Privacy Policy
Last updated: 6 July 2026 · Version: 1.0
1. Who's responsible for your data
The data controller for the personal data described in this policy is Dylan Janssens, h.o.d.n. Tempo / Swipe Your Bite, a sole proprietorship (eenmanszaak) registered with the Dutch Chamber of Commerce (KvK 81923201), VAT BTW NL003619262B91. Contact us about your data at hello@withtempo.run.
Data Protection Officer (DPO). We have not appointed a Data Protection Officer. As a sole proprietorship we are not a public authority, our core activities do not consist of large-scale regular and systematic monitoring of data subjects, and our core activities do not consist of large-scale processing of special-category data within the meaning of Art. 37(1) GDPR. The privacy contact above is the responsible person for data-protection questions and rights requests.
2. What we collect
2.1 Account data
Email address, hashed password, language preference, sign-up date.
2.2 Profile and training data you give us
Name (first name only is sent to the AI; see § 4), date of birth (optional), goals, race history, training preferences, injury notes, free-text journal entries.
2.3 Activity and health data from connected devices
If you connect a wearable via Terra (Garmin, WHOOP, Oura, Apple Health, etc.), we ingest activity records (runs, rides, swims), heart rate, HRV, sleep, body composition, and — only if you explicitly opt in — menstrual-cycle data. Heart-rate, HRV, sleep and cycle data are special-category personal data ("data concerning health") within the meaning of Art. 9 GDPR.
2.4 Conversations
Every message you exchange with Tempo. We need this to maintain context across sessions; this is the core of the product. Free-text conversations may incidentally contain health information you choose to share, which we then process under Art. 9(2)(a) explicit consent — see § 3.
2.5 Subscription and payment data
Subscription tier, billing dates, plan changes, cancellation reasons. We never see or store your full card number. Stripe handles all card data directly as an independent controller for payment-card data and as our processor for subscription metadata.
2.6 Usage analytics (optional, requires explicit consent)
Anonymized event data (which screens you visit, which features you use, error counts) — only after you tap "Allow" on the in-app consent prompt. The default state is off. You can revoke consent anytime in Profile → Privacy and we'll stop sending events immediately and delete identifiable past events on request.
2.7 Crash and error data
If the app crashes or hits an unexpected error, we capture the technical details (stack trace, OS version, app version). No content from your conversations or training data is included in crash reports.
3. Why we use your data — and the legal basis
We process your personal data only where we have a valid legal basis under Article 6 GDPR (and, for special-category data, Article 9 GDPR). The table below maps every purpose to its specific basis. "Improving our service" is not, on its own, a legal basis — service-improvement work that uses identifiable data is performed only on the basis of an Art. 6 ground listed below, and product analytics are run only with consent.
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Provide chat responses, store your training history, run the chat (the core Service) | Account, profile, conversations, activity | Performance of a contract — Art. 6(1)(b) GDPR |
| Process payments, manage your subscription, prevent payment fraud | Subscription, payment metadata | Performance of a contract — Art. 6(1)(b) GDPR; legitimate interests in fraud prevention — Art. 6(1)(f) GDPR |
| Send transactional emails (welcome, trial-ending, payment-failed, account changes, security notices) | Account | Performance of a contract — Art. 6(1)(b) GDPR |
| Process health data from your wearable (HRV, sleep, heart rate) to inform Tempo's responses | Health (special category) | Explicit consent — Art. 9(2)(a) GDPR, given when you connect the wearable; underlying processing on Art. 6(1)(b) GDPR |
| Process menstrual-cycle data to contextualize Tempo's responses | Health (special category) | Explicit consent — Art. 9(2)(a) GDPR, given via a separate, specific opt-in toggle. You can withdraw at any time in Profile → Privacy → Cycle tracking, with no effect on the rest of the Service. |
| De-identified, aggregated analysis to improve Tempo's prompts and evaluations (no model is trained on your raw conversations; data is aggregated and not linked back to you) | De-identified derivatives of conversations and training data | Legitimate interests — Art. 6(1)(f) GDPR (improving service quality), balanced against your interests; you may object under Art. 21 GDPR |
| Product analytics (PostHog) — understanding which features are used | Anonymized usage events | Explicit consent — Art. 6(1)(a) GDPR; opt-in only |
| Crash and error reporting, abuse prevention, security monitoring | Technical logs, app/OS version | Legitimate interests — Art. 6(1)(f) GDPR (running a secure, reliable Service) |
| Comply with Dutch tax, accounting, and consumer-law record-keeping obligations | Invoices, subscription history | Legal obligation — Art. 6(1)(c) GDPR (notably Art. 52 AWR) |
| Defend, exercise, or establish legal claims | Whatever is strictly necessary | Legitimate interests — Art. 6(1)(f) GDPR; for special-category data, Art. 9(2)(f) GDPR |
Withdrawing consent. Where processing is based on consent (Art. 6(1)(a) or Art. 9(2)(a) GDPR), you may withdraw it at any time, with no effect on the lawfulness of processing already carried out. Toggle controls live in Profile → Privacy.
4. Privacy-preserving design choices
Two specific choices are worth surfacing because they shape what leaves our infrastructure:
- AI inputs are sanitized. Before any prompt is sent to the Google Gemini API, we strip identifiers — only your first name is included, never your email, surname, phone, address, or precise location. The conversation context is also capped at the most recent ~20 messages to limit data exposure.
