HSTL ("HSTL", "we", "us", "our") provides a web platform and mobile application that help running clubs organise sessions and help runners track participation and consistency (the "Services"). Runners can check in to a club's run directly in the browser via a check-in link — no app required. This Privacy Policy explains how we collect, use, share, and protect personal data when you use the Services, including the hstl.run website.
If you have questions, contact us at admin@hstl.run.
1) Who we are
Data Controller: Gareth Forbes, operating as HSTL (sole operator)
Location: The Netherlands
Contact: admin@hstl.run
If you are based in the European Economic Area (EEA) or the UK, we process personal data under applicable data protection laws (including the GDPR).
2) What we collect
We collect data that is needed to operate HSTL, verify check-ins, deliver rewards, and improve the product.
A. Account and profile data
- Name (if provided)
- Email address
- Nickname / display name
- Profile image (if provided)
- Authentication identifiers (e.g., Apple/Google sign-in identifiers, and sign-in-link (passwordless email) authentication records)
- Records of your acceptance of our Terms (date, version accepted, platform, and how you accepted)
B. Club and participation data
- Clubs you join, save, or run with
- Sessions (hustles) you view, save, or check into
- Attendance history, streaks, active weeks, and derived metrics
- Admin actions (if you're a club admin), such as creating sessions or managing rewards
C. Location and check-in verification data
We collect limited location data when required for features like GPS check-in — in the mobile app and in the browser when you use a club's check-in link.
- Approximate or precise location (depending on your device/browser permission settings), captured once at the moment you check in
- Check-in verification evidence: your coordinates at check-in, the reported GPS accuracy, your distance from the run's meeting point, the check-in time, and (for browser check-ins) your browser's user-agent string
- Check-in metadata such as time, method (GPS / Strava), and verification signals
We do not track your location continuously. Location is used only when you actively use relevant features (for example, when checking in). Verification (distance and check-in window) is performed on our servers.
D. Strava data (only if you connect Strava)
If you connect Strava, we access limited Strava activity data after you grant permission via OAuth. This may include:
- Activity type (e.g., Run)
- Start date and time
- Distance and elapsed time
- GPS start location (where available)
- Basic activity identifiers needed for de-duplication and verification
E. Device, analytics, and diagnostics
- Device model and operating system version
- App version
- Crash logs and diagnostics (for example via Sentry or similar services)
- Basic usage events to understand feature performance and stability
- Website analytics: on hstl.run we use Google Analytics (GA4) to measure page views and product events (for example, whether a check-in page was viewed and whether a check-in succeeded or failed). For visitors in the EEA, analytics runs in cookieless mode by default (Google Consent Mode with analytics storage denied) — no analytics cookies are set unless you grant consent. We do not use analytics for advertising.
- To protect the Services from abuse we may use Firebase App Check with Google reCAPTCHA Enterprise on the website, which processes device/browser signals to distinguish real users from bots
F. Reward and voucher data
If your club offers rewards through the Services, we collect and store:
- Reward progress (streak or check-in count toward a reward threshold)
- Claim records (when you unlocked a reward, the code assigned to you, and the expiry date)
Voucher codes assigned to you are stored securely and visible only to you. HSTL does not share your individual voucher code with other users, club admins, or brand partners.
3) How we use your data
We use personal data to:
- Create and manage accounts and authenticate users
- Operate the Services (clubs, sessions, check-ins, leaderboards, rewards)
- Verify and prevent fraudulent check-ins
- Verify browser check-ins server-side (distance from the meeting point and the run's check-in window) and keep evidence of verification
- Calculate and display derived metrics (streaks, active weeks, consistency rankings)
- Deliver and track reward card progress, assign voucher codes, and display earned rewards
- Provide support and communicate service-related updates
- Maintain security, prevent abuse, and enforce our Terms
- Improve the Services (bug fixes, performance, product decisions)
4) Legal bases (GDPR)
Where GDPR applies, we process your data under these legal bases:
- Contract: to provide the Services you request (account, club participation, check-ins, metrics, rewards)
- Legitimate interests: to maintain security, prevent fraud, improve product reliability, and run analytics that helps us build a better service
- Consent: for optional features such as connecting Strava, and for push notifications (where required). Browser location access for web check-in is requested when you tap "Check in" and used only for that check-in
- Legal obligation: if we must comply with applicable law
You can withdraw consent at any time (for example, disconnect Strava).
