Privacy Policy
Last updated: January 1, 2026
This Privacy Policy explains how StreetVenture (“we”, “our”) collects, uses, and protects your information when you use our mobile application and related services (the “Services”). It is intentionally readable — we’ve adapted the structure of established fitness-app policies (notably Strava’s) and removed everything that doesn’t apply to us. You can read the entire thing in under fifteen minutes.
We do not sell your personal data. Full stop. We do not sell, rent, or trade your name, email, GPS data, activity history, or any other personal information to advertisers, data brokers, or insurers.
1. Scope
This Policy applies to the StreetVenture mobile app, our website at streetventure.app, and the services that power both. It governs personal information collected when you create an account, record activities, view friends’ activities, or otherwise use the Services.
StreetVenture acts as the data controller for the information described here. Our jurisdiction is the Netherlands, and EU/EEA users’ rights under the GDPR apply in full.
2. Information We Collect
2.1 Information You Provide
- Account information — name, email address, username, password (stored via our identity provider, Clerk, never as plaintext on our servers).
- Profile information — optional profile photo, display name, sport preferences, and goals you choose to add.
- Support requests — anything you send us when asking for help.
2.2 Information from Using the Services
- Activity data — the routes you walk, run, or cycle, including timestamps, distance, speed/pace, duration, and the street segments your GPS trace passes through. We snap your GPS to the OpenStreetMap road network ourselves; we do not send raw GPS traces to third-party map APIs at runtime.
- Location data — collected from your device when you record an activity, with the permission you grant in your operating system. We do not track your background location when no activity is being recorded.
- Usage information — which screens you visit, which features you use, what time you log in. Aggregated to help us understand which parts of the app are useful.
- Device information — operating system, app version, device model, language, and time zone. Used for crash reporting and to keep the app working on the devices people use.
- Crash and diagnostic logs — captured automatically when the app fails so we can fix it. These never contain your email, password, or precise GPS coordinates.
2.3 Information from Third-Party Integrations
If you connect your StreetVenture account to a third-party service, we will receive activity data from that service. Today the only supported integration is Strava import (one-way: we read from Strava, we never write back). When you authorize the Strava connection, Strava shares your past activities and any activities you choose to import.
If you choose to enable HealthKit (iOS) or Health Connect (Android) integration, please see §9 Health Data for the dedicated, more-detailed disclosure (including the data types we read, what we explicitly do not read, and the Apple-mandated HealthKit clauses).
2.4 What We Do Not Collect
- We do not collect payment information. The app is free to use.
- We do not collect contacts from your phone’s address book.
- We do not collect health information for advertising or sell it to insurers or anyone else.
- We do not collect background location data when no activity is being recorded.
3. How We Use Your Information
We use your information to:
- Provide the core service — record your activities, snap them to the OpenStreetMap road network, calculate coverage, award XP, maintain streaks, and surface progress in the app.
- Power social features — your friends’ feed, leaderboards, challenges, expeditions, and shared routes.
- Communicate with you — for transactional purposes (password resets, account notices, important changes to this policy). If we add a marketing email list, you will be asked to opt in separately.
- Keep the service running — fix bugs, prevent abuse, detect fraud, debug crashes.
- Comply with legal obligations — respond to lawful requests where required.
We do not use your data for automated decisions that have legal or similarly significant effects on you. We do not use your data to train third-party AI models, and we do not sell or license your data to anyone for that purpose.
4. How We Share Your Information
4.1 Other Users
Information you share publicly (your profile, your activities’ routes, your reactions on the feed) is visible to other StreetVenture users according to the privacy controls you choose in the app. You can mark activities private at any time.
4.2 Service Providers (Processors)
We use a small set of third-party providers strictly to operate the service. None of them are permitted to use your data for their own purposes.
- Clerk — authentication and account management. Clerk stores email addresses, hashed passwords, and authentication metadata on our behalf.
- Hetzner Online GmbH — our hosting provider. The database (PostgreSQL with the Marten event store) and the application servers run on machines we lease from Hetzner in their EU data centers.
- OpenFreeMap / OpenStreetMap contributors — we render maps using the OpenFreeMap tile service, which serves OpenStreetMap vector tiles. Your device requests map tiles directly from the tile provider; the request includes your IP address and the area you’re looking at, but never your account identity.
- Zoho Mail (EU) — operates the
support@streetventure.appmailbox. Receives only the email content you send us and any data you choose to include in that message (typically an account email when you write to request data access or deletion).
4.3 Legal Requirements
We may disclose information when required by law (court orders, subpoenas, government demands lawfully issued under Dutch or EU law) or when reasonably necessary to prevent serious harm.
4.4 We Do Not Sell Your Data
We do not sell or share your personal data with advertisers, data brokers, insurers, or anyone else for commercial purposes. We have no advertising business model.
5. Map Data Attribution
Our maps use OpenStreetMap data, which is licensed under the Open Database License (ODbL). Map tiles are served by OpenFreeMap.
When you cover streets in StreetVenture, you are matching your activity to OpenStreetMap’s street network. The street geometry itself is community-contributed data we do not own.
6. Your Rights
You have the following rights under the GDPR (if you are in the EU/EEA), the UK GDPR (if you are in the UK), and analogous laws in other jurisdictions:
- Access — see what we hold about you.
- Rectification — correct anything inaccurate.
- Erasure — delete your account and all associated personal data.
- Restriction — limit how we process your data.
- Portability — export your activities in a machine-readable format (we use standard GPX).
