Privacy Policy
Operator: Martin Shirley, sole trader trading as LASTGATE, United Kingdom.
ICO data controller registration: ZC134032
Contact: hello@lastgate.app
1. What this policy covers
This policy explains what information LASTGATE ("we", "us", "our") collects when you use the LASTGATE web app at app.lastgate.app, what we do with it, your rights under UK GDPR, and how we comply with Strava's API Agreement.
2. Information we collect
2.1 Information you provide directly
- Email address — for sign-up, account recovery, and beta invitations.
- Operative call sign — display name visible to your squad members.
- Operative role + colour — squad-display preferences.
- Self-reported 5K baseline pace — used to calibrate your daily training plan.
- Squad membership — which squad code you've joined.
2.2 Information from Strava (with your explicit consent)
If you connect Strava via OAuth, with scope activity:read only, we receive:
- Your Strava athlete ID, first name, and last name — used only for in-app display to your squad.
- Run activities of types Run, TrailRun, and VirtualRun only — distance, moving time, elapsed time, GPS polyline, elevation gain, heart rate (if recorded), maximum speed, and activity start date.
- Activity stream data (time, latitude/longitude, distance, velocity_smooth) for activities you complete after connecting — used to detect sprint efforts within your runs for in-app gameplay mechanics.
We explicitly do not access non-running activity types (rides, swims, hikes), social interactions (posts, comments, kudos, follows), segment performances, private notes, or athlete-level personal data beyond name and athlete ID.
We never use any write scope. We do not post, modify, kudos, comment on, or otherwise change anything on your Strava account.
2.3 Information collected automatically
- Approximate location — only if you enable the Scavenger Protocol feature, used solely to generate beacon points within ~3 km of a home base point you set. Never shared with anyone.
- Device type and browser — for compatibility diagnostics.
- Anonymous usage analytics via Plausible (cookieless, no personal data). Strava-derived data is never sent to analytics.
3. How we use your information
3.1 Core service operation
- Provide the squad campaign experience (display your runs, leaderboard, missions, daily contracts, achievements)
- Sync run summaries between you and your squad members via Firebase Firestore
- Calculate training metrics (XP, ranks, sprint encounter detection)
- Send you service-essential emails or invitations (opt out at any time)
- Improve the app via aggregated, anonymous usage analytics
3.2 Strava data — sharing within your squad
By connecting Strava and joining a squad, you explicitly consent to sharing your run summaries (distance, duration, pace, date, activity name) with the other 1-3 operatives in your chosen squad. This is required for the squad-based gameplay loop (shared missions, squad leaderboards, daily contract verification).
- Your data is visible only to operatives in your specific squad (maximum of 3 others) — never to any other squad, never publicly.
- You can review your squad's members in Settings → SQUAD MEMBERSHIP at any time.
- You can leave your squad at any time, which immediately stops further data being shared.
- GPS polylines and detailed stream data are not shared with squad members — only summary metrics.
3.3 What we never do with your data
- Sell your data to any third party
- Use your data for advertising or to target you with ads
- Share your Strava data with any third party other than as required to operate the service (Firebase as our data processor, on EU/UK servers)
- Send your Strava data to any AI tool, machine learning service, or external analytics platform
- Use your Strava data to train AI models (ours or anyone else's)
- Share your data with any third-party intermediary platform (Pipedream, Zapier, n8n, etc.) — all Strava API calls are made directly between your device and api.strava.com via our own infrastructure
- Display your Strava data to anyone outside your chosen squad
4. Where your data is stored
- Run summaries, squad state, inventory, contracts: Google Firebase Firestore, region europe-west2 (London, UK)
- Strava OAuth tokens: your device (browser localStorage), with backup mirror to your own user document in Firestore for cross-device persistence
- Strava client_secret: our Cloudflare Worker at auth.lastgate.app — server-side only, never sent to user devices
- Email (for beta intake): Tally (EU servers)
5. How long we keep it
- Active account data: retained while you use the service.
- Account deleted on request: data deleted within 30 days of receipt.
- Strava disconnection: stored Strava tokens are immediately deleted from your device and from Firestore. Run summaries already imported remain in your squad until your account is deleted.
- Anonymous analytics: retained for 12 months.
6. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct any inaccurate data
- Request deletion of your data (Right to be Forgotten)
- Restrict or object to certain processing
- Withdraw consent at any time (e.g., disconnect Strava, leave squad, delete account)
- Data portability — receive your data in a structured, commonly-used format
- Lodge a complaint with the Information Commissioner's Office (ICO)
To exercise any of these rights, email hello@lastgate.app. We aim to respond within 30 days.
6.1 How to disconnect Strava
You can revoke our access to your Strava data at any time:
- In LASTGATE: Settings → TELEMETRY FEED · STRAVA → Disconnect. Deletes OAuth tokens from your device and backend immediately.
- In Strava directly: Strava → Settings → My Apps → LASTGATE → Revoke Access. Invalidates our token immediately.
After disconnection, no further data is read from Strava. Run summaries already imported into your squad remain unless you request full account deletion.
6.2 How to delete your account
Email hello@lastgate.app with the subject "Account deletion". We will remove you from your squad, delete your user profile, delete all your run summaries, and confirm completion via email within 30 days.
7. Strava — API Agreement compliance
LASTGATE is an independent application built on the Strava API. We are not endorsed by, certified by, partnered with, or affiliated with Strava, Inc. Strava® is a registered trademark of Strava, Inc., used here per Strava's Brand Guidelines.
Our use of the Strava API is governed by Strava's API Agreement, API Policy, Terms of Service, and Privacy Policy. Our application uses Strava data only as described in Section 2.2 above, with the explicit consent of each user.
We are an independent data controller for the personal data we receive from Strava under our service, in line with the API Agreement (Section 14.6 — Independent Controllers).
8. Cookies and local storage
LASTGATE uses browser localStorage to remember your session, preferences, and locally-cached run data. We don't use third-party advertising cookies or tracking pixels. Plausible Analytics is cookieless.
9. Children
LASTGATE is not directed at people under 16. We do not knowingly collect data from anyone under 16. If you believe we have inadvertently collected data from a child, email hello@lastgate.app and we'll delete it.
10. International transfers
Your data is stored in the UK and EU. Some of our service providers (Cloudflare, Tally) may transfer data to other jurisdictions under standard contractual clauses or equivalent UK-approved safeguards.
11. Security
- HTTPS / TLS for all data in transit
- Firebase rule-based access control — only members of your squad can read your squad's data
- Server-side storage of API secrets — Strava client_secret held only on our Cloudflare Worker, never shipped to user devices
- Secure password storage via Firebase Auth (bcrypt + salt)
We will notify affected users within 72 hours of becoming aware of a personal data breach that's likely to result in risk to your rights and freedoms, in accordance with UK GDPR Article 34.
12. Changes to this policy
We'll update this policy if our practices change. Material changes will be communicated in-app at least 30 days before they take effect (where practicable). The "Last updated" date at the top reflects the most recent change.
LASTGATE is currently operated by Martin Shirley as a sole trader, registered as a UK data controller with the Information Commissioner's Office (ZC134032). If we incorporate as a limited company in future, this policy will be updated to reflect the new entity.