Privacy Policy

Last updated: April 2026

Maramaps ("we", "us", "our") is a tool that turns your running and cycling routes into poster art. This policy explains what data we handle, how we use it, and your rights — including those specific to data sourced from Strava.

1. Data we collect

From Strava

When you connect your Strava account, we request read-only access to your activities (activity:read_all scope). We retrieve:

• Your Strava first name — displayed in the app as a greeting, never transmitted to our servers
• A list of recent activities (type, name, distance, duration, date)
• GPS stream data (latitude/longitude, altitude, timestamps) for the activity you select

This data is fetched directly in your browser from the Strava API and is never sent to or stored on Maramaps servers.

From GPX files

GPX files you upload are parsed entirely in your browser. The file is never transmitted anywhere.

OAuth tokens

To keep you logged in, we store Strava OAuth tokens in your browser's localStorage. These tokens allow us to fetch your activities on your behalf. They are:

• Stored only on your device, not on our servers
• Never shared with third parties
• Automatically refreshed when they expire
• Removed immediately when you click "Disconnect"

Analytics & logging

We do not currently use analytics or tracking scripts. Our hosting provider (Netlify) may collect standard server access logs (IP address, request path, timestamp) as part of normal CDN operation; these are not linked to your identity.

2. How we use your data

GPS and activity data is used solely to render your route as a poster image within your browser. Specifically:

• Drawing the route on a map
• Displaying statistics (distance, time, pace, elevation) in the poster ribbon
• Generating a downloadable PNG that you save to your device

We do not use your data for advertising, profiling, or any purpose beyond creating your poster.

3. Data sharing

We do not sell, rent, or share your personal data or Strava data with any third party. The only external services involved are:

• Strava — we exchange OAuth tokens via their API (Strava Privacy Policy)
• Mapbox — map tiles are loaded from Mapbox servers; your route coordinates are not transmitted to Mapbox (Mapbox Privacy Policy)
• Netlify — our hosting provider handles OAuth token exchange server-side to keep client secrets secure (Netlify Privacy Policy)

4. Strava API compliance

Maramaps is built using the Strava API and complies with the Strava API Agreement. In accordance with those terms:

• We only request the minimum permissions needed (activity:read_all)
• We display "Powered by Strava" attribution wherever Strava data is shown
• We do not store Strava athlete data beyond what is held in your browser's localStorage
• We do not use Strava data to build profiles or for any purpose other than creating your poster

Powered by Strava

5. Revoking Strava access

You can disconnect Maramaps from Strava at any time in two ways:

• In Maramaps: click "Disconnect" on the landing page — this removes all tokens from your browser immediately
• In Strava: go to strava.com/settings/apps and revoke access for Maramaps

Revoking access in either place immediately prevents further data access. Because we don't store your data server-side, there is nothing additional to delete.

6. Data retention

We retain no Strava or GPS data on our servers — there is nothing to delete beyond your browser's localStorage. Clearing your browser data or clicking "Disconnect" removes all locally stored tokens and athlete information.

7. Children's privacy

Maramaps is not directed at children under 13. We do not knowingly collect data from children.

8. Changes to this policy

We may update this policy as the product evolves. Changes will be reflected by updating the "Last updated" date above. Continued use of Maramaps after changes constitutes acceptance of the updated policy.

9. Contact

Questions about this privacy policy or your data? Reach us at support@maramaps.com.