Privacy Policy & GDPR

Your personal data is processed by:

We are committed to protecting our users' privacy and complying with applicable laws, including Regulation (EU) 2016/679 (GDPR).

We collect and process the following categories of data:

• Identification Data: Name, surname, email address, profile picture (for Google authentication).
• Billing and Delivery Data: Full postal address (for physical medal delivery), details required for invoicing by law.
• Technical and Usage Data: IP address, browser type, device used, activity logs, challenge progress (distance covered).
• Financial Data: Payment information (securely processed via Stripe; we do not store your full card details).

We do not sell your personal data. We only share it with partners necessary for service operation:

• Payment Processors: Stripe (for secure payment processing).
• Infrastructure Services: Google Firebase (for hosting, authentication, and database).
• Courier Services: Partner courier companies, strictly for order delivery.
• Public Authorities: Only if there is a legal obligation (e.g., tax authorities).

Your data may be stored on servers located in the European Union or the United States (via Google Firebase and Stripe). We ensure these providers comply with security standards and Standard Contractual Clauses approved by the European Commission.

Under GDPR, you have the following rights:

• Right of Access: You can request a copy of the data we hold about you.
• Right to Rectification: You can correct inaccurate data.
• Right to Erasure ("Right to be Forgotten"): You can request deletion of data, unless we are legally required to keep it (e.g., invoices).
• Right to Restriction of Processing.
• Right to Data Portability.
• Right to Object.

To exercise these rights, you can contact us at: contact@legendsteps.com. You also have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).