Privacy Policy

HSTL ("HSTL", "we", "us", "our") provides a mobile application and related services that help running clubs organise sessions and help runners track participation and consistency (the "Services"). This Privacy Policy explains how we collect, use, share, and protect personal data when you use the Services.

If you have questions, contact us at admin@hstl.run.

1) Who we are

Data Controller: Gareth Forbes, operating as HSTL (sole operator)

Location: The Netherlands

Contact: admin@hstl.run

If you are based in the European Economic Area (EEA) or the UK, we process personal data under applicable data protection laws (including the GDPR).

2) What we collect

We collect data that is needed to operate HSTL, verify check-ins, deliver rewards, and improve the product.

A. Account and profile data

• Name (if provided)
• Email address
• Nickname / display name
• Profile image (if provided)
• Authentication identifiers (e.g., Apple/Google sign-in identifiers)

B. Club and participation data

• Clubs you join, save, or run with
• Sessions (hustles) you view, save, or check into
• Attendance history, streaks, active weeks, and derived metrics
• Admin actions (if you're a club admin), such as creating sessions or managing rewards

C. Location and check-in verification data

We collect limited location data when required for features like GPS check-in.

• Approximate or precise location (depending on your device permission settings)
• Check-in metadata such as time, method (GPS / Strava), and verification signals

We do not track your location continuously. Location is used only when you actively use relevant features (for example, when checking in).

D. Strava data (only if you connect Strava)

If you connect Strava, we access limited Strava activity data after you grant permission via OAuth. This may include:

• Activity type (e.g., Run)
• Start date and time
• Distance and elapsed time
• GPS start location (where available)
• Basic activity identifiers needed for de-duplication and verification

E. Device, analytics, and diagnostics

• Device model and operating system version
• App version
• Crash logs and diagnostics (for example via Sentry or similar services)
• Basic usage events to understand feature performance and stability

F. Reward and voucher data

If your club offers rewards through the Services, we collect and store:

• Reward progress (streak or check-in count toward a reward threshold)
• Claim records (when you unlocked a reward, the code assigned to you, and the expiry date)

Voucher codes assigned to you are stored securely and visible only to you. HSTL does not share your individual voucher code with other users, club admins, or brand partners.

3) How we use your data

We use personal data to:

• Create and manage accounts and authenticate users
• Operate the Services (clubs, sessions, check-ins, leaderboards, rewards)
• Verify and prevent fraudulent check-ins
• Calculate and display derived metrics (streaks, active weeks, consistency rankings)
• Deliver and track reward card progress, assign voucher codes, and display earned rewards
• Provide support and communicate service-related updates
• Maintain security, prevent abuse, and enforce our Terms
• Improve the Services (bug fixes, performance, product decisions)

4) Legal bases (GDPR)

Where GDPR applies, we process your data under these legal bases:

• Contract: to provide the Services you request (account, club participation, check-ins, metrics, rewards)
• Legitimate interests: to maintain security, prevent fraud, improve product reliability, and run analytics that helps us build a better service
• Consent: for optional features such as connecting Strava, and for push notifications (where required)
• Legal obligation: if we must comply with applicable law

You can withdraw consent at any time (for example, disconnect Strava).

5) How we share your data

We do not sell your personal data.

We share data in these limited cases:

A. With clubs you participate in

If you check into a club's sessions, that club's organisers/admins can see:

• Your display name/nickname and profile image (if provided)
• Your attendance and participation within that club
• Derived participation metrics for that club (e.g., active weeks, check-ins)

Club admins can see aggregated reward metrics (e.g., how many rewards have been claimed) but cannot see individual voucher codes assigned to runners.

B. With brand partners

If a club's rewards are provided by a brand partner (e.g., a clothing company offering discount codes), HSTL may share limited data with the brand only in aggregated, anonymised form (e.g., total rewards claimed, redemption rates). HSTL does not share your name, email, or individual participation data with brand partners unless you explicitly consent.

C. With service providers

We use vendors to host and operate the Services (for example: Firebase/Google Cloud, Expo, and error monitoring tools like Sentry). These providers process data on our behalf under contractual obligations.

D. For legal and safety reasons

We may share information if required to:

• Comply with law or legal process
• Enforce our Terms
• Protect the rights, safety, and security of HSTL, users, clubs, or the public

6) Strava data access, retention, and deletion

What we do with Strava data

If you connect Strava, we use Strava activity data to:

• Verify participation in a session you checked into
• Reduce fraud and duplicate check-ins
• Support derived metrics such as active weeks and streaks

Retention

We may temporarily cache limited Strava activity data for up to 7 days for verification and troubleshooting.

We store derived metrics (e.g., active weeks, streaks, attendance stats) until you delete your account.

Disconnecting Strava

You can disconnect Strava in the app. After disconnection, we stop retrieving new Strava data.

7) Data retention

We keep personal data only as long as necessary:

• Account and participation data: kept while your account is active
• Reward data: claim records and assigned voucher codes are retained while your account is active
• After account deletion: we remove your data from active systems and may retain limited data in encrypted backups for up to 30 days before purge
• Expired voucher codes may be retained in anonymised form for analytics
• Some data may be retained longer where required for legal compliance, security, or fraud prevention, but we aim to minimise retention

8) Your rights and choices

Depending on your location, you may have rights to:

• Access your personal data
• Correct inaccurate data
• Delete your account and personal data
• Object to or restrict certain processing
• Request data portability

In-app controls

• Edit profile details in settings
• Manage push notifications in your device settings
• Disconnect Strava in the app
• Delete your account in the app (Privacy section)

Complaints

If you are in the Netherlands, you can file a complaint with the Autoriteit Persoonsgegevens.

9) Security

We use reasonable administrative, technical, and organisational safeguards to protect personal data (including encrypted connections, access controls, and server-side storage of sensitive data such as voucher codes). No system is 100% secure; please protect your account credentials.

10) Children

HSTL is not intended for children under 16. If you believe a child has provided us personal data without appropriate consent, contact admin@hstl.run.

11) Changes to this policy

We may update this Policy. We will post updates on hstl.run and update the "Last updated" date. Material changes may be communicated in-app or by email.

12) Contact