Legal

Privacy Policy

Effective date: May 25, 2026

This Privacy Policy explains how Commitr (“we”, “us”, or “our”) collects, uses, stores, and protects your personal information when you use our fitness rewards platform. It also describes your rights under the Philippine Data Privacy Act of 2012 (Republic Act No. 10173).

1. Information We Collect

1.1 Account Information

When you register, we collect:

  • Full name — displayed to club members and administrators.
  • Philippine mobile number — used as your login identifier and for OTP-based authentication.

1.2 Run Data

When you log a run, we collect:

  • Distance (km) and date of the run.
  • Strava activity identifiers and metadata needed for challenge verification.

1.3 Financial Data

To process credits, deposits, and cashouts, we collect:

  • GCash payment receipt screenshots for deposit verification.
  • GCash account number you provide when requesting a cashout.
  • A full transaction ledger of all credit movements (stakes, payouts, deposits, and cashouts).

1.4 Strava Data

If you choose to connect your Strava account, we access and store the following data from Strava via their official API:

  • Athlete profile — your Strava display name and profile photo, used to confirm your identity in run verification.
  • Activity data — activity type, distance (metres), and start date of your activities, used solely to verify that a run occurred and meets the challenge's distance target.

We do not access, store, or use:

  • Your GPS route or map data.
  • Heart rate, power, or other health metrics.
  • Private activities (visibility: “Only You” on Strava).
  • Strava followers, segments, kudos, or social data.
  • Your Strava email address or payment information.

How Strava data is displayed: Raw Strava API responses (activity data retrieved directly from Strava) are shown only to you — the athlete who owns that data. Club leaderboards and challenge standings display Commitr's own derived records (approved km totals stored in our database after admin verification), not raw Strava API data. Commitr operates as a Community Application under the Strava API Agreement and displays aggregated club progress for organisational purposes.

Data minimisation and caching: We request only the minimum Strava OAuth scopes needed for run verification. We do not cache Strava API responses for longer than 7 days.

Prohibited uses: We do not use Strava data for artificial intelligence, machine learning, analytics, customer profiling, or any purpose other than verifying your individual run activity. We do not combine Strava data with data from other sources or sell, license, or transfer it to any third party.

Strava monitoring: Please note that Strava may independently monitor and collect certain usage data related to our use of the Strava API. That data collection is governed by Strava's own Privacy Policy and API Agreement, not this policy.

Authorization: We do not access any Strava data before you explicitly authorize our application through Strava's official OAuth flow. You may disconnect Strava at any time from your account settings, which immediately revokes our access to your Strava account. Revoking access does not delete previously approved run records stored in Commitr's database.

If you delete activity data from your Strava account, we will immediately stop displaying that data and delete any corresponding unprocessed Strava data from our systems within 48 hours.

1.5 Usage and Technical Data

We may automatically collect standard server-side technical information such as error logs, request timestamps, and the identity of API endpoints accessed. We do not use browser cookies for tracking or analytics beyond what is required by Supabase for session management.

2. How We Use Your Information

We use the information we collect to:

  • Authenticate you via phone OTP and maintain your session.
  • Display your name and progress to other members of clubs you belong to.
  • Process challenge stakes, payouts, deposits, and cashouts.
  • Verify runs using associated Strava activity data.
  • Maintain an immutable transaction ledger for accountability and dispute resolution.
  • Communicate with you about your account (e.g., OTP codes via SMS).
  • Detect and prevent fraud, abuse, and violations of our Terms of Service.

We do not use your data for advertising, profiling for marketing purposes, or any purpose unrelated to operating the Commitr platform.

3. How We Share Your Information

We do not sell your personal information. We share data only in the following limited circumstances:

  • Within your club — your name, avatar, km progress, and challenge standings are visible to other members of clubs you have joined. Club administrators can additionally view deposit receipts, cashout account numbers, and run verification outcomes to process requests.
  • Service providers — we use Supabase (database and file storage) and an SMS gateway to operate the Service. These providers process data on our behalf under their own privacy policies and security controls.
  • Legal requirements — we may disclose information if required to do so by law, court order, or to protect the rights, property, or safety of Commitr, its users, or the public.

4. Data Storage and Security

Your data is stored on Supabase-managed infrastructure. We apply Row-Level Security (RLS) policies so that each user can only access data they are authorised to see. File uploads (deposit receipts) are stored in private Supabase Storage buckets accessible only via authenticated API calls. All data is transmitted over HTTPS.

We implement security measures consistent with GDPR Article 32 (administrative, technical, organisational, and physical safeguards) for the protection of any personal data obtained through the Strava API, in addition to our obligations under the Philippine Data Privacy Act of 2012.

While we implement reasonable measures to protect your data, no system is completely secure. You are responsible for keeping your phone and OTP codes confidential.

In the event of a security breach affecting Strava data obtained via the Strava API, we will notify Strava within 24 hours of becoming aware of the incident, as required by the Strava API Agreement.

5. Data Retention

We retain your personal data for as long as your account remains active. Specifically:

  • Account data (name, phone) — retained for the lifetime of your account.
  • Transaction ledger — retained indefinitely for financial accountability.
  • Deposit receipts — retained for up to 12 months after the relevant deposit closes.
  • Strava activity data — retained for up to 90 days after the relevant run is approved or rejected. If you disconnect Strava, we delete unprocessed Strava activity data within 30 days. If you delete activity data from your Strava account, we delete any corresponding unprocessed data from our systems within 48 hours.

When you close your account, we delete or anonymise your personal information within 30 days, except where retention is required for legal or accounting purposes.

6. Your Rights (Philippine Data Privacy Act)

Under the Philippine Data Privacy Act of 2012, you have the right to:

  • Be informed — know what personal information we hold about you and how it is processed.
  • Access — request a copy of the personal information we hold about you.
  • Rectification — request correction of inaccurate or incomplete personal information.
  • Erasure — request deletion of your personal information, subject to legal retention obligations.
  • Object — object to the processing of your personal information in certain circumstances.
  • Data portability — request your data in a structured, machine-readable format.

To exercise any of these rights, contact us at dowhilesoftwares@gmail.com. We will respond within 15 business days.

7. Children's Privacy

The Service is intended for users who are at least 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with their information, please contact us immediately and we will delete it.

8. Third-Party Services

The Service may contain links to or integrate with third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to read the privacy policies of any third-party services you use.

Where Strava data or Strava-sourced activity information is displayed in the Service, it will be accompanied by Strava attribution in accordance with the Strava API Agreement and Strava Brand Guidelines. Your use of Strava through our Service is also subject to Strava's Terms of Service and Privacy Policy.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will make reasonable efforts to notify you via your registered phone number or within the app. Continued use of the Service after any changes constitutes your acceptance of the updated policy.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact our Data Privacy Officer at:

Commitr — Data Privacy Officer

dowhilesoftwares@gmail.com

You may also file a complaint with the National Privacy Commission of the Philippines at www.privacy.gov.ph.