Privacy Policy – Contoura

Contoura is an intelligent training and race-analysis platform for orienteering athletes. We are committed to protecting your personal data in accordance with the Swiss Federal Act on Data Protection (nDSG / revDSG, in force since 1 September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR).

We will never sell your personal data to third parties. We collect only what is necessary to operate and improve the Service.

Data Controller
Janis Kuhn
Lindenhofstrasse 9b, 8624 Grüt (Gossau ZH), Switzerland
privacy@contoura.app · contoura.app

For questions about this policy or to exercise your data protection rights, contact us at privacy@contoura.app. We will respond within 30 days.

1 Data We Collect

We collect data you provide directly and data generated automatically when you use the Service or visit our website. The table below specifies what is collected, where it comes from, and whether it is required.

Category	Data	Source	Required?
Account data	Name, email address, password hash, role (athlete / coach), performance level	Provided by you at registration	Required to use the Service
Waitlist data	Name, email, role, level — from the signup form on contoura.app	Provided by you voluntarily	Voluntary
Race data	IOF XML files, split times, control sequences, event metadata, results	Uploaded by you	Optional
Training data	Session logs, distance, duration, terrain type, technical focus, error type notes	Entered by you	Optional
GPS tracks	GPX files uploaded for route analysis	Uploaded by you	Optional
External links	URLs to third-party services (e.g. Livelox GPS track links) attached to entries	Entered by you	Optional
Usage & log data	Feature interactions, error logs, IP address, device type, browser version (no persistent personal identifiers beyond session)	Collected automatically when you use the Service or visit our website	Automatic

We do not collect health or biometric data, financial credentials, or any sensitive personal data as defined by Art. 5(c) nDSG.

Note on IOF XML files: Race result files produced by third-party event management systems may contain split times, control sequences, and competitor identifiers. We process this data solely to generate your performance analysis and are not responsible for the accuracy of data in files exported by third-party systems.

Note on third-party data: If you upload content containing data about other individuals (e.g. a coach uploading an athlete's files), you are responsible for ensuring you have the required legal basis to do so.

2 How We Use Your Data

Create and manage your account and authenticate you securely.
Provide core features: split analysis, training log, progress tracking, and coach tools.
Generate AI-powered race insights using the Anthropic Claude API. Your data is sent to Anthropic solely to generate your insight — it is not used to train Anthropic's models.
Send transactional emails (account verification, password reset) via Sender.net.
Send product update and newsletter emails if you have opted in. You may unsubscribe at any time via the link in each email.
Monitor platform health, detect errors, and prevent abuse.
Process payments when paid plans are introduced (via Stripe).
Comply with legal obligations under Swiss law and, where applicable, EU law.

We do not use your data for advertising, behavioural tracking, or profiling beyond the AI race insights described in Section 7.

3 Legal Basis for Processing

We process your personal data on the following legal bases under the Swiss nDSG and, where applicable, the EU GDPR:

Contract performance (Art. 31(2)(a) nDSG / Art. 6(1)(b) GDPR) — processing necessary to provide the Contoura Service you signed up for, including account management, race analysis, and training logs.
Legitimate interests (Art. 31(1) nDSG / Art. 6(1)(f) GDPR) — security monitoring, fraud prevention, platform improvement, and loading web fonts for page rendering. We have assessed that these interests are not overridden by your rights and freedoms.
Consent (Art. 31(2)(b) nDSG / Art. 6(1)(a) GDPR) — marketing emails and optional features. You may withdraw consent at any time without affecting prior processing.
Legal obligation (Art. 6(1)(c) GDPR) — compliance with applicable Swiss and EU law, including financial record-keeping obligations.

4 Third-Party Service Providers

We share data only with the following service providers. Each is bound by their own privacy policy and standard contractual terms, which we have reviewed prior to use. They process data only for the stated purpose and in compliance with applicable data protection law.

For transfers to the USA: these are covered by Standard Contractual Clauses (SCCs) approved by the European Commission. Switzerland recognises an equivalent level of protection via the Federal Council's adequacy list (fedlex.admin.ch).

