← Back

Privacy Policy

1. Controller

Susann Müller
Engelbert-Schoner-Weg 4
99425 Weimar, Germany
Email: sport_challenges@web.de

This is the privacy policy ("Datenschutzerklärung") for the Sport Challenges web app, explaining what personal data is processed, why, on what legal basis, and what rights you have under the General Data Protection Regulation (GDPR).

2. What data we collect

Account data (when you register or log in):

• Email address
• Password (stored only as a salted hash by Firebase Authentication — we never see or store it in plain text)
• Display name

Profile data:

• Profile picture (optional, uploaded by you)

Activity and progress data:

• Completed challenges and their completion history
• Personal goals you create ("Own Goals"), including any image you attach to a goal
• Community challenges you submit for review, including the display name shown as the author once a challenge is approved and published
• XP, points, category breakdown, streak count and daily activity log
• Unlocked achievements

App settings: language and theme (light/dark) preference.

Push notification data (only if you grant browser notification permission):

• Firebase Cloud Messaging (FCM) device token
• Date you were last active in the app ("last seen") and your selected notification language

Technical data (collected automatically by our hosting infrastructure for every visit, as with virtually any website):

• IP address, browser type and version, operating system, referring page, date and time of access

3. Purpose of processing

Your data is used to:

• Create and manage your account and authenticate you when you log in
• Save and display your progress, goals, achievements and profile
• Display your name on community challenges you have submitted and that have been approved
• Send you an optional reminder notification if you have not been active for a while (only if you have granted notification permission)
• Operate, secure and troubleshoot the app (technical/server log data)

We do not sell your data, and we do not share it with third parties for advertising purposes. We do not use analytics or tracking tools.

4. Legal basis

• Art. 6(1)(b) GDPR (performance of a contract) — for account creation, storing your progress, and providing the core features of the app
• Art. 6(1)(a) GDPR (consent) — for optional data such as your profile picture, goal images, and push notifications. Consent can be withdrawn at any time (see Section 9 and Section 10)
• Art. 6(1)(f) GDPR (legitimate interest) — for technical server log data, which is necessary to operate the app securely and reliably

5. Retention period

Account and progress data is stored for as long as your account exists. After you delete your account, all personal data is removed within 30 days. Push notification tokens are deleted automatically once they become invalid (e.g. after you uninstall/block notifications) or when you disable notifications. Server log data is retained only as long as technically necessary and is rotated regularly by our hosting provider.

6. Firebase and Google

This app uses Firebase by Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) for the following services:

• Firebase Authentication — for user login and password management
• Cloud Firestore — to store app data (account, progress, goals, settings)
• Firebase Hosting — to serve the app and generate technical server logs
• Cloud Functions — to run the scheduled job that checks inactivity and triggers reminder notifications
• Firebase Cloud Messaging — to deliver push notifications to your browser

Google processes this data on servers within the EU. We have a data processing agreement with Google in accordance with Art. 28 GDPR. Further information: firebase.google.com/support/privacy

7. Cloudinary (image hosting)

Profile pictures and images attached to your goals or community challenges are uploaded to and hosted by Cloudinary, Inc., a service provider based in the United States. This may involve a transfer of personal data (the image file and the metadata of the upload, e.g. IP address at upload time) to a country outside the EU/EEA. Cloudinary participates in data transfer safeguards recognized under GDPR (such as the EU-U.S. Data Privacy Framework and Standard Contractual Clauses pursuant to Art. 46 GDPR). Further information: cloudinary.com/privacy

8. Visibility of your content to other users

If you submit a challenge for the community section and it is approved, its title, description, category and your display name are shown publicly to all users of the app. Your completed challenges, goals, XP, streaks and achievements are private and are not shown to other users.

9. Push notifications

If you grant your browser permission to show notifications, we use Firebase Cloud Messaging to send you an occasional reminder if you have not opened the app for a while. Granting this permission is entirely optional and is requested by your browser, not pre-selected by us. You can withdraw this consent at any time by changing the notification permission for this site in your browser settings; your device token will then no longer be used and is deleted automatically once it becomes invalid.

10. Cookies and local storage

The app uses local storage (localStorage / IndexedDB) exclusively for technically necessary purposes:

• Login state (Firebase Authentication session)
• Theme preference (light/dark)
• Language preference
• Whether you have acknowledged the cookie notice

No tracking, analytics or advertising cookies are set, and no user tracking takes place.

11. Automated decision-making

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR. XP, levels and streaks are purely a display feature within the app and have no legal or other significant effect on you.

12. Data security

The app is served exclusively via encrypted HTTPS connections. Passwords are never stored in plain text — Firebase Authentication stores only a salted hash. Access to your data in Cloud Firestore is restricted by security rules so that only you can read or write your own account data.

13. Your rights

Under GDPR you have the right to:

• Access your stored data (Art. 15 GDPR)
• Correction of inaccurate data (Art. 16 GDPR)
• Deletion of your data (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing (Art. 21 GDPR) — especially regarding processing based on legitimate interests, such as the technical server log data described in Section 2
• Withdraw consent at any time, with effect for the future (Art. 7(3) GDPR), e.g. for your profile picture or push notifications
• Lodge a complaint with a data protection supervisory authority

To exercise your rights, contact us at: sport_challenges@web.de

14. Minors

This app may be used by minors. Registration by minors requires the consent of a parent or legal guardian.

15. Changes

This privacy policy may be updated when necessary, for example if we add new features that process personal data. The current version is always available on this page.

Last updated: June 2026