Legal
Privacy Policy
Last updated: May 22, 2026 — Version 2.0
Who we are
Running Legacy (runninglegacy.com) is operated by Russell Carter. We provide a youth running club management platform and a youth running book platform for athletes, parents, and coaches.
What data we collect
For adult accounts (parents and coaches):
- Email address and full name
- Password (stored as a one-way bcrypt hash — we cannot read it)
- Date of birth (for age verification at registration)
- Phone number (optional; for SMS notifications only)
- Parental consent timestamps, IP address, and browser agent (required by COPPA)
- Club membership history, event RSVPs, and run logs (if you participate as a runner)
For student accounts (children):
- Display name only (e.g. “Emma R.”) — no last name, no photo
- Date of birth and current grade
- Run logs: distance, duration, date, and optional coach notes
- Emergency contact: name, relationship, and phone number
- Medical notes (optional; allergies or conditions visible only to coaches)
- Event RSVPs, attendance history, badge history, and challenge submissions
We do not use advertising trackers, analytics SDKs, or third-party pixels. Fonts are self-hosted at build time — no CDN calls to Google Fonts. GPS data from challenge submissions is extracted from photo EXIF metadata only; we do not request browser geolocation from children.
COPPA — Children's Online Privacy Protection Act
Running Legacy is designed specifically for youth athletes. We comply with the Children's Online Privacy Protection Act (COPPA) and the FTC's 2025 rule amendments, which are in active enforcement as of April 22, 2026.
No child self-registration
Children under 13 cannot create their own accounts. All student accounts are created by a verified parent or legal guardian. We do not knowingly allow self-registration by anyone under 13.
Verifiable Parental Consent (VPC)
We use the FTC-approved “email-plus” method for verifiable parental consent:
- The guardian reviews and checks two separate consent checkboxes — one for data collection and use, one for disclosure to named third parties.
- We send a confirmation email to the guardian's verified email address with a one-time link (valid 72 hours).
- The guardian clicks the link. Only after that click is consent recorded as “confirmed.”
- A receipt email is sent summarizing what data we collect, which third parties receive it, and how to revoke consent.
Third parties who receive child data
- Resend — transactional email provider. Receives guardian and coach email addresses for sending notifications. Child email addresses are used only when the child has a login account.
- Twilio — SMS provider. Receives phone numbers only if a guardian provides one and enables SMS notifications. This is optional.
- Self-hosted PostgreSQL (Docker, Synology NAS) — all data is stored on our own hardware. No third-party cloud database vendor has access.
Student accounts use email + password only. Google OAuth is never offered to student accounts. No student data is ever sold, licensed, or shared for advertising.
Data retention
Student data is retained for the duration of active club membership. After an account is deactivated or a guardian requests deletion, data is retained for 30 days to allow cancellation, then permanently purged — including photos uploaded to challenge submissions.
Parental rights
- Review: Sign in and visit Dashboard → Children → [child's name] to see all data collected for your child.
- Correct: Contact us at privacy@runninglegacy.com to correct inaccurate information.
- Delete: Go to Dashboard → Children → [child's name] → “Delete account” to begin the 30-day deletion process.
- Revoke consent: Go to Account Settings → Privacy → “Revoke parental consent.” This suspends all associated student accounts and begins the deletion process.
CCPA — California Consumer Privacy Act
We do not sell your personal information. California residents have the right to:
- Know what personal data we hold
- Request a copy of your data (go to Account Settings → “Download my data”)
- Request deletion of your account and all associated data
- Opt out of sale of personal information (we do not sell it)
Strava integration
Running Legacy can optionally sync your runs from Strava on a per-user, opt-in basis. The integration follows these rules:
- You initiate the connection from Account Settings → “Connect with Strava.” You're redirected to strava.com to authorize. We never collect Strava login credentials.
- Read-only access. We request the read and activity:read OAuth scopes only. We cannot post to your Strava account, change your activities, or write any data back to Strava.
- What we receive. When you record a new activity on Strava (via your watch, phone, or any device that uploads to Strava), Strava sends us a webhook event. We then fetch that activity's public metadata: type, start time, duration, distance, elevation gain, splits, and GPS polyline.
- Home-start GPS trimming. Before storing any GPS track, we automatically remove the first and last 200 meters of the polyline. This protects your home, school, or club starting location from being inferred from the route shape.
- Only runs are imported. Bike rides, swims, and other non-run activity types are ignored even when Strava sends their events.
- Disconnect any time. Account Settings → Workout Sync → “Disconnect Strava” immediately deletes your OAuth tokens from our database and stops all future sync. Previously-synced runs remain in your account; you can delete them individually from the run detail page.
- Student accounts. Strava's minimum age is 13. Strava sync is not offered for COPPA-covered student accounts under 13, and the “Connect with Strava” button does not appear on those accounts.
Strava is a registered trademark of Strava, Inc. Running Legacy displays Strava data subject to Strava's API Agreement and brand guidelines. See Strava's API Agreement for details on Strava's data-handling commitments to you.
Strava-specific data rights
Per Strava's API Agreement §2.5(e), as a connected Strava athlete you have the following rights regarding any data we collected from Strava on your behalf:
- Support contact. Email privacy@runninglegacy.com for help with your Strava connection, sync issues, or questions about data we hold.
- Access your data. Account Settings → “Download my data” gives you a JSON export of every Run, Workout, polyline, and Strava activity ID we have stored for you.
- Delete your data. Two options: (a) Account Settings → Workout Sync → “Disconnect Strava” immediately revokes our OAuth tokens and stops future sync (previously-synced runs remain — delete them individually from each run detail page); or (b) Account Settings → “Delete my account” removes everything we hold about you, including all Strava-sourced workouts.
- Navigate to your Strava account. Every run detail page sourced from Strava includes a “View on Strava” link that takes you directly to the activity record on strava.com so you can edit, comment, or delete it at the source.
- Source deletions cascade. When you delete an activity on Strava, Strava sends us a webhook event and we delete the corresponding Run + Workout rows from our database automatically. Per §2.5(f).
Data security
Passwords are hashed with bcrypt (cost factor 12). All data is transmitted over HTTPS. Our server is physically located on-premises on a Synology NAS behind a hardware firewall. Database access is not exposed to the public internet.
School-affiliated clubs
If a club is operated by a school district or school-sponsored program, FERPA (Family Educational Rights and Privacy Act) may apply. School-affiliated clubs require a Data Use Agreement between the school and Running Legacy before student data may be shared. Contact legal@runninglegacy.com to obtain one.
Account deletion
Adult users can delete their account from Account Settings. Deletion immediately removes your profile, all associated run logs, posts, RSVPs, and badges. Student data linked to your account is queued for deletion (30-day soft-delete window) per our data retention policy above.
Contact
Privacy questions or data requests: privacy@runninglegacy.com
Legal inquiries: legal@runninglegacy.com