Privacy Policy

This privacy policy explains how Endufueler processes personal data when you visit the website, create an account, use the app, save race cards, or contact support.

Last reviewed: June 24, 2026

Controller

The controller within the meaning of the General Data Protection Regulation is Mats Echterhoff, c/o Chatbyte GmbH, Mühlenkamp 31, 22303 Hamburg, Germany.

Privacy contact

For privacy questions and to exercise your rights, you can contact us at privacy@endufueler.com.

General information and legal bases

Endufueler processes personal data to operate the website and app, provide account access, generate and save race fueling plans, maintain security, respond to requests, and comply with legal obligations.

Depending on the context, processing is carried out for the performance of a contract or pre-contractual measures pursuant to Art. 6(1)(b) GDPR, to comply with legal obligations pursuant to Art. 6(1)(c) GDPR, on the basis of consent pursuant to Art. 6(1)(a) GDPR, or on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR. We do not sell personal data.

Website visits, app use, and technical logs

When you visit the website or use the app, technical data may be processed, including IP address, date and time of access, requested URL, referrer, browser and device information, operating system, language settings, request headers, and comparable server log data.

This processing is necessary to provide the website and app, detect errors, protect availability, prevent misuse, investigate security events, and operate requested functions.

Cookies and local storage

Endufueler uses technically necessary cookies and comparable storage technologies for authentication, password reset, passkey flows, security, account sessions, app settings, and the operation of requested functions.

The app may store data locally in your browser so requested functions can load reliably. You can delete browser storage through your browser settings, but some app functions may stop working or require you to sign in again.

Accounts, authentication, passkeys, and sessions

If you create an account or sign in, we process account and authentication data such as name, email address, password data, verification status, account timestamps, session tokens, session expiry, IP address, user agent, and comparable access metadata.

If you add or use passkeys, we process passkey records such as credential identifiers, public keys, counters, device type, backup status, transports, creation time, and related security metadata. We do not receive your biometric data or device unlock secrets.

We use this data to create and secure your account, keep you signed in, support passkey sign-in, prevent misuse, and provide the functions you request.

Race cards, generated fueling plans, and athlete context

When you create or save a race card, we process the information you enter and the generated planning results. This may include sport, race name, distance, expected duration, intensity, temperature band, fueling preferences, product choices, aid or water station details, planned carbs, fluid, sodium, caffeine choices, packing lists, and generated timelines.

The app may also process optional athlete context and preferences such as gender, age, body weight, height, salt-loss indication, fueling experience, unit system, date format, and time format. This information is used to calculate and display race fueling plans and app preferences.

Race cards, generated plans, user preferences, and related account data are persisted in PostgreSQL where database persistence is configured.

Password reset and support

If you request a password reset, Endufueler may send the reset link through a configured password reset webhook. This can involve processing the recipient email address, reset URL, message metadata, and delivery status needed to send the transactional message.

If you contact support, we process your email address, message content, and information you voluntarily provide so we can respond to your request. Support requests can be sent to support@endufueler.com.

Account deletion, audit events, and retention

You can request account deletion through the app where available. Endufueler uses soft account deletion to block further access, record the deletion request, remove active sessions, and retain limited audit records where necessary for security, abuse prevention, legal obligations, and proof of deletion handling.

Audit records may include event type, timestamps, actor and subject identifiers, hashed email information, IP address, user agent, and metadata about the deletion event. Certain data may remain in backups, logs, audit records, or other systems where this is necessary or legally permitted.

We store personal data only as long as needed for the purposes described in this privacy policy or as required by law. Technical logs are generally kept only for a limited period for security and troubleshooting.

Recipients, service providers, and international transfers

We disclose personal data only where this is necessary to provide Endufueler, where a legal obligation exists, or where this is necessary to protect rights, security, and the integrity of the service.

Personal data may be accessed by persons and service providers involved in hosting, infrastructure, database operation, authentication, email delivery, support, security, maintenance, and product development, but only where access is necessary for their role.

We select service providers with appropriate care and, where required, enter into data processing agreements. If you have questions about the service providers used for Endufueler, contact privacy@endufueler.com.

Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as adequacy decisions, EU Standard Contractual Clauses, and supplementary protection measures where required.

Requirement to provide data

You are not required to provide personal data. If you do not provide certain data, we may be unable to provide the website, account access, saved race cards, generated fueling plans, password reset, support, or individual app functions, or may only be able to provide them in a limited way.

Your rights and complaints

Under the GDPR, you may request access, correction, deletion, restriction of processing, data portability, objection to processing, and withdrawal of consent. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

Privacy and data subject rights requests can be sent to privacy@endufueler.com.

You also have the right to lodge a complaint with a competent data protection supervisory authority. For Hamburg, this is Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Ludwig-Erhard-Straße 22, 20459 Hamburg, Germany, mailbox@datenschutz.hamburg.de.

Changes

We may update this privacy policy from time to time when Endufueler, our processing activities, or legal requirements change.