Strava API compliance statement

Transparency statement explaining how 365 Challenge uses Strava data and how the current integration aligns with the Strava API Policy.

Policy effective: 2026-06-01 | Assessed: 2026-06-13 | Clauses: 54

How 365 Challenge applies the policy

365 Challenge uses Strava as an authorised activity source for a challenge and motivation service. Raw or reconstructable Strava activity data remains private to the athlete. Shared views contain proprietary 365 Challenge scores, positions, achievements, badges, challenge progress, and limited participation information that cannot reconstruct an activity. Raw yearly activity data is deleted after finalisation, and each account holder can retain a private aggregate result snapshot. Revocation or deletion removes raw data and retained snapshots for that user.

Assessment principles
  • 365 Challenge is a challenge and motivation service that uses Strava as an activity source. It is not a Strava social network, activity feed, or analytics platform.
  • A proprietary 365 Challenge score is not a Strava metric and cannot reconstruct the underlying activity.
  • Each participant can view their own imported activities, activity history, statistics, and challenge status.
  • Shared views contain proprietary 365 Challenge scores, ranks, positions, achievements, badges, streaks, challenge progress, generic activity dates, and active-day indicators that cannot reconstruct an activity.
  • Participants are told what challenge information will be shared when they sign up, join a group, and accept the Terms of Service.
  • 365 Challenge does not show another participant's activity name, Strava link, sport, distance, duration, route, elevation, pace, speed, device, sport totals, or athlete statistics.
  • 365 Challenge does not make imported athlete information publicly or anonymously accessible.
  • 365 Challenge retains raw Strava-sourced data only where needed to authenticate users and operate, verify, correct, and complete the current challenge. It deletes raw yearly activity data after finalisation and retains only a private aggregate result snapshot for the account holder. Revocation or deletion removes both raw data and snapshots.
  • 365 Challenge does not use Strava data for unrelated analytics, customer insights, product improvement, search, indexing, AI, machine learning, benchmarking, advertising, or commercial transfer.
  • Green means 365 Challenge has identified no material issue. Amber identifies a point of interpretation or confirmation that is being kept under review. Red identifies a current issue that requires corrective action.

This page is 365 Challenge's own transparency statement. It has not been reviewed, certified or approved by Strava. Strava may interpret and apply its API Agreement, API Policy and Brand Guidelines at its own discretion.

Clause text was imported from the official Strava policy URL on 2026-06-13. The source link should be used to check for later amendments.

Clause | Strava policy clause | 365 compliance statement
2.1 Our Shared Users: Authentication and Consent

Before accessing any Strava user's data, your Developer Application must (a) authenticate the account of the Strava user and (b) obtain the user's legal consent in a manner that, at minimum, discloses: (i) The types of data that will be collected; (ii) The methods by which the data will be collected; (iii) How the user may withdraw consent; (iv) How the user may request deletion of the user's data; and (v) If a deletion request is made, that the deletion was successfully completed.

365 Challenge accesses Strava data only after a participant signs in and authorises the connection through Strava OAuth. Before connection, the profile page and Terms explain the data collected, the use of OAuth and the Strava API, how consent can be withdrawn, how deletion can be requested, and how deletion is confirmed.

2.2 Our Shared Users: End-User Access to Collected Data

Your Developer Application must allow the end user to access data that the end user has generated and that you have collected via the Strava API Materials, upon the end user's request.

Participants can view their own imported activities and derived challenge statistics in their dashboard. The profile page also provides a ZIP download containing CSV files for the account, profile, manual and Strava-derived activities, weight records, group memberships, and Strava deletion records stored for the signed-in participant. This 365 Challenge download is separate from Strava's own bulk export tool.

2.3 Our Shared Users: Display Limited to the Authenticated User

Strava Data provided by a specific Strava user may be displayed or disclosed in your Developer Application only to that user. You may not display or disclose Strava Data related to other users, even if such data is publicly viewable on the Strava Platform.

365 Challenge keeps each participant's Strava activity details private to that participant. Shared cards, group pages, and feeds show only proprietary 365 Challenge outputs such as points, ranks, badges, and challenge status. They do not show another participant's Strava activity name, sport, distance, duration, route, device, Strava link, or other Strava metric.

2.4 Our Shared Users: Support, Contact Information, and Preferences

Your Developer Application must provide easily accessible contact information for end-user support and clear links for users to navigate to their Strava accounts. Users of your Developer Application must be permitted to express contact preferences, via notice and consent, at the point of collecting contact information and in accordance with applicable regulations.

365 Challenge provides support through its public contact page. A participant's own activity cards link back to Strava where relevant, and participants can manage monthly email preferences or unsubscribe using the one-click process.

