Privacy Policy

Overview

This Privacy Policy explains what personal data Klaym collects, how it is used, and your rights as a user. By using Klaym, you agree to this policy.

Data We Collect

Account Data

When you register, we collect:

• Email address and password (hashed — we never store plain-text passwords)
• First name and last name
• Optional: sport preference, short bio, equipment list

Strava Activity Data

When you connect your Strava account, we receive and store the following for each activity you sync:

• Activity type (run, ride, hike, etc.)
• Distance, duration, and elevation gain
• GPS route polyline (used to determine which map hexagons your activity covers)
• Activity start date and time
• Activity name
• Strava activity ID (used to link back to strava.com)

We do not collect your Strava athlete profile photo, follower list, kudos, or any social data.

Location & Territory Data

GPS polylines from activities are decoded into H3 hexagonal grid cells. These cells represent geographic areas you have physically covered. The raw GPS track is stored server-side; the derived hex grid data is visible to other Klaym users as part of the territory game.

Indoor Activity Data (Steps & Calories)

If you choose to log indoor activities, we store the following:

• Step count (if you enter step-based activities)
• Calorie burn (if you enter calorie-based activities)
• Activity name, date, and duration

Indoor activities do not contain GPS location data and do not claim map hexagons. This data is used only to calculate Effort Points and update your Home Hex defense (see below).

Home Hex (Private Location Feature)

You may optionally set a "Home Hex" — a single map hexagon representing a location you regularly visit (such as a gym or neighborhood). The following rules apply:

• Your Home Hex is completely private: it is never shown to other users, never included in public API responses, and never labeled on the shared map.
• Other players see it as an ordinary owned hexagon — they cannot see that it is your Home Hex.
• The Home Hex ID is only returned by the authenticated /auth/me endpoint, which is accessible only to you.
• Setting a Home Hex is entirely voluntary. You can remove it at any time by deleting your account.
• You can change your Home Hex once every 30 days.

We implement this privacy-by-design approach in compliance with GDPR Article 25 (Data Protection by Design and by Default).

Usage Data

We collect standard server logs including IP addresses, request timestamps, and API endpoints accessed. This data is used for security, rate limiting, and debugging. It is not linked to your public profile.

How We Use Your Data

• Running the game: Activity data is converted into Effort Points and used to claim, defend, and rank hexagonal territories on the map.
• League standings: Your Effort Points and hex count determine your position in regional league tables, which are visible to other users.
• Strava sync: We use Strava webhooks to automatically import new activities as soon as you finish them. You can disconnect Strava at any time.
• Service improvement: Aggregated, anonymized usage data helps us identify bugs and improve the product.

We do not use your data for advertising, profiling, or any purpose beyond operating Klaym.

Strava Integration

Klaym integrates with Strava via their official API. By connecting your Strava account you authorize Klaym to:

• Read your activity data (routes, distances, durations, elevations)
• Receive new activity notifications via Strava's webhook system

Klaym does not write to your Strava account, post activities, or access payment information.

You can revoke Klaym's access to your Strava account at any time at strava.com/settings/apps. When you do, we stop receiving new activity data. You can also disconnect from within Klaym's profile settings.

Strava's own Privacy Policy applies to data held by Strava: strava.com/legal/privacy.

Data Sharing & Third Parties

What other users can see

The following information is visible to other Klaym users:

• Your display name and league tier
• The hexagons you own on the map
• Your position in the league standings (rank, Effort Points, hex count)

Your email address, GPS tracks, activity details, step counts, calorie data, and your Home Hex designation are not visible to other users.

Infrastructure providers

Klaym uses the following third-party services to operate:

• Supabase (database hosting) — stores your account and activity data on servers in the EU. Supabase Privacy Policy
• Railway (backend hosting) — runs our API server. Railway Privacy Policy
• Netlify (frontend hosting) — serves the web app. Netlify Privacy Policy

We do not sell, rent, or share your personal data with any other third parties.

Data Retention

We retain your data for as long as your account is active. If you delete your account, your personal data (email, name, activities, territories) will be permanently removed within 30 days.

Server logs are retained for up to 30 days for security purposes, then automatically deleted.

Your Rights

As a user, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Update or correct your data via your profile settings.
• Deletion: Delete your account and all associated data via profile → Settings → Danger Zone, or by contacting us.
• Portability: Request an export of your activity data in JSON format.
• Objection: Object to any data processing at any time by contacting us.

If you are in the European Economic Area (EEA), you also have rights under the GDPR. Our legal basis for processing your data is contract performance (providing the Klaym service you signed up for) and legitimate interest (security and abuse prevention).

Security

Klaym uses the following security measures to protect your data:

• Passwords are hashed using industry-standard algorithms — plain-text passwords are never stored
• All data in transit is encrypted via HTTPS/TLS
• API access requires authentication tokens; tokens expire after 7 days
• Rate limiting is applied to all API endpoints to prevent abuse
• Database access is restricted to the Klaym backend server only

No system is completely secure. If you discover a security issue, please report it to us at the contact address below.

Cookies & Local Storage

Klaym does not use tracking cookies or advertising cookies. We store the following data in your browser's localStorage:

• Your authentication token (required to keep you logged in)
• Cached profile data (to reduce loading times)

This data stays on your device and is cleared when you log out.

Children's Privacy

Klaym is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify you via the app. Continued use of Klaym after changes are posted means you accept the updated policy.

Contact

If you have questions about this Privacy Policy or want to exercise your rights, contact us: