Privacy Policy

Last Updated: June 14, 2025

Welcome to Club Faceoff ("we", "us", or "our"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application (the "Service"), which is designed to integrate with your Strava account.

By using our Service, you agree to the collection and use of information in accordance with this policy. This Privacy Policy is compliant with the General Data Protection Regulation (GDPR) and the Strava API Agreement.

1. Information We Collect

We collect information that you provide to us directly or automatically through your use of the Service and your connection to Strava. As per the Strava API Agreement, we are an independent controller of the data we receive.

Information Collected via the Strava API

When you connect your Strava account, you authorize us to access and process the following information from your Strava profile:

  • Strava Profile Information: Your public profile data, including your Strava Athlete ID, name, profile picture, and club memberships. We do not store most of this information long-term on our servers; instead, we fetch it from Strava at runtime to display in the application. Your Strava ID is stored to maintain the link to your account.
  • Activity Data: Summary information about your activities, such as distance, moving time, elevation gain, and activity type. We only store essential data required to provide the Service's features, like leaderboards. We do not store detailed GPS data, maps, or other sensitive information.
  • Club Data: We access the list of clubs you are a member of to provide club-specific leaderboards and features.

Session and Authentication Data

To provide a secure experience, we collect and store:

  • Session Information: We use secure, HTTP-only cookies to manage your session. Our session database stores a session ID, user ID (your Strava Athlete ID), and session expiry information.
  • Strava Authentication Tokens: We securely store your Strava access and refresh tokens in our database using strong AES-256-GCM encryption. These tokens are necessary to communicate with the Strava API on your behalf and are never exposed to the client side.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To Provide and Maintain the Service: To authenticate you, display your activity leaderboards within your clubs, and provide year-over-year comparisons.
  • To Personalize Your Experience: To show you relevant club data and statistics.
  • As a "Community Application": Our service operates as a "Community Application" under the Strava API Agreement. This allows us to display leaderboard data to other members of the same club you are in. This is a core feature of the Service. Only your performance metrics are shared within the private context of your club leaderboard in our application.
  • To Manage Your Session: To keep you logged in and ensure the security of your account.
  • To Comply with our Obligations: To adhere to the Strava API Agreement and applicable laws.

We explicitly do not use your data for training artificial intelligence or machine learning models, as prohibited by the Strava API Agreement.

3. How We Share Your Information

We do not sell, trade, rent, or otherwise transfer your personally identifiable information to outside parties for marketing, advertising, or other purposes. Your information may be shared only in the following situations:

  • Within Your Clubs on Our Service: As a "Community Application", your leaderboard rankings, which include your name and activity summary statistics, are visible to other members of your clubs who also use our Service.
  • With Service Providers: We may use third-party service providers (such as Supabase for database and authentication) to help us operate our Service. These providers are contractually obligated to protect your data and are not permitted to use it for any other purpose.
  • For Legal Compliance: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

4. Data Security and Storage

We implement a variety of security measures to maintain the safety of your personal information. Your Strava authentication tokens are encrypted at rest in our database using industry-standard encryption (AES-256-GCM). We use secure session management with HttpOnly cookies to protect your session. All data transmission between our service and Strava, and between your browser and our service, is encrypted using HTTPS.

5. Data Retention

We retain your personal data only for as long as is necessary to provide you with the Service.

  • Your session data is stored until your session expires or you log out.
  • Your Strava-related data that we store (e.g., activity summaries for leaderboards) is kept as long as your account is active with us.
  • If you disconnect your Strava account from our Service or request account deletion, we will delete your personal information from our systems in accordance with GDPR and the Strava API Agreement. We will process deletion requests promptly.
  • If you delete an activity on Strava, we will make our best effort to reflect this change in our service within 48 hours.

6. Your Rights Under GDPR

If you are a resident of the European Economic Area (EEA), you have certain data protection rights. We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.

  • The right to access, update, or delete the information we have on you.
  • The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
  • The right to object. You have the right to object to our processing of your Personal Data.
  • The right of restriction. You have the right to request that we restrict the processing of your personal information.
  • The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable and commonly used format.
  • The right to withdraw consent. You also have the right to withdraw your consent at any time where we relied on your consent to process your personal information.

To exercise these rights, please contact us. You can disconnect our app's access to your Strava data at any time from your Strava account settings. This will prevent us from accessing your data in the future and can serve as a request for data deletion.

7. Third-Party Services

Our Service depends entirely on the Strava API. Your use of our Service is also subject to Strava's Privacy Policy and Terms of Service. We are not responsible for the data practices of Strava.

8. Children's Privacy

Our Service is not intended for use by anyone under the age of 16. We do not knowingly collect personally identifiable information from children under 16. If we become aware that we have collected Personal Data from a child under 16 without verification of parental consent, we take steps to remove that information from our servers.

9. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. You are advised to review this Privacy Policy periodically for any changes.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us via our support forum.