Privacy Policy

Last updated: 26 June 2026

1. Who We Are

longrunshoes.ai (“we”, “us”, “our”) is an AI-powered running shoe recommendation service accessible at longrunshoes.ai. We are the data controller for the personal data you provide when using this service.

This policy applies to users in the European Union (EU GDPR 2016/679) and the United Kingdom (UK GDPR as retained in UK law). Where both apply, references to “GDPR” cover both regimes.

For any questions about this Privacy Policy or to exercise your rights, contact us via our contact form.

2. What Data We Collect

We collect the following categories of personal data:

  • Account data: First name, last name, email address — provided when you register or update your profile.
  • Authentication data: A one-time verification code sent to your email, and a session token stored in your browser after successful login. We do not use passwords.
  • Behavioural preferences: Running shoes and articles you mark as favourites, synced to our servers and tied to your account.
  • AI assistant prompts and profile: Free-text prompts you enter in the AI assistant, together with the generated preference profile (pace, cushioning, rebound, stability, brand, drop) and a textual summary. This constitutes automated profiling of your running preferences — see §12 for details.
  • Contact messages: Topic and text of messages sent via the “Write Us” form. This form does not require login — messages may be anonymous if you are not signed in.
  • IP address and server logs: Your IP address is recorded in server logs on every request to api.longrunshoes.ai and in AWS access logs for the CloudFront image CDN. These logs may also include request timestamps, HTTP method, and User-Agent string.
  • Browser-only usage data: The last page you visited before navigating to your profile, and shoe comparison selections — stored only in your browser (sessionStorage) and never sent to our servers.
  • Analytics data: If you consent: page views, session duration, clicks, and device/browser type — collected by Google Analytics and Microsoft Clarity.

3. Legal Basis and Purpose of Processing

We process your data on the following legal bases (GDPR Art. 6):

Contract performance (Art. 6(1)(b))

Registration, authentication (sending verification codes), profile management, favourites sync, and AI recommendation delivery — necessary to provide the service you signed up for.

Consent (Art. 6(1)(a))

Analytics and behavioural tracking via Google Analytics and Microsoft Clarity. We will ask for your explicit consent before activating these tools. You may withdraw consent at any time — see §10 for how.

Legitimate interests (Art. 6(1)(f))

Three purposes, each limited to what is strictly necessary:

  • — Responding to “Write Us” contact messages (topic + text only).
  • — Maintaining server logs (IP, timestamp, User-Agent) for security, abuse prevention, and debugging. Logs are retained for 90 days.
  • — Reviewing anonymised AI prompts to improve recommendation quality. Prompts are not linked to identifiable users during review.

4. Transactional Emails

Authentication on longrunshoes.ai is passwordless. When you register or log in, we send a one-time verification code to your email address via smtp.gmail.com (Google SMTP service).

These emails contain only the verification code. We do not send marketing emails. Google processes the email in transit as a data processor under its GDPR-compliant terms. Sent messages are not stored by us beyond what is needed to complete authentication.

5. Analytics and Tracking

We use two analytics tools, activated only with your consent (see §3):

Google Analytics 4 (Google LLC)

Measurement ID: G-NB8JQ2RL8R

Collects anonymised data about page views, session duration, traffic sources, and device type. Data is processed by Google on servers that may be located outside the EU/EEA. Google operates under Standard Contractual Clauses (SCCs) for international transfers. Retention: 14 months (default GA4 setting).

Google privacy policy: policies.google.com/privacy

Microsoft Clarity (Microsoft Corporation)

Project ID: vc8k1ts0uh

Records anonymised session replays, heatmaps, and click patterns to help us understand how users interact with the interface. Clarity does not collect form input content. Data may be processed on servers outside the EU/EEA under Microsoft SCCs. Retention: 30 days (default Clarity setting).

Microsoft privacy policy: privacy.microsoft.com

Both tools are currently disabled and will be activated only after you have given consent via the cookie banner.

6. What We Do Not Track

The following actions are processed locally in your browser and never sent to our servers:

  • Shoe comparison: Shoes added to Compare are stored in sessionStorage only. No comparison data is transmitted to the backend.
  • Filter preferences: Article and brand filter selections (articles-filters-local-storage, brands-filters-local-storage) are stored locally to remember your preferences between visits and are never sent to our servers.
  • Navigation history: The last non-profile page you visited is stored in sessionStorage and cleared when you close the tab.

7. Data Retention

We retain your data only as long as necessary:

  • Account & profile data: Until you request account deletion, then removed within 30 days.
  • AI assistant results: Until you delete them from your profile, or upon account deletion.
  • Favourites: Until you remove them or delete your account.
  • Contact messages: Up to 12 months from receipt, then permanently deleted.
  • Server logs (IP, User-Agent, timestamps): 90 days, then automatically purged.
  • Authentication token: Stored in browser localStorage until you log out or clear browser data. No server-side session is kept.
  • Google Analytics data: 14 months (GA4 default).
  • Microsoft Clarity data: 30 days (Clarity default).
  • Inactive accounts: Accounts with no login activity for 2 years will receive an email notice. If no response is received within 30 days, the account and all associated data will be permanently deleted.

8. Cookies and Browser Storage

We use browser storage to operate the service. The table below lists everything we store, organised by whether it requires consent.