5) How we share your data
We do not sell your personal data.
We share data in these limited cases:
A. With clubs you participate in
If you check into a club's sessions, that club's organisers/admins (including chapter captains with limited permissions) can see:
- Your display name/nickname and profile image (if provided)
- Your attendance and participation within that club
- Derived participation metrics for that club (e.g., active weeks, check-ins)
Club admins can see aggregated reward metrics (e.g., how many rewards have been claimed) but cannot see individual voucher codes assigned to runners.
B. With brand partners
If a club's rewards are provided by a brand partner (e.g., a clothing company offering discount codes), HSTL may share limited data with the brand only in aggregated, anonymised form (e.g., total rewards claimed, redemption rates). HSTL does not share your name, email, or individual participation data with brand partners unless you explicitly consent.
C. With service providers
We use vendors to host and operate the Services (for example: Firebase/Google Cloud, Expo, and error monitoring tools like Sentry). These providers process data on our behalf under contractual obligations.
D. For legal and safety reasons
We may share information if required to:
- Comply with law or legal process
- Enforce our Terms
- Protect the rights, safety, and security of HSTL, users, clubs, or the public
6) Strava data access, retention, and deletion
What we do with Strava data
If you connect Strava, we use Strava activity data to:
- Verify participation in a session you checked into
- Reduce fraud and duplicate check-ins
- Support derived metrics such as active weeks and streaks
Retention
We may temporarily cache limited Strava activity data for up to 7 days for verification and troubleshooting.
We store derived metrics (e.g., active weeks, streaks, attendance stats) until you delete your account.
Disconnecting Strava
You can disconnect Strava in the app. After disconnection, we stop retrieving new Strava data.
7) Data retention
We keep personal data only as long as necessary:
- Account and participation data: kept while your account is active
- Reward data: claim records and assigned voucher codes are retained while your account is active
- After account deletion: we remove your data from active systems and may retain limited data in encrypted backups for up to 30 days before purge
- Expired voucher codes may be retained in anonymised form for analytics
- Check-in verification evidence (coordinates, accuracy, user-agent) is retained with the check-in record while your account is active, and is used only for verification, anti-fraud, and support
- Some data may be retained longer where required for legal compliance, security, or fraud prevention, but we aim to minimise retention
8) Your rights and choices
Depending on your location, you may have rights to:
- Access your personal data
- Correct inaccurate data
- Delete your account and personal data
- Object to or restrict certain processing
- Request data portability
In-app and web controls
- Edit profile details in settings (mobile app)
- Manage push notifications in your device settings
- Disconnect Strava in the app
- Delete your account in the app (Privacy section), or — if you use HSTL only on the web — email admin@hstl.run from your account email and we will delete it for you
- Control browser location permission per-site in your browser settings; you can decline it at any time (you won't be able to GPS check-in from the web without it)
Complaints
If you are in the Netherlands, you can file a complaint with the Autoriteit Persoonsgegevens.
9) Security
We use reasonable administrative, technical, and organisational safeguards to protect personal data (including encrypted connections, access controls, and server-side storage of sensitive data such as voucher codes). No system is 100% secure; please protect your account credentials.
10) Children
HSTL is not intended for children under 16. If you believe a child has provided us personal data without appropriate consent, contact admin@hstl.run.
11) Changes to this policy
We may update this Policy. We will post updates on hstl.run and update the "Last updated" date. Material changes may be communicated in-app or by email.
12) Contact