Privacy Policy
Last updated: March 11, 2026
1. What We Collect
When you connect your Strava account, we collect:
- Strava profile: Name, athlete ID, profile photo URL
- Activity data: GPS routes (summary polyline), distance, time, elevation — for runs only
- OAuth tokens: Encrypted with AES-256-GCM, used solely to fetch your activities
If you create a zone, we collect your email address for OTP verification only.
If you upgrade to Citizen, Razorpay processes your payment. We store your order ID and payment status. We never see or store your card/UPI details.
2. How We Use It
- Convert your GPS routes into H3 hexagonal tiles for the game
- Display your name on the leaderboard (partial by default, e.g. “Priya S.”)
- Process payments via Razorpay for Citizen upgrades
- Send OTP emails for zone creation verification
We do not sell, share, or monetize your data. We do not run ads.
3. What We Never Store
- Raw GPS coordinates of other users
- Your home location
- Payment card or UPI details (handled entirely by Razorpay)
- Activity data beyond what's needed for tile claiming
4. Display Name Privacy
You control how your name appears on the map and leaderboard:
- Partial (default): “Priya S.”
- Full: “Priya Sharma”
- Anonymous: “Runner #4821”
Change this anytime in Settings.
5. Data Security
- Strava tokens encrypted with AES-256-GCM at rest
- Sessions use HTTP-only secure cookies with JWT
- All traffic over HTTPS
- Database hosted on Supabase (PostgreSQL) with row-level security
6. Third-Party Services
- Strava: Activity data source. Subject to Strava's Privacy Policy
- Razorpay: Payment processing. Subject to Razorpay's Privacy Policy
- Mapbox: Map rendering (client-side only)
- Resend: OTP email delivery
- Vercel: Hosting
7. Data Deletion
You can delete your account at any time from Settings → Disconnect Account. This permanently deletes:
- Your user profile and Strava tokens
- All activity records
- Payment records
- Tile ownership (tiles become unclaimed)
- Your Strava OAuth authorization is revoked
This action is irreversible.
8. Cookies
We use a single HTTP-only session cookie for authentication. No tracking cookies, no analytics cookies, no third-party cookies.
9. Children
Territory Run is not directed at children under 13. We do not knowingly collect data from children.
10. Contact
Questions about this policy? Email privacy@territory.run