Privacy Policy

Last updated: 2026-03-01

1. Controller

The controller responsible for data processing on this website is:
Moritz von Göwels
Frankenthaler Str. 18
50739 Köln
Email: moritz@tarn-vedra.de

2. Overview

This website ("DSD Checkpoints") is a cycling checkpoint contest application. It integrates with the Strava API to import your cycling activities and match GPS tracks against geographic checkpoint locations. We take your privacy seriously and process personal data only as described below.

3. Data We Collect

When you log in via Strava, we collect and store:

• Strava profile information: Your name, Strava athlete ID, and profile URL.
• Activity data: Your cycling activities (title, date, distance, duration) and GPS tracks (polyline/stream data) for the purpose of checkpoint matching.
• OAuth tokens: Access and refresh tokens to communicate with the Strava API on your behalf.
• Session data: A session identifier stored on the server filesystem to keep you logged in.

4. Purpose of Processing

We process your data for the following purposes:

• Authenticating you via Strava OAuth2.
• Importing your cycling activities to check them against checkpoint locations.
• Displaying rankings, scores, and visited locations on the website.
• Showing your name and profile link on public leaderboards.

5. Legal Basis

The legal basis for processing is your consent (Art. 6(1)(a) GDPR), given when you authorize the application via Strava OAuth2. You can withdraw consent at any time by revoking access in your Strava application settings.

6. Data Sharing

Your data is not sold or shared with third parties for marketing purposes. The following data is publicly visible on the website:

• Your name and Strava profile link.
• Your ranking, score, and visited checkpoint locations.
• Activity dates associated with checkpoint visits.

We communicate with the Strava API (operated by Strava, Inc.) to import your data. Strava's privacy policy applies to data held by Strava: strava.com/legal/privacy.

7. Data Storage and Security

Your data is stored in a local SQLite database on the server. Session data is stored on the server filesystem. We take reasonable technical measures to protect your data, but no system is 100% secure.

8. Data Retention

Your data is retained for the duration of the contest and a reasonable period thereafter. You may request deletion at any time (see section 10).

9. Cookies

This website uses a session cookie to keep you logged in after authenticating with Strava. This is a technically necessary cookie and does not require separate consent. We do not use tracking cookies or analytics services.

10. Your Rights

Under the GDPR, you have the right to:

• Access your personal data (Art. 15 GDPR).
• Rectification of inaccurate data (Art. 16 GDPR).
• Erasure of your data (Art. 17 GDPR).
• Restriction of processing (Art. 18 GDPR).
• Data portability (Art. 20 GDPR).
• Object to processing (Art. 21 GDPR).
• Withdraw consent at any time (Art. 7(3) GDPR).
• Lodge a complaint with a supervisory authority (Art. 77 GDPR).

To exercise any of these rights, contact us at moritz@tarn-vedra.de. You can also revoke Strava access at any time in your Strava settings.

11. External Resources

This website loads the following external resources:

• missing.css (CSS framework) from unpkg.com.
• OpenStreetMap tiles for map display, loaded by Leaflet.

These services may log your IP address according to their own privacy policies.

12. Changes to This Policy

We may update this privacy policy from time to time. The current version is always available at this page.