Privacy Policy

Last updated: April 22, 2026 · Effective date: April 22, 2026

This Privacy Policy describes how CHALLENGRS LLC, a Delaware limited liability company ("Challengrs," "we," "us," or "our"), collects, uses, discloses, and safeguards your personal information when you use the Challengrs mobile application, our website at challengrs.app, and related services (collectively, the "Services").

By using the Services, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Services.

1. Who We Are

Challengrs is operated by CHALLENGRS LLC, a limited liability company organized under the laws of the State of Delaware (file number 10578660) with a principal place of business at 116 Shady Brook Cir Unit 301, Saint Simons Island, GA 31522, United States.

For privacy questions, contact us at support@challengrs.app.

2. Eligibility — Must Be 18 or Older

The Services are available only to individuals who are at least 18 years of age. When you create an account, you must affirmatively confirm that you are 18 or older by checking a box during sign-up. By doing so, you represent and warrant that you are at least 18 years old.

If we become aware that a user is under 18, we will promptly terminate the account and delete associated personal information. If you believe a minor has created an account, please contact support@challengrs.app.

3. Information We Collect

a. Information You Provide

Category	When	Purpose
Email address	Account creation	Authentication, password reset, important account notices
Username	Account creation	Identifier visible to other participants
Password (hashed)	Account creation	Authentication; we never see your plaintext password (handled by Supabase Auth)
Age attestation (18+)	Account creation	Eligibility verification (stored as a boolean flag; we do not collect date of birth)
Profile photo (optional)	Edit profile	Display in-app to other users
Bio (optional)	Edit profile	Display in-app to other users
Challenge content	Creating or joining challenges	Challenge title, description, rules, personal goal, stake amount
Proof photos	Uploading proof during a challenge	Verification and accountability to other participants
Proof metadata (timestamp, approximate GPS coordinates, location name)	Each proof upload	Verify authenticity; visible to participants in that challenge
Proof caption (optional)	Proof upload	User-supplied description
Redo request reason / late proof photo	Requesting a redo	Peer vote on whether to grant a redo

b. Payment Information

When you make a deposit or withdrawal, payment data (card number, CVV, expiration, bank account) is collected and processed directly by Stripe. We never see, store, or have access to your full card number or bank credentials. We receive only a payment token, the transaction amount, a Stripe payment ID, and status. Your wallet balance, deposits, stake holds, winnings, and losses are stored in our database but are visible only to you.

c. Information from Third-Party Integrations (Optional)

If you voluntarily connect a third-party account, we receive information from that provider:

• Strava: With scope activity:read_all, we receive your athlete ID, activity type (Run, Ride, Swim, Walk, Hike, Workout), and activity metrics (distance, duration, elapsed time, speed, elevation, calories, and heart rate if you share it) when a matching activity occurs. We store these with your proof upload and — for active challenges — in our database. We also temporarily log inbound Strava webhook events for idempotency and troubleshooting.
• GitHub: With scope read:user, we receive your GitHub profile and commit activity when used for coding challenges.
• Apple HealthKit: If you grant HealthKit permission, we read workout data only on your device. This data is not transmitted to our servers. If you do not grant permission, the app still works.

You can disconnect any third-party integration at any time from the Profile screen. Disconnection stops future data flow; data previously received remains associated with your prior challenge participations and is deleted when you delete your account.

d. Information Collected Automatically

• Device and push-notification data: When you enable push notifications, OneSignal receives a push token, device model, operating system, and app version. This is necessary for delivering notifications to your device.
• Log data: Our server infrastructure (Supabase) retains routine server logs such as request timestamps, IP address, and error messages for short periods to operate and secure the Services.
• App state: For in-app functionality (e.g., which challenges you have joined) we store your interactions in our database. This is not used for analytics or profiling.

e. Information We Do Not Collect

• We do not use any third-party analytics, advertising, attribution, or tracking SDKs (no Firebase Analytics, Mixpanel, Amplitude, PostHog, Segment, Meta SDK, AppsFlyer, or equivalents).
• We do not track you across other apps or websites. The App is not required to show an App Tracking Transparency prompt because we do not engage in cross-app or cross-site tracking.
• We do not fingerprint your device.
• We do not access your contacts, calendar, email, SMS, microphone, or other on-device data we don't need.
• We do not track your location in the background — GPS is read only at the moment of a proof upload if you allow it.
• We do not sell your personal information. See §8 and §13.

4. How We Use Your Information

We use personal information to:

• Provide, operate, and maintain the Services, including creating accounts, running challenges, uploading proofs, settling stakes, processing payments, and delivering payouts.
• Communicate with you about your account, including password resets, challenge invitations, upload reminders, redo vote notifications, challenge results, and other service-related messages.
• Verify eligibility (age attestation), authenticate you, prevent fraud, detect abuse, and enforce our Terms of Service.
• Meet legal obligations including tax reporting (e.g., IRS Form 1099 for qualifying payouts) and responding to lawful requests.
• Improve the Services by identifying and fixing bugs. We do not use automated profiling or machine learning to make decisions about you.

5. How We Share Information

We share personal information only in the circumstances described below. We do not sell your personal information.

a. With Other Challengrs Users

The platform is inherently social. Your username, profile photo, bio, challenges you participate in, proof photos, proof metadata (timestamp, approximate location, caption), and reactions are visible to other users in ways described in §7.

b. With Service Providers

We use a small number of trusted vendors to run the Services. They act on our behalf under contract and may process your data only for the purposes described.

Vendor	Purpose	Data they receive
Supabase (Supabase, Inc.)	Database, authentication, file storage, edge functions	Account data, challenge data, proof photos, server logs. Powered by AWS in the United States.
Stripe (Stripe, Inc.)	Payment processing, Stripe Connect payouts	Payment details, amount, transaction ID, your name/email for verification. PCI DSS Level 1 certified.
OneSignal (OneSignal, Inc.)	Server-to-server push notification delivery	Your user ID, push token, device model, OS, notification payload (title, body, challenge ID).
Strava, Inc.	Fitness activity sync (only when you connect)	OAuth token, scope-limited activity requests. See Strava's Privacy Policy.
GitHub, Inc.	Code-challenge activity sync (only when you connect)	OAuth token, scope-limited profile requests. See GitHub's Privacy Statement.
Google Workspace (Google LLC)	Hosting our support email	Email you send us.
Apple, Inc.	App distribution and HealthKit framework (on-device)	Limited data as disclosed in Apple's Privacy Policy. HealthKit data stays on your device.

c. For Legal Reasons

We may disclose information if required by law, subpoena, court order, or other valid legal process, or to protect the rights, property, or safety of Challengrs, our users, or the public.

d. Business Transfers

If Challengrs is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. We will notify you of any change of control that affects how your information is handled.

e. Aggregated or De-Identified Data

We may create and use aggregated or de-identified information (data that cannot reasonably identify you) for product analysis, research, or public communications. Such data is not subject to this Policy.

6. Third-Party Services & Links

The Services may contain links to external websites (e.g., Strava, GitHub, Instagram for story sharing). We are not responsible for the privacy practices of third parties. We encourage you to review their policies before interacting with them.

7. What Other Users See

Understanding visibility is important. Here's exactly what others can see:

• Your username, profile photo, and bio: visible to anyone in a shared challenge and on your profile page.
• Your proof photos and their metadata: visible to all participants in the same challenge, including the timestamp, approximate location, location name, and any caption you add.
• Your progress, activity type (e.g., Run), and outcome: visible to participants in the same challenge.
• Your reactions and redo votes: visible to participants in the same challenge.
• Your wallet balance, deposit/withdrawal history, earnings, and losses: visible only to you, never to other users.
• Your email address, phone number, age attestation, or payment details: not visible to other users under any circumstances.

Proof photo URLs. Proof photos are stored in a Supabase Storage bucket and served via public URLs that are difficult to guess. Someone with the exact URL could view the image without being logged in. We use this approach to keep the app fast and simple, but it means proof photos should not contain information you would not share with challenge participants. We do not index proof photos, and we do not publish your URLs anywhere outside the app.

Photo metadata (EXIF). When the iOS app re-encodes your photo for upload (JPEG compression), iOS strips embedded EXIF metadata such as GPS coordinates, camera model, and original capture timestamps. The location shown alongside your proof upload comes from a separate one-time location request at the moment you tap upload (if you grant location permission), not from the photo file itself. You can deny or disable location permission for Challengrs at any time in iOS Settings without affecting other app functionality.

8. Tracking, Advertising, and App Tracking Transparency

We do not engage in "tracking" as defined by Apple's App Tracking Transparency framework. Specifically:

• We do not link user or device data collected in the app with user or device data from other companies for targeted advertising or advertising measurement.
• We do not share user or device data with data brokers.
• We do not use cross-app or cross-site tracking.
• We do not display advertisements in the app.

Because we do not track you, the Services do not display the App Tracking Transparency prompt. Nothing prevents you from disabling IDFA at the iOS level; it has no effect on the Services.

9. Data Security

We use technical and organizational measures designed to protect your information:

• All data is transmitted over encrypted connections (TLS 1.2+).
• Passwords are hashed by Supabase Auth and never stored in plaintext.
• Databases enforce row-level security so you can only access your own records.
• Payment information is handled by Stripe (PCI DSS Level 1); we never touch card data.
• OAuth tokens for third-party integrations are stored with server-side access restrictions and are not exposed to the client.
• We restrict employee access to production data to those who need it for operations.

No system is perfectly secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

10. Data Retention

Data category	Retention period
Account profile (email, username, bio, avatar)	Until you delete your account, plus up to 30 days for backup rotation
Challenge records (titles, goals, rules, participation)	Until deleted by the creator or by account deletion
Proof photos and metadata	Until you delete your account, the challenge creator deletes the challenge, or we decide to remove content per our Terms of Service
Transaction records (deposits, stakes, payouts)	Up to 7 years for tax and financial-record compliance (e.g., IRS Form 1099 obligations)
OAuth tokens (Strava, GitHub)	Until you disconnect the integration, delete your account, or the token expires / is revoked
Server logs (IP, request metadata)	Up to 90 days
Strava webhook event log	Up to 90 days for idempotency
De-identified analytics	Indefinitely (no longer linked to you)

11. Your Rights and Choices

Regardless of where you live, you can:

• Access and correct your profile information at any time from Profile → Edit Profile.
• Delete your account at any time from Profile → Settings → Delete Account (see §12).
• Disconnect integrations (Strava, GitHub) from Profile → Connected Accounts.
• Disable push notifications from your iOS Settings → Notifications → Challengrs.
• Revoke HealthKit permission from iOS Settings → Health → Data Access & Devices.
• Contact us for any other request at support@challengrs.app. We respond within 30 days.

12. Account Deletion

You can delete your account at any time from within the app (Profile → Settings → Delete Account). Account deletion is irreversible and performs the following:

• Deletes your profile, email, username, password hash, age attestation, bio, avatar, and preferences.
• Deletes your proof uploads, reactions, redo requests, and redo votes.
• Deletes your participation records in all challenges.
• Deletes challenges you created where no other participants remain. Where other participants remain, your creator identity is anonymized (set to NULL) and the challenge continues without you.
• Deletes your transaction records, unless we are legally required to retain them for tax or compliance purposes, in which case we retain the minimum records required and treat them in accordance with this Policy.
• Deletes your OAuth tokens for Strava and GitHub. You may also revoke access on those platforms directly.
• Revokes your Supabase authentication session and deletes your Supabase auth user.

Requests sent to support@challengrs.app are honored within 30 days.

13. US State Privacy Rights

Depending on where you live, you may have specific privacy rights under state law. This section applies to residents of California, Colorado, Connecticut, Oregon, Texas, Utah, Virginia, and other states with comparable laws.

a. Rights You Have

• Right to know / access: request the categories and specific pieces of personal information we collect about you.
• Right to correct: request correction of inaccurate information.
• Right to delete: request deletion of your personal information.
• Right to data portability: request a machine-readable export.
• Right to opt out of sale or sharing for cross-context behavioral advertising: we do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of.
• Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes beyond providing the Services.
• Right to non-discrimination: we will not deny, charge different prices for, or provide a different level of Services because you exercise a privacy right.
• Right to appeal: if we deny a rights request, you may appeal by emailing support@challengrs.app with the subject line "Privacy Rights Appeal."

b. How to Exercise Your Rights

Email support@challengrs.app with your request. We may need to verify your identity before responding; typically we confirm by asking you to reply from the email address associated with your account. You may use an authorized agent, provided we can verify the agent's authority.

c. "Do Not Sell or Share My Personal Information" / CCPA Notice

We do not sell personal information, and we do not share it for cross-context behavioral advertising. Because we do not engage in these activities, we do not display a "Do Not Sell or Share" link. In the past 12 months, we have not sold or shared personal information for these purposes.

d. Categories of Personal Information Collected & Disclosed (CCPA)

In the past 12 months we have collected categories A (identifiers), D (commercial information - limited to transaction records), F (internet/app activity - limited to in-app events), G (geolocation - limited to proof upload GPS), K (inferences - none), and L (user-generated content - proof photos, captions). We have disclosed categories A, D, F, and L to the service providers listed in §5(b) for business purposes.

14. EEA, United Kingdom, and Swiss Rights (GDPR / UK GDPR / Swiss FADP)

If you are in the European Economic Area, the United Kingdom, or Switzerland, the following applies.

Controller. CHALLENGRS LLC is the controller of your personal information processed through the Services.

Legal bases for processing. We process personal information based on (a) performance of a contract (operating the Services for you), (b) our legitimate interests in operating, securing, and improving the Services where not overridden by your rights, (c) compliance with legal obligations, and (d) your consent where required (e.g., push notifications, optional integrations).

Your rights. You have the right to access, rectify, erase, restrict processing of, object to processing of, and port your personal data. You may withdraw consent at any time where processing is based on consent. To exercise any of these rights, email support@challengrs.app.

Right to lodge a complaint. You have the right to lodge a complaint with your local data protection authority.

International transfers. Our servers are in the United States. If you access the Services from outside the US, your personal information will be transferred to and processed in the US. We rely on Standard Contractual Clauses (or equivalent) with our processors where applicable.

15. Children's Privacy

The Services are not intended for users under 18. We do not knowingly collect personal information from anyone under 18. If you believe we may have collected information from a minor, contact us immediately at support@challengrs.app and we will promptly delete it.

16. International Users

Challengrs is operated from the United States. If you access the Services from another country, you understand that your personal information will be transferred to, processed, and stored in the United States, where laws differ from those of your jurisdiction. By using the Services, you consent to such transfer.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top will reflect the most recent revision. Material changes will be communicated through the app, via email, or by prominent notice before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

18. Contact Us

For any question or request regarding this Privacy Policy or our data practices, please contact:

CHALLENGRS LLC
Attn: Privacy
116 Shady Brook Cir Unit 301
Saint Simons Island, GA 31522
support@challengrs.app

---

Challengrs is a product of CHALLENGRS LLC. © 2026 CHALLENGRS LLC. All rights reserved.