Data Protection Policy
This policy was last updated: June 2026.
Who We Are
365 Challenge is the controller of personal data held by the 365 Challenge service. Our contact address is HQ, Balsall Common, England, and you can contact us.
Data We Collect and Why
We collect only the data needed to provide and protect the 365 Challenge service:
- Account data: username, email address, profile details, preferences, and authentication records.
- Strava connection data: your Strava athlete identifier and OAuth tokens.
- Activity data: activity name, description, sport type, date, distance, duration, privacy status, and source. Strava may also supply elevation, speed, and source-device name.
- Challenge data: proprietary 365 scores, rankings, badges, achievements, progress, and private yearly result archives.
- Shop data: shop order references, order items, payment references, fulfilment references, delivery details needed to fulfil an order, and support notes for shop enquiries.
- Support and enquiry data: information you provide when contacting us.
Lawful Bases
We process account, manually entered activity, and challenge data to provide the service under our Terms of Service. We process Strava-sourced data with your express authorisation through Strava OAuth. We also rely on legitimate interests where necessary to secure, support, and administer the service, and on legal obligations where applicable.
Sharing and Visibility
We do not sell, rent, license, or provide your personal data to advertisers or data brokers. We use IONOS for UK hosting and transactional email. These suppliers process data only to provide those services to 365 Challenge.
For shop purchases, Stripe processes payment details and Inkthreadable receives the delivery and order details needed to produce and dispatch print-on-demand kit. 365 Challenge stores payment references, order records, fulfilment references, and support information, but does not store card numbers or CVCs.
Your proprietary 365 score, rank, achievements, badges, streaks, and challenge progress may be visible to other participants in challenges, groups, or leaderboards you join. These are 365 Challenge outputs rather than Strava metrics. Private activities may contribute to your proprietary challenge score where authorised, but their private activity details should not be presented as shared activity information.
Data Protection Commitment
- We limit collection and retention to documented challenge purposes.
- We do not use Strava data for advertising, general analytics, search indexes, AI, or machine-learning processing.
- We use appropriate organisational and technical security measures.
- We maintain incident-response and supplier records.
Data Storage
Your data is hosted in the UK using IONOS infrastructure and is only accessed for:
- Processing your challenge activities
- Generating performance statistics
- Technical maintenance and support
Minimum Age
365 Challenge is not directed at children under 13. Users under 13 must not create an account or connect Strava. Users must also be old enough to use Strava in their location.
Your Rights
Depending on applicable law, you may ask us to provide access to, correct, erase, restrict, or transfer your personal data, or object to processing. Where processing depends on consent, you may withdraw that consent without affecting earlier lawful processing. Use our contact page to exercise these rights.
You may download a ZIP of the data stored for your account from your profile page. This is separate from Strava's own bulk data export tool. You may also complain to the UK Information Commissioner's Office at ico.org.uk.
Strava API Compliance
When you connect your Strava account to the 365 Challenge app, we comply with Strava's API requirements:
- We only request access to the minimum data required for the app's functionality
- Your Strava activities are synced only after explicit authorisation from you
- You can revoke access to your Strava data at any time through your Strava settings
- We respect Strava's rate limits and data usage guidelines
- We store your activities data securely and only use it for calculating challenge points and statistics
- If you disconnect Strava, we immediately delete imported Strava activities, connection credentials, Strava-derived challenge status, and stored group reports containing Strava activity data. Activities you added directly in 365 remain in your account, and your current score is rebuilt from them. We email you a deletion reference when this is complete.
- We follow Strava's API Agreement and terms of service
When you connect Strava, 365 Challenge communicates with Strava through Strava's OAuth and API services. These requests identify the authorised Strava account and allow 365 Challenge to retrieve the activity data needed to operate the challenge. 365 Challenge does not intentionally provide independent 365 profile information to Strava other than information necessarily included in ordinary OAuth and API communications.
Strava may monitor, collect, and use usage data relating to 365 Challenge's use of the Strava API, including for API operation, support, security, compliance, platform improvement, and other purposes described in Strava's API terms and privacy materials.
Strava's own Privacy Policy governs Strava's processing of your Strava account and platform data. This policy applies only to processing controlled by 365 Challenge and does not modify, replace, or override Strava's Privacy Policy.
Controller Roles and International Transfers
365 Challenge and Strava act as independent controllers for the personal data each organisation controls. Contact 365 Challenge about data held by 365 Challenge. Contact Strava about your Strava account, the Strava platform, or data controlled by Strava.
365 Challenge hosts data with the providers identified in our internal subprocessor register. Where a transfer of personal data outside the UK or another protected jurisdiction is required, appropriate legal safeguards are used where applicable.
Data Retention
Account data is retained while your account remains active. After a yearly challenge is finalized, raw activity records from Strava and activities added directly in 365, together with group reports for that year, are deleted through a controlled annual process. We retain a private aggregate result snapshot so you can view your previous yearly challenge, including totals, monthly progress, bonuses, and achievements. The snapshot excludes activity names, Strava links, exact active-day dates, activity identifiers, and evidence records.
Shop order records are retained while reasonably needed for accounting, customer support, delivery, refunds, and legal obligations. Delivery address details are not used for challenge scoring or marketing. Disconnecting Strava, revoking authorisation, requesting deletion, or deleting your account removes both current challenge data and all retained yearly result snapshots associated with your account. Partner and support enquiries are retained only while reasonably needed for the enquiry and follow-up.
Questions and Concerns
If you have any questions or concerns about our data protection policy or how we handle your information, use our contact page.