Privacy Policy
Last updated: February 2026
1. Introduction
Koru is a fitness tracking and training platform designed for runners, cyclists, swimmers, and hikers. We help you consolidate activity data from multiple sources, analyze your performance, and plan your training — all in one place.
We believe your data belongs to you. This Privacy Policy explains what information we collect, how we use it, and the rights you have over it. We are committed to transparency, minimal data collection, and never selling your personal information.
2. Information We Collect
2.1 Waitlist Information
When you sign up for the Koru waitlist, we collect your email address. If you use a referral link, we also store the referral code and the UTM source parameter associated with how you found Koru.
2.2 Account Information
When you create a Koru account, we collect your name, email address, and authentication credentials. If you sign in through a third-party provider (such as Google or Strava), we receive basic profile information from that provider.
2.3 Fitness and Health Data
Koru integrates with fitness platforms and devices to import your activity data. This may include:
- Activity data — runs, rides, swims, hikes, and other workouts including distance, duration, pace, speed, elevation, cadence, and power.
- GPS and route data — latitude, longitude, and elevation tracks recorded during outdoor activities.
- Heart rate data — resting heart rate, active heart rate zones, and heart rate variability.
- Sleep data — sleep duration, sleep stages, and sleep quality scores.
- Daily health metrics — step count, calories burned, body metrics, and stress levels.
- Gear and equipment — shoe mileage, bike components, and other tracked gear.
This data may come from Garmin Connect, Strava, Apple Health, or manual GPX/FIT file imports. We only import data you explicitly authorize.
2.4 Usage Analytics
We collect anonymized usage data to understand how people use Koru. This includes pages visited, features used, and general interaction patterns. We do not track you across other websites.
3. How We Use Your Data
We use the information we collect to:
- Provide, maintain, and improve the Koru platform.
- Import and synchronize your fitness data from connected services.
- Generate training analytics, performance trends, and insights.
- Send you service-related communications (account confirmations, security alerts, product updates).
- Send waitlist updates and launch notifications if you opted in.
- Diagnose technical issues and improve platform reliability.
We do not use your data for advertising. We do not build advertising profiles. We do not sell or rent your personal information to third parties.
4. Data Ownership
Your data is yours. Period.
Koru is built on the principle that athletes should own and control their fitness data. We are a tool that helps you organize and understand your data — we do not claim any ownership over it.
- Export anytime — you can export all of your data in standard formats at any time, at no cost.
- Delete anytime — you can delete individual activities or your entire account, and we will permanently remove your data from our systems.
- No lock-in — we will never hold your data hostage or make it difficult to leave. Portability is a core value.
5. Third-Party Services
Koru integrates with the following third-party services. Each has its own privacy policy that governs data on its platform:
- Garmin Connect — to import activities, health metrics, sleep data, and heart rate data via the Garmin API.
- Strava — to import activities, routes, and performance data via the Strava API.
- Apple Health — to import workouts, heart rate, sleep, and step data (with your explicit permission on your device).
- Resend — to deliver transactional emails such as waitlist confirmations and account notifications.
- Hosting provider — our application and database are hosted on reputable cloud infrastructure with appropriate security certifications.
We only share the minimum data necessary for each integration to function. We do not share your fitness data with any service beyond what is required to operate the features you use.
6. Data Storage and Security
Your data is stored in a PostgreSQL database with encrypted connections (TLS). We implement industry-standard security practices including:
- Encryption in transit for all data transmitted between your browser and our servers.
- Encryption at rest for sensitive data stored in our database.
- Secure authentication using OAuth 2.0 for third-party integrations.
- Regular security reviews and dependency updates.
- Access controls limiting who on our team can access production data.
We do not sell, trade, or otherwise transfer your personal information to outside parties. This does not include trusted third parties who assist us in operating our platform, provided they agree to keep this information confidential.
7. Cookies
Koru uses minimal, essential cookies. We use session cookies to keep you signed in and to remember your preferences (such as theme and unit settings). We do not use advertising cookies, tracking pixels, or third-party analytics cookies that follow you across the web.
8. Data Retention
We retain your fitness data and account information for as long as your account is active. You can delete individual activities or your entire account at any time, and we will remove the associated data from our systems within 30 days.
Waitlist data (email address and referral information) is retained until our public launch, at which point we will either convert your signup into a full account (with your consent) or delete the waitlist entry.
9. Your Rights
You have the right to:
- Access — request a copy of all personal data we hold about you.
- Export — download your fitness data in standard formats (GPX, CSV, JSON).
- Correct — update or correct inaccurate personal information.
- Delete — request permanent deletion of your account and all associated data.
- Opt out — unsubscribe from non-essential communications at any time.
To exercise any of these rights, contact us at the email address listed below. We will respond to your request within 30 days.
10. Children's Privacy
Koru is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will notify you by email or through a prominent notice on our platform. Your continued use of Koru after such changes constitutes acceptance of the updated policy.
12. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
privacy@koruapp.cc