HSTL PRIVACY POLICY
Last updated: 10 DECEMBER  2025

HSTL ("HSTL," "we," "our," "us") provides a mobile application and related services that help running‑club organisers manage events and let runners track their participation and Hustle (HSTL) scores. We value your privacy and want you to understand how we process personal data. This Policy applies to the HSTL iOS/Android apps, the hstl.run website, and any features or content we control (collectively, the "Services").

––––––––––––––––––––––––––––––
1. INFORMATION WE COLLECT

We collect the minimum data needed to run HSTL:

• Account details – name, email, emoji / nickname, login tokens (Google, Apple).
• Club participation – club(s) you follow, event RSVPs, QR check‑ins, attendance history.
• Device & usage data – app version, device model, crash logs (via Sentry) and anonymous analytic events.

––––––––––––––––––––––––––––––
2. HOW WE USE THE INFORMATION

• Operate and improve the Services.
• Calculate and display club leaderboards.
• Auto‑link your run to an event you checked into (time + location match).
• Send push notifications (e.g., streak reminders, new events).
• Maintain safety, security and integrity of our platform.

––––––––––––––––––––––––––––––
3. SHARING OF INFORMATION

We never sell your data. We share only:
• With the club organiser(s) you follow – your attendance, XP Scores and profile emoji/nickname.
• With service providers who host, process or analyse data for us (Firebase, Google Cloud, Expo, Sentry). All are under strict confidentiality agreements.
• As required by law or to protect rights, property or safety.

3A. STRAVA DATA ACCESS & USE

If you choose to connect your Strava account, HSTL accesses a limited subset of your Strava activity data only after you grant explicit OAuth permission.

Data accessed may include:

  • Activity type (e.g. Run, Trail Run)

  • Activity start date and time

  • Distance and elapsed time

  • GPS start location

  • Heart rate data (if available)

How we use this data:

  • To verify participation in a club hustle

  • To award XP, streaks and club rankings

  • To prevent duplicate or invalid check-ins

Data retention:

  • Raw Strava activity data is cached temporarily for no longer than 7 days

  • After this period, raw activity data is deleted or refreshed

  • Only derived metrics (XP, streaks, rankings) are stored long-term

HSTL does not share, sell or redistribute Strava data. You can disconnect Strava at any time in the app, which immediately stops all future data access.

––––––––––––––––––––––––––––––
4. DATA RETENTION
• Derived metrics (XP Score, insights) → kept until you delete your account.
• Account and attendance records → kept while you maintain an account and for up to 30 days after deletion before permanent purge from backups.

––––––––––––––––––––––––––––––
5. YOUR CHOICES & RIGHTS

You have control over your personal information and can manage it in the following ways:

Access and Edit Your Profile: You can view and edit your profile information, such as your name and nickname, directly within the app's settings.

Manage Connected Services: You can disconnect your Strava or Garmin account at any time. Upon disconnection, we will immediately stop fetching new activity data from that service.

Control Notifications: You can opt out of certain push notifications through your in-app settings or your device's operating system settings.

Delete Your Account: You can permanently delete your account at any time from the "Privacy" section within your profile settings. When you initiate deletion, your account and associated personal data are immediately and irreversibly removed from our live production systems. This data may persist in our secure, encrypted system backups for up to 30 days before being permanently purged.

––––––––––––––––––––––––––––––
6. SECURITY

We use ISO‑27001–certified cloud providers, encrypted connections (TLS 1.2+), and restrict employee access to production systems. No system is 100 % secure; please keep your login credentials safe.

––––––––––––––––––––––––––––––
7. CHILDREN

HSTL is not directed to children under 16. If you learn a child has provided us data without parental consent, contact us and we will delete it.

––––––––––––––––––––––––––––––
8. CHANGES TO THIS POLICY

We may update this Policy and will post the new version on hstl.run with a "Last updated" date. Material changes will be announced in‑app or via email.

––––––––––––––––––––––––––––––
9. CONTACT

Questions or requests? Email us at admin@hstl.run.