2.5 Our Shared Users: Deletion upon End-User Request

You must delete all Data about an end user in your possession or control upon that end user's request, or upon the end user's termination or cancellation of the Developer Application's access to the Strava API Materials. You must also provide the user with written confirmation of successful deletion.

365 Challenge uses a shared deletion process for profile disconnection, Strava deauthorisation webhooks, support requests, bulk cleanup, and account deletion. The process deletes imported activities, OAuth credentials, athlete identifiers, yearly result snapshots, activity summaries, and stored group reports containing activity-derived values. Participants receive written confirmation with a deletion reference.

3.1 Access Controls, Quotas, Endpoint Administration, and Access Tiers: Access Limits and Rate Limits

Your use of the Strava API Materials may be subject to limitations on access, data requests, and use as set forth on the Strava developer site.

365 Challenge operates within Strava's published access and rate limits. The integration uses a limited set of OAuth, athlete, and activity operations, avoids unnecessary refreshes, and paces bulk deauthorisation requests.

3.2 Access Controls, Quotas, Endpoint Administration, and Access Tiers: Endpoint Availability and Allowlist

Strava may, in its discretion, vary the level of access, support, benefits, and incentives available to Developer Applications. Certain endpoints — including endpoints that expose aggregated user data, social-engagement data products, or other proprietary content — may be deprecated, restricted, or removed from time to time, temporarily or permanently. Strava may maintain an allowlist of Developer Applications authorized to continue using deprecated or restricted endpoints based on the value those Developer Applications provide to Strava users. If you wish to be considered for an allowlist, or to implement an endpoint or scope in a manner that would exceed published limitations, please contact Strava at developers@strava.com.

365 Challenge uses OAuth, athlete, and activity operations through stravalib. It does not use restricted social, segment, aggregated-user, or deprecated endpoints.

3.3 Access Controls, Quotas, Endpoint Administration, and Access Tiers: Access Tiers and Subscription Requirements

Strava classifies Developer Applications into the following Access Tiers, each of which has its own eligibility criteria and operating parameters as published on the Strava developer site:
(a) Standard Tier (“Standard Tier Applications”), inclusive of two levels:
  • Developer Applications limited to 10 registered Strava users (generally intended for hobbyists, side projects, and early development); and
  • Developer Applications limited to 9,999 registered Strava users (generally intended for growing apps with a substantial user base);
(b) Extended Access Tier (“Extended Access Tier Applications”), generally inclusive of Developer Applications serving 10,000 users or more and approved by Strava.
Extended Access Tier Applications are admitted on a case-by-case basis and are not subject to subscription requirements, except as Strava may publish from time to time. Standard Tier Applications are subject to subscription requirements as published on the Strava developer site, including a requirement that the developer or specified end users maintain an active Strava subscription. Subscription requirements may change from time to time, and Strava may grandfather, exempt, or comp Developer Applications in its discretion.

365 Challenge maintains a Strava developer account record covering the application name, account owner, Standard access tier, approved athlete capacity, subscription requirement, and review date.

3.4 Access Controls, Quotas, Endpoint Administration, and Access Tiers: Eligibility Criteria

You must currently meet, and continue to meet, all eligibility and other criteria Strava requires for your current Access Tier, and must complete all forms and applications required by Strava. Eligibility criteria may change from time to time.

The named developer account owner is responsible for maintaining eligibility, subscriptions, required Strava forms, and approved tier or capacity changes for the 365 Challenge integration.

3.5 Access Controls, Quotas, Endpoint Administration, and Access Tiers: Strava MCP

Strava operates the Strava Model Context Protocol (“Strava MCP”) as the official Strava-controlled agent-mediated interface to the Strava Platform. The Strava MCP is the sole authorized first-party agent-mediated interface and may be made available on AI platforms Strava trusts and on key partner platforms as Strava may designate. Subscribers to Strava may access the Strava MCP in connection with their personal use of their own Strava data, in accordance with this Policy and any operational requirements published on the Strava developer site, and may bring their own AI Application to interact with their own data through the Strava MCP. The Strava MCP is not authorized for, and may not be used to enable, any commercial or third-party access to the Strava API Materials or Strava Data outside the developer's own personal use.

365 Challenge does not use, provide, or expose a Strava MCP integration or AI agent interface.

3.6 Access Controls, Quotas, Endpoint Administration, and Access Tiers: Developer Program Admissions, Rate Limit, and Athlete Capacity Increase Requests

Admission to the Strava Developer Program is at Strava's discretion and is not guaranteed. Strava does not commit to a fixed review-time service-level agreement; you will hear from Strava if you are admitted, or if Strava requires additional information. Similarly, requests to increase rate limits or athlete capacity will be handled at Strava’s discretion, and increases are not guaranteed. Strava does not commit to a fixed review-time service-level agreement for these requests; you will hear from Strava if you are admitted, or if Strava requires additional information.

