Privacy Policy

Effective date: 8 April 2026 · Last updated: 8 April 2026

Note: KOM Hunter is currently in pre-launch. This privacy policy reflects our committed practices and will be finalized before public launch. Questions in the interim should go to matt@autoalphaadvisory.co.za.

1. Who we are

KOM Hunter is a Strava companion application operated by Matt Owen, sole proprietor, based in Cape Town, South Africa. Contact: matt@autoalphaadvisory.co.za.

Information Officer (POPIA): Matt Owen, matt@autoalphaadvisory.co.za. Registered with the Information Regulator of South Africa.

2. What information we collect

When you connect your Strava account to KOM Hunter, we receive and process the following categories of personal information:

Profile information: Strava display name, profile picture URL, Strava athlete ID.
Authentication tokens: Encrypted Strava OAuth access and refresh tokens, used solely to access the data you have authorized.
Activity history: Your own Strava segment efforts, including elapsed time, distance, elevation, average power (if present), and heart rate — limited to the scope you grant via Strava OAuth.
Approximate location: Your device's approximate GPS coordinates, used only for the "Around Me" segment discovery feature. Not stored long-term.
User preferences: Unit system (metric/imperial), activity type defaults, starred segments (hunts), and trophies.

We do not collect payment information, biometric data beyond what Strava shares, or any data about users other than the authenticated user.

3. Why we collect it and lawful basis

We process your personal information for the following purposes, each with a specific lawful basis under POPIA and GDPR:

To provide the KOM Hunter service (Strava connection, segment discovery, personalized recommendations, hunt tracking) — lawful basis: performance of a contract and your consent granted via the Strava OAuth flow.
To calculate personalized achievability predictions using classical statistical methods (FTP estimation, VAM averages, similarity matching) on your own activity history — lawful basis: performance of a contract.
To respond to your support requests — lawful basis: your consent.

We do not use your Strava data with any machine learning, neural network, or large language model. All personalization is transparent classical statistics operating on your own data only.

4. How we store and protect it

Your data is stored in a Supabase (PostgreSQL) database with Row Level Security policies ensuring that you can only access your own data. The database is hosted in a region within the European Economic Area or South Africa. Authentication tokens are encrypted at rest. Traffic between the app and the backend is encrypted in transit via HTTPS.

5. Who we share it with

We share the minimum necessary personal information with the following categories of third parties to provide the service:

Strava, Inc. — to authenticate you, read your activity and segment data, and star segments on your behalf. Governed by Strava's own privacy policy and the Strava API Agreement.
Supabase, Inc. — our database and authentication provider. Data is processed under Supabase's standard Data Processing Agreement.
Mapbox, Inc. — for map tile rendering only. Mapbox receives anonymized tile requests based on the map area you are viewing; it does not receive your identity or Strava data.
Apple / Google — for push notifications (opt-in), handled via the Expo Push service. No personal data beyond the device push token is shared.

We do not sell your data, do not use it for advertising, and do not share it with data brokers.

6. How long we keep it

We retain your personal information for as long as your account is active. If your account is inactive for 12 consecutive months, we will delete your data automatically. You can request deletion at any time via the "Delete My Data" control in the app Settings screen, or by emailing matt@autoalphaadvisory.co.za.

7. Cross-border data transfers

If your personal information is transferred outside of South Africa for processing, we rely on the European Union's GDPR adequacy framework or equivalent safeguards to ensure an adequate level of protection.

8. Your rights

You have the following rights under POPIA (South Africa) and GDPR (EU):

Access — request a copy of the personal information we hold about you.
Correction — request correction of inaccurate or incomplete information.
Deletion ("right to be forgotten") — request permanent deletion of your personal information.
Portability — request a machine-readable export of your data.
Objection — object to further processing.
Withdraw consent — disconnect your Strava account at any time via the Settings screen, which revokes the OAuth token and deletes your data.

To exercise any of these rights, email matt@autoalphaadvisory.co.za. We will respond within the timeframes required by applicable law.

9. How to lodge a complaint

If you believe we have mishandled your personal information, you may lodge a complaint with:

South Africa: Information Regulator of South Africa, inforegulator.org.za
European Union: the supervisory authority in your country of residence.

10. Cookies and similar technologies

The KOM Hunter web application uses only essential session cookies required for authentication. We do not set advertising, tracking, or analytics cookies. No consent banner is required for essential cookies under the ePrivacy Directive.

11. Children

KOM Hunter is not intended for users under the age of 13. Strava itself blocks accounts for users under 13, and KOM Hunter inherits this protection via the Strava OAuth flow.

12. Changes to this policy

We will update this policy as needed. Material changes will be notified via the app and via the effective date above. Continued use of the service after a change constitutes acceptance of the updated policy.