PRIVACY POLICY.

Summary of key points

This summary highlights the main points of our Privacy Policy. You can find more detail in the full sections that follow.

• Who we are. OUTRUN is operated by Outrun London Limited, a company based in London, United Kingdom. We are the controller of your personal information. (See Section 1.)

• What we collect. Account and profile details, the runs and content you create, your precise location while recording a run, health and fitness data you choose to share (such as heart rate and workouts from Apple Health), social interactions, and technical/usage data. (See Section 2.)

• Sensitive (special category) data. Your route/GPS data and health and fitness metrics are treated as special category data. We only process them with your explicit consent, which you can withdraw at any time. (See Section 3.)

• Why we use it. To provide and operate the app, let you record and analyse your runs, connect you with other runners, keep the Services secure, improve them, and meet our legal obligations. (See Section 4.)

• Who we share it with. Other users (according to your visibility settings), and a small set of trusted service providers that host and support the app. We do not sell your personal information, and we do not use it for advertising. (See Section 6.)

• Your rights. You have rights over your personal information, including access, correction, deletion and the right to complain to the Information Commissioner's Office (ICO). (See Section 10.)

• Contact. Email us at info@outrunldn.com. (See Section 14.)

1. Who we are and how to contact us

The Services are provided by:

Outrun London Limited (registered in England and Wales)

71–75 Shelton Street, Covent Garden

London, WC2H 9JQ, United Kingdom

Email: info@outrunldn.com

If you have any questions about this Policy, want to exercise your privacy rights, or have a concern about how we handle your personal information, please contact us at the email above.

2. The information we collect

We collect personal information in three ways: information you give us, information we collect automatically when you use the Services, and information we receive from third parties and services you choose to connect.

2.1 Information you provide to us

• Account information — when you create an account we collect your name, email address, phone number, username, and password (passwords are stored only in hashed form by our authentication provider, never in plain text).

• Profile information — your display name, username, profile photo (avatar), and any other details you choose to add to your profile.

• Content you create — the runs and activities you log; titles, captions and comments you write; photos you upload; emoji reactions; and messages you send in group or run-club chats.

• Contacts (optional, friend-finding). With your permission, OUTRUN can use your device contacts to help you find friends who already use the app. The email addresses and phone numbers from your contacts are sent to us only to find matching OUTRUN users, and are not retained afterwards.

• Support information — any information you provide when you contact us for help or correspond with us.

2.2 Information we collect automatically when you use the Services

• Activity and run data — information about the runs you record or import, such as distance, duration, moving time, pace, per-kilometre splits, sport type, elevation gain, date and time, and the route you took. We also collect locations you add to planned runs or club meet-ups.

• Precise location data — when you record a run, OUTRUN collects your device's precise GPS location (latitude, longitude, altitude, speed, heading and accuracy) so it can map and measure your run. With your permission, location is collected in the background so you can lock your phone while running. Location is only collected for run tracking and the related map features; you can turn it off at any time in your device settings (this will disable run tracking).

• Health and fitness metrics — heart rate (average and maximum), active energy / calories burned, and similar workout metrics, where you provide them or import them from a connected source such as Apple Health.

• Social and engagement data — who you follow and who follows you, follow requests, run clubs you belong to, posts you view, and the reactions and comments you give and receive.

• Device and technical data — device model, operating system and version, app version, language and time-zone, IP address, and similar technical information needed to run the app, diagnose problems and keep the Services secure. We also collect crash and error diagnostics (see Section 13).

• Usage and analytics data — where you consent, we collect information about how you use the app (such as the screens and features you use and actions you take). Once you are signed in, this information is linked to your account identifier and email address.

• Push notification tokens — if you enable notifications, we store a push token for your device, together with your platform (iOS or Android) and time-zone offset, so we can deliver notifications.

