MoveTogetherMoveTogether
Login with StravaGet started

Privacy Policy

1. Introduction

MoveTogether ("we", "our", "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service, which integrates with Strava's API to provide fitness challenge functionality.

This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using MoveTogether, you consent to the data practices described in this policy.

2. Data We Collect

2.1 Data from Strava: When you connect your Strava account, we collect:

  • Profile Information: Strava user ID, username, first name, last name, email address, profile photo
  • Authentication Tokens: OAuth access tokens and refresh tokens (encrypted and securely stored)
  • Activity Data: Activity type, distance, duration, elevation gain, moving time, start date/time
  • Performance Metrics: Average speed, calories burned, heart rate data (if available)

2.2 Data You Provide:

  • Challenge details (name, description, dates, scoring rules, visibility settings)
  • Team names and descriptions
  • Chat messages within challenges (max 500 characters, sanitized for security)
  • Invitations, participation requests, and invite link usage

2.3 Data We Generate:

  • Challenge scores and rankings calculated from your Strava activities
  • Team scores and leaderboards
  • Participation status (owner, joined, requested, invited, declined)
  • Invite codes for shareable challenge links
  • Session data and authentication cookies

2.4 Technical Data:

  • IP address and browser information (for security purposes)
  • Usage data and service interaction logs

3. How We Use Your Data

3.1 Service Provision:

  • Authenticate your identity and manage your account
  • Sync your Strava activities to calculate challenge scores
  • Display leaderboards and rankings within challenges
  • Enable team-based competitions
  • Process invitations, participation requests, and invite link joins
  • Enable challenge-specific chat messaging between participants

3.2 Communication:

  • Send challenge invitations and notifications
  • Respond to your support requests
  • Notify you of important service updates

3.3 Service Improvement:

  • Monitor and analyze usage patterns to improve functionality
  • Troubleshoot technical issues
  • Ensure service security and prevent fraud

3.4 Legal Compliance:

  • Comply with legal obligations and lawful requests
  • Enforce our Terms of Use
  • Protect our rights and those of other users

4. Legal Basis for Processing (GDPR)

We process your personal data based on:

  • Consent: You explicitly authorize access to your Strava data via OAuth
  • Contract Performance: Processing is necessary to provide our service
  • Legitimate Interests: Service improvement, security, and fraud prevention
  • Legal Obligations: Compliance with applicable laws and regulations

5. Data Sharing and Disclosure

5.1 Within Challenges: When you join a challenge, the following data is visible to other participants in that challenge:

  • Your name and profile photo (from Strava)
  • Your challenge-specific scores and rankings
  • Your team assignment (if applicable)
  • Your chat messages within that challenge

5.2 We DO NOT:

  • Sell, rent, or trade your personal data to third parties
  • Share your data with advertisers or data brokers
  • Display your private challenge data to non-participants
  • Use your data for AI/machine learning model training
  • Share your activity details beyond what you've explicitly consented to

5.3 Service Providers: We may share data with:

  • Strava: We send requests to Strava's API to fetch your authorized data
  • Stripe: We share your email and billing information to process payments securely
  • Cloud Hosting: Our infrastructure providers who store data securely
  • Analytics: Anonymized usage data for service improvement

5.4 Legal Requirements: We may disclose data if required by law, court order, or to protect our legal rights.

6. Payment Information & Stripe

6.1 Payment Processing: When you purchase challenge credits, your payment is processed by Stripe, Inc., a PCI-DSS compliant payment processor. MoveTogether does not directly handle, process, or store your full credit card information.

6.2 Data Shared with Stripe: When you make a payment, Stripe collects:

  • Payment card information (card number, CVV, expiration date)
  • Billing address and contact information
  • Transaction amount and currency
  • Device and browser information for fraud prevention

6.3 What We Receive from Stripe: MoveTogether only receives:

  • Payment confirmation (success or failure)
  • Transaction ID and timestamp
  • Number of challenge credits purchased
  • Last 4 digits of your card (for reference)
  • Stripe Customer ID (for managing your billing portal access)

6.4 Stripe's Privacy Policy: Your payment data is governed by Stripe's Privacy Policy. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification.

6.5 Billing Portal: If you have purchased challenge credits, you can manage your billing information through Stripe's secure Customer Portal, accessible from your account settings. This portal allows you to:

  • View payment history and invoices
  • Update payment methods
  • Download receipts

6.6 Payment Data Retention: We retain transaction records (confirmation, amount, date) for accounting and tax compliance purposes for up to 7 years, as required by law. Full payment card details are never stored by MoveTogether and are managed solely by Stripe.

6.7 Refunds: In case of refunds (as outlined in our Terms of Use), the refund is processed through Stripe to your original payment method. We retain records of refund requests and confirmations.

7. Data Retention

6.1 Activity Data Cache: Strava activity data is cached for maximum 7 days for performance optimization, then refreshed from Strava.

6.2 Account Data: We retain your account data while your account is active and for a reasonable period after deletion to comply with legal obligations.

6.3 Challenge Data: Historical challenge data (scores, rankings) is retained to maintain challenge integrity, but personally identifiable information is removed upon account deletion.

6.4 Deleted Activities: If you delete an activity from Strava, it will be removed from our system within 48 hours.

8. Data Security

We implement robust security measures to protect your data, including:

  • Encryption: All data transmissions use HTTPS/TLS encryption
  • Secure Storage: Authentication tokens are encrypted at rest
  • Access Controls: Strict authentication and authorization mechanisms
  • Regular Audits: Periodic security assessments and monitoring
  • Data Minimization: We only collect and retain data necessary for service provision

In the event of a data breach affecting your personal information, we will notify you and relevant authorities within 24 hours of discovery, as required by GDPR.

9. Your Rights (GDPR)

Under GDPR and applicable data protection laws, you have the right to:

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure ("Right to be Forgotten"): Request deletion of your personal data
  • Restriction: Limit how we process your data in certain circumstances
  • Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Revoke your Strava authorization at any time

To exercise these rights, you can:

  • Revoke Strava access through your Strava account settings
  • Leave challenges via the application interface
  • Contact us directly with your request

We will respond to your requests within 30 days.

10. Cookies and Tracking

We use the following cookies:

  • Essential Cookies: Session management (movetogether_session) - required for authentication
  • Security Cookies: CSRF protection and secure authentication

We do not use advertising or third-party tracking cookies. Essential cookies cannot be disabled without affecting service functionality.

11. Third-Party Services

11.1 Strava: Our service relies on Strava's API. Your data from Strava is governed by Strava's Privacy Policy.

11.2 Stripe: Payment processing is handled by Stripe, Inc. Your payment information is governed by Stripe's Privacy Policy. Stripe is PCI-DSS Level 1 certified, the highest level of payment security.

11.3 Data Controller Relationship: MoveTogether, Strava, and Stripe are independent data controllers. Each is separately responsible for compliance with data protection laws for the data they control.

12. International Data Transfers

Your data may be transferred to and processed in countries outside your residence. We ensure appropriate safeguards are in place, including encryption and compliance with GDPR's data transfer requirements.

13. Children's Privacy

MoveTogether is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Significant changes will be communicated via email or prominent notice in the application. Continued use after changes indicates acceptance.

15. Contact & Data Protection Officer

For privacy-related questions, data access requests, or to exercise your rights:

  • Contact us through our support channels
  • Email: privacy@movetogether.com (if applicable)

If you are located in the EEA, you also have the right to lodge a complaint with your local data protection authority.

Last updated: February 12, 2026