365 Challenge operates within its approved access tier and athlete capacity. Any future capacity change will be treated as effective only after Strava approval.

3.7 Access Controls, Quotas, Endpoint Administration, and Access Tiers: No Circumvention

You may not, and may not encourage or allow any third party to, interfere with, hinder, limit, or modify any access limits, rate limits, or other controlling mechanisms implemented by Strava. If Strava believes that you have attempted to exceed or circumvent these limitations, you will be notified and your access may be temporarily or permanently blocked.

365 Challenge does not circumvent Strava access controls, rate limits, or other controlling mechanisms. Bulk operations use authorised API calls and are paced to avoid unnecessary load.

4.1 Brand, Attribution, and Publicity: Use of Strava Marks

The rights granted under the Agreement do not include any general right to use the Strava Marks in connection with your Developer Application. Subject to your continued compliance with the Agreement and this Policy, you may use Strava Marks for certain limited purposes related to your Developer Application only as described in the Brand Guidelines. These rights are non-exclusive, non-transferable, worldwide, and royalty-free, without any right to sub-license, and may be revoked by Strava at any time. If Strava updates the Brand Guidelines or any Strava Marks that you are using, you agree to update such Strava Marks to reflect the most current versions. You must not use any Strava Mark, or any confusingly similar mark, as the name or part of the name or icon of your Developer Application, or as part of any logo or branding for your Developer Application.

365 Challenge has separate product branding, uses official Strava connection and attribution assets where appropriate, and describes the relationship as compatible with Strava. Strava is not part of the 365 Challenge name, logo, or product identity.

4.2 Brand, Attribution, and Publicity: Compliance with Brand Guidelines; Attribution

If you choose to give attribution to Strava within your Developer Application, you must comply with the Brand Guidelines in doing so. The Brand Guidelines are available on the Strava developer site and may be updated from time to time. Strava determines whether you are in compliance with the Brand Guidelines.

365 Challenge uses official Connect with Strava and Powered by Strava artwork where attribution is shown. Public copy uses neutral compatibility wording and avoids language that implies Strava sponsorship or endorsement.

4.3 Brand, Attribution, and Publicity: No Implied Endorsement or Affiliation

You may not display any reference to Strava or the Strava Platform in your Developer Application in a manner that has a likelihood of creating confusion as to the origin of the Developer Application or that implies a direct or indirect affiliation, endorsement, sponsorship, or approval by Strava.

365 Challenge is separately branded. Page titles, social metadata, and product copy do not imply affiliation, sponsorship, approval, or endorsement by Strava.

4.4 Brand, Attribution, and Publicity: Third-Party Attribution

Data obtained through the Strava API may include data that requires attribution to third parties. If your Developer Application displays information derived from Garmin-sourced data, you must display attribution to Garmin in the form and manner required by Garmin's brand guidelines. Strava may specify additional third-party attribution requirements from time to time, as may the third parties themselves.

365 Challenge preserves source metadata supplied through Strava. Where Garmin-sourced information is displayed, personal activity views and shared source-attribution text identify Garmin without using the Garmin logo.

4.5 Brand, Attribution, and Publicity: Strava Promotional Rights

Strava may use your Developer Application and any related marks, logos, or other intellectual property that you leverage in the Strava API Materials, without providing notice to you, for the purposes of promoting Strava and marketing and making Developer Applications available to mutual customers. Strava has no obligation to use or promote any Developer Application.

365 Challenge places no restriction on Strava's promotional rights under this clause.

4.6 Brand, Attribution, and Publicity: Press and Public Statements

You may not issue any press release or other announcement regarding your Developer Application that makes any reference to Strava without Strava's prior written consent. Please send any such request to developers@strava.com.

365 Challenge has not issued a formal press release or public announcement about the Strava integration. Any future formal announcement about the integration will be submitted for Strava approval where required.

5.1 Use Restrictions: Purpose-Limited Use

You may not use the Strava API Materials for any purpose other than providing the Developer Application for which you are registered as a Strava API developer.

365 Challenge imports authorised activities only to calculate and present challenge participation, scores, progress, achievements, and related account features.

5.2 Use Restrictions: No Competing or Imitating Applications; No Benchmarking

You may not use the Strava API Materials in any manner that is competitive to Strava or the Strava Platform, including in connection with any application, website, or other product or service that includes, features, endorses, or otherwise supports a third party that provides services competitive to Strava's products and services. You may not use the Strava API Materials to create an application that imitates the look, imagery, or brand identity of Strava or the Strava Platform. You may not use or access the Strava API Materials to monitor the availability, performance, or functionality of the Strava Platform or for any other benchmarking or competitive analysis purpose.

