Privacy Policy Pace

1. Privacy at a Glance

General Information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data with which you can be personally identified. Health data is data that is stored during data processing for the evaluation of AI tools and the MCP server. For detailed information on the subject of data protection, please refer to our privacy policy listed below this text.

Data Collection on this Website

Who is responsible for data collection on this website? Data processing on this website is carried out by the website operator. Their contact details can be found in the "Notice on the Responsible Party" section of this privacy policy.

How do we collect your data? Your data is collected in two ways: firstly, when you provide it to us. This may include data that you enter in a contact form or that arises during registration and use of the Pace MCP Server. Other data is collected automatically or with your consent when you visit the website through our IT systems. This is primarily technical data (e.g., internet browser, operating system, or time of page access). In addition, with your express consent, health and fitness data from connected wearable devices is collected and processed.

What do we use your data for? Part of the data is collected to ensure error-free provision of the website. In addition, we process your wearable and health data exclusively to provide the Pace MCP service, i.e., to provide personalized training and health analyses within the Claude AI environment.

What rights do you have regarding your data? You have the right at any time to receive information free of charge about the origin, recipient, and purpose of your stored personal data. You also have the right to request correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right, under certain circumstances, to request restriction of the processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

You can contact us at any time regarding this and other questions about data protection.

2. Hosting

External Hosting

This website is hosted externally. The personal data collected on this website is stored on the host's servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses, and other data generated via a website.

External hosting is carried out for the purpose of contract fulfillment towards our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of secure, fast, and efficient provision of our online offering by a professional provider (Art. 6 para. 1 lit. f GDPR).

We use the following host: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Frontend Hosting

The landing page of the Pace MCP Server is hosted and provided via the Framer platform: Framer B.V., Rozengracht 207a, 1016 LZ Amsterdam, Netherlands

When visiting the landing page, technical access data (e.g., IP address, browser type, time of access) is processed by Framer. Processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and efficient provision of the service).

Pace MCP Server – Cloud Infrastructure (Google Cloud Platform)

The Pace MCP Server operates on the Google Cloud Platform (GCP). The following services are used:

  • Google Cloud Run – serverless execution environment for the MCP server (FastMCP/FastAPI/Python)

  • Cloud SQL PostgreSQL – managed database infrastructure for storing synchronized wearable data

  • Firebase Authentication – user authentication via email/password or Google SSO

All mentioned services are operated by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Processing is based on Art. 6 para. 1 lit. b GDPR (contract fulfillment) and Art. 9 para. 2 lit. a GDPR (express consent for health data).

3. Analysis Tools

Framer Analytics

This website uses Framer Analytics, an analysis tool provided by the hosting provider Framer B.V. When accessing the website, usage data (including anonymized IP address, page views, dwell time, device information) is automatically transmitted to Framer B.V. servers and processed there.

Provider: Framer B.V., Rozengracht 207a, 1016 LZ Amsterdam, Netherlands

Processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in analyzing and improving the web offering). If consent is required under § 25 para. 1 TDDDG, processing is carried out exclusively based on your consent. This can be revoked at any time with effect for the future.

Further information on data protection at Framer can be found at: https://www.framer.com/legal/privacy-statement/

4. Pace MCP Server – Data Processing in Detail

Purpose and Functionality

The Pace MCP Server enables users to access their personal wearable and fitness data within the Claude AI environment (Anthropic) and have it analyzed. Supported devices and platforms include Garmin, Polar, Whoop, Oura, Apple Health, and Fitbit.

Data Categories Collected

Registration and Account Data:

  • Email address

  • Authentication tokens (Firebase Auth / OAuth 2.1)

Health and Fitness Data (special categories under Art. 9 GDPR):

  • Sleep data (sleep duration, sleep phases, sleep quality)

  • Heart rate data (resting heart rate, HRV – heart rate variability)

  • Training and activity data (training load, activity duration, calorie consumption)

  • Body measurement data (if provided by the device)

  • Other wearable metrics released by the user

Data-Storage Location:

europe-west-1, St.Ghislain | Belgium, Europe

Processing of these special data categories is carried out exclusively based on your express consent pursuant to Art. 9 para. 2 lit. a GDPR, which you provide during the onboarding process. Consent can be revoked at any time.

Data Flow

The data flow occurs in three steps:

  1. Onboarding: The user registers on pace-mcp.web.app (Firebase Auth), connects their wearable devices via the Terra Widget, and selects the data types to be synchronized.

  2. Synchronization: Terra API transfers device data via webhook to our Cloud SQL PostgreSQL database. The data is normalized into a uniform schema. Multiple devices can be connected simultaneously.

  3. MCP Access: The user adds Pace as a connector in Claude (OAuth 2.1 flow with PKCE). Claude queries the database via MCP tools and provides context-rich answers in the conversation.

Waitlist

On our landing page, there is an option to register for a waitlist to be informed about the launch and availability of the Pace MCP Server. The following personal data is collected and stored:

  • Data Collected: Name (optional), email address (required), country (required), time of registration

  • Purpose: Information about the launch and availability of the Pace MCP Server

  • Legal Basis: Art. 6 para. 1 lit. a GDPR (consent)

  • Storage Duration: Until consent is revoked or until the launch process is completed, but no later than 12 months after registration

  • Processed by: Framer B.V., Rozengracht 207a, 1016 LZ Amsterdam, Netherlands (form hosting and data storage)

Consent to be included in the waitlist can be revoked at any time by informal notification to office@alpen-top.com or via the unsubscribe link in the emails sent. The lawfulness of processing carried out prior to revocation remains unaffected.

