LEGAL

Privacy Policy

How we handle your data

DRAFT NOTICE: These documents are effective and govern your use of Run Mad Maps as of their publication date. They have been prepared with care but have not yet been reviewed by a qualified South African attorney. We are committed to having them professionally reviewed, and any material changes resulting from that review will be communicated to all registered users. If you have questions or concerns, contact valkenrunningmad@gmail.com.

Effective Date: 10 April 2026  ·  Last Updated: 10 April 2026

1. Who We Are

Run Mad Maps ("RMM," "we," "our," or "us") is a trail intelligence platform built for the Cape Peninsula, South Africa. RMM is owned and operated by Valken de Villiers as a sole proprietorship registered in South Africa.

Information Officer: Valken de Villiers
Contact: valkenrunningmad@gmail.com

This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have under the Protection of Personal Information Act, 2013 (POPIA). We encourage you to read this policy carefully. By creating an account or using our platform, you acknowledge that you have read and understood this policy.

2. What Information We Collect

We collect only the information necessary to provide our service. We do not collect information speculatively or "just in case."

2.1 Information You Provide Directly

| Data | Purpose | When Collected |
|---|---|---|
| First name | Personalise communications | Account registration or email sign-up |
| Email address | Account identification, platform communications, event notifications | Account registration or email sign-up |
| Password (hashed) | Account security | Account registration (if applicable) |

2.2 Information from Connected Services

When you connect your Strava or Garmin account, we request only the minimum data scopes necessary:

| Data | Purpose | Scope Requested |
|---|---|---|
| Strava/Garmin profile (name, profile photo) | Display on your athlete profile | Profile read (read-only) |
| GPS activity data (coordinates, timestamps, distance, elevation) | Route grading, Runner Performance Score (RPS), Race Readiness assessment | Activity read (read-only) |
| Heart rate data (if your device records it) | Display only — never used in any scoring formula | Activity read (read-only) |

We never request write access to your Strava or Garmin account. We never access your social connections, followers, or private messages on those platforms.

2.3 Information Collected Automatically

| Data | Purpose | Legal Basis |
|---|---|---|
| Device type, browser type, operating system | Security monitoring, debugging, platform optimisation | Legitimate interest |
| IP address | Security, fraud prevention | Legitimate interest |
| Pages visited, interactions with the map | Platform improvement, usage analytics | Legitimate interest |

3. How We Use Your Information

We use your personal information for the following specific purposes and no others:

  • To calculate your Runner Performance Score (RPS) from your GPS activity data
  • To grade routes you complete using our Route Grading System
  • To assess your Race Readiness for target routes
  • To display your athlete profile, level, and performance history
  • To populate and maintain event leaderboards (from official RMM events only)
  • To send you platform updates, event announcements, and score notifications
  • To run anti-gaming validation on activity data to protect leaderboard integrity
  • To monitor platform security and prevent fraud
  • To improve the platform based on aggregate, anonymised usage patterns

We do not sell, rent, or trade your personal information to any third party. We do not use your data for advertising. We do not share your GPS data with other athletes unless you explicitly opt in to leaderboard visibility.

4. Our Scoring Systems and Your Data

RMM operates proprietary scoring and grading systems (the GPS Stream Processor, Route Grading System, Runner Performance Score, and Race Readiness Engine). These systems process your GPS activity data to produce scores, grades, and readiness assessments.

Important points about how your data interacts with these systems:

  • Your raw GPS data is processed by our systems but the underlying formulas, weights, and thresholds are proprietary trade secrets and are never exposed to you or any third party.
  • Your individual scores and grades are visible to you. Aggregate, anonymised data may be used to calibrate benchmark values.
  • Leaderboard entries are generated from official RMM events only, never from your training data, unless you explicitly enter an event.
  • If you delete your account, all your activity data and scores are permanently deleted. We cannot recover them.

5. Where Your Data Is Stored

Your data is stored using the following services:

| Service | What It Stores | Location |
|---|---|---|
| Supabase (PostgreSQL) | Account data, activity data, scores, event results | United States (AWS infrastructure) |
| Vercel | Platform hosting, serverless functions | United States (AWS/Edge) |
| Stripe (when implemented) | Payment processing — Stripe customer ID only, never card details | United States |

5.1 Cross-Border Data Transfers

Because the services listed above are hosted in the United States, your personal information is transferred to and processed in the United States. Under POPIA Section 72, we ensure that these service providers maintain adequate data protection through their published security practices, contractual commitments, and compliance with international data protection frameworks.

If you are not comfortable with your data being processed outside South Africa, you should not create an account.

6. How We Protect Your Data

We take the following measures to protect your personal information:

  • All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
  • API keys, tokens, and secrets are stored in secure environment variables, never in our codebase.
  • Database access is restricted and authenticated.
  • Strava and Garmin tokens are stored securely and used only for authorised data synchronisation.
  • We do not store payment card details — all payment processing is handled by Stripe.
  • Automated database backups run daily.
  • Anti-gaming validation flags protect the integrity of all scored data.

No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security. If we become aware of a data breach affecting your personal information, we will notify you within 72 hours and report to the Information Regulator as required by POPIA.

7. How Long We Keep Your Data

| Data | Retention Period | After Deletion |
|---|---|---|
| Account information | While your account is active | Permanently deleted within 30 days |
| Activity and scoring data | While your account is active | Permanently deleted within 30 days |
| Leaderboard entries | Indefinite (public record) | Anonymised, not deleted |
| Email sign-up (pre-account) | Until you unsubscribe | Deleted within 7 days of unsubscribe |
| Server logs (IP, device info) | 90 days | Automatically purged |

When we say "permanently deleted," we mean complete removal from our active database and backups. This is a hard purge, not a soft delete.

8. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

  • Access: You may request a copy of all personal information we hold about you.
  • Correction: You may request that we correct any inaccurate information.
  • Deletion: You may request that we permanently delete your account and all associated data.
  • Objection: You may object to the processing of your personal information on reasonable grounds.
  • Withdrawal of Consent: You may disconnect your Strava or Garmin account at any time. You may unsubscribe from marketing communications at any time.
  • Complaint: You may lodge a complaint with the Information Regulator if you believe we have violated your rights.

To exercise any of these rights, contact us at valkenrunningmad@gmail.com. We will respond within 30 days.

Information Regulator (South Africa)

Website: inforegulator.org.za
Email: enquiries@inforegulator.org.za

9. Email Communications

We send two types of email:

Transactional emails: Score updates, event confirmations, account security notices. These are necessary for the service and do not require separate marketing consent.

Marketing emails: Newsletter updates, new feature announcements, event promotions. You must explicitly opt in to receive these, and every marketing email includes an unsubscribe link.

We never share your email address with third parties for marketing purposes.

10. Children

RMM is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice on the platform. Your continued use of RMM after such changes constitutes acceptance of the updated policy.

We will always display the effective date and last updated date at the top of this policy.

12. Contact

Information Officer: Valken de Villiers
Email: valkenrunningmad@gmail.com
Platform: runmadmaps.com