Privacy
We built Shooson to be a private running coach — not a data business. This page explains exactly what information Shooson holds about you, why we need it, and what your rights are. We've written it in plain English on purpose.
Who we are
Shooson is operated by Shooson Ltd. For the purposes of data-protection law, Shooson Ltd is the data controller — the company responsible for deciding how your personal information is used. If you have any privacy question or request, email privacy@shooson.com.
What we collect and why
We collect the minimum information required to provide the service:
- Your email address — used to identify your account and for the occasional service email (e.g. a weekly plan summary or important account notice). No marketing emails.
- Your run history — imported from Strava with your permission, or recorded directly by the app. Used by the coach to build and adapt your training plan.
- Your training plan — the weekly schedule the coach creates for you. Stored so it is available across your devices and watch.
- Your device push-notification token — an opaque code supplied by your phone's operating system, used only to deliver run reminders and your weekly plan. Rotated automatically by the OS.
The lawful basis for this processing is performance of your contract with us — this information is what you signed up for and without it the service cannot work.
App permissions
The Shooson mobile app and watch apps request the following permissions. All of them are used only while you are actively recording a run — never in the background for advertising, analytics, or any other purpose.
Location (GPS)
Location access is used to track your route while you run. It is only active when you start a workout and stops the moment you finish. GPS data from a run is stored as part of your activity record so you can see your route later and so the coach can measure your pace accurately.
You are never tracked outside of a run. The app does not access location in the background.
On Apple Watch and Wear OS, location is collected by the watch during the run through the operating system's standard GPS APIs. On Garmin, GPS data is held on-device by Garmin; Shooson only receives the finished activity data (distance, duration, heart rate) that Garmin passes to Strava after the run — not the raw GPS track.
Push notifications
We send push notifications to remind you of upcoming sessions and to deliver your weekly plan every Monday. We use Firebase Cloud Messaging (provided by Google) to deliver these. You can turn notifications off at any time in your device settings. If you do, the app continues to work — you just won't receive reminders.
Firebase only receives the notification token and the message content. No personal data beyond that is shared with Google for this purpose, and Google processes it only as our data processor (under a data processing agreement).
Heart rate
Heart-rate data from your watch is used to track effort during a run and is stored as part of your activity record. It is not shared with anyone and is not used for any purpose other than your own coaching insights.
Strava connection
If you connect Strava, we import your recent runs (the last 90 days by default, or further back if you choose to in Settings) so the coach has context for your fitness level. Your Strava OAuth token is stored encrypted (AES-256-GCM) and is only ever used to fetch your run data.
Disconnecting Strava — from the Settings screen in the app, or by revoking access at strava.com/settings/apps — deletes every piece of Strava-derived data we hold for you (activities, tokens, import history) within 24 hours, as required by the Strava API Agreement.
Sharing a run (privacy buffer)
If you choose to share a run — for example, as an image or a link — Shooson automatically removes the first and last 200 metres of the GPS track from anything shared outside the app. This means your home, office, or regular start point is never revealed. This is applied automatically; you don't need to configure anything.
No social features, no aggregate use
Shooson has no social feed, leaderboards, or community features. Your data is yours alone.
We do not aggregate, anonymise, or analyse data across users for any purpose — not for product research, trend analysis, or anything else. Your run history, plan, and health data are used only to power your own service.
This website
The shooson.com website ships no analytics trackers, no advertising pixels, and no third-party scripts that track you. We don't set cookies. We don't log your IP address for profiling purposes.
Where your data is stored
Shooson's servers are located in the European Union. Your data does not leave the EU except for the Firebase notification token (handled by Google under their EU data processing terms). We do not transfer personal data to the US or other third countries for any other purpose.
How long we keep your data
We keep your data for as long as you have an active account. If you delete your account, all data is permanently deleted within 30 days — including your run history, training plans, connected account tokens, and notification tokens. There is no archive or backup retention beyond this period.
Deleting your account
You can request account deletion at any time by emailing privacy@shooson.com from your registered address. When your account is deleted:
- All personal data is permanently removed from our servers.
- Your Strava connection is revoked and all Strava-derived data is deleted.
- All other third-party account links are removed.
- Your push-notification token is deleted.
Deletion is irreversible. We do not retain any identifiable information after this process completes.
Your rights under GDPR
If you are in the UK or EU, you have the following rights regarding your personal data:
- Access — you can ask us for a copy of the data we hold about you.
- Correction — you can ask us to fix inaccurate data.
- Erasure — you can ask us to delete your data (see "Deleting your account" above).
- Portability — you can ask for your data in a machine-readable format.
- Restriction — you can ask us to stop processing your data while a dispute is resolved.
- Objection — you can object to processing based on legitimate interests.
To exercise any of these rights, email privacy@shooson.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority — in the UK that is the Information Commissioner's Office (ICO).
A note on GDPR compliance
We believe the current version of Shooson is broadly GDPR-compliant, but we want to be transparent about areas where we are still maturing:
- In-app deletion flow — account deletion currently requires an email request. A self-service delete button inside the app is on our roadmap; GDPR does not require it to be automated, but it is better practice.
- Data export — we do not yet have a one-click data export. You can request a copy by email and we will provide it within 30 days.
- Firebase Cloud Messaging — Google processes notification tokens on our behalf. We operate under Google's standard data processing terms, which cover EU transfers. If you disable notifications, no data is passed to Google for this purpose.
If you spot anything that concerns you, please email privacy@shooson.com and we will address it promptly.
Changes to this policy
If we make material changes to this policy we will update the date at the top of this page and, where appropriate, notify you by email or in-app message.
Contact
For any privacy question, data request, or concern: privacy@shooson.com