Privacy Policy

KRANQ is a desktop application for indoor cycling. Your ride data, device connections, and settings are stored locally on your computer. Our backend server (hosted in Germany) handles user authentication, license validation, and webhook reception for third-party integrations — raw fitness data is not retained on our servers. Third-party integrations (Strava, Intervals.icu, COROS) are optional and user-initiated.

KRANQ uses Clerk as its authentication provider. When you sign in:

• You create an account via Clerk using your email address, Google account, or Discord account
• Authentication is handled entirely by Clerk — KRANQ never sees or stores your password
• Your Clerk user ID, email address, and display name are stored on our server to identify your account
• Session tokens are short-lived (60 seconds) and refreshed automatically
• Your account links your license, subscription status, and multiplayer identity across devices

Sign-in happens in your system browser via Clerk's hosted pages — the KRANQ desktop app never handles your credentials directly.

See Clerk's privacy policy.

KRANQ uses LemonSqueezy as its payment and license management provider. When you activate a license key:

• Your license key and a randomly generated instance identifier are sent to our server (api.kranq.fit), which validates them with LemonSqueezy
• LemonSqueezy returns your customer name and email (as provided during purchase), which are stored locally on your device
• Our server issues a cryptographically signed token that your app verifies locally on startup — no network request is needed for daily use
• Every 7 days (when online), the app re-validates your license with our server to check for revocations
• The LemonSqueezy API key never leaves our server — the desktop app does not communicate with LemonSqueezy directly

When you activate a license while signed in, the license key is linked to your account on our server, enabling cross-device license management.

A 14-day free trial is available for the first profile on each machine. No payment information is required to start the trial.

See LemonSqueezy's privacy policy.

On startup, KRANQ checks for available updates by requesting a manifest file from api.kranq.fit/downloads/update.json. This is a standard HTTPS GET request — no user data, device identifiers, or telemetry is sent. Your server's standard access logs (IP address, user agent) may be recorded.

KRANQland Online is an optional multiplayer feature that will require a separate subscription. When you connect:

• Your identity is verified via your account (Clerk authentication)
• Your display name, country, and real-time ride telemetry (power, speed, heart rate) are sent to our server via WebSocket and shared with other connected riders
• Chat messages are broadcast to other connected riders and stored temporarily in Redis (last 50 messages, no permanent retention)
• Presence data (your online status and telemetry) is stored in Redis while connected and automatically removed after 30 seconds of inactivity
• You can disconnect from KRANQland Online at any time, which immediately stops all data sharing

On your device (local only):

• Ride recordings — power, cadence, heart rate, speed, distance, and elevation data from your BLE trainer and sensors
• Rider profile — weight, FTP, and display name you enter in settings
• Imported routes — GPX files you load into the app
• Workouts — structured workouts you create or import
• OAuth tokens — access and refresh tokens for connected third-party services (Strava, Intervals.icu, COROS), stored in a local SQLite database
• License data — license key, instance ID, customer name and email (from LemonSqueezy), and a signed verification token

On our server:

• Account data — your Clerk user ID, email address, and display name (synced from Clerk via webhooks)
• License data — your license key and activation status, linked to your account
• Subscription status — whether you have an active KRANQland Online subscription (synced from LemonSqueezy via webhooks)

We do not collect:

• Analytics or telemetry from the desktop app
• Personal information beyond what you enter in settings
• Location data (KRANQland coordinates are virtual, not real GPS)

KRANQ connects to third-party services only when you explicitly choose to do so. Each integration uses OAuth 2.0 — KRANQ never sees or stores your password for any external service. You must explicitly authorize each connection and can revoke it at any time.

Strava

• Data sent to Strava: completed ride activities including power, cadence, heart rate, speed, distance, GPS coordinates, timestamps, and duration (TCX format)
• Purpose: automatic upload of completed rides to your Strava account
• Authentication: OAuth 2.0 — KRANQ never sees or stores your Strava password
• User control: you can disconnect Strava at any time from within KRANQ settings. Disconnecting revokes KRANQ's access and stops future uploads. Previously uploaded activities remain on Strava and must be deleted there directly.

See Strava's privacy policy.

Intervals.icu

• Data sent to Intervals.icu: completed ride activities including power, cadence, heart rate, speed, distance, GPS coordinates, timestamps, and duration (TCX format)
• Purpose: automatic upload of completed rides to your Intervals.icu account for training analysis and planning
• Authentication: OAuth 2.0 — KRANQ never sees or stores your Intervals.icu password
• User control: you can disconnect Intervals.icu at any time from within KRANQ settings. Disconnecting revokes KRANQ's access and stops future uploads. Previously uploaded activities remain on Intervals.icu and must be deleted there directly.

See Intervals.icu's privacy policy.

