Privacy Policy
Last updated: June 2026
Overview
SF2G is a community cycling commute tracker for the SF2G (San Francisco to the Peninsula) community. This policy explains what data we collect, how we store it, and your rights regarding that data.
What Data We Collect
When you connect your Strava account, we collect and store:
- Strava profile information — your username, first name, last name, and profile photo URL
- Ride activity data — ride name, date, distance, elevation, speed, moving time, route GPS data, and activity visibility settings
- Performance metrics — average and max heart rate, average and max power (watts), kilojoules, and relative effort score, when available from your device
- OAuth tokens — access and refresh tokens used to sync your rides from Strava
We do not collect your email address, password, or any data beyond what is listed above.
How Data Is Stored
Your data is stored in a PostgreSQL database hosted on Supabase's cloud infrastructure. Database access is protected by Row-Level Security (RLS) policies and service-role authentication for server-side writes.
What's Publicly Visible
The following data is visible to all visitors on the leaderboard and ride tables:
- Your display name and profile photo
- Ride statistics — date, distance, speed, elevation, route category
- Leaderboard rankings and aggregate ride counts
Rides marked as private on Strava are excluded from the public leaderboard and ride tables. Hidden rides (manually hidden by you) are also excluded from public views.
What's Private
The following data is never exposed publicly:
- OAuth access and refresh tokens
- Your email address (we don't collect it)
- Session cookies and authentication state
Data Retention
Your profile and ride data are stored as long as your Strava account remains connected to SF2G. We periodically sync new rides from your Strava account to keep your data up to date.
Deleting Your Data
You can disconnect your Strava account at any time from your profile page. When you disconnect:
- All of your ride data is permanently deleted from our database
- Your OAuth tokens are cleared
- Your Strava access is revoked
- Your data is removed from the leaderboard
You can also revoke SF2G's access directly from your Strava settings page.
Third-Party Services
SF2G relies on the following third-party services:
- Strava API — ride data sync and OAuth authentication
- Supabase — database hosting and API layer
- Cloudflare Pages — application hosting and CDN
- OpenStreetMap / CARTO — interactive map tile rendering
Each service has its own privacy policy. We encourage you to review them for details on how they handle data.
Cookies & Local Storage
SF2G uses minimal browser storage:
- Session cookie — a signed, HTTP-only cookie used to maintain your authenticated session
- Theme preference — your dark/light mode choice is stored in
localStorage
We do not use tracking cookies, advertising cookies, or any third-party analytics scripts.
Analytics & Tracking
SF2G does not use any analytics services (no Google Analytics, no Mixpanel, no tracking pixels). We do not track your browsing behavior beyond basic server request logs that are automatically generated by our hosting infrastructure.
Children's Privacy
SF2G is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us so we can delete it.
Changes to This Policy
We may update this privacy policy from time to time. Changes will be reflected by updating the "Last updated" date at the top of this page. We encourage you to check back periodically.
Contact
If you have questions about this privacy policy or your data, please open an issue on our GitHub repository.