Legal

Privacy Policy

Effective: 13 May 2026 · Last updated: 19 May 2026


0. About Contoura & Data Controller

Contoura is an intelligent training and race-analysis platform for orienteering athletes. We are committed to protecting your personal data in accordance with the Swiss Federal Act on Data Protection (nDSG / revDSG, in force since 1 September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR).

We will never sell your personal data to third parties. We collect only what is necessary to operate and improve the Service.

Data Controller
Janis Kuhn
Lindenhofstrasse 9b, 8624 Grüt (Gossau ZH), Switzerland
privacy@contoura.app · contoura.app

For questions about this policy or to exercise your data protection rights, contact us at privacy@contoura.app. We will respond within 30 days.

1. Data We Collect

We collect data you provide directly and data generated automatically when you use the Service or visit our website. The table below specifies what is collected, where it comes from, and whether it is required.

| Category | Data | Source | Required? |
|---|---|---|---|
| Account data | Name, email address, password hash, role (athlete / coach), performance level | Provided by you at registration | Required to use the Service |
| Race data | IOF XML files, split times, control sequences, event metadata, results | Uploaded by you | Optional |
| Training data | Session logs, distance, duration, terrain type, technical focus, notes | Entered by you | Optional |
| GPS tracks | GPX files uploaded for route analysis | Uploaded by you | Optional |
| External links | URLs to third-party services (e.g. Livelox GPS track links) attached to entries | Entered by you | Optional |
| Usage & log data | Feature interactions, error logs, IP address, device type, browser version (no persistent personal identifiers beyond session) | Collected automatically when you use the Service or visit our website | Automatic |

We do not collect health or biometric data, financial credentials, or any sensitive personal data as defined by Art. 5(c) nDSG.

Note on IOF XML files: Race result files produced by third-party event management systems may contain split times, control sequences, and competitor identifiers. We process this data solely to generate your performance analysis and are not responsible for the accuracy of data in files exported by third-party systems.

Note on third-party data: If you upload content containing data about other individuals (e.g. a coach uploading an athlete's files), you are responsible for ensuring you have the required legal basis to do so.

2. How We Use Your Data

  • Create and manage your account and authenticate you securely.
  • Provide core features: split analysis, training log, progress tracking, and coach tools.
  • Generate AI-powered race insights and pattern analysis using the Groq API (Meta Llama models). Your data is sent to Groq solely to generate your insight — it is not used to train any AI models.
  • Send transactional emails (account verification, password reset) via Mailtrap.
  • Send product update and tips emails via Mailtrap if you have opted in. You may unsubscribe at any time via your account settings or the link in each email.
  • Monitor platform health, detect errors, and prevent abuse.
  • Process payments when paid plans are introduced (via Stripe).
  • Comply with legal obligations under Swiss law and, where applicable, EU law.

We do not use your data for advertising, behavioural tracking, or profiling beyond the AI race insights described in Section 7.

3. Legal Basis for Processing

We process your personal data on the following legal bases under the Swiss nDSG and, where applicable, the EU GDPR:

  • Contract performance (Art. 31(2)(a) nDSG / Art. 6(1)(b) GDPR) — processing necessary to provide the Contoura Service you signed up for, including account management, race analysis, and training logs.
  • Legitimate interests (Art. 31(1) nDSG / Art. 6(1)(f) GDPR) — security monitoring, fraud prevention, platform improvement, and loading web fonts for page rendering. We have assessed that these interests are not overridden by your rights and freedoms.
  • Consent (Art. 31(2)(b) nDSG / Art. 6(1)(a) GDPR) — optional features such as AI-generated insights and product update emails. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c) GDPR) — compliance with applicable Swiss and EU law, including financial record-keeping obligations.

4. Third-Party Service Providers

We share data only with the following service providers. Each is bound by their own privacy policy and standard contractual terms, which we have reviewed prior to use. They process data only for the stated purpose and in compliance with applicable data protection law.

For transfers to the USA: these are covered by Standard Contractual Clauses (SCCs) approved by the European Commission. Switzerland recognises an equivalent level of protection via the Federal Council's adequacy list (fedlex.admin.ch).

| Provider | Purpose | Data transferred | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All user, race, and training data | EU — Frankfurt |
| Vercel | Application hosting and global CDN delivery | IP address, browser metadata (standard server logs) | USA — SCCs / Global CDN |
| Google Fonts | Web font delivery (Inter typeface used across all pages) | IP address, browser metadata sent to Google's CDN on each page load | USA — SCCs |
| Cloudflare | DDoS protection, DNS | IP address, request metadata | USA — SCCs |
| Groq | AI-generated race insights and pattern analysis (Meta Llama models) | Race & training data (anonymised where possible) | USA — SCCs |
| Mailtrap | Transactional emails (account verification, password reset) and product update emails to users who have opted in | Name, email address | EU — Estonia |
| Namecheap | Domain registration | Domain-level metadata only | USA — SCCs |
| Stripe (planned) | Payment processing for future paid plans | Payment data handled entirely by Stripe — we never store card numbers | USA — SCCs |

How to limit data transfers to specific third parties

  • Google Fonts: You can block requests to Google's font servers using a browser extension such as uBlock Origin. Doing so may affect page rendering (a system font will be used as fallback). Legal basis: legitimate interest (Art. 31(1) nDSG / Art. 6(1)(f) GDPR).
  • Vercel / Cloudflare: These process your IP address as part of delivering the website — technically necessary and cannot be avoided while using contoura.app.
  • Groq (AI Insights): You can opt out of AI-generated insights in your account settings. Opting out does not restrict access to the manual split analysis features.
  • Mailtrap (emails): Transactional emails (e.g. password resets, account verification) are necessary for the Service and cannot be opted out of while maintaining an active account. Product update emails can be disabled at any time in your account settings.

Third-party links (e.g. Livelox): The Service allows you to attach external URLs to your entries. We store these URLs as part of your content. When you click such a link, you leave Contoura and are subject to that third party's own privacy policy. We do not transmit any personal data to linked third-party platforms.

Links to other websites: Our website may contain links to third-party websites. We have no control over those sites and are not responsible for their privacy practices. We encourage you to read their privacy policies directly.

5. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy or as required by law.

  • Account & profile data — retained for the duration of your account, deleted within 30 days of account deletion.
  • Race & training data — retained for the duration of your account; deleted within 30 days upon account deletion or explicit deletion request.
  • GPS tracks & uploaded files — retained until you delete them or your account is closed.
  • Usage & log data — retained for up to 12 months for security and debugging purposes, then deleted or anonymised.
  • Financial records — retained for 10 years as required by Swiss law (OR Art. 958f).

You may request deletion of your data at any time by emailing privacy@contoura.app. Deletions are completed within 30 days, subject to legal retention obligations listed above.

6. Cookies

Contoura uses only technically necessary cookies. We do not use tracking, advertising, or analytics cookies. No cookie consent banner is required under the Swiss nDSG for strictly necessary cookies.

  • Session cookie — keeps you logged in. HttpOnly, SameSite=Strict. Expires on browser close or after 30 days if "remember me" is selected.
  • CSRF token — protects form submissions against cross-site request forgery attacks. Strictly necessary.

You can clear or block cookies at any time in your browser settings. Clearing session cookies will log you out of Contoura. Blocking all cookies may prevent login from working.

7. AI-Generated Insights & Automated Processing

Contoura uses the Groq API (Meta Llama models) to generate automated race insights and pattern analysis. This process analyses your split data to assess navigation patterns — which constitutes profiling under Art. 5(f) nDSG and falls within the scope of automated processing under GDPR Art. 22.

This profiling is not high-risk profiling (Art. 5(g) nDSG) and does not constitute a solely automated decision with legal or similarly significant effects on you within the meaning of GDPR Art. 22(1). AI Insights are informational and supplementary — they do not determine your eligibility for anything, nor are they shared with third parties to make decisions about you.

You can opt out of AI-generated insights at any time in your account settings. Opting out does not affect access to the manual split analysis features. Should fully automated decision-making ever be introduced, we will notify you and obtain explicit consent before activating it for your account.

8. Your Rights & Choices

Under Swiss nDSG (Art. 25–32) and, where applicable, EU GDPR (Art. 15–22), you have the following rights. We fulfil all requests within 30 days at no charge.

  • Right of access (Art. 25 nDSG / Art. 15 GDPR) — request a copy of all personal data we hold about you, including information on its source, purpose, and any third parties it has been shared with.
  • Right to rectification (Art. 32 nDSG / Art. 16 GDPR) — correct inaccurate or incomplete data. You can manage most profile data directly on your Profile page without contacting us.
  • Right to erasure (Art. 32 nDSG / Art. 17 GDPR) — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations outlined in Section 5.
  • Right to data portability (Art. 28 nDSG / Art. 20 GDPR) — receive your data in a machine-readable format (JSON / CSV), or request transfer to another controller.
  • Right to restriction (Art. 18 GDPR) — limit our processing of your data in certain circumstances (e.g. while a correction request is pending).
  • Right to object (Art. 32 nDSG / Art. 21 GDPR) — object to processing based on legitimate interests, including profiling for AI insights.
  • Right to withdraw consent — withdraw consent (e.g. for marketing emails) at any time without affecting prior processing. Use the unsubscribe link in any email or contact privacy@contoura.app.
  • Right not to be subject to solely automated decisions — as noted in Section 7, our AI features do not produce solely automated decisions with legal effects.

