Privacy Policy
Effective date: March 1, 2026
Last updated: March 1, 2026
Operator: Miles Coin Platform
Contact: miles@miles-coin.com
Miles Coin Platform (“we”, “us”, “our”) takes your privacy seriously. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights regarding your personal information. By using the Platform, you agree to the practices described in this policy.
1. Information We Collect
We collect the following categories of information:
a) Account Information
- Email address (used for account identification and service communications)
- Display name (optional)
- Password (stored as a bcrypt hash — your actual password is never stored in plain text)
b) Strava Activity Data
When you connect your Strava account, we access and store:
- Activity metadata: activity type, name, start date/time, duration, distance, elevation
- Performance data: average heart rate, cadence, power, speed
- GPS data streams: location points, time series, altitude, velocity — used to verify legitimate outdoor activity
- Strava athlete profile: first name, last name, profile picture, city, state, country — used for display purposes
- Strava Athlete ID: used to uniquely identify your Strava account
GPS stream data is stored in our database and used for fraud detection and activity reprocessing. It is not sold or shared with third parties.
c) Solana Wallet Address
Your Solana public wallet address, which you provide voluntarily to receive token rewards. Note: wallet addresses and transaction signatures on the Solana blockchain are publicly visible by nature.
d) Optional Profile Data
- Shipping address (name, street, city, state/province, postal code, country) — only requested if you purchase physical items from the Store
- Gender (M/F) — used only for challenge leaderboard divisions when Strava does not provide this information
- Instagram and Facebook handles — used only for social media challenge participation verification
e) Automatically Collected Data
- Server logs: IP address, browser type, operating system, pages visited, timestamps
- Session data: authentication tokens stored as httpOnly cookies
- Terms acceptance records: when and which version of Terms you accepted
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Verify qualifying fitness activities, calculate and award credits, process Miles Coin airdrops to your wallet.
- Prevent Fraud: Detect and prevent submission of false, replayed, or manipulated activity data using GPS and biometric analysis.
- Operate the Store: Process token-based purchases and, for physical items, fulfill shipping using the address you provide.
- Run Challenges: Calculate leaderboard positions, segment efforts, and challenge contributions using your activity data and optional profile data (gender).
- Communicate with You: Send service-related communications (account issues, material platform changes). We do not send marketing emails without your explicit consent.
- Legal Compliance: Retain records as required by applicable law and to enforce these Terms.
We do NOT sell, rent, or trade your personal data to third parties for marketing purposes.
3. Strava Data Handling
Our use of Strava data is governed by the Strava API Agreement. Specifically:
- We access your Strava data only after you grant explicit OAuth authorization.
- We use Strava data only for the purposes described in this Privacy Policy and no other purpose.
- We do not use Strava data for advertising or to build profiles for sale to third parties.
- You can revoke our access to your Strava data at any time via your Strava account settings (“My Apps”) or the Platform's Settings page. Revoking access stops future data collection. Historical activity records already stored are retained for fraud audit purposes.
- Raw GPS stream data (“stream data”) is stored in our database to allow activity reprocessing. This data is not shared externally.
4. Blockchain Data
When you register a Solana wallet address or receive MILES tokens, your public wallet address and all associated on-chain transactions (including token transfer signatures and amounts) are recorded permanently on the Solana blockchain. This data is publicly visible to anyone who queries the blockchain and cannot be deleted or obscured by the Platform or by you.
5. Data Sharing
We share your data only in the following limited circumstances:
- Service Providers: We use Supabase (PostgreSQL database hosting) to store your data. Supabase is ISO 27001 certified and operates under its own privacy policy. We do not authorize service providers to use your data for their own purposes.
- Legal Requirements: We may disclose your information if required by law, court order, or legal process, or if we believe disclosure is necessary to protect our rights or the safety of others.
- Business Transfer: If Miles Coin Platform is acquired, merged, or its assets transferred, your data may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Platform before your data is subject to a different privacy policy.
- Fraud Prevention: We may share information with Strava or law enforcement in cases of suspected fraud or violation of Strava's Terms of Service.
6. Data Retention
- Account data is retained while your account remains active.
- Activity data (including GPS streams) is retained for fraud detection and audit purposes even after account deletion.
- Server logs are retained for up to 90 days.
- Upon account deletion request, we will delete your personally identifiable information (email, name, optional profile data) within 30 days. Activity data stripped of personal identifiers may be retained longer for fraud prevention.
- Blockchain records (wallet address, transaction signatures) cannot be deleted.
7. Security
We implement the following security measures to protect your data:
- Passwords are hashed using bcrypt (industry-standard, 12 salt rounds). Your actual password is never stored.
- Authentication sessions use signed JSON Web Tokens (JWTs) stored in httpOnly cookies, preventing client-side JavaScript access.
- The Platform database is hosted on Supabase, which maintains SOC 2 Type II and ISO 27001 certifications.
- All data is transmitted over HTTPS.
Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your data and are not liable for unauthorized access resulting from circumstances beyond our reasonable control.
8. Your Rights and Choices
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Update or correct inaccurate personal information via the Settings page or by contacting us.
- Deletion: Request deletion of your account and personal data. Email miles@miles-coin.com. Deletion is processed within 30 days. Note: activity data retained for fraud purposes and blockchain records cannot be deleted.
- Revoke Strava Access: Disconnect your Strava account at any time via Settings or directly in your Strava account.
- California Residents (CCPA): California residents have additional rights, including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. To exercise CCPA rights, contact us at miles@miles-coin.com.
9. Cookies and Tracking
We use a minimal number of cookies:
- Session cookie (session): httpOnly, secure in production. Contains your authentication JWT. Required for platform access. Expires after 7 days.
- Terms acceptance cookie (terms_accepted_version): httpOnly, secure in production. Records the version of Terms you accepted. Required for platform access. Expires after 7 days.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies.
10. Children's Privacy
The Platform is not directed to individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that a user is under 18, we will immediately terminate their account and delete their personal data. If you believe a minor has registered, contact us at miles@miles-coin.com.
11. International Users
Miles Coin Platform is operated in the United States. If you are accessing the Platform from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Platform, you consent to this transfer and processing.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For material changes, we will make reasonable efforts to notify you via email or a notice within the Platform. Continued use of the Platform after the effective date of changes constitutes your acceptance of the revised policy.
13. Contact Us
For privacy-related inquiries, data access requests, or deletion requests, contact us at:
Miles Coin Platform
Email: miles@miles-coin.com
We aim to respond to all privacy inquiries within 30 days.