← Back

Privacy Policy

Last updated: April 14, 2026

1. Who we are

RunRiot is a territory-conquest running game operated by Fintale(based in India). We run RunRiot as an exclusive companion to the Monsoon Miles 2026 event hosted by RunWithDina (event date: July 19, 2026).

Contact: [email protected]

2. What we collect

  • Account data: email, name, password (hashed by Firebase Authentication), profile photo (optional).
  • Gameplay data: zones you claim, distance run, XP, streaks, run timestamps — derived from your Strava activities.
  • Strava data: if you connect Strava, we receive your athlete ID, name, and activity data (route polylines, distance, duration, start time). Scope requested: activity:read_all.
  • Technical: IP address, device/browser type, error logs — used only to keep the service running.

We do not collect your phone number, address, payment info, or any health data beyond what Strava exposes in activity records.

3. How we use it

  • Run the territory-conquest game — convert your runs into zones, XP, and leaderboard standings.
  • Show your activities to you and to your Monsoon Miles peers (names + stats only, never raw GPS traces).
  • Detect and reject clearly invalid activities (spoofed GPS, unrealistic speeds).
  • Announce event-related updates via email (rare).

We do not sell your data. We do not run ads. We do not share data with third parties except the processors listed below.

4. Who we share it with

  • Google Firebase (Authentication, Firestore, Cloud Functions) — stores your data and runs our backend. Located in Mumbai (asia-south1).
  • Strava — you authorise us to pull your activity data from Strava. Their privacy policy: strava.com/legal/privacy
  • Mapbox — for displaying the territory map. They may log your IP when you view the map.
  • RunWithDina / Monsoon Miles organisers — only aggregate leaderboard standings for race-day awards. No raw activity data.

5. How long we keep it

Your account and gameplay data are retained for the duration of the Monsoon Miles 2026 campaign and for 12 months after, after which they are permanently deleted unless you've re-engaged with a future event. You can request earlier deletion at any time (see §7).

When you disconnect Strava in your profile, we immediately delete your Strava tokens and all runs we've ingested from Strava, plus reset your totals to zero. This is also triggered automatically if you revoke access from Strava's side.

6. Security

Data is encrypted in transit (HTTPS) and at rest (Firebase/GCP defaults). Firestore rules restrict who can read what — your tokens are readable only by you and by our server-side functions. We do not store any Strava access tokens in plaintext on your device.

7. Your rights

You can at any time:

  • Export a copy of your data — email us.
  • Correct your name, email, or profile photo — from the profile page.
  • Disconnect Strava — from the profile page.
  • Delete your entire account — email us from the address you signed up with.

We respond to requests within 7 days.

8. Children

RunRiot is not intended for users under 13. If you believe a child has created an account, email us and we will delete it.

9. Changes

If we materially change this policy we'll email registered users 7 days before the change takes effect.

10. Contact

Questions? [email protected]
Grievance officer (India): Siddharth Shah, Fintale, Vadodara.

Terms of ServiceHome