Legal

Privacy Policy

Last updated: March 2026

1. Introduction

Summova ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights in relation to it.

We operate under UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using the App you acknowledge this Policy.

If you have questions, contact us at help.summova@gmail.com.

2. Information We Collect

2a. Information You Provide Directly

Account information: email address, username, and profile photo
Profile information: display name, bio, and preferences
Activity data: GPS routes, distances, durations, elevation, and pace that you choose to record and save
User content: posts, photos, captions, and comments you publish in the App

2b. Information Collected Automatically

Precise GPS location: collected only while you are actively recording an activity. We do not collect background location data.
Device sensors (magnetometer & accelerometer): accessed in real-time by the Sky / AR Camera feature to compute device orientation for constellation overlay. This sensor data is processed entirely on-device and is never transmitted to our servers or stored.
Camera feed: accessed in real-time by the Sky / AR Camera feature. No camera images or video are captured, stored, or transmitted. The camera feed is rendered locally on your device only.
Push notification token: your device's APNs token, used to send you activity and social notifications. You can disable notifications in your device Settings.
Device information: device type, operating system version, and app version for debugging and compatibility purposes.
Usage data: features used, screen views, and interaction patterns, used to understand how the App is used and improve it.

2c. Apple HealthKit Data (iOS, optional)

If you grant permission, we may read or write workout data, step counts, distance, and active energy to Apple Health.
HealthKit data is used only to display health metrics within the App and to sync activities. It is never used for advertising and is never shared with third parties for commercial purposes.
You can revoke HealthKit access at any time via iOS Settings → Health → Data Access & Devices → Summova.

3. How We Use Your Information

We use your data to:

Create and manage your account
Record, store, and display your activities and posts
Detect and log peaks based on your GPS track
Enable social features: following, likes, comments, and the activity feed
Calculate and display personal records and streaks
Generate peak leaderboards and statistics
Send push notifications about social activity and achievements
Provide the Sky / AR constellation overlay (on-device only)
Improve the App through anonymised usage analysis
Comply with legal obligations

Our legal bases under UK GDPR are: (a) performance of a contract (providing the Service you signed up for); (b) legitimate interests (improving the App, preventing fraud); and (c) your consent (HealthKit access, push notifications).

4. Camera & Sensor Data — No Storage

The Sky / AR Camera feature accesses your device camera, magnetometer, and accelerometer exclusively in real-time to render a constellation overlay on screen.

We do not capture, record, store, transmit, or process any camera images or video. We do not store or transmit any raw magnetometer or accelerometer readings. All processing happens locally on your device and ceases the moment you leave the Sky tab. No camera or sensor data ever leaves your device.

5. Location Data

Precise GPS location is collected only when you actively start recording an activity. We do not use background location tracking. Your recorded GPS route is stored on our servers (Supabase) and associated with your account so you can review it later.

You can delete any recorded activity — and its associated GPS data — from your profile at any time. You can disable location access entirely in iOS Settings, but this will prevent activity recording.

6. Third-Party Service Providers

We share data with the following providers solely to operate the App:

Supabase — database, authentication, and file storage. Your account data, activity records, and uploaded photos are stored on Supabase infrastructure. Supabase servers may be located outside the UK/EEA (see Section 9 on international transfers). Supabase Privacy Policy: supabase.com/privacy

Mapbox — map tiles and route rendering. When you view a map, your device makes requests to Mapbox servers which may log IP addresses. Mapbox Privacy Policy: mapbox.com/legal/privacy

OpenStreetMap — open geographic data used for map rendering. OSM data is used under the Open Database Licence.

Apple Push Notification Service (APNs) — used to deliver push notifications to your device. We share only your device token with APNs.

Apple HealthKit — iOS health data integration. Data flows between the App and Apple Health on-device; Apple's HealthKit policies apply.

RevenueCat — in-app subscription and purchase management. When you subscribe to Summova Premium, your Apple ID purchase history and subscription status are processed by RevenueCat to verify entitlements. RevenueCat Privacy Policy: revenuecat.com/privacy

Sightengine — automated image moderation. Photos you upload are sent to Sightengine's API to detect prohibited content (nudity, violence, etc.). Images are not stored by Sightengine beyond the moderation check. Sightengine Privacy Policy: sightengine.com/privacy-policy

7. Data Sharing

We do not sell your personal data. We do not share your data with advertisers. We share data only:

With the third-party providers listed in Section 6, under appropriate data processing agreements
When required by law, court order, or regulatory authority
With your explicit consent

Activity posts and content you set as public are visible to other users of the App. Peak bagging records and leaderboard rankings are visible to other users. You control post visibility in the App settings.

8. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, we will delete your profile, posts, and associated data within 30 days, except where we are required to retain data for longer to comply with legal obligations.

Aggregated and anonymised statistics derived from your data (e.g. total app activity counts) may be retained indefinitely as they cannot identify you.

9. International Data Transfers

Supabase infrastructure may process and store your data on servers located outside the United Kingdom and European Economic Area, including in the United States. Where data is transferred internationally, appropriate safeguards are in place in accordance with UK GDPR (such as standard contractual clauses or equivalent mechanisms). For details, refer to Supabase's data processing documentation at supabase.com/privacy.

10. Your Rights (UK GDPR)

Under UK data protection law you have the following rights:

Right of access: request a copy of the personal data we hold about you
Right to rectification: ask us to correct inaccurate data
Right to erasure ("right to be forgotten"): request deletion of your data
Right to data portability: receive your data in a structured, machine-readable format
Right to object: object to processing based on legitimate interests
Right to restrict processing: ask us to limit how we use your data
Right to withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at help.summova@gmail.com. We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

11. Data Security

We implement appropriate technical and organisational measures to protect your data, including encrypted data transmission (HTTPS/TLS), access controls, and secure credential storage. However, no method of internet transmission is 100% secure. We cannot guarantee absolute security and accept no liability for unauthorised access beyond what is required by applicable law.

If you suspect your account has been compromised, contact us immediately at help.summova@gmail.com.

12. Children's Privacy

Summova is not directed at or intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe we have collected such data, please contact us at help.summova@gmail.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification or email at least 14 days before the changes take effect. The current version will always be available within the App and on this page. Continued use of the App after the effective date constitutes acceptance of the revised Policy.

14. Contact & Data Controller

Summova is the data controller for personal data processed under this Policy. If you have any questions, requests, or complaints regarding your privacy, please contact us:

✉ help.summova@gmail.com