Last updated: July 13, 2026
Introduction
Stay Obssd ("we", "our", or "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains what information we handle when you use our website and services, and how you can control it.
How the App Works
Stay Obssd turns your own Strava activities into shareable images and videos. When you sign in with Strava:
- You authorize us via Strava OAuth with the scopes
read (your public profile — name and avatar) and activity:read_all (your activities, including private ones, so overlays work even if you keep your activities private). - Your Strava activity data is fetched on demand through our server and shown only to you, the authenticated athlete. We never display your Strava data to other users, and we never use it for advertising, AI/ML training, aggregated analytics, or resale.
- Designs and editor state are stored locally in your browser, not on our servers. We do not store your Strava activities server-side.
What We Store on Our Servers
- Strava connection record: your Strava athlete ID, granted scopes, encrypted OAuth tokens, and connection timestamps (such as last sign-in). Tokens are encrypted at rest and are never shared.
- Webhook event log: Strava sends us technical notifications (for example, when you revoke access or change an activity). We keep the event envelope — never activity contents — for up to 30 days for reliability and auditing.
- Billing: if paid non-Strava creative export features are enabled and you purchase them, payment and subscription state are handled by Polar. Polar receives a stable pseudonymous billing key, not your raw Strava athlete ID, plus billing information you enter at checkout. We do not store card details.
We do not store your Strava activities, routes, streams, or profile details server-side.
Data Retention and Deletion
- Disconnect anytime: Settings → "Disconnect Strava" submits a deletion request, revokes our access with Strava, and deletes stored tokens after successful revocation. We confirm the result in the app. If Strava is temporarily unavailable, the encrypted token is retained only to retry revocation and is deleted within 30 days. A token-free security tombstone prevents stale sessions from restoring access and expires within the same period.
- Revoking on Strava: if you revoke Stay Obssd in your Strava settings, Strava notifies us and we delete your stored tokens automatically. The same 30-day maximum applies to the security tombstone.
- Inactivity: if you do not use the app for 90 days, we automatically revoke our Strava access and delete your stored tokens. You can reconnect anytime by signing in again.
- Webhook event envelopes expire automatically after 30 days.
- For any other deletion request, contact us at the address below. We complete it and provide written confirmation as soon as practicable and no later than 30 days.
Analytics
We use Umami only for anonymous analytics on public, signed-out pages and Vercel for hosting. Analytics does not load while you are signed in or on activity URLs. We do not send Strava profiles, activities, locations, athlete identities, authenticated URLs, or error reports to analytics providers.
Strava may monitor and collect technical usage data related to our use of the Strava API, as described in the Strava API Agreement.
Cookies and Similar Technologies
We use a cookie to keep you signed in. Umami runs only on the public signed-out pages described above and does not use an advertising profile. We do not use Strava data for advertising.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our service.
Prohibited Uses and Sharing
We do not sell, license, aggregate, or use Strava data for advertising, product analytics, benchmarking, or artificial-intelligence or machine-learning training, evaluation, context, or operation. We do not transfer raw Strava data to billing, analytics, geocoding, or other unrelated providers.
Children's Privacy
Our service is not directed to children under the age of 13. We do not knowingly collect personally identifiable information from children under 13.
Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "last updated" date.
Contact Us
If you have any questions about this Privacy Policy, or want your data deleted, please contact us at:
Email: gordavtyan918@gmail.com