Provider	Purpose	Data transferred	Location
Supabase	Database, authentication, file storage	All user, race, and training data	EU — Frankfurt
Google Fonts	Web font delivery (Inter typeface used across all pages)	IP address, browser metadata sent to Google's CDN on each page load	USA — SCCs
GitHub Pages	Static website hosting (contoura.app landing page)	IP address, browser metadata (standard server logs)	USA — SCCs / Global CDN
Cloudflare	DDoS protection, DNS, CDN	IP address, request metadata	USA — SCCs
Formspree	Waitlist form submission handling	Name, email address, role, level	USA — SCCs
Anthropic	AI-generated race insights (Claude API)	Race & training data (anonymised where possible).	USA — SCCs
Sender.net	Transactional & newsletter emails	Name, email address	EU — Lithuania
Namecheap	Domain registration	Domain-level metadata only	USA — SCCs
Stripe (planned)	Payment processing for future paid plans	Payment data handled entirely by Stripe — we never store card numbers	USA — SCCs

How to limit data transfers to specific third parties

Google Fonts: You can block requests to Google's font servers using a browser extension such as uBlock Origin, or by enabling your browser's built-in content blocking. Doing so may affect how the page is rendered (a system font will be used as fallback). Legal basis for this transfer: legitimate interest (Art. 31(1) nDSG / Art. 6(1)(f) GDPR).
GitHub Pages / Cloudflare: These process your IP address as part of delivering the website — this is technically necessary for the Service to function and cannot be avoided while using contoura.app.
Formspree: You can choose not to submit the waitlist form. No data is sent to Formspree unless you actively submit the form.
Anthropic (AI Insights): You can opt out of AI-generated insights in your account settings. Opting out does not restrict access to the manual split analysis features.
Sender.net (newsletter): You can unsubscribe at any time via the unsubscribe link in any email. Transactional emails (e.g. password resets) are necessary for the Service and cannot be opted out of while maintaining an account.

Third-party links (e.g. Livelox): The Service allows you to attach external URLs to your entries. We store these URLs as part of your content. When you click such a link, you leave Contoura and are subject to that third party's own privacy policy. We do not transmit any personal data to linked third-party platforms.

Links to other websites: Our website may contain links to third-party websites. We have no control over those sites and are not responsible for their privacy practices. We encourage you to read their privacy policies directly.

5 Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy or as required by law.

Account & profile data — retained for the duration of your account, deleted within 30 days of account deletion.
Race & training data — retained for the duration of your account; deleted within 30 days upon account deletion or explicit deletion request.
GPS tracks & uploaded files — retained until you delete them or your account is closed.
Usage & log data — retained for up to 12 months for security and debugging purposes, then deleted or anonymised.
Waitlist submissions — retained until the platform launches publicly or until you request removal, whichever comes first.
Financial records — retained for 10 years as required by Swiss law (OR Art. 958f).

You may request deletion of your data at any time by emailing privacy@contoura.app. Deletions are completed within 30 days, subject to legal retention obligations listed above.

6 Cookies

Contoura uses only technically necessary cookies. We do not use tracking, advertising, or analytics cookies. No cookie consent banner is required under the Swiss nDSG for strictly necessary cookies.

Session cookie — keeps you logged in. HttpOnly, SameSite=Strict. Expires on browser close or after 30 days if "remember me" is selected.
CSRF token — protects form submissions against cross-site request forgery attacks. Strictly necessary.

You can clear or block cookies at any time in your browser settings. Clearing session cookies will log you out of Contoura. Blocking all cookies may prevent login from working.

7 AI-Generated Insights & Automated Processing

Contoura uses the Anthropic Claude API to generate automated race insights. This process analyses your split data to assess navigation patterns — which constitutes profiling under Art. 5(f) nDSG and falls within the scope of automated processing under GDPR Art. 22.

This profiling is not high-risk profiling (Art. 5(g) nDSG) and does not constitute a solely automated decision with legal or similarly significant effects on you within the meaning of GDPR Art. 22(1). AI Insights are informational and supplementary — they do not determine your eligibility for anything, nor are they shared with third parties to make decisions about you.

You can opt out of AI-generated insights at any time in your account settings. Opting out does not affect access to the manual split analysis features. Should fully automated decision-making ever be introduced, we will notify you and obtain explicit consent before activating it for your account.

8 Your Rights & Choices

Under Swiss nDSG (Art. 25–32) and, where applicable, EU GDPR (Art. 15–22), you have the following rights. We fulfil all requests within 30 days at no charge.

Right of access (Art. 25 nDSG / Art. 15 GDPR) — request a copy of all personal data we hold about you, including information on its source, purpose, and any third parties it has been shared with.
Right to rectification (Art. 32 nDSG / Art. 16 GDPR) — correct inaccurate or incomplete data. You can manage most profile data directly on your Profile page without contacting us.
Right to erasure (Art. 32 nDSG / Art. 17 GDPR) — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations outlined in Section 5.
Right to data portability (Art. 28 nDSG / Art. 20 GDPR) — receive your data in a machine-readable format (JSON / CSV), or request transfer to another controller.
Right to restriction (Art. 18 GDPR) — limit our processing of your data in certain circumstances (e.g. while a correction request is pending).
Right to object (Art. 32 nDSG / Art. 21 GDPR) — object to processing based on legitimate interests, including profiling for AI insights.
Right to withdraw consent — withdraw consent (e.g. for marketing emails) at any time without affecting prior processing. Use the unsubscribe link in any email or contact privacy@contoura.app.
Right not to be subject to solely automated decisions — as noted in Section 7, our AI features do not produce solely automated decisions with legal effects.

