Privacy Policy
Version 2026-06-15. How Sub24 collects, uses and protects your data. See also the Terms & Conditions.
What we collect
When you sign in with Google we receive your email, display name, profile picture URL and a unique account id, so we can show your account and let you sign back in.
When you upload a GPX file we store the route geometry, elevation and any waypoints/checkpoints. We don’t keep the original file beyond the parsed representation.
If you connect Strava we receive your athlete id, name and the metadata for run-like activities (distance, duration, elevation, date, type), used to import races and fit your pace. We don’t store full GPS traces from Strava activities.
When your crew uses a share-code we store the code, race id and expiry; the crew session is scoped to that one race.
Product analytics
We use Firebase Analytics (Google Analytics 4) to understand how the app is used — page views and key actions (e.g. creating a race, logging a checkpoint). Events are tied to a pseudonymous account id, never your email or other directly-identifying details, and aren’t used for advertising. Accepting the Terms on first sign-in covers this use.
What we don’t do
- We don’t sell your data.
- We don’t share your data with advertisers or use it for ad targeting.
- We don’t email you marketing — only transactional messages (sign-in, invites).
Where it lives
Your data is stored in Google Cloud Firestore (US multi-region) and the app runs on Firebase App Hosting. Strava OAuth tokens are stored encrypted at rest by Google Cloud.
Your rights
You can export your data, delete your account, or revoke Strava access from your settings at any time. Deletion removes your races, route data, splits, pantry, Strava tokens and access state; crew sessions for codes you generated stop working. See how to delete your account.
If you’re in the UK or EU you have rights under UK/EU GDPR including access, rectification, erasure and portability, and can withdraw consent at any time. Some activity and route data may be treated as special-category data; email us to exercise your rights (see Contact).
Cookies
We set one cookie, __session, which holds your signed-in session and is required for the app to work. It’s httpOnly, secure and same-site, and isn’t used for tracking — a strictly-necessary cookie that doesn’t require a consent banner.
Contact
Questions or data requests? Email privacy@sub24.run. We aim to reply within 7 days.
This is a plain-English summary, not legal advice.