365 Challenge is a separately branded challenge and motivation service. It does not reproduce Strava activity feeds, imitate Strava, benchmark Strava, or provide an alternative activity analytics service. Shared dashboards contain proprietary 365 Challenge outputs rather than raw Strava activity details.

5.3 Use Restrictions: No AI/ML Training, Fine-Tuning, Grounding, Evaluation, Embedding, or Retrieval-Augmented Generation

You may not use the Strava API Materials or Strava Data, directly or indirectly, in connection with the development, training, evaluation, or operation of any AI Application. This prohibition extends to:
  • Any data derived from, aggregated from, anonymized from, or generated using Strava Data, in any form (including original, derivative, aggregated, anonymized, de-identified, or model-output form); and
  • Any of the following activities with respect to an AI Application: training, pre-training, post-training, fine-tuning, reinforcement learning, alignment, grounding, evaluation, benchmarking, embedding generation, retrieval-augmented generation, ingestion into a context window or working memory, and any other activity intended or reasonably likely to develop, improve, evaluate, or operate an AI Application.
This prohibition does not extend to use of the Strava MCP, as discussed above in Section 3.5.

365 Challenge does not use Strava data in AI or machine-learning features, model pipelines, embedding stores, or retrieval systems.

5.4 Use Restrictions: No Aggregation, Analytics, or De-Identified Processing

You may not process or disclose Strava Data—even publicly viewable Strava Data—including in an aggregated, de-identified, or anonymized manner, for the purposes of analytics, analyses, customer insight generation, or product or service improvements. You may not combine Strava Data with other customer data for these or any other purposes. The restrictions in this Section 5.4 apply to data derived from Strava Data and to output that incorporates or was generated using Strava Data.

365 Challenge processes imported activities only to operate the challenge and calculate proprietary scores, progress, achievements, and rankings. It does not use Strava data for customer insights, market analytics, data mining, AI, search, indexing, benchmarking, or product-improvement analysis.

5.5 Use Restrictions: No Scraping, Bulk Export, Harvesting, or Automated Extraction

You may not use web scraping, web harvesting, web data extraction methods, or any other automated means to extract data from the Strava Platform. You may not bulk-export Strava Data, including by accumulating Strava Data through repeated authorized API calls into a corpus, dataset, archive, or database that exceeds the operational scope of your Developer Application. You may not store Strava Data, or any data derived from Strava Data, in any Persistent Index. The foregoing prohibits indefinite storage in vector stores, embedding stores, search indexes, knowledge graphs, retrieval-augmented data stores, archives, and any other storage configured to enable subsequent retrieval, query, or use. The seven-day cache permitted under Section 6.2 is not a Persistent Index, provided that the cache is operated as a transient cache and is not used to enable any prohibited purpose under this Section 5.5.

365 Challenge obtains data only through authorised Strava OAuth and API calls. Retained fields have defined challenge purposes, including duplicate prevention, ownership verification, eligibility, scoring, achievements, validation, corrections, privacy handling, and source attribution. Raw yearly activity records are deleted after finalisation, leaving only a private non-reconstructable aggregate result for the account holder.

5.6 Use Restrictions: No Reverse Engineering or Derivative Works

You may not, and may not encourage or authorize any third party to:
  • Remove or alter any proprietary notices or marks on the Strava API Materials;
  • Frame, wrap, or otherwise reproduce significant portions of the Strava Platform;
  • Reverse engineer, reverse assemble, decompile, modify, or attempt to discover any source or object code of the Strava API Materials or any part of the Strava Platform; or
  • Modify or create derivative works based upon the Strava API Materials or distribute copies of them.

365 Challenge does not reverse engineer Strava, frame the Strava Platform, copy its interface, or modify Strava API materials.

5.7 Use Restrictions: No Aggregating, Caching, or Storing User or Geographic Information

You may not use or access the Strava API Materials to aggregate, cache, or store geographic location information or other user information accessible via the Strava API, except as expressly permitted by Section 6.2.

365 Challenge does not collect or store routes, coordinates, maps, or other geographic information. It retains only the user and activity fields needed to authenticate users, import authorised activities, verify eligibility, calculate proprietary challenge scores and achievements, support corrections, and provide source attribution.

