As of June 21, 2026
This privacy policy informs you about the processing of personal data when using the app "kontur" (hereinafter "the app").
Responsible under the General Data Protection Regulation (GDPR):
Michael Schmidinger
Sommeregg 14
5301 Eugendorf
Austria
Email: [email protected]
For data protection inquiries, please email the address above with the subject "Privacy kontur".
The app processes almost all data exclusively locally on your device. No transmission to the controller’s servers takes place. The app contains no advertising SDKs, no tracking and no usage analytics.
Data leaves your device in only two cases:
Hammerhead login and activity retrieval (Art. 6 (1) lit. b GDPR, contract performance) — you actively connect to your Hammerhead account.
Optional cloud AI features (Art. 6 (1) lit. a GDPR, consent) — only if you provide a Gemini API key yourself and actively ask questions or request analyses. The default AI runs on-device (see section 3.3) and transmits no data.
When retrieving from Hammerhead, the following data is stored on your device (SwiftData database, encrypted when device encryption is enabled):
Activity data: date, distance, duration, elevation, speed, cadence, temperature, calories
Health-related data (Art. 9 GDPR): heart rate, power/watts, training stress score (TSS), intensity factor (IF), FTP
Location/route data: GPS polylines of your activities
Climb data: detected climbs, climb profiles (length, gradient, VAM)
Metadata: activity name, description, device name, gear
Purpose: display of your statistics, climbs and training analysis in the app. Storage duration: until manual deletion in the app (Settings → "Delete local data") or uninstallation of the app.
When connecting to Hammerhead and syncing, data is exchanged between your device and Hammerhead (HQ Inc.):
On login: OAuth flow via ASWebAuthenticationSession; an access token is stored encrypted in the iOS Keychain.
On retrieval: Hammerhead transmits activity lists and FIT files to the app; the app sends no activity content to Hammerhead.
Legal basis: Art. 6 (1) lit. b GDPR (contract performance with Hammerhead). Hammerhead (HQ Inc.) is responsible for processing on its side; its privacy policy applies. This app only retrieves data that Hammerhead has already collected from you — no additional collection takes place.
The app offers AI-powered training analysis and a training assistant (chat). The AI works in two ways:
a) Default: Apple Foundation Models (AFM) — on-device, no transmission
On devices from A17 Pro with Apple Intelligence enabled, the app uses Apple Foundation Models. AI inference runs entirely locally on your device. No training data is transmitted to Apple or third parties. Apple does not see the requests, and no tracking takes place. Legal basis: Art. 6 (1) lit. b GDPR (contract performance) and Art. 9 (2) lit. a GDPR (explicit consent through use) for the purely local processing of health-related data.
b) Optional: Cloud fallback via Gemini API (only with stored API key)
If AFM is unavailable (device < A17 Pro or Apple Intelligence disabled) and you provide a Gemini API key in Settings, calling AI features transmits aggregated training data to Google LLC (generativelanguage.googleapis.com):
Transmitted data: date, distance, elevation, duration, heart rate, power, cadence, temperature, gear, activity names, climb names
NOT transmitted: GPS/route data, location coordinates, polylines
Legal basis: Art. 6 (1) lit. a GDPR (your consent by providing the API key and actively calling the feature). You can withdraw consent at any time by removing the API key in Settings. From the next call, no data will be transmitted. The transmitted data is subject to Google LLC’s privacy policy (third party / processor).
The API key itself is stored encrypted in the iOS Keychain and leaves the device only for authentication with Google.
Local activity data: until deletion in the app or uninstallation
OAuth token (Hammerhead): until disconnecting in Settings
AI API key: until removal in Settings
Server-side at the controller: no storage (no backend)
Under the GDPR you have the right to:
Access (Art. 15) to the data processed here
Rectification (Art. 16) of inaccurate data
Erasure (Art. 17) — in the app: "Delete local data" or uninstallation
Restriction (Art. 18) of processing
Data portability (Art. 20) — your data is local; export is possible via iOS backup
Objection (Art. 21) to processing
Withdrawal of consent (Art. 7 (3)) — see section 3.3
Complaint to a supervisory authority (Art. 77)
Since all data is stored locally on your device, you can exercise most rights yourself through the app functions or by deleting the app. For questions, contact the address in section 1.
Heart rate, power and training metrics may qualify as health data under Art. 9 GDPR. These are processed exclusively locally. The default AI (Apple Foundation Models) also runs on-device — health data is not transmitted to third parties here either. Transmission to third parties occurs only with the cloud fallback (Gemini API) enabled after explicit consent (section 3.3b). The legal basis for local processing is Art. 9 (2) lit. a GDPR (explicit consent through use of the app with your own Hammerhead data) in conjunction with Art. 6 (1) lit. b GDPR.
The app is not directed at persons under 16 and is not intended for them. We do not knowingly process data from minors.
The OAuth token and the AI API key are stored in the iOS Keychain (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly) — encrypted and not included in unencrypted device backups.
All network connections use HTTPS (App Transport Security, no exceptions for insecure connections).
There is no controller backend that could be attacked.
This privacy policy may be updated when the app’s features change. The current version is always available in the app (Settings → Legal) and at the URL registered in App Store Connect.
Michael Schmidinger
Sommeregg 14
5301 Eugendorf
Austria
Email: [email protected]
See the imprint for details.