Privacy Policy
Effective date: 1 January 2026
spera (“we”, “us”, or “our”) operates the spera Team Vitality Challenge platform. This policy explains what personal information we collect, why we collect it, and your rights over that data. It applies to all users regardless of location and is intended to comply with the Protection of Personal Information Act (POPIA), GDPR, and similar frameworks.
1. Information We Collect
- Account data: name, email address, and encrypted password when you register.
- Strava data: if you connect Strava, we receive your Strava athlete profile (name, profile photo), and cycling activity data needed for the challenge (distance, duration, date, activity type, kudos, and activity ID) via the official Strava API.
- Challenge data: league selection, champion session logs, zone submissions, reward export consent, leaderboard consent, and notes you enter.
- Technical data: browser type, IP address, and session tokens stored in browser cookies for authentication purposes.
- FTP / fitness data: functional threshold power (FTP) values fetched from your Strava profile if available. Route GPS points are used only server-side to match broad club zones and are not returned to the browser or stored as raw coordinates.
We do not sell your data, serve third-party advertising, or share data with analytics providers.
2. How We Use Your Data
- To authenticate you and maintain your session securely.
- To display Team Vitality monthly distance progress, tier leaderboard rankings, and champ check-in proof.
- To enable zone check-ins and champion session tracking.
- To prepare consent-based reward eligibility exports for club or Team Vitality administration. These exports may include name, Strava ID, selected league, monthly distance, indoor/outdoor distance split, and completion status.
- To send transactional emails (e.g. email confirmation on sign-up).
3. Data Retention
Your account data is retained for as long as your account is active. Activity data pulled from Strava is cached to reduce Strava API calls and not permanently archived beyond your account lifetime. You may disconnect Strava or request deletion at any time (see Section 6).
4. Third-Party Services
- Strava API: governed by the Strava API Agreement and Strava's Privacy Policy. You may revoke access via your Strava settings or the in-app disconnect control at any time.
- Supabase: our database and authentication provider. Data is stored on Supabase-managed infrastructure.
- Discovery / Team Vitality: official Built for the Season reward eligibility and prizes are governed by Discovery's terms. spera may help prepare admin exports when you consent, but does not decide official rewards.
5. Cookies
We use strictly necessary session cookies for authentication. We do not use advertising or tracking cookies. See our Cookie Policy for details.
6. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your account and associated data.
- Withdraw consent for Strava data access by using the in-app disconnect control or revoking the integration in Strava.
- Withdraw leaderboard or reward-export consent from your Profile sharing preferences.
- Lodge a complaint with the Information Regulator (South Africa) or your local data protection authority.
To exercise any right, email us at ssdidiza@gmail.com.
7. Security
Passwords are hashed by Supabase Auth and never stored in plain text. All data is transmitted over HTTPS. We implement reasonable technical and organisational measures to protect your data, but no system is 100% secure.
8. Changes to This Policy
We may update this policy. Material changes will be notified by email or via an in-app notice at least 14 days before taking effect.
9. Contact
spera — ssdidiza@gmail.com