5.8 Use Restrictions: No End-User Charges; No Resale or Syndication

You may not charge end users, in any manner, for access to or use of the Strava API Materials or any services or functionality included in or related to the Strava API Materials or the Strava Platform. You may not sell, rent, lease, sublicense, redistribute, or syndicate access to the Strava API Materials, and you may not charge any service, booking, or similar fee in connection with services made available via the Strava Platform. The foregoing does not prohibit you from charging for the provision of functionality not provided by the Strava Platform in your Developer Application and that is not substantially duplicative of functionality offered by Strava.

365 Challenge does not charge users for Strava access and does not sell Strava API materials. The core service and Strava connection are free. Shop and partner charges relate only to merchandise and proprietary 365 Challenge services.

5.9 Use Restrictions: Advertising Restrictions

You may include advertisements in your Developer Application, but you may not use Strava Data in any advertisement without Strava's express written consent. Advertisements may not be displayed in a manner that suggests approval or endorsement by Strava. You may not use the Strava API Materials, directly or indirectly, for targeted advertising or similar purposes.

365 Challenge does not use Strava data for advertising or audience targeting and does not show Strava data in advertisements.

5.10 Use Restrictions: No Sale, License, or Transfer to Third Parties

You may not collect, use, store, aggregate, or transfer Strava Data in any manner except as expressly permitted for the operation of your Developer Application. You may not transfer or disclose Strava Data — including publicly viewable Strava Data — to any third party, except as expressly permitted by this Agreement and your then-current privacy policy and in full compliance with applicable law (including Section 28 of the GDPR and Section 28 of the UK GDPR). You may not, directly or indirectly, disclose, market, sell, license, lease, or make available in exchange for monetary or other valuable consideration, any Strava Data to any third party — including advertisers, data brokers, AI Application providers, or model developers — even if a user of your Developer Application consents.

365 Challenge does not sell, license, lease, advertise with, syndicate, or transfer Strava data to data brokers, AI providers, model developers, or other commercial third parties. Shared views contain proprietary 365 Challenge outputs rather than raw or summary Strava metrics.

5.11 Use Restrictions: No Malware or Disruption

You may not use the Strava API Materials to distribute any virus, spyware, adware, malware, or other harmful or malicious component. You may not use the Strava API Materials for any purpose that might overburden, impair, or disrupt the Strava Platform or related servers or networks.

365 Challenge contains no malicious or deliberately disruptive functionality. User guidance discourages unnecessary API refreshes.

5.12 Use Restrictions: No Detrimental, Unlawful, or Objectionable Content or Conduct

You may not include or use the Strava API Materials in, or in connection with, any application, website, or other product or service that includes content or engages in conduct that (a) may be perceived as detrimental, disparaging, or harmful to Strava, or (b) would violate Strava's Acceptable Use Policy or Community Standards if posted on or through the Strava Platform. You may not use the Strava API Materials to distribute unsolicited advertising or promotions, or to send messages, make comments, or initiate any other unsolicited direct communication or contact with Strava users or partners.

365 Challenge is a fitness challenge service with a personal safety policy. It does not use Strava data for harmful content, unsolicited promotion, comments, or direct contact.

5.13 Use Restrictions: No Circumvention of Authorization or Consent Flows

You may not, and may not encourage or allow any third party to, interfere with, hinder, limit, or modify any notices, authorization requests, or consent requests provided by Strava. You may not use the Strava API Materials in any way that would grant anyone other than you or the applicable Strava user the right to see data related to that user without the prior express consent of that user.

365 Challenge uses Strava's standard OAuth flow and does not modify, obscure, hinder, or bypass Strava notices or consent requests. Participants choose whether to connect Strava and whether to join groups. Group pages and feeds share only proprietary challenge outputs and omit Strava activity details.

5.14 Use Restrictions: Compliance with Law

You must at all times use the Strava API Materials and Strava Data in accordance with all applicable laws and regulations, your privacy policy, and the Service Terms — including laws, regulations, and directives regarding privacy, data security, the export of data, and the regulation of artificial intelligence (including the EU AI Act, where applicable). You may not use the Strava API Materials or Strava Data to conduct or facilitate any activity that violates applicable law or the Service Terms.

365 Challenge uses Strava data only to operate the challenge. It does not export Strava data for other purposes or use it for AI or machine learning. Its privacy, UK GDPR, international-transfer, and supplier arrangements reflect the current production service.

5.15 Use Restrictions: Compliance with Children's Online Privacy Laws

If your Developer Application is directed to or knowingly collects data from children under thirteen (13) (or the equivalent age threshold under applicable law), you represent and warrant that you comply with the Children's Online Privacy Protection Act ("COPPA"), the GDPR (including Section 8), the UK GDPR, and any analogous applicable law, including by obtaining all required parental or guardian consents and by implementing all required notices and protections. Strava's service is not directed to children under thirteen (13).