Your choices about data processing

  • Race and training data fields are optional — you may use only the features you need.
  • Product update and tips emails: opt in during registration or disable at any time in account settings.
  • Transactional emails (password reset, account verification) are necessary for the Service and cannot be opted out of while maintaining an active account.
  • AI Insights: opt out in account settings without losing other functionality.
  • Account deletion: you may close your account and request full deletion of your data at any time via Settings or by emailing privacy@contoura.app.

To exercise any of the above rights, email privacy@contoura.app with your request. We may ask you to verify your identity before fulfilling the request.

Supervisory authority complaints: If you are located in Switzerland, you may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (EDÖB) at edoeb.admin.ch. If you are located in an EU member state, you may lodge a complaint with your local data protection authority — a full list is available at edpb.europa.eu.

9. International Users & GDPR

Contoura is operated from Switzerland and is primarily governed by Swiss nDSG. Because we serve users across Europe — including EU member states — we also comply with the EU GDPR to the extent it applies to our processing of EU residents' data.

EU-to-Switzerland transfers: Switzerland is recognised by the European Commission as a country providing an adequate level of data protection (Commission Decision 2000/518/EC, assessed under GDPR Art. 45). No additional safeguards are required for EU-to-Switzerland transfers. For onward transfers to the USA (via Groq, Cloudflare, and other providers in Section 4), Standard Contractual Clauses apply.

EU data protection authorities: EU residents have the right to lodge a complaint with their local supervisory authority. You do not need to use Swiss channels. A list of EU DPAs is available at edpb.europa.eu.

GDPR Art. 27 representative: Given the current small-scale, beta nature of the Service and the limited, non-systematic nature of EU data processing, we have not yet designated a formal EU representative under GDPR Art. 27. We will assess this requirement as the Service grows and designate a representative if required.

10. Data Security

We implement appropriate technical and organisational measures (TOMs) as required by Art. 8 nDSG and GDPR Art. 32:

  • All data in transit is encrypted using TLS 1.3.
  • All data at rest is encrypted using AES-256 (via Supabase).
  • Passwords are hashed using bcrypt (minimum 12 rounds) — never stored in plaintext.
  • Authentication tokens are stored in HttpOnly, SameSite=Strict cookies.
  • Row-Level Security (RLS) ensures each user can only access their own data.
  • CSRF protection is applied to all state-changing API endpoints.
  • Uploaded files are validated using magic bytes verification.

Data breach notification: In the event of a personal data breach likely to result in a risk to your rights, we will notify the EDÖB without undue delay (Art. 24 nDSG) and, for EU residents, the competent EU supervisory authority within 72 hours (GDPR Art. 33). For breaches posing a high risk, we will also notify affected users directly, describing the nature of the breach and steps taken to address it. All incidents are documented as required by law.

11. Children's Privacy

Contoura is available to users aged 13 and above. Users between the ages of 13 and 18 should obtain appropriate parental or guardian consent as required by local law before registering.

We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, please contact privacy@contoura.app and we will delete the account promptly.

12. Applicable Law

This Privacy Policy is governed by the following legal framework:

  • Swiss Federal Act on Data Protection (nDSG / revDSG) — primary applicable law, in force since 1 September 2023. Governs all data processing activities carried out by Contoura from Switzerland.
  • EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) — applies to the extent that Contoura processes personal data of individuals located in EU member states, in accordance with Art. 3(2) GDPR.
  • Swiss Code of Obligations (OR) — governs financial record retention (Art. 958f OR).

In the event of any conflict between Swiss nDSG and EU GDPR requirements, we apply the standard that provides a higher level of protection for the data subject. Disputes arising under this Privacy Policy shall be governed by Swiss law, with jurisdiction in the courts of Zurich, Switzerland, unless mandatory EU consumer law provides otherwise for EU residents.

13. Changes to This Policy

We may update this Privacy Policy when necessary. The updated date at the top of this page reflects the most recent revision. For material changes that significantly affect your rights or the way we process your data, we will notify you by email at least 14 days before the change takes effect. Continued use of Contoura after a change takes effect constitutes acceptance of the updated policy.

Previous versions of this policy are available upon request by emailing privacy@contoura.app.

14. Contact

Privacy requests & rights: privacy@contoura.app
General contact: hello@contoura.app
Website: contoura.app
Postal address: Janis Kuhn, Lindenhofstrasse 9b, 8624 Grüt (Gossau ZH), Switzerland

Swiss supervisory authority: edoeb.admin.ch (EDÖB)
EU supervisory authorities: edpb.europa.eu