Privacy Policy

Last updated: 7 June 2026

Hexplore (“Hexplore”, “we”, “us”) is a game that lets you unlock hexagons of the world map by running and cycling. To do this we connect to your Strava account with your permission. This policy explains what data we collect, how we use it, who can see it, and how to delete it. It applies to everyone who uses Hexplore.

Who we are

Hexplore is the data controller for the personal data described here. For any privacy question or request, contact us at contact@hexplore.io.

The data we collect from Strava

When you log in with Strava and grant access, we receive and store the following from Strava’s API:

  • Your Strava athlete ID (a number that identifies your Strava account to us).
  • OAuth access and refresh tokens that let us call Strava on your behalf. These are stored encrypted (AES-256-GCM) and are never shown to anyone.
  • The scopes you granted and your token expiry time.
  • For each qualifying activity: its title, type, start date, distance, and its summary route line (the encoded GPS polyline Strava provides).

We do not store your Strava name, email, profile photo, heart-rate, power, or any other detailed activity stream. We read your name during login only to confirm the connection, and immediately discard it.

Data we generate

  • An anonymous handle(for example “Swift Fox #4821”) that we generate for you at sign-up. This is the only identity shown to other users — your real Strava name is never displayed.
  • The set of H3 map hexagons your routes pass through, plus counts and territory derived from them.

How we use your data

  • To calculate which hexagons your activities unlock and draw your personal map.
  • To power the leaderboard, territory, and heatmap features (see “What others can see”).
  • With your activity:writepermission, to append a single line such as “🔓 12 Hexes Unlocked — via Hexplore” to the description of new activities you record after connecting. We only ever append, we never remove or change your existing text, and we never post more than once to the same activity.
  • To keep your map up to date when you record new activities, via Strava webhooks.

We do not sell your data, share it with advertisers, or use it to train any AI or machine-learning models.

What other users can see

Your detailed activity data — activity titles, dates, distances, and route lines — is always private to you and shown only to you when you are logged in. It is never shown to other users.

The leaderboard, territory map, and heatmap are opt-in. Unless you choose to share, you do not appear in them at all and you only ever see your own map. You make this choice when you join and can change it anytime in Settings. If you opt in, other users and the public can see only:

  • Your anonymous handle and your total number of unlocked hexes (leaderboard).
  • That a hex on the territory map is held by “another runner” — without your handle, name, or any activity attached.
  • Aggregate, anonymous heatmap counts of how many runners have covered each hex.

Strava activities and privacy zones

To build your map, Hexplore reads and processes every activity your Strava permission lets us access, including activities you have marked as private on Strava. This data is used only to compute your own hexes and is kept private to you, as described above. Areas hidden by Strava’s privacy zones are already removed from the route data Strava sends us, so they are never processed or stored. You can change what Strava shares with Hexplore, or disconnect Hexplore entirely, at any time from your Strava apps settings.

How long we keep it, and how to delete it

You can delete everything at any time:

  • Use Delete account in Settings. This revokes our access to your Strava and erases your account, activities, unlocked hexes, and territory.
  • Or revoke Hexplore from your Strava apps settings. Strava notifies us and we delete your data automatically.

Either way, we permanently delete your personal data promptly — in any event within 30 days. We retain only anonymous, aggregate statistics that cannot be linked back to you (for example a hex’s total unlock count), and minimal webhook logs we need to keep the service reliable and secure.

We also keep a minimal record of your data-sharing consent decisions — the choice you made, when, and your Strava athlete id — even after your account is deleted. We hold this only as proof of consent, to comply with our legal obligations and to establish or defend legal claims; it is never used for any other purpose.

Where your data is processed

Hexplore is hosted on infrastructure in the EU/US and stores data in a managed PostgreSQL database. We use industry-standard measures to protect it, including encryption of Strava tokens at rest and encrypted connections in transit.

Your rights

Depending on where you live (including under UK/EU GDPR), you have the right to access, correct, export, or delete your personal data, and to withdraw consent. You can exercise most of these directly in Settings, or by emailing contact@hexplore.io. You also have the right to complain to your local data-protection authority.

Strava

Hexplore uses the Strava API but is not endorsed, certified, or otherwise affiliated with Strava. Your use of Strava is also governed by Strava’s Privacy Policy.

Changes

We may update this policy as Hexplore evolves. We will change the “last updated” date above and, for material changes, give notice in the app.

← Back to Hexplore