Privacy Policy

Last updated: April 2026

Maramaps ("we", "us", "our") is a tool that turns your running and cycling routes into poster art. This policy explains what data we handle, how we use it, and your rights, including data sourced from Strava.

Short version: GPX processing and poster rendering happen in your browser. Strava access tokens are stored in server-side sessions, not in browser localStorage, and you can disconnect at any time.

1. Data we collect

From Strava

When you connect your Strava account, we request read-only access to your activities (activity:read_all scope). We retrieve:

Your Strava first name - displayed in the app as a greeting
A list of recent activities (type, name, distance, duration, date)
GPS stream data (latitude/longitude, altitude, timestamps) for the activity you select

This data is requested through our Netlify serverless functions so your Strava client secret stays server-side. We store the minimum session and token data needed to keep your Strava connection active and fetch the activity you choose.

From GPX files

GPX files you upload are parsed entirely in your browser. The file is never transmitted anywhere.

OAuth tokens

To keep you logged in, we store Strava OAuth tokens in server-side session records. Your browser only stores a signed session reference cookie. Session data is used solely to fetch your Strava activities on your behalf. It is:

Stored server-side, not in browser localStorage
Never shared with third parties
Automatically refreshed when they expire
Removed when you disconnect or when Strava deauthorizes the app

Analytics & logging

We use first-party analytics to understand site usage and product adoption. These events can include page views, referral host, UTM parameters, country, and product actions such as GPX loads, Strava connections, and exports. We do not use third-party ad tracking scripts.

2. How we use your data

GPS and activity data is used solely to render your route as a poster image within your browser. Specifically:

Drawing the route on a map
Displaying statistics such as distance, time, pace, and elevation in the poster ribbon
Generating a downloadable PNG that you save to your device

We do not use your data for advertising, profiling, or any purpose beyond creating your poster.

3. Data sharing

We do not sell, rent, or share your personal data or Strava data with any third party. The only external services involved are:

Strava - we exchange OAuth tokens and fetch activity data via the Strava API (Strava Privacy Policy)
Mapbox - map tiles are loaded from Mapbox servers (Mapbox Privacy Policy)
Netlify - our hosting provider handles serverless functions, session storage, and analytics event storage (Netlify Privacy Policy)

4. Strava API compliance

Maramaps is built using the Strava API and complies with the Strava API Agreement. In accordance with those terms:

We only request the minimum permissions needed (activity:read_all)
We display "Powered by Strava" attribution wherever Strava data is shown
We store only the minimum server-side session data needed to support the connection and revoke access when required
We do not use Strava data to build profiles or for any purpose other than creating your poster

5. Revoking Strava access

You can disconnect Maramaps from Strava at any time in two ways:

In Maramaps: click "Disconnect" in the app - this clears the active session immediately
In Strava: go to strava.com/settings/apps and revoke access for Maramaps

Revoking access in either place prevents further data access. If Strava sends a deauthorization webhook, we revoke stored sessions server-side as well.

6. Data retention

We do not retain uploaded GPX files or finished posters on our servers. Strava session records are retained only as long as needed to keep your connection active and are removed on disconnect or deauthorization.

7. Children's privacy

Maramaps is not directed at children under 13. We do not knowingly collect data from children.

8. Changes to this policy

We may update this policy as the product evolves. Changes will be reflected by updating the "Last updated" date above. Continued use of Maramaps after changes constitutes acceptance of the updated policy.

9. Contact

Questions about this privacy policy or your data? Reach us at support@maramaps.com.