Privacy Policy

When you connect your Strava account, we receive and store:

• Profile information — your Strava display name and profile photo URL
• Activity data — GPS route coordinates from your cycling activities, used to calculate which map tiles you have ridden through
• Authentication tokens — Strava OAuth access and refresh tokens, used to fetch your activity data on your behalf

We also store data you generate within the app:

• Tiles you have captured and their current status (lives, protection)
• Rides you have uploaded or synced, including tile counts
• Social activity — who you follow, your activity feed, and in-app notifications
• Your settings — privacy preferences and tile colour

We do not store the raw GPS track of your rides beyond what is needed to calculate tile captures. We do not store heart rate, power, speed, or other sensor data from Strava.

We use your data solely to operate the Veloterra game:

• To authenticate you via Strava OAuth
• To calculate which map tiles your rides cover
• To display your territory and statistics on the map
• To power social features — following other riders, activity feeds, and notifications
• To sync new Strava activities automatically (at most every 15 minutes)
• To send in-app notifications about game events (tiles under siege, tiles stolen, new followers)

We do not use your data for advertising, profiling, or any purpose unrelated to the game.

Under UK GDPR, we process your data on the basis of contract — processing is necessary to provide the service you signed up for. By connecting your Strava account and using Veloterra, you enter into an agreement with us to provide the game service.

Where you have made your profile private, we rely on your consent to share data with followed riders.

We do not sell your data. We share data with the following third-party services solely to operate the app:

• Strava — we access your activity data via their API in accordance with their Privacy Policy
• Neon — our database provider, hosted in the EU. Your data is stored on Neon's PostgreSQL infrastructure
• Vercel — our hosting provider. Application code and server functions run on Vercel's infrastructure
• Sentry — we use Sentry for error monitoring. Error reports may include technical context (browser type, OS, page URL) but are configured to exclude personal identifiers such as email addresses and IP addresses

All third-party providers are bound by their own privacy policies and data processing agreements. We only share the minimum data necessary for each service to function.

• Tiles — tiles decay and expire 30 days after your last ride through them
• Ride records — stored for the lifetime of your account to prevent duplicate uploads
• Notifications — retained for display purposes; cleared when your account is deleted
• Authentication tokens — stored for the lifetime of your account and used only to sync Strava data on your behalf

All data is permanently deleted when you delete your account (see Section 7).

By default, your captured tiles are visible to all Veloterra users on the map. Your tile locations reflect real-world routes you have cycled, which may include routes near your home.

You can set your account to private in Settings. When private, your tiles are only visible to riders you follow back. We recommend enabling this if you have concerns about route visibility.

We do not display your raw GPS tracks — only the hexagonal tiles derived from them.

You have the following rights regarding your personal data:

• Right of access — you can request a copy of the data we hold about you
• Right to rectification — you can ask us to correct inaccurate data
• Right to erasure — you can delete your account at any time via Settings → Danger zone. This permanently removes all your data from our systems
• Right to restrict processing — you can ask us to stop processing your data in certain circumstances
• Right to data portability — you can request your data in a machine-readable format
• Right to object — you can object to processing based on legitimate interests

To exercise any of these rights, contact us at privacy@veloterra.app. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

Veloterra uses a single session cookie to keep you signed in. This cookie is essential for the app to function and does not track you across other websites. We do not use advertising cookies or third-party tracking cookies.

Veloterra is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has created an account, please contact us and we will delete it promptly.

We may update this policy from time to time. If we make significant changes we will notify signed-in users via an in-app notification. The date at the top of this page always reflects when the policy was last updated.