Your choices about data processing

Race and training data fields are optional — you may use only the features you need.
Newsletter and marketing emails: opt in during registration or unsubscribe at any time.
AI Insights: opt out in account settings without losing other functionality.
Account deletion: you may close your account and request full deletion of your data at any time by emailing privacy@contoura.app.

To exercise any of the above rights, email privacy@contoura.app with your request. We may ask you to verify your identity before fulfilling the request.

Supervisory authority complaints: If you are located in Switzerland, you may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (EDÖB) at edoeb.admin.ch. If you are located in an EU member state, you may lodge a complaint with your local data protection authority — a full list is available at edpb.europa.eu.

9 International Users & GDPR

Contoura is operated from Switzerland and is primarily governed by Swiss nDSG. Because we serve users across Europe — including EU member states — we also comply with the EU GDPR to the extent it applies to our processing of EU residents' data.

EU-to-Switzerland transfers: Switzerland is recognised by the European Commission as a country providing an adequate level of data protection (Commission Decision 2000/518/EC, assessed under GDPR Art. 45). No additional safeguards are required for EU-to-Switzerland transfers. For onward transfers to the USA (via Anthropic, Cloudflare, and other providers in Section 4), Standard Contractual Clauses apply.

EU data protection authorities: EU residents have the right to lodge a complaint with their local supervisory authority. You do not need to use Swiss channels. A list of EU DPAs is available at edpb.europa.eu.

GDPR Art. 27 representative: Given the current small-scale, beta nature of the Service and the limited, non-systematic nature of EU data processing, we have not yet designated a formal EU representative under GDPR Art. 27. We will assess this requirement as the Service grows and designate a representative if required.

10 Data Security

We implement appropriate technical and organisational measures (TOMs) as required by Art. 8 nDSG and GDPR Art. 32:

All data in transit is encrypted using TLS 1.3.
All data at rest is encrypted using AES-256 (via Supabase).
Passwords are hashed using bcrypt (minimum 12 rounds) — never stored in plaintext.
Authentication tokens are stored in HttpOnly, SameSite=Strict cookies.
Row-Level Security (RLS) ensures each user can only access their own data.
CSRF protection is applied to all state-changing API endpoints.
Uploaded files are validated using magic bytes verification.

Data breach notification: In the event of a personal data breach likely to result in a risk to your rights, we will notify the EDÖB without undue delay (Art. 24 nDSG) and, for EU residents, the competent EU supervisory authority within 72 hours (GDPR Art. 33). For breaches posing a high risk, we will also notify affected users directly, describing the nature of the breach and steps taken to address it. All incidents are documented as required by law.

11 Children's Privacy

Contoura is available to users aged 13 and above. Users between the ages of 13 and 18 should obtain appropriate parental or guardian consent as required by local law before registering.

We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, please contact privacy@contoura.app and we will delete the account promptly.

12 Applicable Law

This Privacy Policy is governed by the following legal framework:

Swiss Federal Act on Data Protection (nDSG / revDSG) — primary applicable law, in force since 1 September 2023. Governs all data processing activities carried out by Contoura from Switzerland.
EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) — applies to the extent that Contoura processes personal data of individuals located in EU member states, in accordance with Art. 3(2) GDPR.
Swiss Code of Obligations (OR) — governs financial record retention (Art. 958f OR).

In the event of any conflict between Swiss nDSG and EU GDPR requirements, we apply the standard that provides a higher level of protection for the data subject. Disputes arising under this Privacy Policy shall be governed by Swiss law, with jurisdiction in the courts of Zurich, Switzerland, unless mandatory EU consumer law provides otherwise for EU residents.

13 Changes to This Policy

We may update this Privacy Policy when necessary. The updated date at the top of this page reflects the most recent revision. For material changes that significantly affect your rights or the way we process your data, we will notify you by email at least 14 days before the change takes effect. Continued use of Contoura after a change takes effect constitutes acceptance of the updated policy.

Previous versions of this policy are available upon request by emailing privacy@contoura.app.

14 Contact

Privacy requests & rights: privacy@contoura.app
General contact: hello@contoura.app
Website: contoura.app
Postal address: Janis Kuhn, Lindenhofstrasse 9b, 8624 Grüt (Gossau ZH), Switzerland

Swiss supervisory authority: edoeb.admin.ch (EDÖB)
EU supervisory authorities: edpb.europa.eu