Last updated: June 2026
Privacy Policy
Controller
Martin Respondek, Kartäuserstr. 16, 55116 Mainz, Germany.
Email: [email protected]
Our Principles
myrotation.run is a non-commercial, ad-free service. No data is shared with advertisers. No user profiles are created for marketing purposes.
Sign-in via Google OAuth
You can create an account by signing in with Google. Data stored: name, email address, Google profile ID, profile picture URL. Used exclusively to provide the service, not shared with third parties.
Legal basis: Art. 6(1)(b) GDPR.
Note: Google's Privacy Policy also applies during the OAuth flow.
Sign-in via Strava OAuth
You can also create an account by signing in with Strava. Data stored: first name, last name, Strava athlete ID, profile picture URL. Email address is not stored — Strava accounts and Google accounts are kept entirely separate.
Strava accounts are identified solely by Strava athlete ID. If you later sign in with Google using the same email, a separate account is created.
Legal basis: Art. 6(1)(b) GDPR.
Note: Strava's Privacy Policy also applies during the OAuth flow.
Strava Gear Data
When signing in with Strava, you can optionally import your running shoe gear from your Strava profile. The following data is fetched via the Strava API and stored in our database:
- Shoe name (as entered in your Strava gear list)
- Cumulative distance per shoe (in metres)
- Retired status
This data is fetched when you first connect your Strava account and is automatically refreshed each time you open the Edit page, so your km totals stay up to date. It is used solely to pre-fill and display your shoe rotation with distance information. It is not shared with third parties. You can remove it at any time by deleting your account.
The Strava API access scope used is read,profile:read_all, which covers basic profile information and gear data only. No activity data (routes, GPS, heart rate, etc.) is accessed.
Legal basis: Art. 6(1)(b) GDPR.
Profile Visibility and Sharing Controls
Profiles are accessible at myrotation.run/u/yourname. Each user controls exactly what is visible to whom via granular sharing settings in their Edit page. The following visibility levels apply to each section of the profile:
- Public — visible to anyone, including search engines
- Members — visible only to logged-in users
- Private — visible only to you
Sections that can be controlled individually: Rotation, Hall of Fame, Wishlist, Archive, shoe photos, notes, and activity data (km). Email and account credentials are never public.
Accounts can be deleted in profile settings — all data is permanently removed on deletion.
Legal basis: Art. 6(1)(b) GDPR.
Notes on Shoes
Users can add a personal text note to each shoe in their Rotation, Wishlist, and Archive. Notes are limited to 300 characters, may not contain URLs or HTML, and are plain text only.
Notes can be set to Members (visible to logged-in users) or Private (only you). Notes can never be set to Public — they are not indexed by search engines.
Notes are not encrypted at the application level. They are protected by access control and the security of the underlying database infrastructure. Do not store sensitive personal information in notes.
Legal basis: Art. 6(1)(b) GDPR.
Shoe Photos
Users may optionally upload a photo for each shoe in their Rotation, Hall of Fame, or Archive. Photos are stored on Vercel Blob (US servers operated by Vercel Inc.) and referenced by URL in the database.
Photo visibility is controlled via the sharing settings: Members only (default), Public, or Private. Public photos are accessible to anyone, including search engines. Members-only photos require a logged-in account to view.
Copyright and rights confirmation: Before uploading a photo for the first time, users must confirm that they own the rights to the image and that it was taken by them. Photos of third-party brand product shots or images sourced from the web are not permitted.
We do not systematically review uploaded photos. If you believe a photo infringes your copyright, please contact us at [email protected] and we will remove it promptly.
All photos are permanently deleted when the associated account is deleted. Individual photos can be removed at any time from the Edit page.
Legal basis: Art. 6(1)(b) GDPR.
Social Features (Follows and Likes)
Logged-in users can follow other profiles and like them. Data stored: follow relationships (which profiles a user follows) and like interactions (which profiles a user has liked), each with a timestamp.
These interactions are not publicly attributed — other users only see aggregate counts (number of followers, number of likes), never who specifically followed or liked a profile.
All social interaction data is permanently deleted when the associated account is deleted.
Legal basis: Art. 6(1)(b) GDPR.
Compatibility Score
When a logged-in user visits another user's public profile, a compatibility score (0–100 %) is calculated and displayed. The score compares the two users' shoe selections across rotation, hall of fame, wishlist, and archive.
No additional data is stored for this feature. The score is derived exclusively from profile data that is already visible to the viewer under the applicable sharing settings, and is computed on-the-fly on our server. The result is symmetric — both users would see the same value.
Legal basis: Art. 6(1)(b) GDPR.
Cookies and Session Data
Only strictly necessary and functional cookies are used: a session cookie (via NextAuth.js) and a functional cookie storing your light/dark theme preference. The theme cookie contains only the value light, dark, or system — no identifiers. No tracking, analytics, or advertising cookies. No cookie consent required under current EU and German law.
Server Logs
The hosting provider records IP address (anonymised), date/time, URL, HTTP status, data volume, referrer, and user agent. Used for error analysis and security only, deleted after 30 days.
Legal basis: Art. 6(1)(f) GDPR.
Hosting
Vercel Inc., 340 Pine Street, Suite 701, San Francisco, CA 94104, USA. DPA in place. Data transfers to USA based on EU Standard Contractual Clauses.
Your Rights
Under GDPR you have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17 — via profile settings), restriction (Art. 18), objection (Art. 21), and complaint to a supervisory authority.
To request a copy of your data, contact [email protected] — response within 30 days.
Changes
The "last updated" date at the top of this page reflects the most recent revision.