User Registration (pace-mcp.web.app)

Registration is required to use the Pace MCP Server. The following data is processed:

  • Data Collected: Email address, password (stored encrypted), optionally: Google account data when logging in via Google SSO

  • Purpose: Creation and management of your user account, authentication for access to the Pace MCP Server

  • Legal Basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment)

  • Storage Duration: For the duration of active account use; after account deletion, personal data will be deleted within 30 days, provided there are no legal retention obligations

  • Processed by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Firebase Authentication)

When using the "Continue with Google" option, data from your Google account (name, email address, profile picture) is transmitted to Firebase Authentication. Google's privacy policy also applies: https://policies.google.com/privacy

Third-Party Provider: Terra API (Wearable Data Aggregation)

We use Terra API for aggregation and normalization of wearable data: Tryterra Limited (server location: eu-west-2, AWS – United Kingdom)

Terra API acts as a data processor within the meaning of Art. 28 GDPR. The United Kingdom is considered a safe third country based on the EU Commission's adequacy decision of June 28, 2021, so data transfer is permissible without additional guarantees. We note that this adequacy decision is regularly reviewed.

Integration with Claude (Anthropic)

The Pace MCP Server is integrated as a connector in Anthropic's Claude AI environment. When using the connector, queries and responses are processed via Anthropic's infrastructure. Anthropic acts as an independent controller in this regard. We recommend users also review Anthropic's privacy policy at https://www.anthropic.com/legal/privacy.

5. General Information and Mandatory Disclosures

Data Protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

Notice on the Responsible Party:

Salcher Anton St. Lorenzen im Lesachtal 35, 9654, Email: leo.bereuter@pacetraining.co

Storage Duration

Unless a more specific storage period has been specified within this privacy policy, your personal data will remain with us until the purpose for data processing ceases to apply. If you assert a legitimate request for deletion or revoke consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial retention periods); in the latter case, deletion will occur after these reasons cease to apply.

General Information on the Legal Basis for Data Processing on this Website

If you have consented to data processing, we process your personal data on the basis of Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR if special data categories according to Art. 9 para. 1 GDPR are processed. In case of express consent to the transfer of personal data to third countries, data processing also takes place on the basis of Art. 49 para. 1 lit. a GDPR. If you have consented to the storage of cookies or access to information in your device (e.g., via device fingerprinting), data processing additionally takes place on the basis of § 25 para. 1 TDDDG. Consent can be revoked at any time. If your data is required for contract fulfillment or to carry out pre-contractual measures, we process your data on the basis of Art. 6 para. 1 lit. b GDPR. Furthermore, we process your data if this is necessary to fulfill a legal obligation on the basis of Art. 6 para. 1 lit. c GDPR. Data processing can also be based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Information about the relevant legal basis in each individual case is provided in the following paragraphs of this privacy policy.

Recipients of Personal Data

As part of our business activities, we work with various external entities. In some cases, this also requires the transfer of personal data to these external entities. We only transfer personal data to external entities when this is necessary for contract fulfillment, when we are legally obligated to do so (e.g., transfer of data to tax authorities), when we have a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the transfer, or when another legal basis permits data transfer. When using data processors, we only transfer personal data from our customers on the basis of a valid data processing agreement. In the case of joint processing, a joint processing agreement is concluded.

Revocation of Your Consent to Data Processing

Many data processing operations are only possible with your express consent. You can revoke consent already given at any time. The lawfulness of data processing carried out prior to revocation remains unaffected by the revocation.

Right to Object to Data Collection in Special Cases and to Direct Marketing (Art. 21 GDPR)

IF DATA PROCESSING IS BASED ON ART. 6 PARA. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR THE PROCESSING SERVES TO ASSERT, EXERCISE, OR DEFEND LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 PARA. 1 GDPR).

IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION PURSUANT TO ART. 21 PARA. 2 GDPR).

Right to Lodge a Complaint with the Competent Supervisory Authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, particularly in the member state of their habitual residence, place of work, or place of the alleged violation. The right to lodge a complaint exists without prejudice to other administrative or judicial remedies.

Right to Data Portability

You have the right to have data that we process automatically based on your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of data to another controller, this will only be done to the extent technically feasible.

Information, Correction, and Deletion

Within the framework of applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of data processing and, if applicable, a right to correction or deletion of this data. The deletion of data can be done through “Settings”, there you can execute the deletion of data and your account, through clicking “Delete”. You can contact us at any time regarding this and other questions about personal data.

Right to Restriction of Processing

You have the right to request restriction of the processing of your personal data. You can either disconnect your wearable in the main-menu or contact us at any time for this purpose. The right to restriction of processing exists in the following cases:

  • If you dispute the accuracy of your personal data stored with us, we usually need time to verify this. For the duration of the verification, you have the right to request restriction of the processing of your personal data.

  • If the processing of your personal data was/is unlawful, you can request restriction of data processing instead of deletion.

  • If we no longer need your personal data, but you need it to exercise, defend, or assert legal claims, you have the right to request restriction of the processing of your personal data instead of deletion.

  • If you have lodged an objection pursuant to Art. 21 para. 1 GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data – apart from its storage – may only be processed with your consent or for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a member state.

To exercise your right to restriction of processing, you can contact us at office@alpen-top.com or use the corresponding function directly in your Pace account under "Privacy Settings." A confirmed restriction will be implemented within 72 hours. During the restriction, no new wearable data will be synchronized and access to your data via the Claude connector is not possible. Stored data will be retained until the restriction is lifted or at your express request.

SSL/TLS Encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.