This Privacy Policy explains how I, Cesar Arnouk, an individual based in France, collect and process personal data when you use the Leeka mobile application and the website at leeka.app (together, the “Service”). I operate Leeka in my personal capacity and I am the data controller for this processing under the EU General Data Protection Regulation (GDPR) and applicable French data protection law. In this policy, “Leeka”, “I”, “me”, and “my” all refer to me as the operator of the Service.
For any privacy question, or to exercise your rights, you can contact me at privacy@leeka.app.
About this website (leeka.app)
This policy covers all of Leeka. Right now, the leeka.app website does one thing: it collects waitlist sign-ups so we can tell you when Leeka launches. The sections below describe the Leeka Service as a whole — primarily the mobile app.
On the website specifically:
- We collect only what you enter in the waitlist form: your email address and, optionally, your first name, your city, and how many times a week you run. We also record the language you chose and any campaign or referrer parameters in the link you arrived from (UTM / referrer).
- The legal basis is your consent, given when you submit the form, for the single purpose of being notified when Leeka launches.
- We keep waitlist entries until 30 days after launch, after which they are migrated into the product or deleted.
- The website runs no analytics, no advertising and no third-party trackers, so there is no cookie banner. (PostHog and Sentry, named below, are used by the mobile app — not by this website.)
- To be removed from the waitlist at any time, email privacy@leeka.app.
1. What Leeka is
Leeka connects runners training for the same race and goal time so they can train and run together in local groups (“crews”). To do this, the Service stores profile information, training-plan and session data, your session-coordination choices, and content you post to your crew.
2. Data I collect
Account and identity
- Your email address and a hashed password (managed by my authentication provider), or, if you choose “Sign in with Apple” or “Sign in with Google”, the identifier those providers return to me.
- Your first name, last name, and gender, provided during onboarding.
Profile
- An optional profile photo.
- An optional short bio.
Training and coordination data
- Your target event, target finish time, and training city (selected from a list).
- Your crew membership and your time-slot votes for training sessions.
- Your attendance records and streak data.
Content you create
- Messages you send in session chats.
- Photos, clips, posts, comments, and reactions you share in your crew feed.
Technical and usage data
- A push-notification token, if you enable notifications, used to deliver alerts to your device.
- Product-analytics events (for example, which actions you take in the app, with your user identifier and, where relevant, your crew identifier) used to understand and improve the Service. These events do not include the content of your posts, comments, chat messages, or bio — only the type of action and non-content metadata (for example, the length of a post, never its text).
- Basic device and app information attached automatically to analytics and diagnostic events — such as device model, operating-system version, app version, language, and a generated analytics/device identifier.
- Diagnostic and crash data used to detect and fix errors. I configure crash reporting not to attach directly identifying personal information.
- Your IP address is processed transiently by my infrastructure providers as a normal part of connecting your device to the Service; I do not use it to build a location profile.
What I do not collect
- I do not collect your precise or background GPS location. Your “training city” is a value you select, not a device-location reading.
- I do not collect or store payment-card or banking information.
- I do not knowingly collect special-category data beyond the profile fields described above.
3. How other users see your data
Leeka is a group product. The following are visible to other members of your crew only (never to the public or to other crews): your first name (with a last initial if names clash), profile photo, bio, attendance and streak statistics, your slot choices, and any chat messages, posts, comments, and reactions you share. Access is restricted at the database level so that you only ever see data for crews you belong to.
4. How I use your data and my legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and securing your account; running core features (crews, sessions, chat, feed) | Performance of a contract |
| Delivering push notifications you have enabled | Consent (you can withdraw it at any time in Settings or your device settings) |
| Product analytics to understand usage and improve the Service | My legitimate interest in understanding and improving the Service. You can object to this processing, or ask me to delete your analytics data, at any time by contacting me. |
| Error monitoring and security | My legitimate interest in a stable, secure Service |
| Responding to your requests and meeting legal obligations | Legal obligation / legitimate interest |
5. Who I share data with
I do not sell your personal data. I share it only with service providers (processors) who help me operate the Service, under contracts that require them to protect it:
- Supabase — database, authentication, file storage (profile photos and feed media), and realtime infrastructure. This is where your account, profile, training, and content data live.
- PostHog — product analytics.
- Sentry — error and crash monitoring. (I do not enable Sentry session replay or any screen-recording feature.)
- Apple and Google — if you use their sign-in. They also operate the push notification networks (Apple Push Notification service on iOS; Firebase Cloud Messaging on Android), so a push you have enabled is delivered through them.
- Expo (Expo Application Services) — push-notification delivery tooling and over-the-air app updates.
I may also disclose data where required by law, or to protect the rights and safety of my users and the Service.
6. International transfers
My core providers store your data in the European Union, within the EEA: Supabase (database, authentication, and file storage) in its EU West region (Ireland); PostHog (analytics) in its EU region (eu.i.posthog.com); and Sentry (crash monitoring) in its EU region.
When you enable push notifications, the notification is relayed through Expo, Apple, and/or Google, whose notification infrastructure may process the notification and your device push token outside the EEA (including in the United States). Where that occurs, the transfer relies on Standard Contractual Clauses and equivalent safeguards offered by those providers.
7. How long I keep your data
I keep your personal data for as long as your account is active and as needed to provide the Service. When you delete your account, your profile information is scrubbed as described in Section 8; note that the underlying account login record (including your email) and the content you posted are retained as explained there.
I keep analytics events for no longer than necessary to understand and improve the Service. My analytics provider does not automatically expire this data, so I delete it when it is no longer needed and, on request, when you delete your account. Crash and diagnostic data is retained for up to 90 days. Database backups are retained for 7 days.
8. Deleting your account and data
You can delete your account from within the app (Settings → Delete account). When you confirm, the following happens and the action is irreversible:
- If you signed in with Apple, your Sign in with Apple authorisation is revoked.
- Your profile information is scrubbed: your first and last name, profile photo, bio, gender, and training city are cleared.
- Your push-notification tokens are retired so you stop receiving notifications.
- You are signed out, and the account can no longer be used to sign back in — the deletion cannot be undone from your device.
What this does not do, so you know exactly where you stand: content you posted to a crew — posts, photos, comments, chat messages, and session votes — remains in that crew’s history. Once your profile is scrubbed, that content is shown as coming from a removed member and is no longer labelled with your name or photo, but the content itself is not deleted. For the same reason, your underlying account login record (including your email address) is retained rather than erased, and your content stays linked to an internal account identifier. In other words, this flow pseudonymises your presence to other users rather than fully erasing all of your data.
You can also request deletion without using the app — including if you no longer have it installed — at leeka.app/delete-account, or by emailing privacy@leeka.app. Use either route to ask me to erase any data this in-app process does not remove.
9. Your rights
Under the GDPR you have the right to access your data, correct it, erase it, restrict or object to its processing, receive it in a portable format, and withdraw consent at any time. To exercise any of these, contact me at privacy@leeka.app.
If you believe I have mishandled your data, you have the right to lodge a complaint with the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), at www.cnil.fr.
10. Security
I use access controls, encryption in transit, and database-level row security so that members can only access data for crews they belong to. No system is perfectly secure, but I take reasonable measures to protect your data.
11. Children
Leeka is intended for adult runners and is not directed at children. You must be at least 16 years old to use the Service. I do not knowingly collect data from anyone below this age; if you believe I have, contact me and I will delete it.
12. Changes to this policy
I may update this policy as the Service evolves. I will revise the “Last updated” date above and, for material changes, notify you in the app.
13. Contact
Data controller: Cesar Arnouk
94 Boulevard Flandrin, 75016 Paris, France
privacy@leeka.app