Privacy policy
Last updated: 22 April 2026.
Who runs this service
Trigg is operated by Joseph Walford, a sole individual based in the United Kingdom, acting as the data controller for personal data processed through this app. Data access, deletion, and privacy requests can be sent to info.trigg@gmail.com.
What this app does
Trigg connects to Strava so it can import eligible activities for the signed-in athlete, compare GPS tracks against a locally stored trig pillar dataset, and display that athlete their own pillar progress, score, and match history. Trigg does not surface other athletes’ data.
Data collected from Strava
- Strava athlete id, display name, username, and profile image when available.
- Encrypted Strava access and refresh tokens.
- Activity summaries for eligible `Hike`, `Walk`, and `Run` activities from your full Strava history.
- Detailed GPS stream data for candidate activities that need matching against pillar coordinates.
- Derived trig pillar matches, minimum distance metrics, sync history, and processing status.
Cookies and analytics
Trigg uses one strictly necessary session cookie (trigtracker_session) to keep the signed-in user authenticated. This cookie is HTTP-only and does not leave the browser except to authenticate API requests.
Trigg also uses Google Analytics 4 to measure aggregate traffic and feature usage. Google Analytics sets first-party cookies on your browser and processes pseudonymous identifiers, coarse location (country/region), device, and page-view data. IP addresses are anonymised by Google before storage. You can opt out by installing the Google Analytics opt-out browser add-on, or by blocking third-party scripts in your browser.
Lawful basis
- Contract — processing Strava activity data is necessary to provide the pillar tracking service you signed up for.
- Legitimate interests — operational logs and analytics used to keep the service running, secure, and measurable.
- Consent — granted to Strava at the OAuth connect step; you can revoke access at any time from your Strava account settings or from the in-app disconnect button.
How data is used
- To authenticate the athlete with Strava and maintain the app session.
- To import and process eligible activities and GPS streams.
- To calculate pillar visits, score, classes, progress, and recent history for the signed-in athlete only.
- To operate webhook ingestion, sync retries, and debugging.
- To measure aggregate, non-identifying product usage via Google Analytics.
How data is shared
Athlete data is never sold or used for advertising. Data is only processed by the sub-processors below, each of which is necessary to run the app:
- Amazon Web Services (AWS Lightsail, London / eu-west-2) — hosting of the application, database, and encrypted storage.
- Strava — source of all athlete and activity data; a separate controller for the data it holds on its own platform.
- Google (Google Analytics 4) — aggregate web analytics as described above.
International transfers
Primary storage is in the United Kingdom (AWS London region). Google Analytics and Strava may process data outside the UK/EEA under their own standard contractual clauses and transfer mechanisms.
Retention and deletion
- Tokens, activities, streams, pillar matches, sync history — deleted immediately when you click “Disconnect and delete my data” on the Settings page, or when Strava sends a deauthorization webhook after you revoke access from Strava’s own settings.
- Operational server logs — retained for up to 90 days for debugging, abuse detection, and security, then deleted.
- Google Analytics data — retained according to the default GA4 retention window (currently 14 months for event-level data).
Security
Strava access and refresh tokens are encrypted at rest. The web frontend uses its own session cookie rather than exposing raw Strava tokens. All API access is scoped to the authenticated athlete’s own account, and transport is served over HTTPS in production.
Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict, object to, and port personal data held about you. The in-app disconnect button satisfies the erasure right for all athlete data Trigg stores. For any other request you can contact the operator at info.trigg@gmail.com. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.
Age restriction
Trigg is not intended for use by anyone under 16. Do not connect a Strava account if you are under that age.
Changes to this policy
Material changes to this policy will be reflected by updating the “Last updated” date above. Continued use after an update constitutes acceptance of the revised policy.