Privacy Policy

1. Data Controller

The controller responsible for the processing of personal data on enduringmotion.com is:

Andrzej Ziombra

Seestr. 59B, 70174 Stuttgart, Germany

Email: contact@enduringmotion.com

2. Scope and principles of processing

Personal data is processed only to the extent necessary to operate the Website, answer enquiries, handle orders, supply digital content, run the newsletter, and ensure the technical security of the Website.

Where no more specific retention period is stated in this Privacy Policy, personal data is deleted once the relevant purpose has been fulfilled and no statutory retention obligation requires further storage.

3. Legal bases for processing

• Art. 6(1)(a) GDPR – consent, for example in connection with the newsletter or where separate consent is required for a specific processing activity,
• Art. 6(1)(b) GDPR – performance of a contract or steps taken prior to entering into a contract, for example order handling and the supply of digital content,
• Art. 6(1)(c) GDPR – compliance with a legal obligation, for example tax or accounting obligations,
• Art. 6(1)(f) GDPR – legitimate interests, for example website security, abuse prevention, error diagnostics, and basic analytics,
• Art. 9(2)(a) GDPR – explicit consent, where health-related data is exceptionally processed.

4. Hosting and server logs

The Website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. In connection with hosting, technical connection data may be processed, in particular IP address, date and time of access, requested resource, referrer, browser information, and system information.

This data is processed for the secure operation of the Website, error diagnostics, and abuse prevention. The legal basis is Art. 6(1)(f) GDPR.

Where personal data is transferred to a third country, the transfer takes place on the basis of appropriate safeguards, in particular standard contractual clauses, unless an adequacy decision applies.

5. Contact form and email contact

If you contact me via contact form or email, I process the data you provide, in particular your name, email address, subject line, and message content, in order to respond to your enquiry and handle the matter.

Fields marked as mandatory are required to process the enquiry. Without this data, the enquiry may not be processed.

The legal basis is Art. 6(1)(b) GDPR where the enquiry relates to the conclusion or performance of a contract, or Art. 6(1)(f) GDPR in other cases.

Messages may technically be sent using Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Only the data necessary to send the message is transferred.

Contact data is stored for as long as necessary to handle the matter and then deleted, unless longer retention is necessary due to legal obligations or the defence of legal claims.

6. Newsletter

If you subscribe to the newsletter, your email address is processed for the purpose of sending newsletter messages. Subscription takes place using a double opt-in procedure.

The newsletter tool provider is MailerLite (UAB MailerLite, J. Basanavičiaus 15, LT-03108 Vilnius, Lithuania).

The legal basis is your consent under Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future, for example by using the unsubscribe link contained in each newsletter email.

Newsletter data is stored until you unsubscribe or withdraw your consent, unless legal documentation obligations require longer retention.

7. Protection of forms against abuse (Cloudflare Turnstile)

To protect forms against spam and automated abuse, I use Cloudflare Turnstile (Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA).

In this context, technical connection data and browser metadata necessary to distinguish legitimate traffic from automated traffic may be processed. The legal basis is Art. 6(1)(f) GDPR.

Where the use of this tool involves a transfer of personal data to a third country, such transfer takes place on the basis of appropriate safeguards, in particular standard contractual clauses.

8. Cookies and functional settings

The Website does not use marketing cookies or cookies for advertising profiling.

A single functional mechanism, for example NEXT_LOCALE, may be used to remember the selected site language where this is technically necessary for the proper operation of the Website.

9. Web analytics

The Website uses Plausible Analytics (Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia) for privacy-friendly aggregate website statistics. Based on the current technical configuration, no marketing cookies are used and IP addresses are not stored permanently.

To the extent that technical usage data is processed, this is done on the basis of the legitimate interest in the efficient and technically stable operation of the Website under Art. 6(1)(f) GDPR.

10. Maps and weather data

To display maps, route information, or terrain data, the Website may load map tiles from OpenStreetMap and OpenTopoMap. When such content is loaded, your IP address and technical request data are transmitted to the respective providers.

The Website may also request weather data from Open-Meteo. In that case, technical request data, including IP address, may be transmitted to the service provider.