2.3 Information from third parties and connected services

• Connected devices and apps. If you choose to connect a third-party health or fitness service (such as Apple Health or others), we collect the workout and activity data you import through it — for example workout details, GPS route, heart rate and energy/calories burned. We only access this data with your permission and use it to import and display your activities.

• Sign-in providers. If you sign in using Apple or Google, we receive basic profile information (such as your name and email address) needed to create and secure your account.

3. Special category health and location data

Some of the information OUTRUN processes is special category data under the UK GDPR — in particular your health and fitness data (such as heart rate, calories and workout details) and the precise location / route data of your runs, which can reveal information about where you live, work and exercise.

We only collect and use this data:

• with your explicit consent, which you give through the in-app and operating-system permission prompts (for example, the Apple Health permission and the location permission); and

• for the purposes described in this Policy — principally to record, display and analyse your runs and to power features you choose to use.

You can withdraw your consent at any time by turning off the relevant permission in your device settings or by disconnecting a connected device or app (such as Apple Health). Withdrawing consent stops future processing but does not affect processing already carried out, and may mean some features no longer work.

We do not use your health or location data for advertising, and we do not sell it or disclose it to third parties except as described in Section 6.

4. How and why we use your information

We use your personal information for the following purposes, relying on the legal bases shown. The legal bases are explained in Section 5.

• Create and manage your account, and authenticate you — uses account information, sign-in provider data, device data. Legal basis: performance of a contract.

• Record, store, map and analyse your runs (distance, pace, splits, route, performance) — uses activity data, precise location, content. Legal basis: performance of a contract for run data; explicit consent (Art. 9(2)(a)) for precise location and health data.

• Import and display workouts from connected devices and apps (such as Apple Health) — uses health and fitness data, activity data. Legal basis: explicit consent (Art. 9(2)(a)).

• Create run-club heatmaps from members' routes — uses route / location data of club runs. Legal basis: consent (on by default for club runs; you can opt out in Settings).

• Power social features — feed, groups, run clubs, following, comments, reactions, chat — uses profile, content, social and engagement data. Legal basis: performance of a contract.

• Help you find friends who use OUTRUN — uses your stored email and phone number; contact identifiers (matched, not retained). Legal basis: consent.

• Send push notifications about social activity and your account — uses push token, engagement data. Legal basis: consent.

• Provide product analytics to understand and improve the app — uses usage/analytics data, account identifier, email. Legal basis: consent (you can opt out at any time).

• Crash and error reporting to keep the app stable and secure — uses diagnostic data, device/technical data. Legal basis: legitimate interests (keeping the Services stable and secure).

• Prevent fraud and abuse, and troubleshoot problems — uses device/technical data, log and diagnostic data. Legal basis: legitimate interests (protecting the Services and our users); legal obligation.

• Respond to your support requests — uses support information, account information. Legal basis: performance of a contract; legitimate interests (responding to your enquiry).

• Send you service-related (non-marketing) messages — uses account and profile information. Legal basis: performance of a contract; legitimate interests (operating the Services).

• Comply with legal obligations and respond to lawful requests — uses any relevant information. Legal basis: legal obligation.

• Protect someone's life or safety in an emergency — uses any relevant information. Legal basis: vital interests (rare cases only).

We do not use automated decision-making that produces legal or similarly significant effects on you, and we do not currently send marketing emails.

5. The legal bases we rely on

Under the UK GDPR we must have a valid legal basis to process your personal information. Depending on the purpose, we rely on one or more of the following:

• Performance of a contract — where processing is necessary to provide the Services you have signed up for (for example, creating your account, recording your runs, and powering the social features).

• Consent — where you have given us permission for a specific purpose, such as accessing your location, Apple Health or contacts, sending push notifications, including your routes in run-club heatmaps, or carrying out product analytics. For special category health and precise-location data we rely on your explicit consent under UK GDPR Article 9(2)(a), which applies in addition to an Article 6 basis. You can withdraw consent at any time (see Section 10).