365 Challenge is not directed at children under 13. Account creation requires confirmation that the participant is at least 13 and old enough to use Strava in their location. The Data Protection Policy prohibits users under 13 from creating an account or connecting Strava.

5.16 Use Restrictions: No Abstraction Layers, Pass-Through Proxies, or Unauthorized Agent Interfaces

You may not, and may not authorize any third party to: (a) operate, offer, or facilitate any abstraction layer, integration-platform-as-a-service, no-code-AI platform, pass-through proxy, intermediary, or aggregator that re-exposes the Strava API Materials, in whole or in part, to third parties; (b) operate any MCP Server, agent-mediated interface, or analogous mechanism that exposes the Strava API Materials, Strava Data, or any subset thereof; (c) share, transfer, multiplex, or otherwise re-use API Tokens or authentication credentials across multiple servers, services, applications, or end users; or (d) build a Developer Application whose primary purpose is to enable third parties to access the Strava API Materials or Strava Data through your credentials or infrastructure. The Strava MCP is the sole authorized first-party agent-mediated interface to the Strava Platform. The restrictions in this Section apply to any successor or analogous protocol or technology that performs a function comparable to an MCP Server, regardless of name.

365 Challenge uses Strava data only within its challenge service. It does not expose API credentials or provide a Strava proxy, MCP server, no-code layer, or agent interface.

6.1 Data Rights and Retention: Scope of Data Access

Unless your Developer Application has an athlete capacity of 9,999 or less, you may display or disclose to an end user only the specific Strava Data related to that end user. You may not display or disclose Strava Data related to other users, even if such data is publicly viewable on the Strava Platform.

365 Challenge operates below its approved athlete capacity. Shared views contain proprietary 365 Challenge outputs and do not disclose another participant's raw or summary Strava activity data.

6.2 Data Rights and Retention: Cache and Retention

You may not retain Strava Data in your cache for longer than seven (7) days. If your Developer Application checks for a resource (for example, a segment) and that resource is no longer available from Strava, you must remove it from your cache immediately, regardless of how frequently your cache is refreshed. Except for such limited caching, you may not store Strava Data, or provide or display Strava Data or any associated service, to any third party other than the Strava user using your Developer Application.

Strava's cache wording sets a seven-day limit, while the 365 Challenge is a year-long challenge that needs authorised activity records for the current challenge period to calculate scores, verify results, correct errors, and complete the year. Raw records are deleted after annual finalisation. A private aggregate yearly result remains available only to the account holder until revocation or deletion. We keep this retention model under review against Strava's seven-day provision.

6.3 Data Rights and Retention: Reflecting User Deletions

You may not continue displaying or disclosing in your Developer Application any Strava Data that a Strava user has deleted from Strava. Deletions must be reflected in your Developer Application expeditiously but in all cases within forty-eight (48) hours.

Activity-delete webhooks remove matching activity records immediately. Regular synchronisation also removes local activities that are no longer present in Strava for the queried period, so Strava deletions are reflected promptly and within the required timeframe.

6.4 Data Rights and Retention: Retention Limited to Purpose

Except as expressly permitted by Section 6.2, you may not retain Data, and you may use and retain Data only so long as necessary for the purpose for which it was originally obtained.

365 Challenge retains Strava-sourced activity records for longer than seven days during the active challenge year, limited to the purposes of calculating, verifying, correcting, and presenting proprietary challenge scores, progress, and achievements. Raw data is deleted after annual finalisation. Private aggregate yearly results remain only until the participant revokes access or requests deletion. We keep this aggregate-retention position under review against Strava's retention rules.

6.5 Data Rights and Retention: Usage Data

Strava may monitor and collect Usage Data and may use Usage Data for any business purpose, internal or external, including providing enhancements to the Strava API Materials or the Strava Platform, providing developer or user support, ensuring compliance with this Agreement, or otherwise. You agree to include a statement to this effect in your privacy policy.

The Data Protection Policy states that Strava may monitor, collect, and use data about 365 Challenge API usage for operation, support, security, compliance, platform improvement, and the other purposes in Strava's terms and privacy materials.

6.6 Data Rights and Retention: User Bulk Data Export

Each Strava user has the right to access and export the user's own Strava data, free of charge, through the Bulk Data Export Tool published on the Strava service. Nothing in this Agreement is intended to limit or condition that user-facing right.

365 Challenge does not restrict or place conditions on a participant's use of Strava's bulk export tool.

7.1 Privacy and Data Protection: Respect for User Privacy Settings

Your Developer Application must respect the privacy settings configured by Strava users. If your Developer Application does not collect the authentication credentials of a Strava user, you are not permitted to display any data or use any functionality via the Strava API Materials relating to that user.

