Privacy notice

Who is responsible

OINK is operated by Kekeno Tech Ltd. For privacy questions, account requests, or data rights requests, contact us through the support form or email enquire@kekeno.tech.

Data we collect

We collect and store the information needed to provide OINK's run coordination, profile, messaging, training planner, integration, and support features. Depending on how you use OINK, this may include:

• Account and profile details, such as name, email address, optional phone number, profile image, region, public visibility preferences, profile links, theme preference, email preferences, password login status, and account activity timestamps.
• Run coordination and mission report data, such as runs you create, meeting points, route links or GPX files, uploaded run and report images, post-run photo gallery uploads and captions, invite lists, RSVP status, attendee visibility preferences, reminders, comments, reactions, post-run reviews, mission report stories, Strava links, and report access settings.
• Creator Picks data, such as submitted running links, moderation status, and reactions to published links.
• Event page and event signup data, such as event details, organiser details, event images, route files, signup answers, attendee display preferences, phone number, emergency contact details, medical issue flags and details you choose to provide, consent acceptance, participant messages, and entrant export records.
• Payment-related event data, such as requested entry fee, assigned Stripe Product/Price metadata, payment method, payment status, Stripe Checkout session IDs, Stripe payment intent IDs, payment timestamps, and bank transfer instructions where an organiser provides them. OINK does not store full card numbers, CVCs, or card expiry details.
• Directory, buddy, group, and message data, such as run buddy requests, private invite groups, direct messages, and related message metadata.
• Training planner data, such as calendar sessions, weekly focus notes, imported workout details, completion status, completion notes, comments on shared training calendar events, training goals, race and mission plans, planner chat sessions, chat messages, saved AI memory preferences, and AI-generated draft suggestions you choose to save.
• Notification data, such as notification titles, bodies, read status, links, unread counts, notification digest email preference, and the time a weekly unread-notification digest email was last sent successfully.
• Optional private athlete context for AI, such as gender, age, height, and weight, when you add those details to your profile.
• Integration data, such as Strava athlete profile details, OAuth scopes, access and refresh tokens, cached recent activity summaries, sync attempt and success timestamps, Google Calendar account details, calendar IDs, OAuth scopes, access and refresh tokens, linked calendar event IDs, Final Surge calendar sync URLs, and imported Final Surge workout metadata.
• Security and diagnostic data, such as login method, IP address, user agent, mobile session device name, mobile session expiry/revocation/last-used timestamps, trusted account and admin device records, support enquiries, and operational logs.
• Analytics data, such as Firebase Analytics events and technical identifiers when analytics is enabled.

Purposes and lawful basis

We process personal data for the following purposes:

• To create and manage your account, authenticate you, and keep the service secure. Lawful basis: performance of a contract and legitimate interests in account security.
• To organise runs, send invites, manage RSVPs, show attendee status, support comments, reminders, reviews, post-run photo galleries, groups, buddy requests, and run-related messages. Lawful basis: performance of a contract and legitimate interests in providing run coordination features.
• To create event pages, manage event signups, collect event safety and consent information, send participant updates, export entrant lists for organisers, and record event payment status. Lawful basis: performance of a contract and legitimate interests in event coordination, safety, payment reconciliation, accounting, manual organiser settlement, and dispute handling.
• To show profile, directory, buddy, and attendee information according to your visibility settings and the run context. Lawful basis: performance of a contract and legitimate interests in helping runners coordinate safely.
• To provide the training planner, save and import training calendar entries, track weekly focus notes and completion notes, support comments on shared training calendar events, support training goals, and let you keep race or mission planning details. Lawful basis: performance of a contract and legitimate interests in supporting planning.
• To provide AI planner chat and draft suggestions using your prompt, recent conversation history from the active chat session, saved AI memory preferences, planner context, weekly focus notes, completion notes, optional private athlete context, and linked Strava summaries where available. Lawful basis: your choice to use the AI feature and our legitimate interests in providing the feature; for optional private athlete context and AI memory, your consent or explicit action in adding those details.
• To connect optional integrations such as Strava, Google Calendar, and Final Surge calendar import. Lawful basis: your consent or explicit action in connecting the integration, and performance of the requested integration feature.
• To send service emails, account emails, invite emails, run coordination emails, weekly unread-notification digest emails where enabled, and optional product updates. Lawful basis: performance of a contract for account and coordination emails, legitimate interests for necessary service notices and notification digests, and consent or preference-based opt-in for optional update emails.
• To respond to support requests and privacy requests. Lawful basis: legitimate interests in support and compliance with legal obligations.
• To understand usage, diagnose issues, improve the product, and protect the service from abuse. Lawful basis: legitimate interests, except where consent is required for analytics or similar technologies.

AI and training context

If you use planner chat, OINK may send your prompt and relevant context to an AI service provider so the feature can respond. Context can include upcoming planner entries, weekly focus notes, recent planner completion outcomes and completion notes, active goals, saved AI memory preferences, optional private athlete context, cached Strava activity summaries, and recent chat history from the active chat session.

