Privacy Policy
Last updated:
1. Who we are
Walkathon (“we”) is operated by the Walkathon team. We’re the controller of personal data we collect directly from you (account holders) and a joint controller, alongside the organisation running a campaign, of walker data entered on campaign pages.
2. What we collect
From account holders we collect:
- The email address you sign in with.
- The billing email you set on your organisation.
- Campaign metadata you enter (charity name, hero copy, palette, etc.).
- Stripe customer and payment metadata (we don’t see your card details — Stripe handles those).
- An audit log of admin actions you take, including your email at the time of each action.
From walkers and visitors we collect:
- The name, team, step goal, and step counts walkers enter on the campaign page.
- A hashed IP address (with a server-side pepper) to rate-limit share-key brute-force attempts. We don’t store raw IPs.
- A short-lived session cookie that identifies your walker registration on this device.
- If you opt in to analytics, anonymous Vercel Analytics page-view counts.
3. Legal basis
- Contract for account-holder data: we need it to provide the Service you signed up for.
- Legitimate interest for the admin-actions audit log and the rate-limit ledger: we have a clear interest in operating a fair, secure service, and the data we collect is minimal.
- Consent for analytics cookies and (where applicable) walker data: walkers consent to a campaign’s data collection by entering their details on the campaign page; you consent to analytics by choosing “Allow analytics” in the cookie banner.
4. Sub-processors
We use the following service providers to operate Walkathon:
- Supabase (database, authentication) — EU/UK region.
- Stripe (payment processing).
- Vercel (web hosting, optional analytics).
- Resend (transactional email — magic-link sign-in).
- GoFundMe and JustGiving (where an organiser links a fundraising campaign). We fetch publicly-displayed totals only; we don’t share data with them.
Each of these acts as a processor on our behalf under contract or their published terms, and is bound by appropriate data-processing terms.
5. Data residency
The Walkathon database is hosted in the EU (Frankfurt) or UK (London) depending on deployment region. Some sub-processors (Stripe, Vercel, Resend) may process data in the US under appropriate transfer safeguards — see “International transfers” below.
6. Retention
- Campaign + walker data: until the organiser archives or deletes the campaign, or refunds it (which deletes it).
- Admin actions audit log: 7 years (billing audit).
- Pending campaign drafts (in-progress wizard payloads): 24 hours.
- Share-key rate-limit attempts: 30 days.
- Cookie-consent record on your device: 1 year.
- User consent records (which version of these policies you accepted, and when): for as long as your account exists.
7. Children’s data
Walkathon isn’t aimed at children. Walkathons themselves often involve children, though, and a walker’s entered name may be a child’s. We recommend organisers ask walkers to use nicknames, initials, or team codes — not full real names of children. Organisers are joint controllers for walker data entered on their campaigns and should provide their own privacy notice to anyone under 18 taking part.
We don’t knowingly collect personal data from children through the Service. If you believe a child has provided personal data to us directly, contact us and we’ll remove it.
8. Cookies and similar storage
We use the following cookies and device storage:
- sb-* — Supabase auth session. Essential.
- cookie_consent — your cookie preference. Essential (preference storage).
- Theme and reduced-motion preferences — essential UI state on this device.
- Walker session token (per device, per campaign) — essential for adding steps to your own walker.
- walkathon:preview:* — browser-local state for the demo page. Cleared when you navigate away.
- Vercel Analytics — non-essential. Only loaded if you select “Allow analytics”. Vercel Analytics doesn’t use cross-site tracking cookies.
9. Your rights
Wherever you live, you have the right to access, rectify, erase, restrict, port, or object to the processing of personal data we hold about you. You can delete your account yourself at any time from /dashboard/account — this removes your sign-in, memberships and consent records immediately, and lets you transfer or delete any organisations you solely own. For any other request (access, rectification, portability), email us (see “Contact” below) and we’ll respond within 30 days. For walker data on a particular campaign, the organisation running that campaign is also a controller — we’ll forward requests where appropriate.
If you’re in the UK, these rights flow from UK GDPR and the Data Protection Act 2018.
If you’re in the EU or EEA, equivalent rights apply under the EU General Data Protection Regulation (2016/679). The legal substance is the same; you just complain to your member state’s data protection authority instead of the UK ICO (see Complaints below).
If you’re in California, you have additional rights under CCPA / CPRA, including: the right to know what personal information we collect, the right to delete it, the right to correct inaccuracies, and the right to opt out of any “sale” or “sharing” of your data — though we don’t sell or share personal information for advertising. Email us to exercise any of these.
Other jurisdictions (Virginia CDPA, Colorado CPA, Australian Privacy Principles, PIPEDA in Canada, LGPD in Brazil, etc.) — the practical fulfilment is the same: email us and we’ll handle your request within the statutory timeframe.
10. International transfers
Some of our sub-processors (Stripe, Vercel, Resend) operate in the United States. Personal data transferred to them is protected by appropriate safeguards — Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent — as published by each provider.
11. Complaints
If you’re not happy with how we’ve handled your data, please get in touch with us first — we’d much rather fix it. If we can’t resolve it, you can also complain to:
- UK: the Information Commissioner’s Office — ico.org.uk
- EU / EEA: your member state’s data protection authority. The EDPB has a directory at edpb.europa.eu.
- California: the California Privacy Protection Agency or the Attorney General’s office.
- Elsewhere: your country’s data protection or consumer rights authority.
12. Changes to this policy
We may update this Privacy Policy from time to time. For material changes we’ll show a re-acceptance prompt on your next visit to your dashboard.
13. Contact
For privacy and data requests, please contact the Walkathon team. The current operator’s contact details are listed on the homepage and in our footer. See also the Terms of Service.