GDPR · Personal data · EU hosting

Privacy.

This page explains, in plain language, what data Kimbia processes, why, where it lives, and your rights. Found something unclear or wrong? Write to us: contact@kimbia.app.

Last updated · 6 May 2026

01

Who is responsible?

The data controller is the operator listed in the imprint. For any data-related question: contact@kimbia.app.

02

What data do we collect?

Three families of data:

Account
Your atproto handle (your public identifier as a domain, e.g. alice.bsky.social) and DID (the protocol's stable identifier). We never store passwords: authentication is handled entirely by the protocol.
Training data
Activities, plans, sessions, metrics (heart rate, pace, distance, duration, sleep, HRV, etc.) that you import via Garmin, Wahoo, Coros and similar services, or enter manually. This includes activity files (FIT/GPX/TCX) and their metadata.
Technical data
Minimal server logs (IP address, user-agent, request timestamps) retained for security and abuse prevention.

03

Why?

To deliver the service you use: showing your activities, computing your zones, comparing planned vs. actual, letting you export your data. Legal basis: performance of the contract (GDPR art. 6.1.b) and legitimate interest for security (art. 6.1.f). Heart rate, HRV, sleep and pace are special-category data under art. 9 GDPR; we process them on your explicit consent (art. 9.2.a), captured at signup and revocable at any time.

04

Where is data stored?

On Hetzner servers located in Germany (European Union). No transfers to third countries outside the EEA take place for primary storage.

05

Processors and third parties

We never sell your data. We do not share it with ad networks. Once imported, Kimbia is the controller for that data, distinct from the source platform. The only third parties involved are:

  • Hetzner Online GmbH (Germany) - data hosting
  • Garmin, Wahoo, Coros and similar services - only when you connect one of those services and authorise the import (each under its own terms)
  • atproto - decentralised identity protocol for your account

06

How long do we keep your data?

As long as your account exists. You can export all of your data at any time in open formats. When you delete your account, your data is removed within 30 days, except for security logs (90 days maximum) and any retention required by law.

07

Your rights (GDPR)

You have the right to access your data, rectify it, delete it, export it (portability), object to processing, and lodge a complaint with a data-protection authority (in Austria: the DSB).

08

Cookies and local storage

No advertising cookies, no third-party pixels, no consent banner to click. We only set what's strictly needed: your language preference, and session cookies tied to your atproto authentication. All of it falls under the e-Privacy and GDPR exemptions.

Sentry, our error-monitoring tool, may capture an error stack, your handle/DID if signed in, your IP, and a session replay (text masked) - only when an error occurs. Sentry sets no cookies and purges this data after 30 days. Legal basis: legitimate interest (security and service quality).

09

Contact

For any data-related request: contact@kimbia.app.