API Data Handling
Last updated: October 27, 2025
Scope & Purpose
When you connect Strava, we import only the minimum metrics needed to power logging, leaderboards, and campaign/race totals: distance, duration (moving time), and the date/time of activities. We also store the Strava activity ID and sport type to filter which activities count. We do not store raw GPS routes or streams.
What We Store
- Distance (mi), duration (s), and activity date.
- Strava activity ID and athlete ID; sport type (e.g., Run vs Walk) for filtering.
- Optional mapping to a campaign and/or race window (based on your memberships).
- Minimal activity metadata necessary for idempotent sync (evidence hash).
- Encrypted OAuth tokens needed to fetch your activities from Strava.
What We Do Not Store
- Raw GPS coordinates, route polylines, or detailed stream data.
- Sensitive health metrics beyond distance/duration.
- Private activity content beyond the minimal fields listed above.
Use of Data
- We use imported fields solely for logging, totals, and leaderboards (respecting your preferences).
- We do not use your Strava data for advertising, profiling, or cross-service tracking.
- We do not sell data or use it for AI/model training or other secondary purposes.
Visibility & Publishing
We do not publish private activities. Public stats and boards use allowed data and respect your anonymity/visibility settings (e.g., display name, opt-outs).
Revocation & Deletion
- You can disconnect Strava anytime from your profile and/or within Strava settings.
- On request, we will delete your imported activity records and disconnect your token.
- Disconnecting prevents future imports; previously imported rows remain until you ask us to delete them.
Webhooks
Strava notifies us when activities are created or updated. We record a minimal webhook event (no GPS) to queue processing, fetch the activity once, and update your totals. Webhook payloads are retained only for troubleshooting and audit, then purged regularly. Unsupported types (e.g., Walk, if excluded) are ignored.
Security
- OAuth tokens are encrypted at rest; access is restricted to operational code paths.
- All traffic is over HTTPS; forms use CSRF protection; admin tools are role-gated.
- We limit stored data to what is necessary for the stated features.
Data Retention
We keep activity summaries as long as your account remains active or until you request deletion. Webhook event logs are kept briefly for reliability and then purged on a rolling basis.
Your Choices
- Disconnect Strava at any time.
- Request export or deletion of your imported activity summaries by emailing info@runandresist.com.
Contact
Questions about API data? Email info@runandresist.com. For general practices, see our Privacy Policy and Terms of Service.