365 Challenge respects Strava privacy settings and does not show private activity details on shared surfaces. Activity names, sports, distances, durations, routes, records, devices, and activity leaderboards remain private. Authorised activities may contribute to proprietary 365 Challenge scores and active-day indicators, but those outputs do not identify or reconstruct the underlying activity.

7.2 Privacy and Data Protection: Consent and Authentication

Strava users must expressly authorize your Developer Application before you access any of their data. Your Developer Application must authenticate the account of the Strava user and, at minimum, provide the user with the information required by Section 2.1 of the Policy (including the types of data collected, collection methods, consent-withdrawal mechanisms, and deletion request mechanisms). In the event of a change in the type of data collected from a Strava user, you must notify the user of such change and obtain the user's consent to the change in scope. Authorizations shall respect any granular permissioning implemented by Strava, which may be updated from time to time.

365 Challenge accesses Strava data only after the participant signs in and authorises the connection through Strava OAuth. The profile page and Terms explain the data collected, collection method, consent withdrawal, and deletion process. The integration uses the activity:read_all scope, and any material change to data collection or scope will be disclosed before use and require fresh authorisation.

7.3 Privacy and Data Protection: Developer Privacy Policy

You must provide a lawful privacy policy for your Developer Application that meets the requirements of the GDPR and the UK GDPR, is accessible through reasonably prominent hyperlinks that do not modify, conflict with, or supersede the Strava Privacy Policy (which controls in the event of any conflict with your privacy policy), and explains how you collect, store, use, or transfer any Personal Data via your Developer Application. You will comply with all privacy and data protection laws applicable to you.

The footer-linked Data Protection Policy identifies 365 Challenge as controller and explains the data collected, purposes, lawful bases, IONOS processing, challenge visibility, user rights, ICO complaints, retention, and international-transfer safeguards. It distinguishes 365 Challenge processing from processing governed by Strava's Privacy Policy.

7.4 Privacy and Data Protection: Deletion Obligation

Upon (a) a Strava user's request, (b) a Strava user's revocation of your Developer Application's authorization to access the user's Strava account, (c) a Strava user's deletion of the user's Strava account, (d) your cessation of use of the Strava API Materials, or (e) termination of this Agreement, you must promptly and permanently delete the following from your Developer Application and from all systems, networks, and servers under your control: (i) in the case of clauses (a) through (c), all Strava Data and all Personal Data derived from Strava Data relating to the requesting or revoking user; and (ii) in the case of clauses (d) and (e), all Strava Data and all Personal Data derived from Strava Data, regardless of user. Deletion under this Section 7.4 must be completed expeditiously but in any event within thirty (30) days, except where applicable law or an agreement with the affected user requires retention for a longer period (in which case you must retain proof of the legal or contractual basis and provide it to Strava on request). You must certify deletion to Strava in writing on request.

User requests, Strava revocation, support actions, and account deletion all trigger the same immediate purge. The purge deletes imported activities, credentials, athlete identifiers, yearly result snapshots, activity summaries, and stored group reports. Sync and webhook processes verify that the Strava connection remains active before writing data. Non-identifying deletion records support written certification to Strava.

7.5 Privacy and Data Protection: Personal Data Provided to Strava

If you provide Personal Data to Strava in connection with the Strava API Materials, you must first obtain all necessary consents and authorizations from the applicable users, ensure that such users are aware of this processing and disclosure, and disclose this processing in your privacy policy. Strava will treat Personal Data obtained from you through your use of the Strava API Materials in accordance with the then-current Strava Privacy Policy.

The Data Protection Policy explains that 365 Challenge communicates with Strava through OAuth and API services. Requests identify the authorised Strava account so 365 Challenge can retrieve the required activity data. 365 Challenge sends no separate 365 profile information beyond data required for ordinary OAuth and API communications.

7.6 Privacy and Data Protection: Independent Controllers; Cross-Border Transfers

Each party is a separate and independent controller of the Personal Data that it discloses or receives under this Agreement, and will individually determine the purposes and means of its processing of such Personal Data. The parties are not joint controllers and do not intend to process Personal Data as joint controllers under Section 26 of the GDPR, Section 26 of the UK GDPR, or any analogous provision of applicable data protection law. Each party is individually and separately responsible for complying with the obligations that apply to it as a controller under applicable data protection and privacy laws, and neither party is responsible for the other party's compliance with those laws. Where either party receives a request from a data subject in respect of Personal Data controlled by the other party, the receiving party will direct the data subject to the other party. To the extent any Personal Data is transferred from the EEA, the United Kingdom, or Switzerland to a jurisdiction not subject to an adequacy decision, the transfer is governed by the European Commission Standard Contractual Clauses (Decision 2021/914), the United Kingdom International Data Transfer Addendum, or analogous transfer mechanism applicable to the recipient jurisdiction, each as incorporated by reference and as in effect from time to time.

