Privacy Policy

Last updated: 7 March 2026

This Privacy Policy explains how Lucta (“we”, “us”, “our”) collects, uses, and protects your data when you use the Lucta mobile application and website (the “Service”).

1. What we collect

• Account data: email address, password (stored as a hash), optional display name.
• Profile preferences: whether your runner profile is visible to other members.
• Competition data: league placements, rankings, prize outcomes.
• Strava data: activity IDs, run distance, timing, date, GPS start location, and Strava account identifiers needed for sync and validation.
• Billing data: subscription status managed through Apple. We do not store your payment card details.
• Waitlist data: email address if you join the waitlist before launch.

2. How we use your data

• To operate the league: validate runs, calculate standings, determine promotions and relegations, and award prizes.
• To manage your account and subscription.
• To send you transactional emails (welcome, results, payout notifications).
• To communicate important changes to the Service.
• To detect and prevent fraud or abuse.

3. Strava data

We access your Strava activity data solely to verify run eligibility and calculate league rankings. We do not access your private messages, social activity, or data unrelated to running activities.

Strava data displayed in the app is labelled and links back to Strava where relevant. Runner profiles are visible only to logged-in members, and you can hide your profile at any time from Settings.

4. Revoking Strava access

• You can disconnect Strava in the app. This removes your Strava connection and deletes Strava-sourced run data from our systems.
• You can also revoke access directly at Strava Settings > My Apps.

5. Data sharing

We do not sell your personal data. We share data only with:

• Strava: via their API for activity sync.
• Apple: for subscription billing.
• Resend: for transactional email delivery.

We may disclose data where required by law.

6. Security & retention

• All connections use HTTPS. Sessions are stored in secure cookies with JWT tokens.
• Passwords are hashed and never stored in plain text.
• We retain data needed for competition operation, fraud prevention, accounting, and legal obligations.
• When Strava access is revoked, Strava-sourced activity data is removed.

7. Your rights

You can:

• Access, update, or correct your account data in the app settings.
• Delete your account permanently through the app.
• Disconnect Strava and remove Strava-sourced data.
• Request a full data export or deletion by emailing us.

8. Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies.

9. Changes

We may update this policy from time to time. Material changes will be communicated via email or in-app notification.

10. Contact

For privacy or data requests, contact support@lucta.co.uk.