Privacy Policy

Last updated: April 2026

Summit ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights. We've written it in plain English — if anything is unclear, email us at hello@summitapp.uk.

The short version: We collect only what we need to run the app. We never sell your data. We use Strava to detect your summits, Supabase to store your logbook, and Stripe to handle payments. None of your financial data touches our servers.

1. Who we are

Summit is operated as an independent product based in Scotland, UK. For data protection purposes, we are the data controller for the personal data you provide. Contact: hello@summitapp.uk.

2. Data we collect

From Strava (when you connect your account):

Your name and Strava athlete ID
GPS coordinates from your hiking and walking activities — used solely to detect which hill summits you've visited
Activity dates, types, and names
OAuth access and refresh tokens (stored securely, used to fetch your activities)

From you directly:

Ascent logs you create — dates, companions, conditions, personal notes
Settings and preferences

From Stripe (payments):

We receive a Stripe Customer ID and subscription status. We never see or store your payment card details — these are handled entirely by Stripe.

Automatically:

Standard server logs (IP addresses, request timestamps) — retained for up to 30 days for security purposes

3. How we use your data

To detect summits in your Strava GPS tracks and populate your hill logbook
To store and display your ascent history across sessions
To manage your subscription via Stripe
To send transactional emails (account confirmation, payment receipts) — we do not send marketing emails without your consent
To improve the app and fix bugs

4. Legal basis for processing (UK GDPR)

Contract performance — processing your Strava data and ascent logs to deliver the service you signed up for
Legitimate interests — server logs for security; improving the app
Legal obligation — retaining transaction records as required by UK law

5. Data sharing

We share data only with the following third-party services necessary to operate Summit:

Strava — to authenticate you and fetch your activity data. Strava Privacy Policy
Supabase — our database provider, hosted in the EU. Supabase Privacy Policy
Stripe — payment processing. Stripe Privacy Policy
Cloudflare — infrastructure and DDoS protection. Cloudflare Privacy Policy

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

6. Data retention

Your account and ascent data: retained for as long as your account is active
If you delete your account: all personal data deleted within 30 days
Payment records: retained for 7 years as required by UK tax law
Server logs: deleted after 30 days

7. Your rights

Under UK GDPR you have the right to:

Access — request a copy of your personal data
Rectification — correct inaccurate data
Erasure — request deletion of your data ("right to be forgotten")
Portability — export your ascent data (available via CSV export in the app)
Objection — object to certain types of processing
Withdraw consent — disconnect Strava at any time in the app settings

To exercise any of these rights, email hello@summitapp.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies

Summit does not use tracking cookies or advertising cookies. We use localStorage (browser storage) to keep you logged in and store your app settings. This data never leaves your device.

9. Security

Your data is transmitted over HTTPS at all times. Strava tokens are stored encrypted. Payment card data never touches our servers. We regularly review our security practices.

10. Children

Summit is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, please contact us immediately.

11. Changes to this policy

We may update this policy from time to time. We'll notify you of significant changes by email or via the app. Continued use after changes constitutes acceptance.

12. Contact

Questions about this policy? Email us at hello@summitapp.uk. We aim to respond within 2 working days.