AI planner output is planning support only. Avoid entering medical, highly sensitive, or unnecessary private information into planner chat.

Who we share data with

We do not sell your personal data. We do not share your personal data with third parties for their own advertising. We use service providers and integration partners needed to operate OINK, including:

• Hosting, database, logging, and infrastructure providers.
• Private file storage providers for uploaded profile images, run images, post-run photo gallery images, event images, and route files.
• Email delivery providers for account, invite, notification, support, and product emails.
• Analytics providers, such as Firebase Analytics, where analytics is enabled.
• AI service providers, such as OpenAI, when you use AI planner chat or AI-assisted planning features.
• Strava, when you connect or refresh Strava activity data.
• Google Calendar, when you connect calendar sync or mirror planner events to your calendar.
• Final Surge, when you connect a calendar sync URL and request workout import.
• Stripe, when you use Stripe Checkout for event entry payments. Stripe processes payment details and returns payment status metadata to OINK.

Other OINK users may see limited information according to the feature being used: organisers can see invite and RSVP details for their runs; eligible post-run RSVP holders can see run photos, uploader names, and captions shared to that run's photo gallery; event organisers can see entrant signup, safety, consent, payment status, and custom answer details for events they manage; attendees may see public attendee names unless someone chooses to appear anonymous; run buddies may see profile, training information, reactions, or training calendar comments only where your settings and relationship allow it.

Race and Mission Plans are private to you unless you export the plan and share it yourself outside OINK. OINK does not store emergency contacts for Race or Mission Plans and does not send those plans to nominated contacts.

Retention

We keep personal data only for as long as needed for the purposes above, unless a longer period is required for security, legal, accounting, dispute resolution, or service integrity reasons.

• Account, profile, planner, integration, message, group, invite, review, run, run photo, event, signup, notification, digest status, and event payment metadata is generally kept while your account remains active or while the related event or run record remains needed for coordination, accounting, dispute handling, or service integrity.
• Event emergency contact and medical details are normally cleared 90 days after the event. Event participant messages are normally deleted 24 months after the event. Event payment and accounting metadata may be retained separately where needed for accounting, dispute handling, or business record requirements.
• OAuth tokens and cached integration data are kept while the integration remains connected. If you unlink Strava or Google Calendar, OINK removes the local connection record and attempts to revoke access where supported. While OINK is at Strava's connected-athlete quota, inactive Strava links may also be deauthorized and removed after 7 days without OINK activity.
• Support enquiries, security logs, login events, operational logs, and admin security records may be kept for a limited period needed to operate and protect the service.
• If you delete your account, OINK deletes your profile and associated account data where practical. Some records may remain where deletion would affect another user's run history, message thread, legal rights, or service integrity; where practical, those records will be deleted or minimised.
• Backups may retain deleted data for a limited backup lifecycle before being overwritten.

International transfers

OINK is operated from New Zealand and uses cloud, email, analytics, AI, and integration providers that may process data in other countries. Where required, we rely on appropriate safeguards such as provider data processing terms, standard contractual clauses, adequacy decisions, or equivalent transfer mechanisms.

Your choices and rights

You can update much of your personal data from your profile and download a JSON copy of personal data linked to your account. You can also change visibility settings, email preferences including weekly unread-notification digest emails, Strava and Google Calendar connections, training calendar sharing, optional private AI profile details, and saved AI memory preferences.

Depending on where you live, you may have rights to request access to your personal data, correction, deletion, restriction, objection, portability, withdrawal of consent, and review by a human where automated decisions have legal or similarly significant effects. OINK does not currently make automated decisions with legal or similarly significant effects about users.

You can delete your account from your profile. You can also contact us for help with data access, correction, deletion, export, objection, or privacy concerns.

Children

OINK is intended for runners who can responsibly use run coordination and training planning features. If you believe a child has provided personal data without appropriate permission, contact us so we can review and remove it where appropriate.

How we govern privacy internally

We maintain an internal data map that records the types of personal data we process, the purposes and lawful bases for that processing, the systems and third-party providers involved, retention periods, security controls, and known privacy risks. We use this data map to keep this notice accurate, review our processors, apply retention rules, and assess new features such as AI-assisted training support, Strava integration, Google Calendar sync, analytics, and email notifications.

We have designed OINK's privacy controls to align with GDPR principles, including transparency, data minimisation, purpose limitation, security, retention control, and user rights. We are working through the final operational steps toward GDPR compliance, including processor documentation, transfer safeguards, internal procedures, and ongoing review of retention and deletion handling.

The internal data map is not published in full because it contains operational and security details, but the key information relevant to you is summarised in this privacy notice. You can contact us if you would like more information about how your personal data is processed.

Changes to this notice

We may update this notice as OINK changes. The latest version will be posted on this page with the updated date above.

Contact

For privacy requests, use the support form or email enquire@kekeno.tech. If you are in a jurisdiction with a data protection authority, you may also have the right to complain to that authority.