Privacy Policy

Last updated: February 20, 2026

Onestack Oy ("Laakso", "we", "us", or "our") provides an ultra-running training service. This Privacy Policy explains how we collect, use, share, and protect personal data when you use the Laakso website and application (collectively, the "Service").

If you have questions, contact us at contact@laakso.app. For information about the terms governing your use of the Service, please see our Terms of Service.

1. Who we are (data controller)

For the purposes of the EU/EEA GDPR and similar laws, the data controller is Onestack Oy (registered in Finland). We have not appointed a Data Protection Officer, as we do not meet the thresholds requiring one under Article 37 GDPR. If this changes, we will update this policy accordingly.

2. What we collect

2.1 Account and profile data

When you create an account or sign in, we process your email address. If you sign in with Google, we may also receive your name and profile image from Google, depending on your Google account settings.

2.2 Usage and device data

When you use the Service, we process technical and usage information such as pages you view, actions you take in the app, approximate device information, and timestamps. This helps us operate and improve the Service.

2.3 Garmin and wearable data (training and health information)

If you choose to connect Garmin, we process data from your Garmin account to provide training features. This may include:

  • Activity data (e.g., activity type, start time, duration, distance, elevation, and related metrics).
  • Performance and sensor metrics associated with activities (e.g., heart rate).
  • Health-related records such as sleep and heart-rate variability (HRV) summaries, and daily wellness summaries (where available).

You can disconnect Garmin at any time in the app settings and/or through your Garmin account.

2.4 Support communications

If you contact us, we process the content of your message and related contact details to respond and provide support.

3. How we use your data

We use personal data to:

  • Provide and operate the Service (authentication, training plan features, syncing).
  • Analyze training history and generate insights and recommendations you request.
  • Maintain security, prevent abuse, and troubleshoot issues.
  • Improve the Service based on aggregated usage patterns and feedback.
  • Send service emails (e.g., login links).

We do not sell your personal data. We do not use your Garmin training or health information for advertising.

4. Legal bases (EEA/UK)

Where GDPR or similar laws apply, we rely on the following legal bases:

  • Contract (Article 6(1)(b)): to provide the Service you request (including processing training data you choose to sync).
  • Consent (Article 6(1)(a)): for optional analytics and for connecting Garmin; and where required, for processing health-related data.
  • Legitimate interests (Article 6(1)(f)): to secure and improve the Service, prevent fraud/abuse, and maintain reliability.

Where health-related data is considered special category data under Article 9 GDPR, we rely on your explicit consent (Article 9(2)(a)) before processing such data. You may withdraw this consent at any time (see Section 10).

5. Cookies and analytics

We use PostHog (EU-hosted) for in-app analytics and Google Analytics for our landing page. Both are enabled only after you provide consent. Google Analytics may set cookies on the landing page; PostHog does not use cookies in the app.

We do not intentionally send personal identifiers like email or name to analytics. We use an opaque user ID for measuring product usage in the app.

6. Who we share data with (processors)

We use trusted service providers (processors) to operate the Service. These providers are permitted to process personal data only on our instructions and for the purposes described in this policy. Key providers include:

  • Vercel (hosting and infrastructure).
  • PostHog EU (product analytics, consent-based).
  • Upstash (background processing for Garmin webhook events and rate limiting/deduplication).
  • Resend (transactional email delivery for login links).
  • Google (Google Analytics on our landing page, consent-based; and optional sign-in via Google OAuth).
  • Garmin (data source you connect and authorize).

We may also share information when required by law, to protect rights and safety, or as part of a corporate transaction (e.g., merger or acquisition), subject to appropriate safeguards.

7. International transfers

Some service providers may process data outside the EEA/UK. Where required, we use appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms.

8. Data retention

We keep personal data only as long as necessary for the purposes described above, including legal, accounting, or security requirements. In general:

  • Account data is kept while your account is active and for up to 12 months after account closure, unless you request earlier deletion.
  • Garmin training and health data is kept while you use the Service and for up to 12 months after you disconnect Garmin or close your account, unless you request earlier deletion.
  • Certain raw activity detail files used for processing and charts may be stored temporarily and deleted on a rolling basis (typically within 30 days after processing).
  • Analytics data is retained according to the default retention settings of each provider (PostHog and Google Analytics) and is anonymized or deleted thereafter.
  • Support communications are retained for up to 24 months after your last interaction.

10. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict or object to processing, and to data portability.

You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You can withdraw consent by declining analytics in the consent banner, disconnecting Garmin in your app settings, or contacting us directly.

To exercise your rights, contact us at contact@laakso.app. You also have the right to lodge a complaint with your local data protection authority.

11. Security

We use administrative, technical, and organizational measures designed to protect personal data. This includes access controls and encryption of sensitive tokens at rest.

12. Children

The Service is not directed to children under 16 (or a higher age where required by local law), and we do not knowingly collect personal data from children.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date above and, if changes are material, take reasonable steps to notify you.

14. Contact

Email: contact@laakso.app

Legal entity: Onestack Oy (registered in Finland)