Data Processing & Retention Policy

iOS Application Only

Version: 4.0.0 | Effective Date: March 5, 2026

Jurisdiction: United Kingdom (England & Wales) | Age Restriction: 13+

1. PURPOSE

This Data Policy establishes internal procedures for handling user data in compliance with global privacy regulations including GDPR, CCPA, COPPA, and App Store requirements.

2. DATA CLASSIFICATION

2.1 Personal Data Categories

  • PII (Personally Identifiable Information): Email, display names, Firebase UIDs
  • Location Data: GPS coordinates, route polylines, background tracking
  • Device Data: iOS device IDs, usage analytics, performance metrics
  • Biometric Data: Speed, pace, distance, activity patterns

2.2 Sensitive Data

  • Children's Data: Any data from users under 18 (COPPA compliance)
  • Location Data: Precise GPS coordinates (privacy protection)
  • Health Data: Fitness metrics and performance data

3. DATA PROCESSING PRINCIPLES

3.1 Lawfulness, Fairness, Transparency

  • Data collected only for legitimate purposes
  • Clear privacy notices and consent mechanisms
  • Transparent data processing practices

3.2 Purpose Limitation

  • Data used only for stated purposes
  • Additional uses require new consent
  • Regular purpose limitation audits

3.3 Data Minimization

  • Collect only necessary data
  • Regular data minimization reviews
  • Automatic data cleanup procedures

3.4 Accuracy

  • Data validation at collection point
  • User ability to correct inaccurate data
  • Regular data accuracy audits

3.5 Storage Limitation

  • Data retained only as long as necessary
  • Automatic deletion procedures
  • Retention schedule compliance

3.6 Integrity and Confidentiality

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security assessments

3.7 Accountability

  • Data processing records maintained
  • Regular compliance audits
  • Incident response procedures

4. USER RIGHTS IMPLEMENTATION

4.1 Right to Access

  • Complete data export functionality
  • User-friendly data presentation
  • Response within 30 days

4.2 Right to Rectification

  • In-app data editing capabilities
  • Profile update functionality
  • Change request processing

4.3 Right to Erasure ("Right to be Forgotten")

  • One-click account deletion
  • Complete data removal procedures
  • Third-party data deletion coordination

4.4 Right to Data Portability

  • JSON export format
  • Complete data inclusion
  • Machine-readable format

4.5 Right to Object/Withdraw Consent

  • Granular consent controls
  • Easy opt-out procedures
  • Consent withdrawal confirmation

4.6 Right to Restriction of Processing

  • Data processing pause functionality
  • Limited processing during disputes
  • Processing restriction notifications

5. CHILDREN'S DATA PROTECTION (COPPA)

5.1 Age Verification

  • Mandatory age verification on first launch
  • Parental consent for users 13-17
  • Age category data segregation

5.2 Separate Processing

  • Children's data processed separately
  • Limited analytics for minors
  • Parental access controls

5.3 Parental Rights

  • Data access and review capabilities
  • Consent withdrawal procedures
  • Data deletion on parental request

6. DATA SECURITY MEASURES

6.1 Technical Safeguards

  • HTTPS/TLS encryption for all data transmission
  • iOS Keychain for sensitive credential storage
  • Firebase Security Rules for access control
  • Regular security penetration testing

6.2 Administrative Safeguards

  • Role-based access controls
  • Employee training and awareness
  • Background check procedures
  • Regular security audits

6.3 Physical Safeguards

  • Secure data center facilities
  • Access logging and monitoring
  • Disaster recovery procedures
  • Business continuity planning

7. DATA BREACH PROCEDURES

7.1 Incident Detection

  • 24/7 monitoring and alerting
  • Automated anomaly detection
  • User report handling procedures

7.2 Incident Response

  • Immediate containment procedures
  • Forensic investigation protocols
  • Communication templates and procedures

7.3 Notification Requirements

  • Regulatory notification within 72 hours
  • Affected user notification within 30 days
  • Clear breach description and remediation steps

7.4 Post-Incident Review

  • Root cause analysis procedures
  • Corrective action implementation
  • Prevention measure updates

8. INTERNATIONAL DATA TRANSFERS

8.1 Transfer Mechanisms

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions for approved countries
  • Binding Corporate Rules where applicable

8.2 Transfer Risk Assessment

  • Country-specific privacy assessments
  • Local law compliance reviews
  • Transfer mechanism effectiveness evaluation

8.3 Ongoing Compliance

  • Annual transfer mechanism reviews
  • Local law monitoring and updates
  • User consent for high-risk transfers

9. VENDOR AND THIRD-PARTY MANAGEMENT

9.1 Vendor Assessment

  • Privacy and security capability evaluation
  • Contractual safeguard requirements
  • Regular vendor compliance audits

9.2 Sub-Processor Management

  • Complete sub-processor inventory
  • Data processing agreement requirements
  • Incident notification procedures

9.3 Contractual Requirements

  • Data protection clause templates
  • Liability and indemnification provisions
  • Termination and data return procedures

10. AUDIT AND COMPLIANCE MONITORING

10.1 Regular Audits

  • Annual comprehensive privacy audits
  • Quarterly compliance assessments
  • Monthly data processing reviews

10.2 Documentation Requirements

  • Data processing records maintenance
  • Privacy impact assessment procedures
  • Consent record retention

10.3 Continuous Improvement

  • Privacy program maturity assessments
  • Emerging regulation monitoring
  • Best practice adoption procedures

11. TRAINING AND AWARENESS

11.1 Employee Training

  • Annual privacy and security training
  • Role-specific training requirements
  • Certification and testing procedures

11.2 Contractor Requirements

  • Equivalent training for contractors
  • Confidentiality agreement requirements
  • Background check procedures

11.3 Ongoing Education

  • Privacy policy updates and training
  • Incident response training
  • Emerging threat awareness

12. POLICY MAINTENANCE

12.1 Regular Review

  • Annual policy review and update
  • Regulatory change monitoring
  • User feedback incorporation

12.2 Change Management

  • Policy change approval procedures
  • Communication and training requirements
  • Implementation timeline management

12.3 Version Control

  • Policy version tracking
  • Change history maintenance
  • Archive retention procedures

This Data Policy applies exclusively to the iOS version of Are You Faster.

Privacy Policy Terms of Service Contact Support Back to Home