Privacy Policy
Introduction
GpxAnalyzer ("the App") is a post-processing tool designed to analyze and visualize GPS data from GPX files. This privacy policy explains how the App handles user data in compliance with Google Play Developer Program policies and applicable privacy laws.
Important: This App does NOT track your current location. It only processes historical GPS data from GPX files that you choose to load.
Data Collection and Usage
Overview
GpxAnalyzer is designed with privacy in mind. The App operates primarily locally on your device and does not collect personal information for tracking or advertising purposes.
Types of Data Accessed
1. File Storage Data
- What: GPX files stored on your device
- Why: To read and process GPS track data for visualization and analysis
- How: Through Android storage permissions (varies by Android version):
- Android 13+: READ_MEDIA_IMAGES, READ_MEDIA_VIDEO, READ_MEDIA_AUDIO
- Android 11-12: READ_EXTERNAL_STORAGE
- Android 10: READ_EXTERNAL_STORAGE
- Android 7.0-9.0: READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE
- Storage: Files are read from your device storage
- Sharing: No data is shared with third parties
- Retention: Data is processed in memory and not permanently stored by the App
2. Historical Location Data (from GPX files)
- What: GPS coordinates, timestamps, and elevation data contained in GPX files
- Why: To visualize routes on maps and generate charts (altitude, velocity)
- How: Extracted from GPX files you select
- Storage: Processed locally on your device, cached temporarily in device memory
- Sharing: Never shared with third parties
- Retention: Cached data is cleared when the App is closed or when you load a different file
3. Strava Activity Data (Optional)
- What: Activity data from your Strava account (location, time, elevation, activity metadata)
- Why: To import and analyze your Strava activities
- How: Through OAuth 2.0 authentication with Strava API
- OAuth Scopes Requested:
read: Access to your public profile informationactivity:read: Access to read your activity data
- Data Fetched:
- Activity list (activities from the last 30 days by default, configurable)
- Activity streams (GPS coordinates, altitude, timestamps)
- Activity metadata (type, distance, duration, elevation gain)
- Only activities with GPS data are processed
- API Rate Limits:
- The App respects Strava API rate limits to ensure fair usage
- Current Rate Limits (as of December 27, 2025):
- 15-minute window: 25 requests overall, 15 read requests
- Daily window: 40 requests overall, 30 read requests
- Rate Limit Structure:
- 15-minute Overall Limit: Maximum 25 total API requests per 15-minute rolling window
- 15-minute Read Limit: Maximum 15 read-type API requests per 15-minute rolling window
- Daily Overall Limit: Maximum 40 total API requests per 24-hour rolling window
- Daily Read Limit: Maximum 30 read-type API requests per 24-hour rolling window
- Rate limits are fetched from an encrypted online source and may be updated to reflect current Strava API policies
- If the online source is unavailable, the App uses fallback default limits (30/80 overall, 20/60 read)
- The App tracks API usage locally and automatically waits when limits are approached or exceeded
- When rate limits are reached, the App will:
- Display a notification informing you of the wait time
- Automatically wait for the rate limit window to reset before making additional requests
- Prevent further API calls until the limit window resets (15 minutes or 24 hours depending on the limit)
- Each sync operation uses at least 1 API request, plus additional requests for downloading activity streams
- You will be informed of current API usage before starting a sync operation
- Storage:
- OAuth tokens stored securely on your device (access tokens expire every 6 hours and are automatically refreshed)
- Activity data fetched and converted to GPX format, processed locally
- GPX files are cached locally on your device to avoid redundant downloads
- Rate limit usage statistics stored locally to track API consumption
- Sharing:
- Data is fetched from Strava API (subject to Strava's privacy policy)
- Data is never shared with third parties beyond what is necessary for Strava API functionality
- Data is only displayed to you (the authenticated user)
- Retention:
- OAuth tokens stored until you revoke access
- Activity data cached locally on your device until you clear app data
- Rate limit usage statistics reset when limit windows expire (15 minutes or 24 hours)
- Control: You can revoke access anytime through Strava settings, which will invalidate stored OAuth tokens
- Limitations:
- Due to Strava API rate limits, frequent syncing may require waiting periods
- The App fetches activities from a configurable date range (default: last 30 days)
- Maximum number of activities per sync is configurable to manage API usage
- If you exceed Strava's global API rate limits (HTTP 429), the App will wait before retrying
4. Network Data
- What: Internet connection required for:
- Strava API integration (when used)
- OpenStreetMap tile downloads for map display
- Fetching privacy policy updates and minimum supported application version information (both encrypted)
- Why: To fetch Strava activities, display map tiles, check for privacy policy updates, and verify minimum supported app version requirements
- How: Through INTERNET and ACCESS_NETWORK_STATE permissions
- Storage: Map tiles cached locally by the map library
- Sharing:
- Strava API requests subject to Strava's privacy policy
- OpenStreetMap tile requests subject to OpenStreetMap Foundation privacy policy
- Privacy policy version checks and minimum supported app version checks are made to GitHub Pages (subject to GitHub's privacy statement). These checks use encrypted JSON files to ensure data integrity and authenticity.
