Privacy Policy

Last updated: April 2025

Who we are

BuildYourRun ("we", "us") is a free running training plan tool. We take your privacy seriously. This policy explains what data we collect, why, and how it is protected.

What data we collect

Without an account: No personal data is collected. The plan builder runs entirely in your browser. If you consent to analytics cookies, we collect anonymous usage data via Google Analytics (pages visited, features used). We never use advertising trackers.

With an account: We store your email address, a bcrypt-hashed password (a one-way hash that cannot be reversed, so we cannot read your password), your display name (optional), and the training plans you save.

Technical data: When you log in, your IP address and browser user-agent are stored with your session for security purposes (detecting suspicious access). This data is deleted automatically after 30 days of inactivity.

Cookies

Functional cookie (always active)

We use one functional cookie (byr_session) to keep you logged in. This cookie is:

  • HttpOnly — not readable by JavaScript
  • Secure — only sent over HTTPS
  • SameSite=Strict — cannot be sent by third-party sites
  • Expires after 30 days of inactivity

Analytics cookies (only with your consent)

If you click "Accept all" on the cookie banner, we load Google Analytics 4 (GA4) to understand how people use the site — which pages are visited, which features are used, and where visitors come from. This helps us improve the product. GA4 is provided by Google Ireland Limited.

  • IP anonymisation is enabled — your full IP address is never stored
  • No advertising features or remarketing are enabled
  • Data is processed by Google in accordance with their privacy policy
  • You can opt out at any time by clicking "Functional only" on the cookie banner, or by installing the Google Analytics opt-out browser add-on

If you click "Functional only", Google Analytics is never loaded and no analytics cookies are set.

How we protect your data

  • Passwords are hashed with bcrypt (cost factor 12) — irreversible. Even we cannot read them.
  • All connections are encrypted via HTTPS/TLS.
  • All database queries use prepared statements to prevent SQL injection.
  • Login attempts are rate-limited to prevent brute-force attacks.
  • Your plan data is only accessible to your account.

Your rights (GDPR)

Under GDPR you have the right to access, correct, or delete your personal data at any time. You can delete your account and all associated plans from your dashboard. For other requests, contact us at the email below.

Data retention

Account data is retained until you delete your account. Inactive sessions are purged after 30 days. Rate-limit records are purged after 1 hour.

Contact

Questions about this policy? Email us at privacy@buildyourrun.com.