- Objection — object to processing based on our legitimate interests.
- Withdrawal of consent — withdraw consent for any consent-based processing at any time.
- Complaint — file a complaint with your local data protection authority. For Dutch residents, that is the Autoriteit Persoonsgegevens.
To exercise any of these rights, see the Contact section below.
7. Data Retention
We retain your information for as long as your account is active, and for a limited period afterward to allow for account recovery and to meet legal obligations.
When you delete your account, we delete your personal information within 45 days, except where retention is required for legal compliance (e.g. tax records, court orders). After deletion, your data cannot be reinstated.
To request deletion now, see our delete-account page for the in-app path (preferred) and the by-email fallback.
Aggregated, fully de-identified statistics may be retained indefinitely.
8. Children’s Privacy
StreetVenture is not intended for users under 16. We do not knowingly collect personal information from anyone under 16. This age threshold reflects the digital age of consent under the Dutch implementation of the GDPR (Article 8) — the same age applies across most EU/EEA member states; a few set the threshold lower (13–15), in which case the local age applies but never below 13.
If you believe a child under 16 has provided personal information to us, please contact us using the address in Section 16 and we will delete it.
9. Health Data (HealthKit & Health Connect)
If you enable Apple HealthKit (iOS) or Google Health Connect (Android) integration in the app, the OS shares a narrow set of health data with StreetVenture so we can credit your activity correctly. This section explains exactly what we read, what we never read, and the rules we operate under. In plain English first: we never use this data for ads, never sell it, never hand it to data brokers.
For Apple HealthKit, the following clauses apply, verbatim per Apple’s App Review guidelines:
- HealthKit data is never used for advertising or other data-mining purposes other than improving health, medical, and fitness management, or for research.
- HealthKit data is never sold or shared with third parties without explicit user consent.
- HealthKit data is never disclosed to data brokers under any circumstances.
The same three policies apply identically to Google Health Connect on Android.
What we read (only the data types you toggle on in the app’s Settings → Health screen):
- Step count
- Distance
- Active minutes
- Heart rate (optional; off by default)
What we never read, even if you grant blanket permission:
- Sleep data
- Medical records (clinical, prescriptions, lab results)
- Reproductive health
- Mental-health data
- Body measurements (weight, body fat, etc.)
What we never write to HealthKit or Health Connect: nothing. The integration is read-only.
The in-app Settings → Health screen is the source of truth for which data is currently shared per account. Toggle data types off there and the OS revokes our read access immediately.
10. Data Collection Summary
The table below lists every category of personal data StreetVenture collects (and explicitly lists the categories we do not collect). The same declarations are filed in Apple’s App Store Connect Privacy section and Google Play Console’s Data Safety form; the three surfaces are kept in sync deliberately.
| Data type | Collected? | Linked to user identity? | Used for tracking? | Purpose (Apple Privacy Label / Google Data Safety) | |---|---|---|---|---| | Email address | Yes | Yes | No | Account / App Functionality | | Name (display) | Yes | Yes | No | Account / App Functionality | | Profile photo | Optional (user-uploaded) | Yes | No | Account / App Functionality | | Precise location | Yes (during recording only) | Yes | No | App Functionality | | Coarse location | Yes | Yes | No | App Functionality | | Activity routes (GPS traces) | Yes | Yes | No | App Functionality | | Health & fitness data | Optional (HealthKit / Health Connect, user-toggled per type) | Yes | No | App Functionality | | In-app interactions (screens visited) | Yes | No | No | Analytics / Diagnostics | | Crash data | Yes | No | No | Diagnostics | | Performance data | Yes | No | No | Diagnostics | | Payment info | No | – | – | – (the app is free; we don’t take payment) | | Phone contacts | No | – | – | – | | Photos (camera roll, except profile photo) | No | – | – | – | | Background location when not recording | No | – | – | – | | Browsing history | No | – | – | – | | Microphone / audio | No | – | – | – |
These declarations are the source of truth for the App Store Connect Privacy section and the Play Console Data Safety form. If a row changes here, those two consoles MUST be updated to match before the next app release.
11. Security
We use industry-standard security measures: TLS for data in transit, encrypted disks at rest, password hashing via Clerk, and least-privilege access for our own engineers. No system is perfectly secure; if we ever learn of a breach affecting your data, we will notify you as required by law.
12. International Transfers
Our infrastructure is in the EU (Hetzner). Some service providers (notably Clerk) operate from the United States. Where personal data is transferred to a third country, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
13. Cookies and Similar Technologies
Our marketing website uses a minimal set of first-party cookies for session and security purposes. We use Vercel Analytics for aggregate, cookie-less visitor counts on the marketing site; it does not track individual users.
The StreetVenture app itself does not use third-party advertising or analytics SDKs.
14. Development & Demo Data
For internal development and screenshot capture, we run a “demo data seeder” that creates synthetic users and synthetic activities. This is a development-only tool. No demo data ever runs against, or is mixed with, production user data. The screenshots on our marketing site were captured against demo data.
15. Changes to This Policy
We may update this policy. Material changes will be announced via the app and via this page’s “Last updated” date. Continued use of the Services after an update means you accept the change.
16. Contact
For privacy and data-rights requests, email us at:
GDPR data-rights requests (access, rectification, erasure, portability, restriction, objection, withdrawal of consent) are honored at this address within the legal timeframe — 30 days from receipt, extendable by 60 days for complex requests with notification to you.
