Privacy Policy

Last updated: April 2026

Sparkrun ("we", "us", "our") is a personal-use web application that connects your Strava account with your Parkrun results and appends your official Parkrun stats to matching Strava activities. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

1. Data We Collect

When you use Sparkrun, we collect and store the following information:

• Strava account data: Your Strava athlete ID, and OAuth access and refresh tokens (encrypted at rest). These are obtained via the Strava OAuth flow and are used solely to read and update your Strava activities.
• Parkrun credentials: Your Parkrun athlete ID and password (encrypted at rest using AES-256-GCM). These are used solely to fetch your Parkrun results.
• Activity metadata: Strava activity IDs, dates, names, distances, and descriptions for runs that match the criteria for a Parkrun candidate. We do not store heart rate, GPS, or other personal health metrics.
• Session data: A server-side session cookie is used to maintain your login state. No tracking or analytics cookies are set.

2. How We Use Your Data

Your data is used exclusively to provide the core function of Sparkrun:

• Fetching your Strava activities to identify runs that may be Parkrun events.
• Fetching your official Parkrun results and appending them to matching Strava activity descriptions.
• Caching activity data temporarily to reduce the number of API calls to Strava and Parkrun.

We do not sell, share, or use your data for advertising or any purpose other than operating the service for you.

3. Data Retention

• Strava activity data (candidate run records) is refreshed from the Strava API within 7 days, in compliance with the Strava API Agreement's cache limit.
• Your account data (tokens and credentials) is retained for as long as you have an active account with Sparkrun.
• If you delete your account (see below), all your data is permanently removed immediately.

4. Data Security

Strava OAuth tokens and Parkrun credentials are encrypted at rest using AES-256-GCM before being stored in our database. Connections to Sparkrun are served over HTTPS.

5. Your Rights — Deleting Your Data

You have the right to request deletion of all data we hold about you at any time. To delete your account and all associated data:

1. Log in to Sparkrun.
2. Click Delete my account in the dashboard.
3. Confirm the deletion prompt.

This will permanently and immediately delete all your stored credentials, tokens, and activity records. You will also be logged out. This action cannot be undone.

You can also revoke Sparkrun's access to your Strava account at any time via Strava Settings → My Apps.

6. Third-Party Services

Sparkrun interacts with the following third-party services on your behalf:

• Strava — activity data is read and updated via the Strava API. Use of Strava is subject to Strava's Privacy Policy.
• Parkrun — results are fetched from the Parkrun website. Use of Parkrun is subject to Parkrun's Privacy Policy.

7. Contact

If you have any questions or concerns about this Privacy Policy or your data, please open an issue on the Sparkrun GitHub repository.

8. Changes to This Policy

We may update this Privacy Policy from time to time. The "last updated" date at the top of this page will reflect any changes. Continued use of Sparkrun after changes are posted constitutes acceptance of the updated policy.