COROS

• Data sent to COROS: completed ride activities including power, cadence, heart rate, speed, distance, GPS coordinates, timestamps, and duration
• Purpose: automatic upload of completed rides to your COROS account
• Authentication: OAuth 2.0 — KRANQ never sees or stores your COROS password
• User control: you can disconnect COROS at any time from within KRANQ settings

See COROS's privacy policy.

Garmin Connect (planned)

• Data received from Garmin: user profile metrics (FTP, weight, resting heart rate, heart rate zones), activity history, and route data
• Purpose: personalizing the indoor training experience — auto-importing rider configuration, training history, and routes for indoor riding
• Authentication: OAuth 2.0 via Garmin Connect — KRANQ will never see or store your Garmin password
• User control: you will be able to disconnect Garmin Connect at any time from within KRANQ settings

See Garmin's privacy policy.

General principles

• All third-party connections use OAuth 2.0 — KRANQ never stores passwords for external services
• Users must explicitly authorize each connection
• Users can revoke any connection at any time
• Ride data generated within KRANQ (power, speed, cadence, heart rate, GPS) is owned by the user
• Local data (SQLite database) is stored in your app data directory and can be deleted by uninstalling the app
• Our backend server is hosted on a Netcup VPS in Germany, subject to GDPR
• We do not sell user data to third parties
• We do not use third-party data for advertising

We do not sell, rent, or share your data with third parties. Your ride data is only sent to services you explicitly connect and authorize (Strava, Intervals.icu, COROS) or features you opt into (KRANQland Online).

Ride data, rider profiles, routes, and workouts are stored locally on your computer in a SQLite database within the application's data directory.

Our backend server (hosted on a Netcup VPS in Germany, subject to GDPR) stores account data (Clerk user ID, email, display name), license and subscription status, and OAuth tokens for third-party integrations. The database is PostgreSQL with Redis for multiplayer presence caching. Raw fitness data is not stored server-side.

BLE (Bluetooth Low Energy) communication with your trainer and sensors is processed entirely on your device. KRANQ does not relay Bluetooth data to any external service.

Under the GDPR and applicable data protection laws, you have the following rights:

• Access (Art. 15) — all local data is on your device. For server-side data, contact us for a copy.
• Rectification (Art. 16) — update your profile information in the app or your Clerk account settings
• Erasure (Art. 17) — delete rides, workouts, or routes in the app. Request full account deletion via email (see below).
• Data portability (Art. 20) — export rides as TCX files and workouts as .kranq or .zwo files
• Restrict processing (Art. 18) — contact us to restrict processing of your data
• Object (Art. 21) — you may object to data processing based on legitimate interest
• Withdraw consent — disconnect any third-party integration at any time in Settings
• Lodge a complaint — you have the right to lodge a complaint with a supervisory authority (for Germany: BfDI)

To exercise any of these rights, contact us at info@friesslich.de.

We process your data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR) — account creation, license activation, providing the software and multiplayer services you purchased
• Consent (Art. 6(1)(a) GDPR) — optional third-party integrations (Strava, Intervals.icu, COROS) that you explicitly connect
• Legitimate interest (Art. 6(1)(f) GDPR) — fraud prevention, license enforcement, server security logs

• Local ride data: retained until you delete it or uninstall the app
• OAuth tokens: retained until you disconnect the integration
• Server-side account data: retained for the lifetime of your account. Deleted within 30 days of account deletion.
• Server-side license/subscription data: retained while your license or subscription is active. Removed on account deletion.
• Multiplayer presence/chat: automatically removed from Redis after disconnection (presence: 30 seconds, chat: last 50 messages rolling)

• You can delete individual rides from within KRANQ
• You can disconnect any third-party integration, which revokes access and removes associated data
• You can request complete account deletion by contacting info@friesslich.de
• Upon account deletion, all server-side data (tokens, account info) is permanently removed within 30 days

We use the following third-party services to operate KRANQ:

• Clerk (USA) — user authentication, session management. Privacy policy
• LemonSqueezy / Lemon Squeezy LLC (USA) — payment processing, license management, subscription billing (merchant of record). Privacy policy
• Netcup GmbH (Germany) — server hosting (VPS for api.kranq.fit). Privacy policy
• Vercel Inc. (USA) — hosting for the kranq.fit marketing website. Privacy policy
• GitHub / Microsoft (USA) — CI/CD pipeline, source code hosting. No user data is stored on GitHub.

For US-based processors, data transfers are conducted in compliance with the EU-US Data Privacy Framework or Standard Contractual Clauses as applicable.

The kranq.fit website does not use cookies, analytics, or tracking scripts. It is a static site hosted on Vercel. Vercel may collect standard web server logs (IP address, user agent) as described in Vercel's privacy policy.

KRANQ is not directed at children under 16. We do not knowingly collect data from children.

We may update this policy from time to time. Changes will be posted on this page with an updated date. Continued use of KRANQ after changes constitutes acceptance.

Questions about this privacy policy? Reach us at info@friesslich.de.

Jonas Friesslich Software
Michael-Brech-Str. 28
97522 Sand am Main, Germany