Privacy Policy
Last updated: 2026-03-01
1. Introduction
Move2Money ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our mobile application ("App").
By using the App, you consent to the practices described in this policy. We comply with the General Data Protection Regulation (GDPR) and applicable EU data protection laws.
2. Data We Collect
We collect the following categories of data:
- Account Information: Email address, display name, profile photo, and password (securely hashed).
- Health & Fitness Data: Step counts from your device's pedometer and health services (Apple HealthKit on iOS, Google Health Connect on Android). This data is used solely for race tracking and is never sold.
- Location Data: GPS coordinates during active race sessions for route tracking, distance calculation, and anti-cheat verification. We do not track your location when you are not in an active race.
- Device Information: Device model, operating system version, app version, and platform (iOS/Android) for technical support and compatibility.
- Payment Information: Payment transactions are processed by Stripe. We do not store your full credit card details, only transaction references and payment status.
- Usage Data: App interaction data, race participation history, and performance statistics.
3. How We Use Your Data
We use your data for the following purposes:
- Providing and operating the App and its features
- Tracking steps and GPS during races for accurate ranking
- Anti-cheat detection and fair play enforcement
- Processing payments and distributing prizes
- Sending notifications about races, results, and prizes
- Improving App performance and user experience
- Providing customer support
- Complying with legal obligations
4. Data Storage & Security
Your data is stored securely using industry-standard practices:
- Database: Hosted on Supabase (PostgreSQL) with encryption at rest and in transit
- Authentication: Managed via Supabase Auth with secure JWT tokens
- Sensitive data: Session secrets and tokens are stored in device secure storage (Keychain on iOS, Keystore on Android)
- Passwords: Hashed using bcrypt — we never store plain-text passwords
- Communication: All API traffic is encrypted via HTTPS/TLS
While we implement strong security measures, no method of electronic transmission or storage is 100% secure.
5. Third-Party Services
We use the following third-party services that may process your data:
- Supabase — Authentication and database hosting (EU-hosted)
- Stripe — Payment processing (PCI DSS compliant)
- Expo / React Native — App framework and push notifications
- Apple HealthKit / Google Health Connect — Step data access (data stays on device; we only read step counts)
- Redis (Upstash) — Real-time leaderboard caching
Each service has its own privacy policy. We encourage you to review them.
6. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Right of Access: Request a copy of your personal data.
- Right to Rectification: Correct inaccurate personal data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten").
- Right to Restriction: Request we limit how we process your data.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, use the Contact Support feature in the App or email support@move2money.com. We will respond within 30 days.
7. Data Retention
We retain your data for as long as your account is active. When you request account deletion:
- Deletion is scheduled for 30 days (grace period to cancel)
- After 30 days, personal data is permanently deleted
- Anonymised, aggregated data may be retained for analytics
- Financial records are retained as required by law (typically 7 years)
GPS tracking data from completed races is retained for anti-cheat review for 90 days, then deleted.
8. Children's Privacy
The App is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.
9. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:
- In-App: Use the Contact Support feature in your Profile
- Email: support@move2money.com
You also have the right to lodge a complaint with your local data protection authority.