Privacy Policy
Last updated: May 12, 2026
1. Who we are
RuckTracker is operated by EngSec LLC ("we", "us"). Contact: support@engsec.com.
2. What we collect
- Account info — your email, display name, and (when signing in with Strava) your Strava athlete ID and OAuth tokens.
- Activity data — for each ruck we sync or import: start time, duration, distance, pack weight, calories, terrain factor, elevation, heart rate, GPS track, and weather at the activity location/time.
- Preferences — units (imperial/metric), gear profiles, privacy zone radius, profile visibility.
3. How we use it
- To display your dashboard, stats, charts, and personal records.
- To append a RuckTracker report (calories, weight, weather, terrain) to the description of your matching Strava activities — only if you authorize Strava and enable auto-sync.
- To compute the community feed and public profiles (opt-in only).
4. Strava data
When you connect Strava, we request the activity:read_all and activity:write scopes so we can read your activities and update their descriptions. We store your encrypted OAuth tokens and refresh them as needed. You can revoke access at any time from strava.com/settings/apps, which immediately invalidates the tokens we hold.
RuckTracker is not affiliated with, endorsed by, or sponsored by Strava. Strava is a trademark of Strava, Inc.
5. Privacy zones
Activities are private by default. If you mark an activity public, we trim the GPS track by your configured privacy-zone radius (default 200 m) at both start and end before showing it on the community feed or your public profile. We never display street-level addresses publicly — only city, region, and country.
6. What we don't do
- We don't sell your data.
- We don't share data with advertisers.
- We don't post to Strava, Garmin, or any other platform on your behalf except the description-append flow you explicitly enabled.
7. Retention & deletion
You can delete your account at any time by emailing support@engsec.com. Deletion removes your user record, activities, tokens, and stats. Strava activities themselves are not affected — only the copies and metadata we stored.
8. Security
OAuth tokens are encrypted at rest with AES-256-GCM. All traffic is served over HTTPS. We follow standard cloud-hosting security practices; no system is perfectly secure.
9. Children
RuckTracker is not directed at children under 13.
10. Changes
We'll update this page when material changes occur. Continued use of RuckTracker after changes constitutes acceptance.