SummitStats ("we," "us," or "our") is a ski and snowboard tracking app that helps you log days on the mountain, connect with friends, and track your progress across seasons. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
By using SummitStats, you agree to the practices described in this policy. If you do not agree, please discontinue use of the app.
Information We Collect
Account Information
When you create an account using Sign in with Apple, we receive:
- Your Apple-provided user identifier (a unique, opaque string)
- Your email address (which Apple may relay through a private relay address if you choose "Hide My Email")
We do not receive your Apple ID password or any other Apple account credentials.
Profile Information
- Username — chosen by you during signup
- Profile picture — optional; uploaded from your photo library
- Bio / description — optional; written by you
- Profile tag — optional custom tag displayed on your profile
- Preferred sport — skiing, snowboarding, or Nordic skiing
- Profile accent color — a color preference for your profile display
Check-in Data
Each ski day you log contains:
- Resort name and location
- Date of visit
- Sport type and activity type (Alpine, Backcountry, Cross-Country)
- Optional title / caption
- Optional photo (uploaded from your photo library)
- Optional conditions rating
- Tagged friends (other SummitStats users you choose to tag)
Strava Activity Data Third-Party Integration
If you choose to connect your Strava account, we request read-only access to your activities. We collect and store:
- Activity stats: distance, moving time, elapsed time, elevation gain, max/average speed, heart rate, calories, achievement count
- Activity name and start location (GPS coordinates used to match the nearest resort)
- Activity type (Alpine Ski, Snowboard, Nordic Ski, Backcountry Ski)
- Your Strava athlete ID (to link webhook events to your account)
- OAuth tokens necessary to access your data (stored securely in our database)
We never post to Strava on your behalf, access activities beyond those listed above, or access any personal Strava profile information beyond what is required to identify your account.
Strava activity data is used exclusively to automatically create check-ins for your ski and snowboard days and to display aggregate stats on your profile. You can disconnect Strava at any time from Settings.
Location Data
With your permission, we access your device's GPS location to:
- Suggest nearby ski resorts when creating a check-in
- Match your Strava activity's start coordinates to the nearest resort in our database
We do not continuously track your location in the background. Location access is only used at the moment you initiate a check-in or when a Strava activity is processed. Your raw GPS coordinates are not stored — only the matched resort name is saved.
Photos and Camera
- Photo library — accessed when you choose to add a photo to a check-in or upload a profile picture. You must explicitly select a photo; we do not scan or access your library automatically.
- Photos you upload are stored on our servers (Google Firebase Storage) and are visible to users who follow you, or publicly on your profile depending on your privacy settings.
Social Activity
- Follows and follow requests between users
- Likes on check-ins
- Comments on check-ins (text content and timestamp)
- User blocks
- Notifications (who liked, commented, or followed you)
Device and Technical Information
- Push notification token — a device identifier used by Expo's push notification service to deliver notifications. This token is stored in your account and updated when you open the app on a new device.
- Device type and OS version — collected by Expo to ensure notification compatibility.
- We do not collect advertising identifiers (IDFA) or use any advertising SDKs.
Resort and Map Data
When you view a resort's detail page, we may fetch photos and address information from the Google Places API (New). This request is made server-side using your search query (resort name); your personal identity is not shared with Google as part of these requests. Photo data is cached on your device to minimize repeat API calls.
How We Use Your Information
| Purpose | Data Used |
|---|---|
| Create and manage your account | Email, Apple ID, username |
| Display your profile and stats | Profile info, check-ins, Strava data |
| Auto-create check-ins from Strava | Strava activity data, GPS start coordinates |
| Suggest nearby resorts | GPS location (momentary, not stored) |
| Social features (follows, likes, comments) | User ID, social activity data |
| Send push notifications | Push token, notification events |
| Track achievements and season stats | Check-in history, Strava aggregates |
| Friends leaderboard | Check-in counts of users you follow |
| Display resort photos | Resort name (queried against Google Places) |
| Account deletion | All data associated with your account |
We do not sell your personal data. We do not use your data for advertising or share it with advertising networks.
Third-Party Services
| Service | Purpose | Privacy Policy |
|---|---|---|
| Google Firebase | Authentication, database (Firestore), and file storage | firebase.google.com/support/privacy |
| Google Places API | Resort photos and address information | policies.google.com/privacy |
| Strava | Activity data (read-only, if you connect your account) | strava.com/legal/privacy |
| Apple (Sign in with Apple) | Authentication | apple.com/legal/privacy |
| Expo (push notifications) | Delivering push notifications to your device | expo.dev/privacy |
| Open-Meteo / weather APIs | Current weather conditions for resort pages (resort coordinates only) | open-meteo.com/en/terms |
Each third-party service is governed by its own privacy policy. We encourage you to review those policies for services you use in connection with SummitStats.
Data Sharing and Visibility
Public and Follower-Visible Content
By default, your profile and check-ins are visible to users who follow you. Your username and profile picture are visible to any SummitStats user searching for you. Check-in details (location, date, sport, photos, comments) are visible to your followers.
Deep links to check-ins shared outside the app will show only the resort name and a follow prompt to non-followers — no photo, date, or content is exposed to users who do not follow you.
We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to any third party for commercial purposes.
Legal Disclosures
We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the safety of any person, protect against legal liability, or investigate potential violations of our Terms of Service.
Business Transfers
In the event of a merger, acquisition, or sale of our assets, your personal data may be transferred as part of that transaction. We will notify you via the app or email if such a change affects how your data is handled.
Data Retention
We retain your data for as long as your account is active. Specifically:
- Account and profile data — retained until you delete your account
- Check-ins, photos, and social data — retained until deleted by you or upon account deletion
- Strava tokens — retained until you disconnect Strava or delete your account; revoking access via Strava's settings will also deactivate the integration
- Push notification tokens — retained while your account is active; refreshed automatically when you open the app
When you delete your account, we permanently remove your profile, check-ins, photos, followers, likes, comments, and all associated data from our servers. This action is irreversible.
Your Rights and Choices
- Access and portability — you can view all your check-in and profile data within the app at any time.
- Correction — you can edit your username, bio, profile picture, and check-in details at any time from within the app.
- Deletion — you can delete your account from the Settings screen. This permanently removes all your data from our servers.
- Strava disconnection — you can disconnect Strava at any time from Settings → Disconnect Strava. New activities will no longer sync, but previously created check-ins will remain.
- Push notifications — you can disable push notifications at any time through your device's iOS Settings.
- Location access — you can revoke location permission at any time through iOS Settings → SummitStats → Location. This will disable the nearby resort suggestion feature.
- Photo library access — you can revoke photo library permission at any time through iOS Settings → SummitStats → Photos. This will disable photo uploads.
Children's Privacy
SummitStats is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at summitstatsios@gmail.com and we will take steps to remove that information promptly.
Security
We implement industry-standard security measures including:
- Firebase Authentication for secure sign-in — we never store passwords
- Firestore security rules restricting data access to authorized users only
- Firebase Cloud Functions for sensitive operations (Strava token exchange and disconnection) — OAuth tokens are never exposed to client applications
- HTTPS for all data transmission
No method of electronic storage or transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you via a notice within the app. Your continued use of SummitStats after changes are posted constitutes your acceptance of the updated policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Email: summitstatsios@gmail.com
We will respond to all privacy-related inquiries within 30 days.