Data & Privacy Policy

This policy explains what personal data raceRival processes, why we process it, and your rights under EU GDPR.

1. Data we process

Account data: email address, display name, and authentication credentials.

Individual performance data: activity metadata and performance streams (pace, heart rate, elevation, GPS coordinates) synced from third-party fitness platforms you explicitly connect, such as Strava. This data is used solely for your own personal dashboard, PR tracking, and individual competition features. It is never shared with, displayed to, or accessible by any other user.

Multi-athlete competition data: GPS activity files (GPX format) that you manually upload to participate in friends or group competitions. By uploading a GPX file to a competition, you explicitly consent to sharing the performance data contained in that file with other participants in that specific competition only.

Connected third-party accounts: when you connect a fitness platform such as Strava, we store only the OAuth access token required to fetch your own activities on your behalf. We do not access, store, or process any other user's data from those platforms.

2. Strava data — strict individual use only

raceRival connects to the Strava API solely to fetch your own activities for your personal use. Strava data is:

Multi-athlete competitions and group leaderboards on raceRival use only GPX files that each athlete uploads directly. No Strava data is used in any feature that involves more than one athlete.

3. Purpose and legal basis

We process data to provide core platform functionality, secure accounts, and deliver requested analytics. Individual performance data is processed on the basis of contract performance. Multi-athlete competition data is processed on the basis of explicit consent given at the time of GPX upload.

4. Aggregated data sharing

Aggregated analytics sharing is disabled by default and requires explicit opt-in in Settings. You may withdraw consent at any time.

5. Data retention

We retain personal data only as long as needed for service delivery, legal compliance, and fraud prevention. Deleted account records are anonymized where retention is required.

6. Your GDPR rights

You can access, rectify, erase, and restrict processing of your data, and withdraw optional consent from Settings. To exercise your rights, contact privacy@racerival.app.

Last updated: 2026-06-06. For contractual terms, see Terms & Conditions.