API Data Handling
Last updated: October 27, 2025
Scope & Purpose
When you connect Strava, we import only the minimum metrics required to operate mileage logs, leaderboards, and campaign/race totals: distance, duration (moving time), and the date/time of your activities. We also store the Strava activity ID and sport type for filtering. We do not store raw GPS routes or detailed stream data.
What We Store
- Distance (mi), moving time (seconds), and activity date/time.
- Strava activity ID and athlete ID; sport type (e.g., Run, Walk) for filtering.
- Automatic mapping to campaigns and races based on your memberships and time windows.
- A minimal evidence hash used for idempotent sync and duplicate detection.
- Encrypted OAuth tokens needed to fetch and refresh your activity data.
What We Do Not Store
- GPS coordinates, polylines, or route maps.
- Detailed stream data such as cadence, heart rate, or power.
- Private notes or sensitive health metrics.
- Any activity fields beyond the minimal list above.
Use of Data
- To maintain accurate mileage logs and leaderboards.
- To calculate campaign and race totals.
- To keep data consistent with updates from Strava (e.g., activity edits).
- Not used for advertising, behavioral profiling, or any commercial resale.
- Not used for AI or model training.
Visibility & Publishing
We do not publish private Strava activities. Public stats and boards respect your visibility and anonymity settings (e.g., display name, opt-outs).
Revocation & Deletion
- You can disconnect Strava anytime from your profile or from Strava’s settings.
- Disconnecting stops future syncs but does not automatically delete previously imported data.
- You may request deletion of imported activity summaries at any time.
- If you delete your account, we anonymize your profile and schedule full deletion of your data according to our retention policy.
Webhooks
Strava notifies us when activities are created or updated. We record a minimal webhook event (no GPS) to queue processing, fetch the activity one time, and update your totals. Webhook payloads are retained briefly for reliability and audits, then purged. Unsupported types (e.g., Walk, if excluded from a leaderboard) are ignored.
Security
- OAuth tokens are encrypted at rest.
- Data is accessed only through controlled code paths.
- All traffic uses HTTPS and CSRF protection.
- Admin tools and logs are restricted by role.
Data Retention
We retain imported activity summaries as long as your account remains active. If you delete your account, we anonymize your profile and schedule full removal using a staged deletion process. Webhook logs are purged on a rolling basis.
Your Choices
- Disconnect Strava at any time.
- Request export or deletion of your imported activity summaries by emailing info@runandresist.com.
Contact
Questions about integrations or activity data? Email info@runandresist.com. For broader practices, see our Privacy Policy and Terms of Service.