• Legitimate interests — where processing is necessary for our legitimate interests and these are not overridden by your rights. We rely on this for: keeping the Services stable and secure (including crash and error reporting); preventing fraud and abuse; responding to support requests; and sending service-related messages. You can object to processing based on legitimate interests at any time, and you can ask us for more detail about our balancing assessment.

• Legal obligation — where we must process information to comply with the law.

• Vital interests — only in rare cases where processing is necessary to protect someone's life or safety.

6. How and with whom we share your information

We do not sell your personal information, and we do not share it with advertising networks or use it for advertising. We share information only in the following circumstances.

6.1 With other users

OUTRUN is a social app, so some information is visible to others according to your choices:

• Public profile — your name, username and profile photo are visible to other OUTRUN users.

• Activity you share — when you post a run to the feed, it can be seen by other OUTRUN users. When you post a run to a private group (crew), it is visible only to that group's members. A shared post includes its details, such as distance, pace, route map, photos, captions, comments and reactions.

• Run clubs — if you join a run club, your membership is visible to other users, and other members can see the messages and photos you contribute to that club.

• Social interactions — the follows, comments and reactions you give are visible to other users.

Your email address and certain account details are kept private and are not shown to other users.

6.2 With our service providers

We use a number of trusted providers to run the app — for hosting and storing data, authentication, analytics (with your consent), crash and error reporting, and delivering push notifications. They process personal information only on our instructions and under contracts that require them to protect it, and some are located outside the UK (see Section 8).

When you tap a link to open an external service — for example to get directions in Apple Maps, Google Maps or Waze, or to add an event to your calendar — you leave OUTRUN and that service handles your information under its own privacy policy. We do not control those services.

6.3 For legal reasons and to protect people

We may disclose your information where we reasonably believe it is necessary to: comply with a legal obligation, court order or lawful request; enforce our Terms of Service; detect, prevent or address fraud, security or technical issues; or protect the rights, property or safety of OUTRUN, our users or the public.

6.4 Business transfers

If OUTRUN is involved in a merger, acquisition, financing, reorganisation or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and of any choices you may have.

7. Connected devices, apps and sign-in providers

• Connected health and fitness services. You can choose to connect third-party services to import your activities. We access only the data you authorise and use it solely to import and display your activities. We currently support Apple Health / Apple Watch (iOS): with your permission, OUTRUN reads your workouts (route, heart rate and active energy) on a read-only basis to import your runs, and you can review or revoke this access at any time in iOS Settings → Privacy & Security → Health, or in the Health app. Any other integrations we add in future will work on the same basis and be connected only with your permission.

• Sign-in providers (Apple, Google). If you sign in with a third-party provider, that provider shares limited profile information with us to create and secure your account. Your use of those accounts is governed by the relevant provider's own privacy policy, which we recommend you review.

8. International data transfers

We are based in the United Kingdom and aim to store and process your personal information within the UK and the European Economic Area (EEA) where possible. However, some of our service providers are based in, or store data in, other countries, including the United States.

Where personal information is transferred outside the UK, we put in place appropriate safeguards required by UK data protection law, such as:

• transfers to countries the UK government has decided provide an adequate level of protection; or

• contractual protections such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission's Standard Contractual Clauses.

You can request a copy of the relevant safeguards (for example, the IDTA or UK Addendum) by emailing info@outrunldn.com.

9. How long we keep your information

We keep your personal information for as long as you maintain an OUTRUN account and for as long as needed to provide the Services and fulfil the purposes in this Policy.

• Account and content — kept while your account is active.

• After you delete your account — when you delete your account, we delete the personal information we hold about you and remove it from our active systems without undue delay. Information held in routine backups is deleted as those backups are cycled.

• Where we must keep information longer — for example to comply with legal, tax or accounting obligations, or to resolve disputes and enforce our agreements — we retain only what is necessary and for no longer than required.

Note that content you have shared publicly or with other users (for example, comments on another user's run) may remain visible after you delete your own account.

