Legal

Privacy Policy

Last updated: June 12, 2026

The short version

DropPace turns your runs into share-ready images. We process the data we need to make that image — your workout, your route, and (if you choose) your photo — and we hold on to as little as possible. The mobile app does not require an account and does not collect your name, email, or contact information. We do not sell your data, we do not use your health or workout data for advertising, and we do not use any third-party AI service to profile you or advertise to you.

The one place we do collect an email address is when you buy a lifetime offer on our website — because we have to email you the access link. Details are in section 3 below.

1. Who we are

Nuko Nova Dynamics LLC ("DropPace," "we," "us," or "our"), a Florida limited liability company, operates the DropPace mobile application (the "app") and the websites at droppace.com and droppace.app (together with the app, the "service"). For the purposes of the EU and UK General Data Protection Regulation ("GDPR"), Nuko Nova Dynamics LLC is the data controller for personal data processed through the service.

This Privacy Policy explains what data we process, why, how long we keep it, who we share it with, and the rights you have. For any privacy question or request, contact [email protected].

2. No account required (and the one exception)

The DropPace app is designed to work without a sign-up. You do not create an account, and we do not ask for your name, email, or phone number to use it. Your subscription is tied to your device and to your Apple or Google account, which we never receive in identifiable form.

The exception is a website purchase. If you buy a one-time lifetime offer at droppace.com, we collect the email address you provide so we can deliver your access link and backup code, and our payment processor collects your payment details. See "Website and lifetime purchases" in section 3.

3. Data we process

Workout and route data

With your permission, DropPace reads completed workout records from Apple HealthKit (iOS) or Google Health Connect (Android), which may include workout type, start and end time, distance, duration, pace, heart rate, calories, and the GPS polyline of your route. This is health and precise-location data, and we treat it as sensitive. We use it only to render your share image and to validate that the stats shown on the image match your workout. We do not run continuous or real-time location tracking — we read only the completed workouts you authorize, when you ask us to make an image.

Photos you provide

For the photo-led modes, you choose a photo from your camera roll or take a new one with the camera. That photo is uploaded so our servers can compose or restyle your share image with the chosen style applied. The original photo is processed to create your image and is not retained after the share image is generated. We do not perform facial recognition and we do not use your photos to identify you or anyone else.

Generated images

The share image we create for you is cached on our infrastructure for up to 30 days so you can re-download or re-share it without re-rendering, then deleted automatically. Each generated image contains an embedded "Software" metadata tag identifying it as produced with DropPace and marking it as AI-generated. This metadata travels inside the image file you share.

Device identifier and subscription state

We generate a random, device-scoped identifier so we can attach your trial status, subscription status, credit balance, or redeemed lifetime entitlement to your installation and enforce per-device usage limits and prevent abuse. This identifier is not linked to your name, email, phone number, or Apple/Google account.

Notifications

If you allow notifications, your device provides a push token so we can send you optional alerts, such as a reminder when a new run is ready to drop. You can turn notifications off at any time in your device settings.

Diagnostics and product analytics

We collect crash reports, performance traces, and anonymized product-usage events (for example, "a render was generated" or "a share was tapped") to find bugs and decide what to build next. These events do not contain your photo, your route, your workout data, or any information that identifies you personally.

Website and lifetime purchases

If you buy a one-time lifetime offer on droppace.com, we and our payment processor process the email address you provide, your purchase and entitlement record, the time and amount of the purchase, and your IP address (used to route the checkout and to help prevent fraud and abuse). We use this information to take payment, deliver your access link and backup code, provide support, keep records, and meet our tax and accounting obligations. Your full payment-card details are handled by our payment processor (Stripe); we do not receive or store your card number.

Cookies and website data

The DropPace app does not use cookies. Our websites use only the strictly necessary cookies and similar technologies needed to load pages, remember your choices, keep the site secure, and complete a purchase — including cookies our payment processor sets during checkout to process your payment securely. We do not use advertising cookies and we do not use cookies to track you across other websites. Because we rely only on essential and payment-related cookies, you can manage them through your browser settings.

