RunBar·§ Legal · 01

Privacy policy.

Last updated · May 5, 2026

RunBar is a local-first macOS menu-bar app. We do not run servers, we do not collect analytics, and we do not phone home. This page describes the only places your data leaves your Mac, and on whose behalf.

Who we are

RunBar is built and operated by an individual developer (the Data Controller). For privacy enquiries, deletion requests, or any GDPR / UK GDPR right of access: contact page.

What data lives on your Mac

  • Strava activities (last 7 days). RunBar synchronises a rolling 7-day window of your runs from the Strava API into a local SwiftData store at ~/Library/Application Support/RunBar/store.sqlite. Activities older than 7 days are purged automatically on every sync, in line with the Strava API Agreement.
  • Weekly snapshots (derived). RunBar stores per-week aggregates (target, achieved distance / runs / elevation, metric used) in UserDefaults. These are summary numbers computed locally — they are not raw Strava data.
  • Strava OAuth tokens and (optionally) your AI provider API key are stored in the macOS Keychain with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly.
  • Settings & preferences. Goal target, metric, unit, race date and name. Stored in UserDefaults.

What leaves your Mac, and to whom

RunBar makes outbound network calls only in three situations:

  1. Strava API (privacy policy): OAuth login + activity sync over HTTPS. Strava is the source of the run data; their privacy terms apply to the access we have on your behalf, scoped to the permissions you granted at OAuth time.
  2. Sparkle update check. The app fetches https://runbar.run/appcast.xml roughly every 24 hours to check for new versions. The request carries no identifier beyond a generic User-Agent.
  3. AI coach (opt-in only). If — and only if — you enable the coach and provide an API key, RunBar sends a small JSON payload of weekly aggregates to the chosen provider (default: Google Gemini). Specifically: distance, run count, elevation, target, progress %, days left in the week, the last four weeks of distance totals, your goal streak, and (if set) your race name and days until race. We never send activity names, timestamps, GPS data, or personal identifiers. Your API key is sent over HTTPS to authenticate the request and is never stored on any server we control.

Strava data & third parties

Per the Strava API Agreement, RunBar may not share Strava Data with third parties or use it for AI / ML model training. The values transmitted to your AI provider are derived aggregates (sums and ratios computed locally on your Mac), not raw Strava records — a constraint we built into the product to honour that agreement.

We recommend the paid Gemini API tier when using the AI coach. Google’s free tier may use prompts to improve their models; paid tiers do not. See Gemini API terms.

What we don’t do

  • No analytics or telemetry.
  • No advertising of any kind.
  • No data sold, rented, leased, or otherwise shared.
  • No tracking cookies (the marketing site is static).

Your rights

You have the right under GDPR / UK GDPR to access, correct, port, and erase the personal data RunBar holds about you. Because the app is local-first, most of these rights are exercised in the app itself:

  • Access & portability: every activity row in the popover is a view on the local database; the SQLite file is yours and can be opened with any SQLite client.
  • Deletion (Strava data): Settings → Sources → Disconnect. RunBar deletes the OAuth tokens and purges all locally cached Strava activities from the store.
  • Deletion (everything): drag RunBar.app to the Trash and remove ~/Library/Application Support/RunBar/ and the com.rodrigue.runbar.tahoe entries from ~/Library/Preferences/.
  • Withdraw AI consent: Settings → Coach → Remove key, or toggle the coach off. The key is wiped from the Keychain and no further requests are sent.
  • Strava revocation: at any time you can revoke RunBar’s access at strava.com/settings/apps. On revocation, RunBar deletes the cached activities at the next launch.

Data retention

Strava data is retained for at most 7 days locally, in line with the Strava API Agreement. Derived weekly aggregates (snapshots) and your settings are retained for as long as you use the app and are removed when you uninstall.

Security

All outbound traffic uses HTTPS. Tokens and API keys live in the macOS Keychain with device-only access. Because there is no RunBar backend, there is no remote attack surface for your data.

Children

RunBar is not directed at children under 13. If you are a parent and believe a child has used the app, contact us and we will help with deletion guidance.

Changes to this policy

Material changes will be reflected here, with a new Last updated date. Continued use of RunBar after a change constitutes acceptance.