1. Data We Collect from Strava
When you connect your Strava account, we access:
- Profile information (name, profile picture)
- Activity data (date, distance, duration, elevation, pace, route polyline)
2. How We Use Your Data
- Display your activities within the app
- Verify activity authenticity
- Show verified activities on public leaderboards (only if you explicitly share them)
3. Data Storage
- Data is stored securely in encrypted databases (Supabase/PostgreSQL)
- We retain activity data only while your account is active
- Route polylines are NOT stored permanently
4. Data Sharing
- We do NOT sell your data
- We do NOT share your data with third parties
- Only activities you explicitly "Share to Leaderboard" become visible to others
5. Your Rights (GDPR Compliant)
- Access: Request a copy of your data at any time
- Deletion: Request complete deletion of your account and all associated data
- Revocation: Disconnect Strava at any time; we will delete your data within 7 days
- Portability: Export your data in standard formats
6. Data Retention
- Active accounts: Data retained while account exists
- Deleted accounts: All data permanently deleted within 7 days
- Revoked Strava access: All Strava-sourced data deleted within 7 days
7. Security
- All data transmitted via HTTPS
- OAuth tokens stored encrypted, never exposed to frontend
- No client secrets in browser code