What we do not collect

Through the app, we do not require an account and we do not collect your name, email address, phone number, mailing address, social-media handle, advertising identifier, contacts, calendar, microphone audio, or browsing history. We do not track you across other apps or websites, and we do not use the Advertising Identifier (IDFA) or App Tracking Transparency for tracking.

4. Why we process your data, and our legal bases

We process personal data only for the purposes described below. Where the GDPR applies, the legal basis for each purpose is noted in brackets.

  • To create your share image — reading the workout, route, and photo you select and sending the route and stats (and, for photo modes, your photo) to our AI provider to generate and validate the image. [Performance of our contract with you and steps taken at your request; and, for health and precise-location data, your explicit consent, which you give through the in-app permission prompts.]
  • To run subscriptions, trials, and purchases — managing entitlements and, for website purchases, taking payment and delivering access. [Performance of a contract; compliance with legal obligations such as tax and accounting.]
  • To keep the service working and secure — enforcing usage limits, preventing fraud and abuse, and diagnosing crashes and performance issues. [Our legitimate interests in operating and securing the service; consent where required for analytics.]
  • To improve the product — understanding anonymized usage patterns to decide what to build. [Our legitimate interests; consent where required.]
  • To communicate with you — sending optional notifications and responding to your support requests. [Consent for push notifications; our legitimate interests in supporting you.]

You can withdraw consent at any time — for example, by revoking HealthKit or Health Connect access in your device settings, turning off notifications, or deleting your data in the app — without affecting processing that already took place.

5. Health and fitness data: our commitments

Health, workout, and route data is the most sensitive data DropPace touches, and we hold ourselves to the platform health-data rules:

  • We use health and fitness data obtained through Apple HealthKit and Google Health Connect only to provide the user-facing features of DropPace — generating your share image and validating its stats.
  • We never use health or fitness data for advertising, marketing, or any use-based data mining, and we never sell it.
  • We never use health or fitness data to determine eligibility for employment, insurance, or credit, and we do not share it for those purposes.
  • We do not transfer health or fitness data to third parties except the service providers needed to render your image (see sections 6 and 7), and only for that purpose.

DropPace's access to, use, and transfer of information received from Apple HealthKit and Google Health Connect adhere to the Apple Developer Program License Agreement and App Store Review Guidelines and to the Google Play requirements for health and fitness apps, including their Limited Use requirements. Any other use or transfer of Google user data to third parties is prohibited and we do not engage in it.

6. Third-party AI

DropPace uses a third-party artificial-intelligence service to generate the image treatment applied to your run and to validate that the on-image stats match your workout. Specifically, we send your route polyline, the selected workout stats, a style prompt, and — for the photo-led modes — your photo to OpenAI's image and vision APIs, which process that data on our behalf and return a generated image and a validation result. We do not send your name, email, device identifier, or any account information, because we do not collect them in the app.

When accessed through OpenAI's developer API as we do, that data is not used to train OpenAI's models. OpenAI may retain API inputs and outputs for up to 30 days to provide the service and monitor for abuse, after which they are deleted unless OpenAI is legally required to keep them. We do not use any third-party AI service to profile you, target advertising, or make automated decisions that produce legal or similarly significant effects about you. We ask for your consent to this processing through the in-app disclosure before your first generation.

7. Service providers we rely on

We rely on a small set of vendors to operate the service. Each acts as our processor and handles only the data needed for its role, under contract:

  • OpenAI — generates the share image and validates on-image stats, as described in section 6.
  • Convex — hosts our backend, our database, and the temporary storage for generated images.
  • RevenueCat — manages subscription state and entitlements purchased through Apple or Google.
  • Apple App Store and Google Play — process in-app purchases and subscriptions. We do not receive your payment-card details.
  • Stripe — processes website purchases of the one-time lifetime offer, including payment details.
  • Resend — sends transactional email for website purchases, such as your access link and backup code.
  • Sentry — receives crash reports and error traces.
  • PostHog — receives anonymized product-analytics events.
  • Cloudflare and Vercel — host this website, route share links, and provide network and DNS services.

When you choose to share a generated image to a social network, messaging app, or other third-party platform, that platform — not DropPace — controls what happens to the image and your activity there, under its own terms and privacy policy. You are responsible for what you choose to share and where, and we are not responsible for the practices of third-party platforms or destinations you send your images to.

