Paced
Back to app

Data Processing Addendum

Effective: 3 June 2026 Last updated: 3 June 2026

Overview

When you use Paced to track your rides, we process the account and ride data you provide. In this context:

  • You are the data subject — the data we hold relates to you and the rides you log.
  • Paced is the data controller for your account, and engages the sub-processors listed below to store and process that data on our behalf.

This Data Processing Addendum ("DPA") describes the technical and organisational measures Paced has implemented to protect the data it processes.

Data we process

Paced processes the following categories of data:

Account data

  • Email address used to create and sign in to your account.
  • Authentication data managed by Firebase Authentication.

Ride data

  • Ride distance and duration.
  • Elevation gained.
  • Route name.
  • Ride type.
  • Any notes you choose to add to a ride.

Technical data

  • IP addresses are used for rate limiting and security during request processing but are not stored long term.

We do not process special categories of personal data (sensitive data) as part of this service.

Processing purposes

Paced processes your data strictly to:

  • Authenticate you and maintain your account.
  • Store the rides you log and display them back to you.
  • Calculate your personal statistics and records.
  • Maintain service integrity and prevent abuse.

We will not use this data for any other purpose, including advertising, profiling, or selling to third parties.

Technical and organisational measures

Paced has implemented the following measures to protect the data it processes:

  • HTTPS encryption for all data in transit.
  • Cloud Firestore data isolation — your data is stored under paths scoped to your unique account identifier and is not accessible by other users.
  • Firebase Authentication for account access.
  • Server-side authentication for all API access.
  • Role-based access controls limiting internal access to user data.

Sub-processors

We engage the following sub-processors to store and process your data:

  • Google Firebase / Google Cloud — authentication and database (Cloud Firestore) (see Subprocessors page).
  • Vercel — serverless hosting and compute.

We will notify you of any intended changes to our sub-processor list by updating the Subprocessors page. You may object to a new sub-processor within 30 days of notification.

Retention and deletion

  • Account data: retained for the duration of your account.
  • Ride data: retained until you delete it or close your account.

Upon account termination, all remaining data is deleted within 30 days.

You can permanently delete your account and all associated data at any time from your account settings.

Data subject requests

You may exercise your data rights (such as access, correction, or erasure) at any time. Where you ask us to confirm what data we hold or to delete specific records, we will do so upon your written request via the support form, within a reasonable timeframe and at no additional charge.

Full DPA document

A summary of how Paced processes your data is set out on this page and forms part of our Terms of Service.

The full DPA includes Standard Contractual Clauses (SCCs) covering international data transfers to our subprocessors.

Contact

You can manage and delete your data from your account settings. For more, see our support page.