Privacy Policy
Effective 2026-05-09 · Last updated 2026-05-09
This Privacy Policy explains how Are You Faster CIC ("we", "us", "our") collects, uses, shares, and protects your personal data when you use the Are You Faster mobile application on iOS or Android (the "App") or visit areyoufaster.com (the "Website").
For our terms of use, see our Terms of Service at https://areyoufaster.com/terms.
1. Who We Are
Are You Faster CIC is a Community Interest Company registered in England and Wales, company number 16536715. We are the data controller for personal data processed through the App and the Website.
| Contact | |
|---|---|
| Privacy / data subject rights | privacy@areyoufaster.com |
| General support | hello@areyoufaster.com |
| Legal | legal@areyoufaster.com |
| Security disclosures | security@areyoufaster.com |
| UK ICO (regulator) | ico.org.uk |
Postal address available on request.
2. Plain-English Summary
- What we collect: sign-in email, a display name you choose, GPS location while you are actually running, your run statistics, an avatar if you upload one, and basic app usage analytics.
- What we do with it: run the App, save your progress, show leaderboards if you opt in, improve the product.
- What we don't do: sell your data, share it with advertisers, track you when you're not running, read your contacts / photos / messages, or use cross-app tracking identifiers.
- Where it lives: Google Cloud (Firebase), primarily in the London region.
- Your rights: access, correct, delete, port, restrict, object, withdraw consent, complain to a regulator.
3. Data We Collect
3.1 Account data
| Field | Source | Stored | Why |
|---|---|---|---|
| You / Apple / Google | Firebase Authentication | Identify your account | |
| Hashed password (email sign-up only) | You | Firebase Auth — never visible to us | Authentication |
| Display name | You | Firestore user_profiles |
Show alongside your activity |
| Account ID (UID) | Generated | Firestore, on-device | Internal record key |
| Auth tokens | Sign-in flow | iOS Keychain / Android EncryptedSharedPreferences | Keep you signed in |
| Date of birth | You (onboarding) | Local device only — never transmitted | Age verification (13+) |
| Terms acceptance timestamp | Generated on accept | Firestore user_profiles |
Audit trail |
Lawful basis: Contract (UK GDPR Art. 6(1)(b)).
3.2 Location
We collect precise GPS coordinates only while a run or ride is actively in progress. Latitude, longitude, altitude, speed, and accuracy, sampled at approximately 1 Hz.
- Run starts → location collection begins.
- Run pauses / finishes / is abandoned → collection stops.
- Background tracking is enabled only for the duration of an active run so it continues if the screen locks. This is industry-standard.
- When you are not running, we collect no location data at all.
We do not derive your home or work address, do not infer commuting patterns, and do not link your location to advertising profiles.
Lawful basis: Consent (Art. 6(1)(a)). You can revoke location permission in device Settings; without it we cannot record runs.
3.3 Fitness and activity data
Run duration, distance, pace, max speed, mode, opponent type, outcome, achievement progress, AYF Score (a composite gameplay metric), and streak data. Stored locally on your device and in our Firestore database.
Lawful basis: Contract.
3.4 Avatar (optional)
If you upload an avatar, the image is stored on Firebase Storage. Maximum 5 MB. Your avatar is visible to other users alongside your display name wherever you appear in the App. You can replace or remove it in Settings.
Lawful basis: Consent.
3.5 Sign-in providers
- Sign in with Apple (iOS): we receive your Apple email (often a relay address), optionally your name, and a stable Apple identifier.
- Sign in with Google: we receive your Google email, name, and Google identifier.
- Email and password: you provide an email; passwords are stored by Firebase Authentication, never in plaintext by us.
These providers may set their own browser identifiers during the sign-in flow. We do not control those. See:
- Apple privacy: apple.com/legal/privacy
- Google privacy: policies.google.com/privacy
3.6 Mailing list (opt-in)
If you opt in to our updates list, we keep your email and the opt-in timestamp so we can email you product news. Unsubscribe via the link in any email or by emailing privacy@areyoufaster.com.