- Retention: Map tiles cached temporarily by the map library
Data Handling and Security
Secure Data Handling
- Local Processing: All GPX data processing occurs locally on your device
- No Server Transmission: GPX file data is never transmitted to external servers
- Encrypted Communication: When connecting to Strava API, all communication uses HTTPS (TLS encryption)
- Encrypted Version Information: Privacy policy version information and minimum supported app version data are fetched as encrypted JSON files using AES-256-GCM encryption. This ensures the integrity and authenticity of version requirements and policy updates.
- Secure Token Storage: OAuth tokens are stored securely on your device using Android's secure storage mechanisms
- No Data Collection: The App does not collect analytics, usage statistics, or personal information
Data Retention
- GPX File Data: Processed in memory only, cleared when App is closed or new file is loaded
- Strava Data: Cached temporarily in device memory, cleared when App is closed
- OAuth Tokens: Stored on device until you revoke access through Strava settings
- Map Tiles: Cached by the map library, subject to library's cache management
Data Deletion
- No Account Required: The App does not require account creation, so there is no account data to delete
- Clear App Data: You can delete all App data at any time by:
- Uninstalling the App (removes all local data including OAuth tokens)
- Clearing App data through Android Settings
- Revoke Strava Access: You can revoke Strava access at any time through Strava settings, which will invalidate stored OAuth tokens
App Updates and Version Management
Minimum Supported Version Requirements
The App includes a version management system that may require you to update to a minimum supported version before continuing to use the App. This feature ensures compatibility, security, and stability.
Why Updates Are Required: The App is currently under intensive development to improve functionality, security, and user experience. When a minimum supported version is enforced, it is done to ensure:
- Data Protection: Your data remains safe and unaffected during updates
- App Stability: Critical fixes and improvements are applied to prevent data loss or corruption
- Security: Security vulnerabilities are addressed promptly
- Compatibility: The App remains compatible with required services and APIs
How Version Checking Works
- Automatic Checks: On app startup, the App checks online for the minimum supported version requirement
- Encrypted Data: Version information is fetched as encrypted JSON using AES-256-GCM encryption to ensure authenticity
- Offline Support: If no network connection is available, the App uses cached version information when available
- Update Prompt: If your app version is below the minimum required version, you will be prompted to update via the Play Store
- No Personal Data: Only your app version number is compared; no personal information is transmitted during version checks
Privacy Policy Version Management
- Version Tracking: The App checks for privacy policy updates using encrypted JSON version information
- Encrypted Communication: Privacy policy version data is encrypted using AES-256-GCM encryption, ensuring the integrity and authenticity of policy updates
- User Consent: When a new privacy policy version is available, you will be prompted to review and accept it before continuing to use the App
- Transparency: All privacy policy versions are publicly available and accessible for your review
Third-Party Services
OpenStreetMap
Strava API
- Purpose: Import activity data (optional feature)
- Data Shared: OAuth authentication and activity data requests (subject to Strava API Agreement)
- OAuth Scopes: The App requests
read (public profile) and activity:read (activity data) scopes
- API Rate Limits: The App respects Strava API rate limits:
- Current limits (as of December 27, 2025): 25 requests per 15 minutes (overall), 15 read requests per 15 minutes, 40 requests per day (overall), 30 read requests per day
- Rate limits are enforced by the App to prevent exceeding Strava's API quotas
- When limits are reached, the App automatically waits for the rate limit window to reset
- Rate limit configuration is fetched from an encrypted online source and may be updated to reflect current Strava API policies
- If the online source is unavailable, fallback default limits are used (30/80 overall, 20/60 read)
- Privacy Policy: Strava Privacy Policy
- API Agreement: Strava API Agreement
- API Documentation: Strava API Reference
- Note: If Strava data originates from Garmin devices, attribution to Garmin may be required per Strava's terms.
GitHub Pages
- Purpose: Hosting encrypted privacy policy version information and minimum supported app version data
- Data Shared: Requests for encrypted JSON files containing version information (your IP address may be visible to GitHub servers)
- Privacy Policy: GitHub Privacy Statement
- Note: All version data is encrypted using AES-256-GCM encryption before transmission. Only encrypted JSON files are fetched; no personal user data is transmitted.
Permissions Used
The App requests the following permissions:
- Storage Permissions (varies by Android version):
- