Privacy Policy
Aquaduct Data Strategies LLC Version: 1.0-draft Effective Date: March 21, 2026 Last Updated: 2026-03-21
Notice: This is the master Privacy Policy for Aquaduct Data Strategies LLC and its DBA brands (Runner’s Review, Aquaduct Cascade, Biased Bites). Product-specific data practices are detailed in the applicable product annex referenced in Section 14. Where a product annex and this master policy differ, the product annex controls for that product.
1. Introduction and Scope
Aquaduct Data Strategies LLC (“Company,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our products and services.
This Policy applies to all products operated by the Company and its registered DBAs:
- Runner’s Review — iOS race discovery and review application
- Aquaduct Cascade — Web-based data aggregation and race event discovery platform
- Biased Bites — Dining discovery platform (when launched)
This Policy does not apply to third-party websites, applications, or services that may be linked from our products. We encourage you to review the privacy policies of those third parties before using them.
By using our products, you acknowledge you have read and understood this Privacy Policy.
2. Data Controller Identity
The data controller responsible for your personal information is:
| Attribute | Value |
|---|---|
| Legal Name | Aquaduct Data Strategies LLC |
| EIN | 99-1207154 |
| Address | 631 Clouds Way, Rock Hill, SC 29732 |
| strategies@aquaductdata.com | |
| Phone | (803) 670-0335 |
For product-specific data practices, see the relevant product annex (Section 14).
3. Categories of Personal Information We Collect
We collect personal information in the following categories. The specific types collected depend on which product(s) you use — see your product’s annex for details.
3.1 Identifiers
- Name, email address, username, or other account identifier
- Apple ID or other social sign-in identifier (if you use Sign in with Apple)
- User-generated profile information (profile image, preferences)
- Device identifiers (for app functionality and security)
3.2 Professional or Employment Information
- Employer organization and role (Cascade users only)
- Benefits elections and enrollment data (Cascade users only)
- Tenant/organization identifier
3.3 Precise Geolocation Data
- Precise GPS coordinates (Runner’s Review only, when location permission is granted)
- Location is used for proximity-based search functionality and is not persistently stored or tracked beyond the active session
3.4 User-Generated Content
- Reviews, ratings, and text submissions
- Photos and images you upload (stored in Google Cloud Storage)
- Feedback and survey responses
3.5 Internet or Network Activity
- Link-click telemetry and navigation activity within our platforms (Cascade only — see Cascade annex for disclosure)
- App usage logs and feature interaction data
- Error and diagnostic data
3.6 Inferences and Derived Data
- Vendor or content recommendations derived from your usage patterns and preferences (Cascade only)
3.7 Financial Information
- Payment processing data (Cascade only) — note: full payment card numbers are processed and stored by Stripe; we do not store raw payment card data
3.8 Health and Activity Data
- Running activity logs (Runner’s Review only) — distance, pace, route information you voluntarily enter or log
- Apple HealthKit data is not collected. Runner’s Review does not request HealthKit permissions and does not access health data from Apple Health.
3.9 Information Collected Automatically
- IP address and general network location (not GPS)
- Browser type and operating system
- Session timestamps and activity logs
- Firebase App Check tokens (for security verification — Runner’s Review)
4. Legal Basis for Processing
We rely on the following legal bases to process your personal information:
| Basis | Description | Applicable When |
|---|---|---|
| Contract performance | Processing necessary to provide the service you requested | Account creation, service delivery, app functionality |
| Legitimate interests | Processing for our reasonable business interests that do not override your rights | Security, fraud prevention, product improvement, analytics |
| Consent | Where you have provided explicit consent | Location access, optional analytics, marketing communications |
| Legal obligation | Processing required to comply with applicable law | Tax records, legal holds, regulatory compliance |
Note: The GDPR legal basis framework is described in detail in Section 11 (inactive scaffold). The bases above apply to current U.S. operations.
5. How We Use Your Information
We use personal information we collect to:
- Provide and operate our services — Account creation, authentication, feature delivery, customer support
- Process transactions — Payment processing via Stripe (Cascade), refunds, billing records
- Improve our products — Analyze usage patterns, diagnose errors, test new features, improve search relevance
- Ensure security and prevent fraud — Authenticate users, detect abuse, enforce our Terms of Service
- Communicate with you — Send account-related notifications, respond to support requests, provide service updates
- Comply with legal obligations — Respond to lawful requests from government authorities, maintain required records
- Enable search and discovery — Use precise location data to return relevant nearby results (Runner’s Review)
- Facilitate benefits management — Match employees to employer plans, process vendor recommendations (Cascade)
We do not sell your personal information to third parties for their own marketing purposes.
6. Data Sharing and Third Parties
We share personal information with third-party service providers only to the extent necessary to operate our services. We do not sell or rent personal information to third parties for their own marketing.
6.1 Third-Party Service Providers
The following third parties may receive or process your personal information on our behalf:
| Provider | Service | Data Shared | Products |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure, database hosting (Cloud SQL), object storage (GCS), machine learning (Cloud Vision) | Account data, photos, activity logs | Runner’s Review |
| Google Firebase | App security (Firebase App Check), push notifications | App Check tokens, device identifiers | Runner’s Review |
| Apple Inc. | Sign in with Apple, App Store distribution, TestFlight | Apple ID, email (if shared by user) | Runner’s Review |
| Auth0 (Okta) | Identity and authentication management | Email, name, profile image, role, tenant ID | Aquaduct Cascade |
| Stripe, Inc. | Payment processing | Payment information, billing records | Aquaduct Cascade |
| Amazon Web Services (AWS) | Cloud infrastructure hosting | Account data, platform data | Aquaduct Cascade |
| Tinker | AI/inference services for vendor recommendations | Usage patterns, preferences | Aquaduct Cascade |
| Brave Search / SerpAPI / Google Custom Search Engine | Search API services | Search queries | Aquaduct Cascade |
| DOL/SEC APIs | Public government data APIs | No personal data transmitted | Aquaduct Cascade |
6.2 Legal Disclosures
We may disclose your personal information if required by law, court order, or government authority, or if we believe disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights or safety of the Company, our users, or the public; (c) detect, prevent, or address fraud or security issues.
6.3 Business Transfers
If the Company is involved in a merger, acquisition, asset sale, or reorganization, your personal information may be transferred as part of that transaction. We will provide notice (per Section 13) before your information is transferred and becomes subject to a different privacy policy.
6.4 What We Do Not Do
- We do not sell personal information as defined under the CCPA or similar state laws
- We do not share personal information with third parties for their own direct marketing purposes without your consent
- We do not share Runner’s Review location data with advertising networks
7. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer period is required by law.
| Data Category | Retention Period | Notes |
|---|---|---|
| Account data (active users) | Duration of account + 90 days after deletion request | Extended if required by legal hold |
| Transaction and billing records | 7 years | Required for tax and accounting compliance |
| Activity logs and app usage data | 12 months rolling | Aggregated/anonymized after retention period |
| Photos and user-uploaded content | Until user deletes or account is closed | Stored in GCS; deletion is irreversible |
| Precise location data | Session only — not persistently stored | Runner’s Review proximity search |
| Link-click telemetry | 12 months rolling | Cascade only; see Cascade annex |
| Security and fraud prevention logs | 24 months | Required for fraud detection efficacy |
| Legal hold data | As required by legal obligation | Overrides normal retention schedule |
To request deletion of your data, see Section 9 (User Rights).
8. Security Practices
We implement reasonable administrative, technical, and physical safeguards to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our practices include:
- Encryption in transit: All connections to our services use TLS/HTTPS
- Encryption at rest: Sensitive data is encrypted at the database and storage layer (GCS, Cloud SQL, AWS)
- Access controls: Access to personal data is restricted to personnel who need it to operate the service; authentication is enforced via Auth0 (Cascade) and Firebase App Check (Runner’s Review)
- Incident response: We maintain procedures for identifying and responding to data security incidents
- Third-party security: We select service providers with their own documented security programs (GCP, AWS, Stripe, Auth0 are SOC 2 certified)
No security system is impenetrable. We cannot guarantee the absolute security of data transmitted to or stored by our services. If you believe your account or data has been compromised, contact us immediately at strategies@aquaductdata.com.
9. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
9.1 Right to Access
You may request a copy of the personal information we hold about you. We will respond within 45 days (CCPA) of a verifiable request.
9.2 Right to Correction
You may request that we correct inaccurate or incomplete personal information. Some corrections can be made directly within the product (account settings).
9.3 Right to Deletion
You may request deletion of your personal information. We will honor deletion requests subject to exceptions for legal obligations, fraud prevention, and completing transactions.
9.4 Right to Portability
You may request a machine-readable export of your personal information in cases where processing is based on your consent or performance of a contract.
9.5 Right to Opt Out of Sale/Sharing
We do not sell personal information. If our practices change, you will be provided with an opt-out mechanism before any such sale begins.
9.6 Right to Non-Discrimination
We will not discriminate against you for exercising any rights under this Policy or applicable law. You will not receive different prices, service tiers, or reduced quality as a result of exercising your privacy rights.
9.7 How to Submit a Rights Request
To exercise your rights, contact us at:
- Email: strategies@aquaductdata.com (subject: “Privacy Rights Request”)
- Mail: Aquaduct Data Strategies LLC, 631 Clouds Way, Rock Hill, SC 29732
We aim to respond to all verifiable requests within 30 days. CCPA requests receive a response within 45 days as required by law (see Section 10.4 for CCPA-specific timelines). We may require verification of your identity before processing a request to protect against unauthorized access.
10. California Residents (CCPA / CPRA Disclosures)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.
10.1 Categories Collected
In the preceding 12 months, we have collected the following categories of personal information (as defined by Cal. Civ. Code § 1798.140):
| CCPA Category | Collected | Examples |
|---|---|---|
| Identifiers | Yes | Name, email, user ID, Apple ID, device ID |
| Personal information under Cal. Civ. Code § 1798.80 | Yes | Name, email address |
| Characteristics of protected classifications | No | — |
| Commercial information | Yes (Cascade) | Transaction records, subscription data |
| Biometric information | No | — |
| Internet or other electronic network activity | Yes | Usage logs, link-click telemetry (Cascade) |
| Geolocation data | Yes (Runner’s Review) | Precise GPS for proximity search |
| Sensory data (audio, video, etc.) | Yes (partial) | Photos uploaded by users (Runner’s Review) |
| Professional or employment information | Yes (Cascade) | Role, employer, benefits data |
| Education information | No | — |
| Inferences drawn from the above | Yes (Cascade) | Vendor recommendations |
| Sensitive personal information | Yes (partial) | Precise geolocation (Runner’s Review); account credentials |
10.2 Purposes for Collection
We collect personal information for the business and commercial purposes described in Section 5 of this Policy.
10.3 Categories of Third Parties to Whom We Disclose
We disclose personal information to third-party service providers as described in Section 6.1. We do not sell or share personal information for cross-context behavioral advertising as defined by the CPRA.
10.4 Your CCPA Rights
As a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell
- Delete personal information we have collected about you (subject to exceptions)
- Correct inaccurate personal information
- Opt out of the sale or sharing of your personal information — note: we do not currently sell personal information
- Limit use of your sensitive personal information — we do not use sensitive PI beyond what is necessary to provide our services
- Non-discrimination for exercising these rights
To submit a CCPA rights request: Email strategies@aquaductdata.com with the subject line “CCPA Rights Request.” We respond to verifiable requests within 45 days. We may request information to verify your identity.
Authorized Agents: California residents may use an authorized agent to submit rights requests on their behalf. We may require written authorization or power of attorney before processing a request submitted by an agent.
11. EU/EEA Residents — GDPR
INACTIVE SCAFFOLD — This section is NOT currently active.
This section has been drafted in anticipation of EU/EEA operations (specifically, a planned relocation to Spain by the Company’s founder). This section will not take effect until:
- The Company begins actively targeting or serving EU/EEA residents, AND
- A qualified attorney licensed in EU data protection law has reviewed and approved this section
Attorney review is required before activation.
