Privacy Policy
Overview
PESSAGE ("we," "our," or "the Service") is a running lifestyle platform that curates editorial content, running routes, race calendars, gear, and recovery data for runners. We are committed to protecting your personal information and being transparent about how we collect and use it.
This Privacy Policy applies to all users of the PESSAGE web application accessible at pessage.run. By using the Service, you agree to the practices described herein.
Data We Collect
We collect information only necessary to provide the Service. The categories of personal data we process are as follows:
Social Login Information
Collected from OAuth providers
| Provider | Data Collected |
|---|---|
| Display name, email address, profile photo URL | |
| Kakao | Nickname, email address (if provided), profile photo URL |
| Naver | Name, email address, profile photo URL |
Exercise & Activity Data
Collected via Strava OAuth (user-initiated connection only)
| Category | Data Collected |
|---|---|
| Recent Activities | Activity name, date, distance (km), moving time, pace (min/km) |
| Heart Rate | Average heart rate, maximum heart rate (only when HR monitor is connected to device) |
| Calories | Estimated caloric expenditure per activity |
| Annual Stats | Year-to-date total running distance |
| Athlete Profile | First name, last name, profile photo (from Strava) |
Device integrations (Garmin, COROS, Suunto)
When you connect a supported wearable device (Garmin, COROS, or Suunto), PESSAGE may collect the following data via the device's official API:
- Activity data: distance, pace, duration, heart rate
- Recovery metrics: sleep score, HRV, training load
- GPS route data (for route visualization)
This data is used solely to provide personalized training insights and recovery recommendations within the Service.
Automatically Collected Data
- Firebase Authentication tokens and session state
- Standard web server logs (IP address, user agent, page requests) maintained by Vercel infrastructure
Purpose of Use
| Purpose | Description |
|---|---|
| Authentication | To identify you and maintain your logged-in session across the Service |
| Personalization | To display your name and profile photo; to restore your saved articles and gear |
| Recovery Features | To calculate your Ritual Score and display real running metrics on the Recovery Ritual page using Strava and connected device data |
| AI Content | To generate personalized recovery ritual recommendations using your activity data as context (processed via Google Gemini API) |
| Service Improvement | To understand how the Service is used and to fix technical issues |
Third-Party Sharing
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
Third-party services involved in the Service
| Service | Role |
|---|---|
| Google Firebase | Authentication (Google login), user session management, and cloud database (Firestore) for user preferences, saved content, and device connections |
| Kakao Developers | OAuth authentication for Kakao users |
| Naver Developers | OAuth authentication for Naver users |
| Strava | Exercise data retrieval (only when you explicitly connect your account) |
| Google Gemini API | AI-generated recovery ritual text (activity context sent as prompt input) |
| Sanity.io | Content management system for editorial articles, routes, and gear |
| Vercel | Cloud hosting and serverless function infrastructure |
| Garmin Connect API | Activity & recovery data (only when you explicitly connect your device) |
| COROS API | Activity & recovery data (only when you explicitly connect your device) |
| Suunto API | Activity & recovery data (only when you explicitly connect your device) |
When you use the AI Ritual feature, a text prompt containing your running statistics (distance, pace, heart rate) is sent to Google Gemini API. No personally identifiable information (name, email) is included in these prompts.
Data Retention
| Data Type | Retention Period |
|---|---|
| Firebase Auth credentials | Until you log out or delete your account |
| Strava tokens & activity data | Stored in Firestore; deleted when you disconnect Strava or delete your account |
| Device connections (Garmin, COROS, Suunto) | Stored in Firestore; deleted when you disconnect the device or delete your account |
| Saved articles & gear | Stored in Firestore; deleted when you delete your account |
| AI-generated content | Stored in Firestore; deleted when you delete your account |
| Server logs | Retained by Vercel infrastructure per their standard log retention policy |
PESSAGE uses Google Firebase Firestore as its cloud database to store user preferences, saved content, device connections, and activity data. All personal data stored in Firestore is deleted when you delete your account.
Your Rights
You have the following rights regarding your personal information:
- Access — You may request a copy of the personal data we hold about you.
- Correction — You may update your display name directly within the PESSAGE app profile settings.
- Deletion — You may delete your account and all associated Firestore data from the Profile page. You may also revoke OAuth access through Google, Kakao, Naver, or Strava account settings.
- Withdrawal of Consent — You may disconnect Strava or wearable devices at any time via the Profile page. You may revoke Google Firebase authentication via your Google account's connected apps page.
- Portability — Exercise data remains in your Strava account and connected device platforms (Garmin, COROS, Suunto) and can be exported directly from those services.
To exercise any of these rights or for privacy inquiries, please contact us at the address below.
Cookies & Local Storage
PESSAGE uses Firebase Authentication tokens and browser localStorage to maintain your login state. User data (saved content, device connections, activity data) is stored in Firebase Firestore, not in browser storage.
Firebase Authentication may use cookies or local storage as part of its standard authentication flow. You can clear these at any time through your browser settings.
We do not use advertising cookies or third-party tracking scripts.
Children's Privacy
PESSAGE is not directed at children under the age of 14. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.