Privacy Policy
Last updated: March 2026
1. Data Controller and Contact
The data controller for data processing on this website and in the NextBurn app is:
Nanuc Gesellschaft mit beschränkter Haftung
Wartmauerstr. 12, D-71296 Heimsheim, Germany
Managing Director: Sebastian Schöps
Amtsgericht Mannheim, HRB 729512
VAT ID: DE296504286
Email: privacy@nextburn.app
2. Privacy at a Glance
We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations (in particular the GDPR) and this privacy policy. We do not sell your data.
3. What Data We Collect
a) Account Data
During registration, we collect: name, email address, age, weight, height, and gender. This data is required to provide the app's features.
b) Waitlist Registration
When you sign up for our waitlist, we store your email address, chosen language, and the time of registration. This data is used exclusively to inform you about the NextBurn launch.
c) Training Data from Garmin Connect
When you connect your Garmin account with NextBurn, we retrieve the following data via the Garmin Connect API:
Activity Data:
- Activity type, duration, distance, calories, pace, elevation
- Heart rate data: average HR, max HR, HR zones, resting heart rate
- GPS data: route, splits, segments
- Performance data: VO2max estimate, training status
- Activity files (FIT files with complete details)
Health Data:
- Daily summary: steps, calorie burn, active minutes
- Sleep: sleep duration, sleep phases, sleep quality score
- Heart rate variability (HRV): HRV status, HRV trend
- Stress: stress level, stress duration
- Body Battery: energy level throughout the day
- Body data: weight (if Garmin scale is connected)
d) Training Data from Strava
When you connect your Strava account with NextBurn, we import activity data such as type, duration, distance, and pace. Processing is analogous to Garmin data.
e) In-App Generated Data
Goals, preferences, onboarding answers, and training history that you create within the app.
f) Usage Data
We use Fathom Analytics, a privacy-friendly analytics service. Fathom does not use cookies and does not collect personal data. All data is processed in the EU. Therefore, no cookie banner is required.
g) Payment Data
Payments are processed through Apple In-App Purchase and Google Play Billing. NextBurn does not store credit card or payment data directly.
4. Purpose and Legal Basis of Processing
- Contract performance (Art. 6 para. 1 lit. b GDPR): Provision of app features, training planning, synchronization.
- Consent (Art. 6 para. 1 lit. a GDPR): Garmin data import, AI processing, health data processing, waitlist registration.
- Legitimate interest (Art. 6 para. 1 lit. f GDPR): Analytics, security, error resolution.
5. Garmin Connect Integration
NextBurn offers the option to connect your Garmin Connect account with the app. The connection uses OAuth 2.0 – you will be redirected to Garmin to grant authorization. NextBurn never stores your Garmin password.
Important: When you connect your Garmin account with NextBurn, your training data is transferred from Garmin Connect to NextBurn. This data is processed and stored by NextBurn – not by Garmin. Garmin assumes no responsibility or liability for data transferred to NextBurn.
The complete list of retrieved data categories can be found in Section 3c of this privacy policy.
Exporting Workouts to Garmin
NextBurn can export planned workouts and weekly plans to your Garmin device via the Garmin Training API. In this process, data is transferred from NextBurn back to Garmin. For information on how Garmin processes this data, please visit the Garmin Connect Privacy Policy.
Consent and Revocation
Before the first access to your Garmin data, you will be informed via a dedicated consent screen about which data will be retrieved and how it will be used. You actively grant your explicit consent (no pre-checked opt-in). You can disconnect the Garmin connection at any time in the app settings. After disconnecting, no further data will be retrieved from Garmin.
For more information about data protection at Garmin, please visit the Garmin Connect Privacy Policy.
6. Strava Integration
When you connect your Strava account with NextBurn, activity data is imported via the Strava API. The connection uses OAuth 2.0. You can disconnect the Strava connection at any time in the app settings. Data processing and usage are analogous to the Garmin integration.
7. Use of Artificial Intelligence (AI Transparency Statement)
NextBurn uses AI technology to analyze your training data and generate personalized training plans. The AI system used is Claude, operated by Anthropic PBC (San Francisco, USA).
What Data Is Sent to the AI
- Activity data (type, duration, distance, pace, heart rate)
- Health metrics (VO2max, HRV, sleep, resting heart rate)
- Goal data (competition goals, training preferences)
- Body data (age, weight, height, gender)
Anonymization
Your data is anonymized before being sent to the AI. No names, email addresses, Garmin account IDs, or other directly identifying information is sent to Anthropic.