8. How long we keep data

  • Original uploaded photos: processed to create your image and not retained afterward.
  • Workout and route data: processed only for the duration of the render and then discarded; the rendered route shape is part of the cached generated image.
  • Generated share images: cached for up to 30 days, then deleted automatically.
  • Device identifier and subscription state: retained while your installation or subscription is active and for a reasonable period afterward to service refunds, disputes, and abuse prevention.
  • Website purchase records: retained as long as your entitlement is valid and as required to meet our tax, accounting, and legal obligations.
  • Diagnostics and analytics: retained per the standard retention windows of Sentry and PostHog.

9. How we protect your data

We use technical and organizational measures appropriate to the sensitivity of the data, including encryption of data in transit and at rest with our infrastructure providers, access controls that limit who can reach production data, short retention windows, and secure development practices. No method of transmission or storage is perfectly secure, but we work to protect your data and to limit how long we hold it.

10. Your choices and controls

  • Delete your data in the app. Open Settings → Privacy → "Delete my data" to remove your device-scoped identifier and any cached images associated with it.
  • Manage permissions. You control HealthKit / Health Connect access, photo access, camera access, and notifications from your device settings, and can revoke any of them at any time.
  • Skip the photo. You can generate a share image without providing a photo by using the no-photo mode.
  • Contact us. Email [email protected] for any privacy request, including from a device whose data you want removed.

11. Your privacy rights

Because the app does not require an account or collect identifiers tied to you personally, the practical scope of these rights is narrow for app data — but we honor them, and they apply in full to website purchase data.

California (CCPA / CPRA)

In the past 12 months we have collected the following categories of personal information: identifiers (a random device identifier and, for website purchases, an email address and IP address); commercial information (purchase and entitlement records); internet or network activity (anonymized product-analytics and crash data); geolocation data (the route of a workout you choose to render); and sensitive personal information (health and precise-location data from your authorized workouts). We collect this information for the business purposes described in section 4, from you and from your device.

We do not sell your personal information and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA. We use and disclose sensitive personal information only to provide the service and for other purposes permitted without a right to limit. You have the right to know, access, delete, and correct your personal information, and not to be discriminated against for exercising these rights. To exercise a right, email [email protected]; you may use an authorized agent. We will verify your request using reasonable measures proportionate to the data involved.

EEA and UK (GDPR)

If you are in the European Economic Area or the United Kingdom, you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, the right to data portability, and the right to withdraw consent at any time. The legal bases for our processing are set out in section 4. To exercise a right, email [email protected]. You also have the right to lodge a complaint with your local data protection supervisory authority, though we hope you will contact us first so we can help.

Washington, Nevada, and other state health-data laws

If you are in Washington, Nevada, or another state with a consumer health data law, our separate Consumer Health Data Privacy Policy describes the consumer health data we collect, the purposes, the third parties that process it, and how to exercise your rights to access, withdraw consent, and delete — including from backups. Where your state treats workout, heart-rate, or precise route data as sensitive data requiring consent (for example, Connecticut), we collect it only with your permission, through the device health permissions and the in-app disclosure, and only as necessary to provide the service you request.

Other regions

If you are elsewhere, you may have similar rights under your local law (for example, in Canada, Brazil, or Australia). Contact us and we will honor the rights that apply to you.

12. International data transfers

DropPace is operated from the United States. If you use the service from outside the United States, your data will be processed in the United States and in other countries where our service providers operate. Where we transfer personal data out of the EEA or the UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum. Contact us for more information about these safeguards.

13. Children

DropPace is not directed to, and we do not knowingly collect personal data from, children under 13 — or under 16 in the European Economic Area and the United Kingdom (or such other age as your local law sets for digital consent) unless a parent or guardian has provided consent. If you believe a child has provided us data, contact [email protected] and we will delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you in-app. Your continued use of DropPace after a change takes effect means you accept the updated policy.

15. Contact

Questions or requests about this Privacy Policy or your data? Email [email protected]. You can also review our Terms of Service and our Acceptable Use Policy.