interests — to secure and improve the Service, prevent abuse, and communicate with you, where those interests are not overridden by your rights.
  • Consent — for optional activities such as connecting Strava, enabling certain notifications, or any non-essential cookies. You may withdraw consent at any time.
  • Legal obligation — where we must process information to comply with the law.

5. Cookies & similar technologies

We and our service providers use a limited set of cookies and similar local-storage technologies to keep you signed in, remember your preferences, and secure forms. We do not use them for advertising. For the full list and your choices, see our Cookie Policy. You can manage or clear cookies at any time using your browser's settings.

6. How we share your information

We do not sell your personal information. We share it only in the limited circumstances below:

  • Service providers (processors) — companies that perform services for us under contracts requiring them to protect your data and use it only on our instructions. These include Google Firebase (authentication, database, file storage, hosting, crash reporting, and push notifications) and our transactional email provider, among others.
  • Connected services you authorise — when you connect Strava, we exchange the data needed to provide the integration you requested.
  • Other users — information you choose to make visible through social features (see Section 7).
  • Legal, safety & rights protection — when we believe disclosure is reasonably necessary to comply with a law, regulation, legal process, or governmental request; to enforce our terms; or to protect the rights, property, or safety of HeyPao, our users, or the public.
  • Business transfers — in connection with a merger, acquisition, financing, reorganisation, or sale of assets, your information may be transferred as part of that transaction, subject to this Policy.
  • Aggregated or de-identified information — which does not identify you and may be shared freely.

7. Social & public features

HeyPao includes social features. Depending on your privacy settings, certain information — such as your display name, username, profile photo, and the activity, comments, or races you choose to post — may be visible to other users. If your account is private, your posts are limited to your approved followers. Direct messages are visible to the people in the conversation. Please be thoughtful about what you share, and remember that other users may see, save, or re-share content you make visible to them. You can adjust your visibility, block other users, and delete content you have posted.

8. Third-party services & links

The Service relies on, links to, or integrates with third parties such as Strava, race organisers, app stores, and cloud providers. When you interact with those third parties, their own privacy policies and terms apply, and we are not responsible for their practices. We encourage you to review the privacy policies of any third-party service you connect or visit.

9. Data retention

We keep your personal information for as long as your account is active or as needed to provide the Service, and afterwards only as long as necessary to comply with our legal obligations, resolve disputes, prevent abuse, and enforce our agreements. When information is no longer needed, we delete it or de-identify it. If you delete your account, we delete or de-identify your personal information within a reasonable period, except where we are required or permitted by law to retain it (for example, limited security or transaction logs).

10. How we protect your information

We use technical and organisational measures designed to protect your information, including encryption of data in transit, access controls, server-side security rules that restrict who can read or write data, and app-integrity checks on requests to our backend. Sensitive credentials such as connected-service tokens are stored on our servers and are not exposed to other users or to your device. No method of transmission or storage is completely secure, however, so we cannot guarantee absolute security. Please help protect your account by using a strong, unique password and keeping it confidential.

11. International data transfers

HeyPao is operated with infrastructure located primarily in the United States, and our service providers may process and store information in the United States and other countries. These countries may have data-protection laws that differ from those where you live. Where we transfer personal information from the EEA, UK, or other regions with transfer restrictions, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses or another lawful transfer mechanism — to protect that information.

12. Your privacy rights & choices

Subject to your location and applicable law, you may have some or all of the following rights:

  • Access — request confirmation of whether we process your information and a copy of it.
  • Correction — ask us to correct inaccurate or incomplete information.
  • Deletion — ask us to delete your information, including by deleting your account.
  • Portability — request a copy of certain information in a portable format.
  • Objection & restriction — object to or ask us to restrict certain processing.
  • Withdraw consent — where we rely on consent, withdraw it at any time (this does not affect processing already carried out).

You can exercise many of these directly in the app: edit your profile to correct information, disconnect Strava, manage notifications, or delete your account entirely from Settings → Delete My Account. For any other request, email us at support@pao-app.help. We will respond within the time required by applicable law and may need to verify your identity first. You will not be treated differently for exercising your rights.

13. Region-specific disclosures

13.1 California (CCPA/CPRA)

If you are a California resident, you have the right to know the categories and specific pieces of personal information we collect, the sources, the business purposes for collecting it, and the categories of third parties with whom we share it; to request deletion or correction; and to be free from discrimination for exercising your rights. In the preceding 12 months we may have collected the categories described in Section 2 (such as identifiers, account and profile details, internet/usage activity, approximate location, and content you provide).

We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising, as those terms are defined under California law. We do not use or disclose sensitive personal information for purposes that require an opt-out right. To exercise your rights, contact us at support@pao-app.help; you may also use an authorised agent, and we may ask you to verify your identity or your agent's authority.

13.2 EEA & UK (GDPR)

If you are in the EEA or the UK, you have the rights listed in Section 12, and you may lodge a complaint with your local data-protection supervisory authority if you believe we have not handled your information lawfully. Our legal bases are described in Section 4. You can contact us about any of these rights at support@pao-app.help.

13.3 Other U.S. state rights

Residents of certain other U.S. states (such as Virginia, Colorado, Connecticut, Utah, and others with comprehensive privacy laws) may have rights to access, correct, delete, and obtain a portable copy of their personal information, and to opt out of certain processing. We do not sell personal information or use it for targeted advertising. To exercise these rights, contact us at support@pao-app.help.

13.4 Nevada

Nevada residents have the right to opt out of the sale of certain covered information. We do not sell your covered information as defined under Nevada law, but you may submit a request to us at support@pao-app.help.

14. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. In some regions, the minimum age may be higher, and users under the age of digital consent should only use HeyPao with the involvement of a parent or guardian. If you believe a child has provided us with personal information, please contact us at support@pao-app.help and we will take steps to delete it.

15. Communications & marketing

We send service and transactional messages (such as verification codes, password resets, and security or account notices) that are necessary to operate your account; these are not promotional and cannot be opted out of while you have an account. You control optional notifications — such as race reminders and activity from people you follow — in the app's notification settings and in your device settings. If we ever send promotional emails, each will include an unsubscribe link.

16. Automated processing & pacing plans

HeyPao uses automated calculations to generate your pacing plans from the course profile, your goals, and the fitness data you provide. These outputs are informational recommendations to help you plan a race; they do not produce legal or similarly significant effects about you, and a human is not required to review each plan. The plans are not medical advice — please see the health disclaimer in our Terms of Service.

17. Do Not Track

Some browsers offer a "Do Not Track" signal. Because there is no common industry standard for how to respond, we do not currently respond to those signals. We do not track you across third-party websites or apps for advertising regardless.

18. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated version here with a new "Last updated" date and, where appropriate, notify you in the app or by email. Your continued use of the Service after an update means you accept the revised Policy.

19. How to contact us

If you have any questions, requests, or concerns about this Privacy Policy or how we handle your information, please contact us at support@pao-app.help. If you are in the EEA or the UK and are not satisfied with our response, you also have the right to complain to your local data-protection supervisory authority.

HeyPao

AI race pace planning for runners.

Company

  • Careers
  • Contact Us

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
© HeyPao · pao-app.com