Data Protection Policy

This policy was last updated: June 2026.

Who We Are

365 Challenge is the controller of personal data held by the 365 Challenge service. Our contact address is HQ, Balsall Common, England, and you can contact us.

Data We Collect and Why

We collect only the data needed to provide and protect the 365 Challenge service:

  • Account data: username, email address, profile details, preferences, and authentication records.
  • Strava connection data: your Strava athlete identifier and OAuth tokens.
  • Activity data: activity name, description, sport type, date, distance, duration, elevation, calories, speed, privacy status, and source-device name where supplied by Strava.
  • Challenge data: proprietary 365 scores, rankings, badges, achievements, progress, and private yearly result archives.
  • Support and enquiry data: information you provide when contacting us.

Lawful Bases

We process account and challenge data to provide the service under our Terms of Service. We process Strava-sourced data with your express authorisation through Strava OAuth. We also rely on legitimate interests where necessary to secure, support, and administer the service, and on legal obligations where applicable.

Sharing and Visibility

We do not sell, rent, license, or provide your personal data to advertisers or data brokers. We use IONOS for UK hosting and transactional email. These suppliers process data only to provide those services to 365 Challenge.

Your proprietary 365 score, rank, achievements, badges, streaks, and challenge progress may be visible to other participants in challenges, groups, or leaderboards you join. These are 365 Challenge outputs rather than Strava metrics. Private activities may contribute to your proprietary challenge score where authorised, but their private activity details should not be presented as shared activity information.

Data Protection Commitment

  • We limit collection and retention to documented challenge purposes.
  • We do not use Strava data for advertising, general analytics, search indexes, AI, or machine-learning processing.
  • We use appropriate organisational and technical security measures.
  • We maintain incident-response and supplier records.

Data Storage

Your data is hosted in the UK using IONOS infrastructure and is only accessed for:

  • Processing your challenge activities
  • Generating performance statistics
  • Technical maintenance and support

Minimum Age

365 Challenge is not directed at children under 13. Users under 13 must not create an account or connect Strava. Users must also be old enough to use Strava in their location.

Your Rights

Depending on applicable law, you may ask us to provide access to, correct, erase, restrict, or transfer your personal data, or object to processing. Where processing depends on consent, you may withdraw that consent without affecting earlier lawful processing. Use our contact page to exercise these rights.

You may request a copy of the Strava-sourced data held by 365 Challenge. This is separate from Strava's own bulk data export tool. You may also complain to the UK Information Commissioner's Office at ico.org.uk.

Strava API Compliance

When you connect your Strava account to the 365 Challenge app, we comply with Strava's API requirements:

  • We only request access to the minimum data required for the app's functionality
  • Your Strava activities are synced only after explicit authorisation from you
  • You can revoke access to your Strava data at any time through your Strava settings
  • We respect Strava's rate limits and data usage guidelines
  • We store your activities data securely and only use it for calculating challenge points and statistics
  • If you disconnect Strava, we immediately delete imported activities, connection credentials, derived challenge status, and stored group reports containing your activity data. We email you a deletion reference when this is complete.
  • We follow Strava's API Agreement and terms of service

When you connect Strava, 365 Challenge communicates with Strava through Strava's OAuth and API services. These requests identify the authorised Strava account and allow 365 Challenge to retrieve the activity data needed to operate the challenge. 365 Challenge does not intentionally provide independent 365 profile information to Strava other than information necessarily included in ordinary OAuth and API communications.

Strava may monitor, collect, and use usage data relating to 365 Challenge's use of the Strava API, including for API operation, support, security, compliance, platform improvement, and other purposes described in Strava's API terms and privacy materials.

Strava's own Privacy Policy governs Strava's processing of your Strava account and platform data. This policy applies only to processing controlled by 365 Challenge and does not modify, replace, or override Strava's Privacy Policy.

Controller Roles and International Transfers

365 Challenge and Strava act as independent controllers for the personal data each organisation controls. Contact 365 Challenge about data held by 365 Challenge. Contact Strava about your Strava account, the Strava platform, or data controlled by Strava.

365 Challenge hosts data with the providers identified in our internal subprocessor register. Where a transfer of personal data outside the UK or another protected jurisdiction is required, appropriate legal safeguards are used where applicable.

Data Retention

Account data is retained while your account remains active. After a yearly challenge is finalized, raw Strava activity records and group reports for that year are deleted through a controlled annual process. We retain a private aggregate result snapshot so you can view your previous yearly challenge, including totals, monthly progress, bonuses, and achievements. The snapshot excludes activity names, Strava links, exact active-day dates, activity identifiers, and evidence records.

Disconnecting Strava, revoking authorisation, requesting deletion, or deleting your account removes both current challenge data and all retained yearly result snapshots associated with your account. Partner and support enquiries are retained only while reasonably needed for the enquiry and follow-up.

Questions and Concerns

If you have any questions or concerns about our data protection policy or how we handle your information, use our contact page.