10. Your privacy rights

Under UK data protection law you have the following rights over your personal information:

• Access — to be told whether we process your information and to receive a copy of it.

• Rectification — to have inaccurate or incomplete information corrected. You can update much of your profile directly in the app.

• Erasure — to ask us to delete your information ("right to be forgotten"), including by deleting your account.

• Restriction — to ask us to limit how we use your information in certain circumstances.

• Portability — to receive certain information in a portable, machine-readable format, or have it transferred to another provider.

• Objection — to object to processing based on our legitimate interests, and to object to direct marketing at any time.

• Withdraw consent — where we rely on your consent (for example, for location, health data, contacts, push notifications, run-club heatmaps, or analytics), you can withdraw it at any time. This does not affect processing already carried out.

We do not carry out automated decision-making that produces legal or similarly significant effects, so the related right under Article 22 does not arise; if this changes, we will update this Policy.

You can exercise most of these controls directly in the app and your device settings — for example by editing your profile, deleting posts, deleting your account, opting out of analytics, opting out of run-club heatmaps, or turning permissions for location, Apple Health, contacts and notifications on or off. To make any other request, contact us at info@outrunldn.com. We will respond within the timeframe required by law (usually one month, which we may extend by up to two further months for complex or numerous requests, in which case we will let you know). We may need to verify your identity before acting on a request.

Exercising your rights is free, and we will not penalise you for doing so.

Right to complain. If you are unhappy with how we have handled your personal information, you can complain to the UK's data protection regulator, the Information Commissioner's Office (ICO). This is without prejudice to any other legal remedy you may have.

• Website: https://ico.org.uk

• Helpline: 0303 123 1113

• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would, however, appreciate the chance to address your concerns first, so please consider contacting us before approaching the ICO.

11. How we keep your information secure

We use appropriate technical and organisational measures designed to protect your personal information, and we use reputable hosting and infrastructure providers. No method of transmission or storage is completely secure, however, so while we work to protect your information we cannot guarantee its absolute security. You can help protect your account by using a strong, unique password and keeping your device and the app up to date.

12. Children

OUTRUN is not intended for, or directed at, anyone under the age of 18. We ask you to confirm that you are at least 18 when you sign up, and we do not knowingly collect personal information from anyone under 18. If you are under 18, please do not use the Services.

If you believe a person under 18 has provided us with personal information, please contact us at info@outrunldn.com and we will take steps to deactivate the account and delete the information.

13. Analytics and tracking technologies

OUTRUN is a mobile app. It does not use advertising cookies or third-party advertising trackers, and we do not sell your data.

• Product analytics (PostHog, hosted in the EU). We use product analytics to understand how features are used so we can improve the app — for example, events such as signing up, completing onboarding, starting and completing runs, interacting with the feed, following other users, syncing contacts, and joining clubs and challenges. Because this involves storing and reading information on your device, we use product analytics only with your consent, and you can opt in or out at any time in Settings. Once you are signed in, analytics events are linked to your account identifier and your email address.

• Crash and error reporting (Sentry, hosted in the EU). We use crash and error diagnostics to detect and fix bugs and keep the app stable and secure. This may include technical data such as your IP address. We rely on our legitimate interest in providing a secure and reliable service for this limited purpose.

Because OUTRUN does not use web cookies, we provide these controls directly through your in-app and device settings rather than through a browser. We do not respond to browser "Do Not Track" signals, as there is no agreed standard for them in apps.

14. How to contact us

If you have questions or comments about this Policy, or wish to exercise your rights, contact us at:

Outrun London Limited

71–75 Shelton Street, Covent Garden

London, WC2H 9JQ, United Kingdom

Email: info@outrunldn.com

15. Changes to this Policy

We may update this Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If we make material changes, we will provide a more prominent notice, such as an in-app message, email, or push notification. Where a change affects processing we carry out on the basis of your consent, we will ask for your consent again rather than relying on continued use. We encourage you to review this Policy periodically.