The Data Protection Policy identifies 365 Challenge and Strava as independent controllers, directs users to the correct organisation for each type of data, names the hosting providers, and explains the safeguards used for cross-border transfers.

7.7 Privacy and Data Protection: Subprocessor Disclosure

You must, on Strava's request, provide a current list of Subprocessors that process Strava Data on your behalf, including each Subprocessor's name, role, and processing location. You are responsible for the acts and omissions of your Subprocessors as if they were your own and must ensure that each Subprocessor is bound by data-protection obligations no less protective than those in this Agreement.

365 Challenge maintains a subprocessor register covering IONOS hosting and transactional email, the data processed, processing location, and purpose. The register is reviewed when services change and is available to Strava on request.

8.1 Security and Breach Notification: Developer Security Obligations

You agree to use commercially reasonable and appropriate administrative, technical, organizational, and physical measures to maintain the security and integrity of all Data, taking into account the measures described in Section 32(1) of the GDPR and the UK GDPR. You are fully responsible for the security of Data used in connection with your Developer Application or otherwise in your possession.

365 Challenge protects Strava-related data using appropriate application, operational, and access-control measures for a small challenge service. Production secrets are kept out of source code, rotated where exposure has occurred, and checked at startup. The service uses authenticated access, standard Django security protections, secure production transport and cookie settings, password validation, and controlled data-deletion processes to maintain the security and integrity of participant data.

8.2 Security and Breach Notification: Compliance with Data Protection and Security Law

You will comply with all applicable laws — including state and federal laws — regarding the collection, security, and dissemination of any personal, financial, card, or transaction Data on your site or through your Developer Application.

365 Challenge does not process payment-card data. The current source code no longer embeds production-sensitive application credentials, and the previously exposed credentials identified under clause 8.1 have been rotated.

8.3 Security and Breach Notification: Breach Notification

You must notify Strava of any security breach—including any personal data breach within the meaning of the GDPR or the UK GDPR—related to your Developer Application or Strava Data, in writing to legal@strava.com, as soon as possible but no later than twenty-four (24) hours after discovery of the incident.

365 Challenge maintains an incident-response procedure with primary and backup owners. It defines Strava-related breaches, requires assessment and notification to Strava within 24 hours where applicable, covers ICO and user notification, and requires an evidence log.

8.4 Security and Breach Notification: Security Controls

Strava may provide, suggest, or mandate security procedures and controls intended to reduce the risk of fraud or security breaches ("Security Controls"). Security Controls may include processes or applications developed by Strava or by third parties, including two-factor authentication for users logging into their Strava account. You agree to review all Security Controls and implement those that are appropriate for your business and your Developer Application to protect against unauthorized transactions and, if necessary, to use other procedures and controls not provided by Strava. Strava cannot guarantee that security measures will defeat all unauthorized access or misuse, and if you provide Personal Data to Strava, you do so at your own risk.

365 Challenge uses Django authentication, password validation, CSRF protection, access controls, login requirements, and signup throttling. New security controls introduced by Strava are reviewed for applicability.

9.1 Miscellaneous: Consistency with the Agreement

You must not impose terms on users of your Developer Application that are inconsistent with the Agreement or the Service Terms.

Users accept the 365 Challenge Terms of Service during signup. The Terms state that 365 Challenge is independent from Strava, require compliance with Strava's terms, grant no rights to Strava data beyond the API permissions, identify challenge scores and rankings as proprietary 365 Challenge outputs, and confirm that 365 Challenge provides support for its service.

9.2 Miscellaneous: Third-Party Warranty Disclaimers

Your Developer Application's terms of service must disclaim, on behalf of third-party service providers, all warranties (including implied warranties of merchantability, fitness for a particular purpose, and non-infringement) and must exclude third-party service providers from all liability for consequential, special, punitive, and indirect damages.

The 365 Challenge Terms disclaim express and implied warranties for third-party service providers, including merchantability, fitness for purpose, and non-infringement. They exclude those providers from liability for consequential, special, punitive, and indirect damages to the fullest extent permitted by law.

9.3 Miscellaneous: Customer Support

You, and not Strava, are responsible for providing all customer and technical support and maintenance for your Developer Application. Strava has no obligation to provide any technical or other support for the Strava API Materials or any services or content related thereto.

365 Challenge accepts responsibility for its application support and provides a public contact page linked from the footer. Users are not directed to Strava for support with the 365 Challenge service.