Privacy Policy

Last updated: June 2026

Overview

SF2G is a community cycling commute tracker for the SF2G (San Francisco to the Peninsula) community. This policy explains what data we collect, how we store it, and your rights regarding that data.

What Data We Collect

When you connect your Strava account, we collect and store:

  • Strava profile information — your username, first name, last name, and profile photo URL
  • Ride activity data — ride name, date, distance, elevation, speed, moving time, route GPS data, and activity visibility settings
  • Performance metrics — average and max heart rate, average and max power (watts), kilojoules, and relative effort score, when available from your device
  • OAuth tokens — access and refresh tokens used to sync your rides from Strava

We do not collect your email address, password, or any data beyond what is listed above.

How Data Is Stored

Your data is stored in a PostgreSQL database hosted on Supabase's cloud infrastructure. Database access is protected by Row-Level Security (RLS) policies and service-role authentication for server-side writes.

What's Publicly Visible

The following data is visible to all visitors on the leaderboard and ride tables:

  • Your display name and profile photo
  • Ride statistics — date, distance, speed, elevation, route category
  • Leaderboard rankings and aggregate ride counts

Rides marked as private on Strava are excluded from the public leaderboard and ride tables. Hidden rides (manually hidden by you) are also excluded from public views.

What's Private

The following data is never exposed publicly:

  • OAuth access and refresh tokens
  • Your email address (we don't collect it)
  • Session cookies and authentication state

Data Retention

Your profile and ride data are stored as long as your Strava account remains connected to SF2G. We periodically sync new rides from your Strava account to keep your data up to date.

Deleting Your Data

You can disconnect your Strava account at any time from your profile page. When you disconnect:

  • All of your ride data is permanently deleted from our database
  • Your OAuth tokens are cleared
  • Your Strava access is revoked
  • Your data is removed from the leaderboard

You can also revoke SF2G's access directly from your Strava settings page.

Third-Party Services

SF2G relies on the following third-party services:

  • Strava API — ride data sync and OAuth authentication
  • Supabase — database hosting and API layer
  • Cloudflare Pages — application hosting and CDN
  • OpenStreetMap / CARTO — interactive map tile rendering

Each service has its own privacy policy. We encourage you to review them for details on how they handle data.

Cookies & Local Storage

SF2G uses minimal browser storage:

  • Session cookie — a signed, HTTP-only cookie used to maintain your authenticated session
  • Theme preference — your dark/light mode choice is stored in localStorage

We do not use tracking cookies, advertising cookies, or any third-party analytics scripts.

Analytics & Tracking

SF2G does not use any analytics services (no Google Analytics, no Mixpanel, no tracking pixels). We do not track your browsing behavior beyond basic server request logs that are automatically generated by our hosting infrastructure.

Children's Privacy

SF2G is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us so we can delete it.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be reflected by updating the "Last updated" date at the top of this page. We encourage you to check back periodically.

Contact

If you have questions about this privacy policy or your data, please open an issue on our GitHub repository.