Privacy Policy
Last updated · 16 May 2026
Stamped is a personal-atlas tool for athletes that uses the Strava API to map your activities to the countries and states you've moved through. This policy explains what data we receive from Strava, how we use it, and your rights over it. Stamped may add support for additional activity sources over time; this policy will be updated before any new source is enabled.
Who we are
Stamped is operated as a small independent project. We are not affiliated with, endorsed by, or sponsored by Strava, Inc. When this policy uses "we" or "Stamped," we mean the operators of getstamped.xyz.
What we collect
Stamped only collects information you actively share by connecting your Strava account. From Strava we receive:
- Athlete profile. Your Strava athlete ID and display name. We may also receive your email address if Strava shares it under the OAuth scope you grant — with our default scope (activity:read_all) Strava does not.
- Activity records. For each activity: the sport type, start date, distance, moving time, elevation gain, the start latitude/longitude, kudos count, and PR count.
- OAuth tokens. The access and refresh tokens Strava issues so we can fetch new activities on your behalf. These are encrypted at rest with strong industry-standard encryption (AES-256) before being written to our database — a database read alone cannot recover them without the encryption key, which is stored separately from the database.
- Preferences. Display settings you choose in the app, such as your preferred distance unit and default activity category.
We do not collect advertising identifiers, browser fingerprints, or any other tracking signals. Stamped does not run advertising of any kind. See "Analytics and performance" below for the privacy-friendly aggregate analytics we do use.
How we use it
We use your data only to render the Stamped experience for you:
- To match each activity to a country and U.S. state.
- To compute the per-region totals (distance, time, elevation, kudos, PRs) shown on your passport.
- To draw your activity points on the world or USA map.
We do not sell, rent, license, or otherwise share your Strava data with third parties. We do not use your data — directly or indirectly — to train machine-learning or AI models, and we do not aggregate it for analytics, customer-insight generation, or similar purposes. These restrictions are required by Strava's API agreement.
Where it's stored
Stamped runs on Vercel and stores activity and account records in a Supabase Postgres database. Both providers process data in the United States. All traffic is encrypted in transit (HTTPS), and your Strava OAuth tokens are encrypted at the application layer before being written to the database (see "OAuth tokens" above). Database-level access controls further restrict which application roles can read which rows — even a misconfigured query cannot read another user's data.
Retention and deletion
We retain your activity records for as long as your account is connected to Stamped. You can manage your data directly from your Stamped profile page:
- Disconnect revokes Stamped's access to your Strava account and removes the stored OAuth tokens.
- Delete permanently removes your account and all associated activity records from our database.
You can also revoke access from your Strava app settings. When you do, Strava notifies us and we delete every record we hold for you. If you would prefer we handle a deletion request by email, write to hello@getstamped.xyz and we will action it within 48 hours, as required by Strava's API agreement.
If an individual activity is deleted from Strava, we remove our copy shortly after Strava notifies us, typically within minutes.
Your rights
You can, at any time:
- Disconnect or delete your account directly from your Stamped profile page.
- Revoke Stamped's access to your Strava account from Strava's app settings page.
- Request a copy of the data we hold about you, or ask us to delete it on your behalf, by emailing hello@getstamped.xyz.
Analytics and performance
Stamped uses Vercel Web Analytics and Vercel Speed Insights to understand aggregate site usage (page views) and performance (Core Web Vitals — load time, layout stability, and similar measurements). Both are designed to be privacy-friendly: cookieless, no advertising identifiers, no persistent personal identifiers. IP addresses are processed transiently for country and region attribution and are not stored. We use these signals only to improve the app and have no way to associate them with individual users.
Stamped does not currently offer an in-app opt-out for these analytics. Users who prefer not to be measured can use a content blocker, which detects and blocks the analytics scripts.
Cookies
Stamped sets a single first-party session cookie used by NextAuth to keep you signed in. We do not use any tracking or advertising cookies, and our analytics providers (see above) are cookieless.
Children
Stamped is not intended for users under 18. Strava's terms also require you to be 18 or older to hold a Strava account.
Changes to this policy
If we change this policy, we will update the "last updated" date above. Material changes will be highlighted on the dashboard the next time you sign in.
Contact
Questions, requests, or complaints: hello@getstamped.xyz.