The legal basis is Art. 6(1)(b) GDPR where the function is linked to a contractual service, or Art. 6(1)(f) GDPR in other cases.

11. Checkout and payment provider (Paddle)

For paid digital products, checkout and payment processing are handled through Paddle, acting as Merchant of Record.

In connection with a purchase, data such as email address, billing data, payment data, country, transaction value, currency, VAT-related information, and transaction status may be processed.

This processing is necessary for the performance of the contract and for compliance with legal obligations, in particular accounting and tax obligations. The legal bases are Art. 6(1)(b) and Art. 6(1)(c) GDPR.

The specific data processed in each case depends on the checkout and the privacy information of the payment provider.

12. Training planner and product-related forms

When you use the training planner or similar product-related forms, I process the data you provide in order to prepare and deliver the requested digital product. This may include data such as target race, distance, elevation, preparation period, training level, weekly volume, available training time, and similar training-related parameters.

The legal basis is Art. 6(1)(b) GDPR, to the extent that the processing is necessary for the performance of a contract or for steps taken prior to entering into a contract.

Where a form allows the voluntary submission of data relating to injuries, health conditions, or similar health-related circumstances, the rules set out in the section “Special categories of personal data” below apply.

Digital Products delivered through the Website may contain a personalised watermark that may be linked to order data.

Fields marked as mandatory are required to provide the requested service. Without this data, the service may not be available.

Form input data is stored only for as long as necessary for preparation, delivery, documentation, or the defence of legal claims. Input data not subject to statutory retention obligations is deleted once the purpose has been fulfilled.

13. Special categories of personal data

The Website and purchase flow are designed so that, as a rule, no special categories of personal data under Art. 9 GDPR are required for an order. Please do not submit health data, medical details, injury histories, or similar sensitive information through the Website unless a specific form expressly requests such information.

Where a User voluntarily provides data relating to health, injuries, physical limitations, or similar circumstances, such data is processed only to the extent necessary to handle the matter and only on the basis of the User’s explicit consent under Art. 9(2)(a) GDPR.

Where such consent is given, it may be withdrawn at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

14. Recipients of data and service providers

Personal data is disclosed to third parties only to the extent necessary to fulfil the purposes described in this Privacy Policy.

Service providers currently used include in particular:

• Vercel Inc. (USA) – website hosting,
• Railway Corp. (USA) – backend hosting and data processing,
• Resend Inc. (USA) – transactional email delivery,
• MailerLite (Lithuania) – newsletter delivery and management,
• Cloudflare Inc. (USA) – bot protection (Turnstile),
• Plausible Insights OÜ (Estonia) – web analytics,
• Paddle (Ireland/United Kingdom) – checkout and payment processing,
• Functional Software Inc. / Sentry (USA) – error detection and stability monitoring,
• Upstash Inc. (USA) – technical rate limiting.

Where processors are used, they are engaged on the basis of data processing agreements where required by law, or the processing is supported by other permissible legal bases.

Where service providers are based outside the European Economic Area, data transfers take place on the basis of appropriate safeguards under Art. 46 GDPR, in particular standard contractual clauses, unless an adequacy decision under Art. 45 GDPR applies.

15. Retention periods

Order and billing data is retained in accordance with statutory commercial and tax retention obligations.

Newsletter data is retained until consent is withdrawn or the subscription is cancelled.

Contact enquiries, form data, and technical logs are retained only for as long as necessary for the relevant purpose or as justified by legitimate interests.

16. Your rights

• right of access under Art. 15 GDPR,
• right to rectification under Art. 16 GDPR,
• right to erasure under Art. 17 GDPR,
• right to restriction of processing under Art. 18 GDPR,
• right to data portability under Art. 20 GDPR,
• right to object under Art. 21 GDPR where processing is based on legitimate interests,
• right to withdraw consent at any time with effect for the future,
• right to lodge a complaint with a competent data protection supervisory authority.

17. Obligation to provide data

Where certain fields in forms or the order process are marked as mandatory, this data is required to process the request, perform the contract, or provide the requested service. Without this data, the service may not be available or may be limited.

18. Changes to this Privacy Policy

This Privacy Policy may be updated where necessary due to changes in law, technical changes, or changes to the services offered. The version published on the Website applies.