Essential (no consent required)

KeyStoragePurpose
cookie_consentlocalStorageRecords your cookie consent decision
auth-longrunshoes-local-storagelocalStorageStores your session token to keep you logged in
ai-assistant-longrunshoes-local-storagelocalStorageCaches your last AI query and result locally
articles-filters-local-storagelocalStorageRemembers article filter preferences (local only, not sent to server)
brands-filters-local-storagelocalStorageRemembers brand filter preferences (local only, not sent to server)
run-shoes-local-storagesessionStorageCaches shoe catalog data for the current session
articles-local-storagesessionStorageCaches article data for the current session
compare-shoes-filters-local-storagesessionStorageStores shoe comparison selections (local only, not sent to server)
lastNonProfilePathsessionStorageRemembers the last page before navigating to profile

Analytics (requires consent)

CookieSet byPurpose
_ga, _ga_*Google AnalyticsDistinguishes users and persists session state
_clck, _clskMicrosoft ClarityIdentifies users and sessions for session recording
CLID, MUID, ANONCHKMicrosoft ClarityAnonymous user identification across sessions

Analytics cookies are only set after you click “I agree” in the cookie banner.

9. Third Parties and International Transfers

We work with the following third-party processors. Where data leaves the UK/EU, transfers are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46.

Backend server — api.longrunshoes.ai — UK

Processes all account, AI, and favourites data. Hosted on AWS eu-west-2 (London, UK) — within the UK GDPR jurisdiction. Personal data stays on this server and does not leave the region. AWS server logs (including your IP address) are retained for 90 days.

Google SMTP (smtp.gmail.com) — USA

Sends one-time verification codes to your email. Google processes the message in transit only. Covered by Google SCC-based DPA. Your email address is transmitted to Google solely to deliver the authentication code.

Amazon CloudFront (AWS) — USA / global CDN

Serves product images from dk77h2n4w9bw.cloudfront.net. No personal data is included in CDN requests — only image files are served. AWS CloudFront access logs may record your IP address; these are governed by AWS SCCs and retained for 90 days.

Google Analytics (Google LLC) — USA

Collects anonymised usage data when consent is given. Covered by Google SCC-based DPA. You can opt out globally at tools.google.com/dlpage/gaoptout.

Microsoft Clarity (Microsoft Corp.) — USA

Records anonymised session replays and heatmaps when consent is given. Covered by Microsoft SCCs. Does not capture form input or passwords.

We do not sell your personal data to any third party.

10. Your Rights

Under EU GDPR (2016/679) and UK GDPR you have the following rights. To exercise any of them, contact us via our contact form with subject GDPR Request: [type] and include the email address linked to your account. We will respond within 30 days. For complex or multiple requests we may extend this by a further 2 months (Art. 12(3)) and will notify you within the initial 30 days if an extension is needed.

Right of access (Art. 15)

Request a copy of all personal data we hold about you, including your AI preference profile.

Right to rectification (Art. 16)

Correct inaccurate data — you can also update your name and email directly in your profile settings.

Right to erasure (Art. 17)

Request deletion of your account and all associated data. AI results can also be deleted individually from your profile.

Right to restriction (Art. 18)

Ask us to pause processing your data while a dispute is resolved.

Right to data portability (Art. 20)

Receive your data in a structured, machine-readable format (JSON).

Right to object (Art. 21)

Object to processing based on legitimate interests (e.g. server logging, contact message handling, AI prompt review).

Rights related to profiling (Art. 22)

The AI assistant creates a preference profile of your running characteristics. This is not used for any automated decision that produces legal or similarly significant effects — it solely generates shoe recommendations. You may request deletion of your AI profile at any time from your profile page or by emailing us.

Right to withdraw consent

Withdraw consent for analytics cookies (Google Analytics, Microsoft Clarity) at any time without affecting prior lawful processing. Essential cookies remain active as they are required for the service to function.

You also have the right to lodge a complaint with your local supervisory authority — in the EU at edpb.europa.eu, in the UK at ico.org.uk.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Art. 33.

If the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay (GDPR Art. 34) using the email address linked to your account.

12. AI Assistant and Profiling

The AI assistant accepts free-text prompts describing your running needs. Your prompt is sent to our backend, processed by an AI model, and the result is saved to your account.

What is stored: the original prompt, a generated preference profile (pace, cushioning, rebound, stability, preferred brand, heel-to-toe drop), a textual summary, a timestamp, and the number of matching shoes returned.

Profiling disclosure (Art. 13(2)(f)): the AI assistant performs automated profiling of your running characteristics. This profiling is used solely to rank shoe recommendations and does not produce any legal or similarly significant effects. You are not subject to any automated decision-making under Art. 22(1).

Service improvement: anonymised prompts (stripped of any account linkage) may be reviewed internally to improve recommendation quality. The legal basis is legitimate interests (Art. 6(1)(f)).

Important: do not include sensitive personal data (medical conditions, injuries, health history) beyond what is directly relevant to shoe selection.

You can delete individual AI results at any time from your profile page.

13. Data Security

All data is transmitted over HTTPS. Authentication is passwordless — we send a one-time verification code by email instead of storing passwords. Session tokens are stored in browser localStorage and are not transmitted as cookies.

We take reasonable technical and organisational measures to protect your data against unauthorised access, loss, or disclosure.

14. Children

This service is not directed at children under 16. We do not knowingly collect data from minors. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. For material changes we will notify registered users by email or via an in-app notice before the change takes effect.

Questions? Contact us