At PaceArena, your privacy is important to us. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our strategic running game platform.
1. Information We Collect
Account Information
- Email Address: Used for account creation, authentication, and important notifications
- Username: Your display name visible to other players and team members
- Password: Encrypted and stored securely (we never see your actual password)
- Selected City: The city you compete in for territory control
Strava Activity Data
When you connect your Strava account (optional), we collect the following performance metrics via Strava's API:
Data We DO Collect:
- Activity Type: We only process running activities (road runs, trail runs, treadmill runs)
- Distance: Total kilometers/miles run
- Pace: Average pace (min/km or min/mile)
- Duration: Moving time and elapsed time
- Heart Rate: Average and maximum heart rate (if available from your device)
- Cadence: Steps per minute (if available from your device)
- Elevation Gain: Total meters/feet climbed
- Activity Timestamp: When the run was started and completed
Data We NEVER Collect or Store:
- GPS Coordinates: No latitude/longitude data (start_latlng, end_latlng)
- Route Polylines: No map data or route traces
- Map Tiles: No visual map images
- Segment Data: No GPS-based segment efforts
- Location Information: No geographic data of any kind
Important: We strictly comply with Strava's data protection requirements. PaceArena is location-independent—only your distance, pace, and duration matter for gameplay. Detailed technical metrics (heart rate, cadence) are visible only to you, never shared with other users.
Game Activity Data
- Points (PAP) Balance: Your current and total earned Pace Arena Points
- Territory Claims: Sectors you control and reinforcements you make
- Team Membership: Teams you create or join
- Contest Participation: Battles you initiate or defend against
- Transaction History: Complete audit trail of points earned and spent
Technical Information
- IP Address: For security and fraud prevention
- Browser Type and Version: To ensure compatibility
- Device Information: Operating system and screen resolution
- Session Cookies: To keep you logged in and remember your preferences
2. How We Use Your Data
Core Gameplay
- Calculate PAP (Points): Convert your running activities into game points using our formula
- Enable Territory Control: Allow you to claim, reinforce, and contest city sectors
- Power Team Features: Display team statistics, leaderboards, and collaborative achievements
- Process Contests: Manage 3-round battles between teams for sector control
Communication
- Account Notifications: Email verification, password resets, security alerts
- Game Notifications: Territory attacks, contest updates, team invitations (optional)
- Platform Updates: Important changes to features or policies
Platform Improvement
- Bug Fixes: Identify and resolve technical issues
- Feature Development: Understand how players use the game to build better features
- Performance Optimization: Improve speed and reliability
3. Data Sharing and Disclosure
Within PaceArena
- Team Members: Your username, total points contributed, and team activity logs are visible to teammates
- City Leaderboards: Team names and aggregate performance statistics (not individual routes)
- Territory Map: Sector ownership and team control are public within each city
Third-Party Services
- Strava API: Only when you explicitly connect your account (you can disconnect anytime)
- Hosting Provider (Railway): Secure database storage and application hosting
- Redis Cache: Temporary data storage for real-time features
We NEVER sell your running data or personal information to third parties. Your activity data is used exclusively for PaceArena gameplay.
Legal Requirements
We may disclose information if required by law, such as:
- Responding to valid legal requests (subpoenas, court orders)
- Protecting the rights, property, or safety of PaceArena, our users, or the public
- Detecting, preventing, or addressing fraud, security, or technical issues
4. Data Retention
We retain your data as follows:
- Active Accounts: All data retained while your account is active
- Deleted Accounts: Personal information deleted within 30 days of account deletion
- Transaction History: Anonymized game statistics may be retained for analytics
- Legal Compliance: Some data may be retained longer if required by law
5. Your Privacy Rights
Access and Control
- View Your Data: Access your profile, statistics, and transaction history anytime
- Update Information: Modify your username, email, or city selection
- Disconnect Strava: Revoke Strava integration from the Integrations page
- Opt-Out Notifications: Disable optional game notifications (account security emails still sent)
Data Portability
You have the right to:
- Request a copy of your personal data in a portable format (JSON export)
- Transfer your data to another service (where technically feasible)
Right to Deletion
You can request deletion of your account and personal data by:
- Emailing privacy@pacearena.com with subject "Account Deletion Request"
- We will process your request within 30 days
- Some anonymized game statistics may be retained for platform analytics
For EU Users (GDPR)
If you're in the European Union, you have additional rights:
- Right to Rectification: Correct inaccurate personal data
- Right to Restriction: Limit processing of your data
- Right to Object: Object to certain data processing activities
- Right to Lodge a Complaint: Contact your local data protection authority
6. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All data transmitted via HTTPS (SSL/TLS)
- Password Hashing: Passwords encrypted using bcrypt algorithm
- Secure Tokens: OAuth tokens stored encrypted in our database
- Access Controls: Limited employee access to personal data
- Regular Backups: Automated database backups with encryption
- Monitoring: Continuous security monitoring and vulnerability scanning
While we take reasonable precautions, no system is 100% secure. Please use a strong, unique password for your account.
