Rimba — Privacy Policy

1. Information We Collect

When you authenticate Rimba using Strava OAuth, our system collects and processes only the bare minimum data payloads required to drive your private world:

• Identity Provider Profile: Your Strava athlete ID, display name, and profile image URL.
• Activity Telemetry Ingestion (Via Secure Webhooks): Activity type, distance in meters, moving time, elapsed time, and start date.
• Device-on-Body Legitimacy Signals:
  • Presence of device-recorded GPS data (used for Run/Walk eligibility verification).
  • Presence of device-recorded Heart Rate data (used for Walk eligibility and treadmill verification).
  • Strava metadata flags identifying if an activity was manually entered or completed on an indoor trainer.
• Geospatial Boundaries: Rimba processes activities categorized as a Run or Walk. We do not store, cache, or process route polylines or GPS coordinates beyond the instant webhook validation required to confirm GPS presence. Map geometry is completely discarded and is never rendered anywhere within the platform.

2. How Your Data Is Processed & Used

Rimba uses your activity data exclusively through automated script operations to power your personal world progression loop:

• Eligibility Evaluation:To protect ecosystem integrity, our pure scoring engine checks activities against strict gates (GPS-recorded runs/walks ≥ 1.0 km, or walks with heart-rate tracking ≥ 1.0 km). Manually entered activities are completely excluded.
• Growth XP Calibration: Eligible runs calculate a non-linear Growth XP reward scaled against your current read-time Malaysia Time (MYT) consistency streak.
• Visual Asset Generation: XP updates your incremental evolution stage database field, unlocking static ecosystem assets (e.g., transitioning from a Meadow to a Grove or Pond) in your private dashboard view.
• Memory Scrapbook Minting:Significant milestones generate abstract, text-based timeline events ("7-Day Running Streak" or "Longest Run"), which are stored as unique, independent game states.

Rimba does not sell, license, rent, or market your data to any third party. We do not use your data for advertising, marketing, or any purpose beyond powering your personal world layout.

3. Absolute Privacy Isolation

Rimba is a strictly private, single-player experience.

• No Public Surfaces:All of your data—world state, progression memories, and companion state—is visible only to you when securely authenticated. There are no public user profiles, friend lists, team rosters, or surfaces that expose your data to other users.

4. Technical Constraints & Non-Goals

In absolute adherence to Strava’s Developer Program Policies, Rimba enforces strict operational limitations:

• We do not display raw activity logs, split times, or routes to other users.
• We do not query, store, or call any Strava public social-graph, club, or follower endpoints.
• We do not use any third-party AI systems, large language models (LLMs), or data aggregators to process or analyze your activity payload.

5. Data Retention, Minimization, & Deletion

We do not permanently store your raw athletic statistics.

• 7-Day Automatic Data Deletion: Raw activity telemetry metadata ingested from webhooks (distance, moving time, start date) is retained in our transactional ledger for a maximum window of 7 days to ensure accurate read-time streak evaluation and auditing. A daily background cron job permanently removes activity ledger records older than 7 days. Only your transformed game attributes (growth XP, evolution stage, Memory text tokens) persist past this window.
• Revoking Access: You can cut off Rimba’s access at any time through your Strava Profile Settings panel under "My Apps," which triggers an automated oauth/revoke connection pipeline.
• Permanent Account Purge:You can trigger a complete, irreversible account purge at any time directly within your dashboard (Settings → Delete My Account & Data). Upon execution, our database performs a cascading delete that instantly and permanently erases your User profile, StravaAthlete records, historical game states, companion milestones, remaining ledger items, and OAuth secure tokens. Your historical activities on Strava remain completely unaffected.