Privacy Policy

Operator: Martin Shirley, sole trader, registered in England.
ICO data controller registration: ZC134032
Contact: privacy@lastgate.app

1. What this policy covers

This policy explains what information LASTGATE ("we", "us") collects when you use the LASTGATE web app at app.lastgate.app, what we do with it, and your rights under UK GDPR.

2. Information we collect

Information you provide

• Email address — for sign-up, account recovery, and beta invitations.
• Operative call sign / display name — what your squad sees you as.
• Squad membership — which squad invite code you've joined.
• Race target time and goal pace — used to calibrate your training plan.

Information from connected services

If you connect Strava, we receive (with your explicit OAuth permission):

• Your Strava athlete ID and display name
• Run activities (distance, duration, pace, GPS polyline, heart rate, elevation)
• Per-second stream data for sprint / encounter detection

We do not access non-running activities, social posts, or any private information beyond running activity data.

Information collected automatically

• Approximate location — only if you enable the Scavenger Protocol feature, used to generate daily beacon points within a 3 km radius of a base point you set yourself.
• Device type and browser — for compatibility diagnostics.
• Anonymous usage analytics via Plausible Analytics. Plausible doesn't use cookies and doesn't collect any personal data — only aggregated page views and country-level location. Plausible's privacy policy.

3. What we do with it

We use your information to:

• Provide the squad campaign experience (display your runs, leaderboard, missions, achievements)
• Sync data between you and your squad members via Google Firebase Firestore
• Calculate training metrics (XP, ranks, encounter detection)
• Send you beta invites or service updates (you can opt out at any time)
• Improve the app via aggregated, anonymous usage analytics

We do not:

• Sell your data to third parties
• Use your data for advertising
• Share your run data outside your squad

4. Where your data is stored

• Run telemetry, squad state, inventory, Strava OAuth tokens (encrypted in transit and at rest): Google Firebase Firestore, region europe-west2 (London, UK).
• Local browser cache (for offline use): on your device only.
• Email captured via beta sign-up form: Tally (form provider) — Tally's privacy policy.

5. How long we keep it

• Active account data: retained while you use the service.
• Deleted accounts: data is permanently deleted within 30 days of deletion request.
• Anonymous analytics: retained for 12 months.

6. Your rights

Under UK GDPR you have the right to:

• Access the personal data we hold about you
• Correct any inaccurate data
• Request deletion of your data
• Withdraw consent at any time
• Object to certain processing
• Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise any of these rights, email privacy@lastgate.app. We aim to respond within one calendar month.

7. Strava

LASTGATE is an independent app and is not endorsed by, certified by, or affiliated with Strava, Inc. Strava® is a registered trademark of Strava, Inc. Use of the Strava API is subject to Strava's API Agreement.

8. Cookies and local storage

LASTGATE uses your browser's local storage to remember your session, preferences, and offline data. We don't use third-party advertising cookies. Plausible Analytics is cookie-free.

9. Changes to this policy

We'll update this policy if our practices change. Material changes will be flagged in-app and via email to anyone with an active account.

LASTGATE is currently operated by Martin Shirley as a sole trader. If we incorporate as a limited company in future, this policy will be updated to reflect the new entity.