Until activated, EU/EEA residents are subject to Section 9 (Your Rights) and Section 10 (California/CCPA) as the most analogous rights framework currently operative.
[INACTIVE] 11.1 Lawful Bases (GDPR Art. 6)
Under the GDPR, we rely on the following lawful bases for processing:
- Art. 6(1)(b) — Contract: Processing necessary for performance of a contract with you
- Art. 6(1)(c) — Legal obligation: Processing required by applicable law
- Art. 6(1)(f) — Legitimate interests: Processing for fraud prevention, security, and product improvement, balanced against your rights
- Art. 6(1)(a) — Consent: For processing not covered above (e.g., marketing, optional analytics)
[INACTIVE] 11.2 Data Subject Rights (GDPR Arts. 15–22)
EU/EEA residents have rights to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21), and rights related to automated decision-making (Art. 22).
[INACTIVE] 11.3 Data Transfers
If we transfer personal data from the EU/EEA to the United States, we will implement appropriate safeguards as required by GDPR Chapter V (e.g., Standard Contractual Clauses with service providers).
[INACTIVE] 11.4 Supervisory Authority
EU/EEA residents have the right to lodge a complaint with a supervisory authority. If operations are based in Spain, the competent authority would be the Agencia Española de Protección de Datos (AEPD) (www.aepd.es).
[INACTIVE] 11.5 Representative
If required under GDPR Art. 27, the Company will designate an EU representative before activating this section.
12. Children’s Privacy
Our products and services are not directed to children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children under 13.
If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. If you believe we may have collected information from a child under 13, please contact us at strategies@aquaductdata.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, products, or applicable law. We will notify you of material changes by:
- Updating the “Last Updated” date at the top of this document
- Posting a notice in the applicable product (in-app or on-site notification)
- Sending an email notification to registered users when we have your email address
Your continued use of our products after the effective date of an updated Policy constitutes your acceptance of the changes. If you do not agree with the changes, you should stop using the affected product and contact us to delete your account.
Material change means a change that significantly affects how we collect, use, or share your personal information, or that meaningfully reduces your rights.
14. Product-Specific Annexes
For full disclosure of data practices specific to each product, please review the applicable annex:
| Product | Annex | Key Additions |
|---|---|---|
| Runner’s Review | Runner’s Review Annex | Apple Sign-In, precise location, GCS photos, Firebase App Check, Google Cloud Vision |
| Aquaduct Cascade | Aquaduct Cascade Annex | Auth0, AWS, dorking discovery, enrichment pipeline, compliance-gated scraping |
15. Contact for Privacy Requests
For privacy-related questions, rights requests, or to report a concern:
| Contact Type | Details |
|---|---|
| Privacy Email | strategies@aquaductdata.com (subject: “Privacy Request”) |
| Mailing Address | Aquaduct Data Strategies LLC, 631 Clouds Way, Rock Hill, SC 29732 |
| DMCA Takedowns | See DMCA Policy |
| Cookie Policy | See Cookie Policy |
We aim to respond to all privacy requests within 30 days. CCPA verifiable requests receive a response within 45 days as required by law (with a possible 45-day extension if we notify you of the extension).
16. Version and Effective Date
| Attribute | Value |
|---|---|
| Version | 1.0-draft |
| Effective Date | March 21, 2026 |
| Last Updated | 2026-03-21 |
| Status | Draft — awaiting Diego Lafuente review and approval |
| GDPR Sections | Inactive scaffold — requires attorney review before activation |
Document History
| Date | Version | Changes | Author |
|---|---|---|---|
| 2026-03-21 | 1.0-draft | Initial draft | ADS Legal |
This Privacy Policy was prepared by Aquaduct Data Strategies LLC. It has not been reviewed by a licensed attorney. The GDPR scaffold sections (Section 11) must be reviewed by a qualified EU data protection attorney before activation. If you have legal questions, consult a qualified attorney licensed in South Carolina or the applicable EU member state.