Lawful basis: Consent.
3.7 Device and diagnostics
We collect app version, OS version, device model, crash reports (via Firebase Crashlytics, with personal data stripped), performance metrics (launch time, frame rate), and network errors.
Lawful basis: Legitimate interest — improving app stability and performance.
3.8 Analytics
We use Firebase Analytics in aggregate (events like "run completed", "achievement unlocked"). No advertising identifier; no cross-app tracking.
- iOS: analytics enabled by default. You can disable in Settings → Privacy → Analytics.
- Android: analytics disabled by default. We ask for consent in onboarding.
Lawful basis: Consent on Android; legitimate interest on iOS (with on-by-default disclosure and easy opt-out).
3.9 What we do not collect
- Camera, microphone, photo library (other than an avatar you choose to upload)
- Contacts, calendar, reminders, messages
- Browsing history outside the App
- Advertising identifiers (IDFA, AAID)
- Health data from Apple Health or Health Connect (we only optionally write to them, never read)
- Payment or financial information
- Biometric or government-issued identifiers
4. Children Under 13
The App is not intended for children under 13. We require a date of birth at sign-up and refuse account creation for anyone under 13. We store this date of birth on your device only.
If you are 13–17, we strongly recommend a parent or guardian review this policy before you use the App. In jurisdictions where the GDPR-equivalent age of consent is higher than 13 (some EU member states require 14, 15, or 16), we apply that higher age.
If you believe a child under 13 has used the App, email privacy@areyoufaster.com and we will delete the account and any associated personal data without delay.
5. How We Share Your Data
5.1 With other users (only when you participate)
| What | When | Visible to |
|---|---|---|
| Display name + AYF Score | Opt-in via Settings → Privacy | All signed-in users |
| Run time on a published track | When you run that track | Anyone viewing the track |
| Weekly challenge time | When you submit a challenge attempt | Anyone viewing that challenge |
| Avatar | Whenever your display name appears | All signed-in users |
| Tracks you publish | When you choose to publish | All signed-in users |
You can opt out of the global leaderboard, change your display name, remove your avatar, or delete a track you published at any time.
5.2 With service providers (data processors)
| Processor | Purpose | Location |
|---|---|---|
| Google (Firebase) | Authentication, database, storage, analytics, crash reporting, server functions | London region with limited transfers to other Google data centres |
| Apple Inc. | Sign in with Apple, push notifications, optional Apple Health writes | Per Apple |
| Google LLC | Sign in with Google, optional Health Connect writes | Per Google |
| OpenFreeMap + MapLibre | Map tile delivery | EU |
| Apple App Store / Google Play | App distribution | Per platform |
We have written data-processing agreements with our processors. We do not use advertising networks, cross-app attribution SDKs, marketing-automation platforms with user-level data, or customer-data-platform tools.
5.3 For legal reasons
We may share data when required by a valid court order, search warrant, subpoena, or written request from a regulator with appropriate jurisdiction. We will challenge overbroad requests and notify you where lawfully permitted.
5.4 In a corporate transaction
If we are acquired, merged, or our assets transferred, we will give you advance notice and the acquirer must honour this policy or provide equivalent protection.
5.5 We do not sell or "share" your data
We do not sell personal data. We do not "share" personal data within the meaning of California's CPRA or equivalent state laws. We do not engage in cross-context behavioural advertising.
6. International Transfers
Most data sits in Google Cloud's London region. Limited operational transfers to other Google data centres rely on:
- UK GDPR: UK International Data Transfer Agreement (IDTA) and the UK Addendum to the EU Standard Contractual Clauses.
- EU GDPR: Standard Contractual Clauses (Commission Decision 2021/914).
- Other: equivalent transfer mechanisms where applicable.
7. How Long We Keep Data
| Category | Retention |
|---|---|
| Active account record | While the account is active |
| After account deletion | 30 days, then permanently erased |
| Crash diagnostics | 90 days |
| Firebase Analytics | 14 months (Firebase default), then auto-deleted |
| Device-side data | Until you sign out or uninstall |
| Mailing list opt-in | Until you unsubscribe |
| Anti-fraud / security logs | 180 days |
| Records we must keep for tax / legal reasons | As required by applicable law |
Anonymised aggregates may persist indefinitely (e.g. "x users ran this week"). These cannot be re-linked to you.
8. Your Rights
8.1 UK GDPR / EU GDPR
If you are in the UK, EU, or EEA, you have the right to:
- access your personal data
- correct inaccurate data
- delete your data ("right to be forgotten")
- restrict processing while a dispute is resolved
- data portability (machine-readable export)
- object to processing based on legitimate interest
- withdraw consent at any time
- not be subject to solely automated decision-making with legal or similarly significant effect on you
- lodge a complaint with a supervisory authority (in the UK, the ICO at ico.org.uk)
To exercise any right, email privacy@areyoufaster.com. We will respond within 30 days (extendable by up to 60 further days for complex requests, with notice). Free unless manifestly unfounded or excessive.
8.2 California
If you are a California resident, you also have the right to know the categories and specific pieces of personal information we hold, the sources, the purposes, the categories of recipients; to delete; to correct; to limit use of sensitive personal information (we already limit it); to opt out of sale or sharing (we do not sell or share); and to non-discrimination for exercising your rights.
Submit a verifiable consumer request from the email address associated with your account to privacy@areyoufaster.com.
8.3 Other US states
We extend equivalent rights (access, delete, correct, opt-out where applicable) to residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Montana, and Florida. Email privacy@areyoufaster.com.
8.4 Other jurisdictions
We will give effect to substantially equivalent rights where local law provides them, including:
- Brazil (LGPD)
- Canada (PIPEDA and Quebec Law 25)
- Australia (Privacy Act 1988)
- India (DPDP Act 2023)
- South Africa (POPIA)
- Japan (APPI)
- Singapore (PDPA)
- Thailand (PDPA)
Email privacy@areyoufaster.com.
9. Security
We protect your data with:
- TLS 1.2+ for all network traffic
- Encryption at rest provided by Firebase (AES-256)
- iOS Keychain and Android EncryptedSharedPreferences for tokens
- Per-user access controls in our database
- Server-side validation of submitted runs and tracks
- Rate limiting on sensitive endpoints
- Multi-factor authentication on staff cloud accounts
- Responsible-disclosure programme at security@areyoufaster.com
No security measure is perfect. If you discover a vulnerability, email security@areyoufaster.com. We acknowledge within 72 hours and respond responsibly under good-faith research expectations.
10. Marketing
We will only send you marketing emails if you opt in. You can unsubscribe at any time. We do not knowingly send marketing to users under 16. Transactional emails (password reset, security alerts, policy updates) are sent without an opt-in while you have an account and are not optional.
11. Automated Decisions
The AYF Score is calculated by an algorithm based on your run performance. It is not a credit score or otherwise consequential decision under Art. 22 of UK GDPR — it is a gameplay metric. If you believe a calculation is wrong, contact privacy@areyoufaster.com for a manual review.
Our server validates submitted runs against anti-cheat checks. If a submission is rejected and you believe it was rejected in error, contact privacy@areyoufaster.com.
12. Cookies
The App is a native mobile app and does not use cookies. If you visit areyoufaster.com we use a minimal set of strictly-necessary cookies (to keep you signed in and to prevent cross-site request forgery) plus, only with your explicit consent shown via the cookie banner, simple first-party analytics that does not identify you or track you across sites.
13. Changes to This Policy
For material changes, we will give you at least 30 days' notice via in-app notification and (where we have your email) by email. The "Last Updated" date at the top changes when we revise this policy. You can request previous versions from privacy@areyoufaster.com.
14. Contact
| Inquiry | |
|---|---|
| Privacy / data subject rights | privacy@areyoufaster.com |
| General | hello@areyoufaster.com |
| Legal | legal@areyoufaster.com |
| Security disclosure | security@areyoufaster.com |
Are You Faster CIC · Company 16536715 · Registered in England and Wales.