- Observability data is decoupled from identity. Langfuse receives prompt/response pairs for quality monitoring but not your email or full name.
5. Who we share your data with (sub-processors)
We do not sell your data, and we do not share it with advertisers or data brokers. We do use carefully chosen sub-processors to run the Service. Each is bound by a written data processing agreement (Art. 28 GDPR) and, where data leaves the EEA, by appropriate safeguards (see § 6).
| Provider | What they do for us | Data location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Stripe | Payment processing, subscription billing | EU + USA (SCCs + EU-U.S. DPF where applicable) |
| Google (Gemini AI) | AI inference for chat responses (we send sanitized data — first name only, no email/phone/surname/address) | USA (SCCs + EU-U.S. DPF where applicable) |
| Terra | Wearable data ingestion (only if you connect a device) | EU + USA (SCCs) |
| PostHog | Anonymized product analytics (only with your explicit in-app consent) | EU |
| Resend | Transactional email delivery | EU + USA (SCCs) |
| Vercel | Marketing website hosting (this page!) | USA (SCCs) |
| Langfuse | AI observability — captures the prompts and model responses, not your email or full name | EU |
| Sentry | Crash and error reporting | EU |
6. International transfers
Some sub-processors above are based in, or may transfer data to, countries outside the European Economic Area — principally the United States. For those transfers we rely on the European Commission's Standard Contractual Clauses (SCCs) (Decision 2021/914) as the primary safeguard under Art. 46(2)(c) GDPR, and on the EU-U.S. Data Privacy Framework adequacy decision (Implementing Decision (EU) 2023/1795) where the relevant US sub-processor is certified. Where additional supplementary measures are warranted, we apply technical measures (sanitization of AI inputs, encryption in transit, EU-region selection where available) and contractual measures (DPA terms requiring breach notice and deletion on request). You can request a copy of the relevant SCCs by emailing hello@withtempo.run.
7. How long we keep your data
- Account, profile, and conversation history: as long as your account is active. When you delete your account in-app, identifiable data is removed from the live database immediately; references in encrypted backups roll off within up to 90 days as backups are rotated.
- Activity and wearable data: same as above.
- Cycle-tracking data: same as above; you may also delete it independently via Profile → Privacy → Cycle tracking without deleting your account.
- Payment records and invoices: 7 years (Dutch tax law, Art. 52 AWR).
- Crash and error logs: 30 days.
- AI observability data (Langfuse): 90 days.
- Anonymous analytics (PostHog): aggregated metrics indefinitely; individual events 1 year.
8. Data breach notification
In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of it, in accordance with Art. 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, without undue delay, in clear and plain language, in accordance with Art. 34 GDPR.
9. Your rights under GDPR
You have the right to:
- Access (Art. 15) — request a copy of your personal data (Profile → Privacy → Export my data).
- Rectification (Art. 16) — correct inaccurate data via Profile, or by emailing us.
- Erasure / "right to be forgotten" (Art. 17) — delete your account at Profile → Privacy → Delete account. This removes your identifiable data immediately from the live database; backup roll-off is described in § 7.
- Restriction of processing (Art. 18) — pause certain uses; contact us.
- Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format (JSON / CSV) via the export feature.
- Object (Art. 21) — to processing based on legitimate interests, including the de-identified product-improvement use described in § 3.
- Withdraw consent (Art. 7(3)) — for analytics, cycle tracking, and any other consent-based processing, in Profile → Privacy. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Not be subject to fully automated decisions with legal or similarly significant effects (Art. 22) — Tempo provides AI-generated dialogue, but no decision with legal or similarly significant effect on you is taken solely by automated processing. Tempo's suggestions are advisory; you decide whether to act on them.
- Lodge a complaint (Art. 77) with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl, or with the supervisory authority of your EU country of habitual residence or place of work.
To exercise any of these rights, email hello@withtempo.run. We will respond within one month of receiving your request (Art. 12(3) GDPR), with a possible extension of two further months for complex or numerous requests, in which case we'll notify you of the extension within the first month.
10. Cookies and similar technologies
The marketing site (this page) uses no tracking cookies. The Tempo app uses local storage only for app function (your auth session, your preferences). We use no advertising cookies, no cross-site trackers. The optional PostHog analytics, when you enable it, uses an anonymous device identifier that does not follow you across other sites.
11. Children
Tempo is intended for users aged 18 and over. We do not knowingly collect personal data from children under 18, and we do not direct the Service to children. If you are a parent or guardian and you believe a child has provided us with personal data, contact hello@withtempo.run and we will delete the account and any related data without undue delay. We do not rely on Art. 8 GDPR (information-society services to children) because we do not knowingly process children's data at all.
12. Security
Data in transit is encrypted with TLS 1.2+. Data at rest in Supabase is encrypted. Authentication uses bcrypt-hashed passwords. We follow least-privilege access for staff (currently a single founder-operator) and rotate credentials when third-party access changes. We log access to production systems. No system is perfectly secure — if you spot a vulnerability, please report it responsibly to hello@withtempo.run and give us a reasonable window to remediate before public disclosure.
13. Changes to this policy
Material changes will be communicated by email and/or in-app notice at least 30 days before they take effect. Non-material changes (clarifications, sub-processor link updates) take effect on posting. The "Last updated" date at the top of this page reflects the most recent revision.
Privacy questions? hello@withtempo.run
Tempo is a trade name of Dylan Janssens, KvK 81923201, BTW NL003619262B91.