Purpose of AI Processing
- Daily training recommendations
- Personalized weekly plans
- Goal predictions
- Weekly training reviews
No AI Model Training
Your data is not used to train or improve AI models. Anthropic does not use data submitted via the API for model training by default.
Consent and Revocation
AI processing requires your explicit consent, which you actively grant before first use. You can disable AI processing at any time in the app settings. Upon revocation, you will no longer receive AI-powered training recommendations, but basic app features will remain available.
Server Location
AI processing takes place on Anthropic PBC servers in the USA. See Section 9 (Third-Country Transfer) for the data protection safeguards in place.
8. Data Sharing with Third Parties
- Anthropic PBC (USA): Anonymized training data, health metrics, and goal data for AI-powered training plan generation. Anthropic does not process API data for model training.
- Garmin International (USA): When using the workout export feature, planned training sessions are transferred to Garmin.
- Strava Inc. (USA): When using the Strava integration, activity data is imported.
- Hetzner Online GmbH (Germany): Hosting of our servers in Germany.
- Fathom Analytics: Privacy-friendly website analytics, no cookies, EU data processing.
- Apple / Google: Processing of in-app purchases. NextBurn does not store payment data.
We do not share data with advertisers. We do not sell your data.
9. Third-Country Transfer
Some of our service providers are based in the USA, a country for which no EU Commission adequacy decision covers all companies. We take the following safeguards:
- Anthropic PBC: We verify certification under the EU-US Data Privacy Framework. In addition, we rely on Standard Contractual Clauses (SCCs) and on anonymization of the transferred data as a technical safeguard.
- Garmin International: Standard Contractual Clauses (Controller-to-Controller, Module 1) pursuant to Annex A of the Garmin Connect Developer Program Agreement. Governing law: German law. Supervisory authority: State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW).
10. Data Security
- Encryption of all data transfers via TLS/HTTPS
- Encryption of sensitive data at rest
- EU servers (Hetzner, Germany)
- Role-based access controls and authentication
- Secure OAuth 2.0 implementation for Garmin and Strava – no password storage
- Regular security audits
- Documented incident response processes for security incidents
11. Special Protection of Health Data
Data such as heart rate, HRV, sleep, and VO2max are considered health data within the meaning of Art. 9 GDPR. These are subject to special protection:
- Legal basis: Explicit consent pursuant to Art. 9 para. 2 lit. a GDPR
- Separate consent: Consent for processing health data is obtained separately from general consent
- Enhanced security measures: Encryption, access restriction, pseudonymization
- Data minimization: Only data required for the purpose is collected
12. Data Retention and Deletion
| Data Type | Retention Period |
|---|---|
| Activity and health data | While account active + 30 days after deletion |
| AI-generated training plans | 12 months |
| Garmin OAuth tokens | Until revocation or account deletion |
| Account data | Until account deletion + statutory retention periods |
What Happens When You Delete Your Account
- All personal data is completely deleted
- Garmin OAuth tokens are revoked and deleted
- Data at Anthropic: API calls are not permanently stored
- Remaining data only where legally required (e.g., billing records)
13. Your Rights
Under the GDPR, you have the following rights:
| Right | Implementation |
|---|---|
| Access (Art. 15 GDPR) | In-app display of all stored data + export function |
| Rectification (Art. 16 GDPR) | Profile data can be changed in the app |
| Erasure (Art. 17 GDPR) | Account deletion in the app → complete data deletion incl. Garmin tokens |
| Restriction (Art. 18 GDPR) | Option to disable AI processing |
| Data portability (Art. 20 GDPR) | Export of your training data in JSON format |
| Objection (Art. 21 GDPR) | At any time via app settings |
| Withdrawal of consent | Disconnect Garmin, disable AI processing – at any time in settings |
To exercise your rights, you can contact us at any time: privacy@nextburn.app
14. Hosting
This website and the NextBurn app are hosted on servers by Hetzner Online GmbH in Germany. Data processing takes place exclusively on EU servers.
15. Push Notifications
NextBurn may send push notifications for training motivation, overtraining warnings, and weekly reviews. You can enable or disable push notifications at any time in the app or device settings.
16. Location and GPS Data
NextBurn processes GPS data from your Garmin activities solely for running analysis and per-segment pace calculations. GPS data is not collected by default but only imported with your explicit consent as part of the Garmin connection.
17. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in legal requirements, new features, or changes to Garmin policies. For significant changes, we will notify you via in-app notification or email. The URL of this privacy policy will remain stable and will redirect if the address changes.
18. Contact and Supervisory Authority
For questions about data protection, contact us at: privacy@nextburn.app
You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20, 70173 Stuttgart, Germany
www.baden-wuerttemberg.datenschutz.de
