Privacy Policy

Atlas is a personal activity visualisation tool that connects to your Strava account to display your own activities on a map, group them into trips, and show elevation profiles. This policy explains what data we collect, how we use it, and your rights.

Atlas is not affiliated with, endorsed by, or sponsored by Strava. This app is powered by the Strava API and subject to the Strava API Agreement.

When you connect your Strava account, Atlas requests the activity:read_all OAuth scope. This allows us to read your activities, including private ones. We collect the following data from Strava:

Profile

• Your name and profile photo URL (used to identify your account within the app)

Activities

• Activity name and sport type
• Start date and time (UTC and local)
• Timezone
• Distance, moving time, and elapsed time
• Elevation gain, peak altitude, and lowest altitude
• Average speed
• Start and end coordinates (latitude/longitude)
• Route polyline (encoded GPS path)

Activity streams (fetched on demand when you view an activity or trip)

• Full-resolution altitude, distance, and elapsed time data
• GPS coordinates (latitude/longitude) per second
• Smoothed velocity
• Heart rate (if recorded by your device)

Session data

• A session token stored in an encrypted, httpOnly cookie. Sessions expire after 90 days.
• Your Strava access and refresh tokens, stored server-side and used only to make API requests on your behalf.

Your data is used exclusively to provide the Atlas service to you personally:

• Displaying your activities on an interactive map
• Grouping activities into multi-day trips
• Rendering elevation profiles and movement statistics
• Keeping your activity list up to date via sync

We do not share, sell, license, or transfer your data to any third party. We do not use your data for analytics, advertising, AI or machine learning model training, or any purpose other than providing the features described above. We do not combine your Strava data with data from other sources.

Your activity data is stored for as long as you maintain a connected Strava account within Atlas. When you disconnect:

• All your activity data, streams, and trips are deleted within 48 hours
• Your session is invalidated immediately
• Your Strava access tokens are revoked and removed

You can also request deletion at any time by emailing us (see Contact below).

If Strava notifies us that you have revoked access via their Connected Apps page, we will delete your data within 48 hours of receiving that notification.

Under GDPR and UK GDPR, you have the right to access, correct, or delete the personal data we hold about you. To exercise any of these rights:

• Withdraw consent: Disconnect Atlas from your Strava account via Strava's Connected Apps page, or use the disconnect option within Atlas. Your data will be deleted within 48 hours.
• Data access or correction: Contact us at the email address below.
• Data deletion: Use the disconnect option in Atlas or email us directly.

All data is transmitted over HTTPS. Session tokens are stored in httpOnly, Secure, SameSite=Lax cookies and are never exposed to client-side JavaScript. Strava access tokens are stored server-side and are never included in page HTML or API responses sent to the browser.

In the event of a data breach or unauthorised access, we will notify affected users and Strava as soon as reasonably practicable.

Strava monitors usage of their API by third-party applications, including Atlas. This means Strava may collect information about how Atlas interacts with their API. For details on how Strava handles this data, please refer to the Strava Privacy Policy.

In the event of any conflict between this privacy policy and Strava's Privacy Policy, Strava's Privacy Policy takes precedence with respect to data processed by Strava.

For any privacy-related questions, data access requests, or deletion requests, please contact us at: CONTACT_EMAIL_PLACEHOLDER