7. Cookies and Tracking
We use cookies for:
- Authentication: Keep you logged in between sessions
- Preferences: Remember your city selection and settings
- Security: CSRF protection for form submissions
- Real-time Features: WebSocket connections for live territory updates
We do NOT use third-party advertising cookies or tracking pixels.
8. Children's Privacy
PaceArena is not intended for users under 13 years old. We do not knowingly collect personal information from children. If you believe a child has created an account, please contact us immediately at privacy@pacearena.com.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:
- Data hosting on secure, certified infrastructure (Railway)
- Compliance with GDPR for EU users
- Standard contractual clauses for international transfers
10. Changes to This Policy
We may update this Privacy Policy periodically. When we make significant changes:
- The "Last Updated" date will change
- Version number will increment
- Existing users will be prompted to review and accept the new policy
- Continued use of PaceArena after changes constitutes acceptance
11. Strava-Specific Disclosures
For users who connect Strava accounts, we comply with Strava's API Agreement and data protection requirements:
11.1 OAuth Authorization & Scopes
- Explicit Consent Required: You must explicitly authorize PaceArena via Strava's OAuth consent screen
- Minimal Scopes Requested: We request only "read" and "activity:read" scopes (NOT activity:read_all which includes private activities)
- What This Allows: Access to your public profile and public running activities only
- Token Security: OAuth access tokens are encrypted and stored securely in our PostgreSQL database
- Token Refresh: Access tokens expire every 6 hours and are automatically refreshed using secure refresh tokens
11.2 Webhook Processing & Data Fetch
- Real-time Notifications: Strava sends webhook notifications when you complete activities
- Webhook Verification: All webhook requests are verified using secret tokens to prevent unauthorized access
- API Data Fetch: When notified, we fetch activity details from Strava's API using your access token
- Processing Timeline: Activities are typically processed within minutes of completion
- Cache Policy: We comply with Strava's 7-day cache limit—no Strava data remains in cache longer than 7 days
11.3 Data Visibility & Privacy Protection
Current Implementation - Dual Message Architecture:
When you complete a Strava-tracked run, our system generates two separate activity log entries:
What YOU See (Activity Owner):
- Full activity details: distance, pace, duration
- Heart rate and cadence data (if available)
- "View on Strava" link directing to your activity on Strava.com
- Game points (PAP) earned from the activity
What Your Teammates See:
- Your username and team contribution message
- Game points (PAP) you contributed to the team
- Generic encouraging adjective (based on points earned)
- NO access to your distance, pace, duration, heart rate, or cadence
- NO "View on Strava" link visible to teammates
Strava API Agreement Compliance: PaceArena complies with Strava's requirement that "Strava Data related to other users, even if such data is publicly viewable on the Strava Platform, may not be displayed or disclosed." Our database architecture stores separate messages for activity owners and teammates, with Django serializers enforcing user-specific data access based on authentication.
11.4 User Control & Disconnection
- Disconnect Anytime: Revoke Strava access from our Integrations page or Strava's settings
- Soft Disconnect: Disable integration locally while keeping authorization (can reconnect without re-authorizing)
- Hard Disconnect: Full deauthorization that revokes OAuth tokens with Strava
- Data After Disconnection: We stop syncing new activities immediately; existing activity data retained unless you request deletion
- Deletion Timeline: Upon deauthorization, personal Strava data deleted within 24 hours if requested
- Audit Trail: All deauthorization attempts logged with timestamps and reasons for security
11.5 Data Storage & Security
- What We Store: Only performance metrics (distance, pace, duration, heart rate, cadence, elevation)
- What We Never Store: GPS coordinates, route polylines, map tiles, or any location data
- Secure Infrastructure: Data hosted on Railway's certified infrastructure with encryption
- Access Controls: Limited employee access to Strava data; all access logged
- No Third-Party Sharing: Strava data never sold, licensed, or shared with advertisers or analytics services
11.6 Important Disclaimers
- Data Accuracy: We rely on Strava's data accuracy; PaceArena is not responsible for errors in Strava's activity tracking
- API Changes: Strava may modify their API; we will adapt to maintain compliance but cannot guarantee uninterrupted service
- Policy Updates: This privacy protection approach may evolve with proper notice to users and continued Strava API Agreement compliance
← Back to Home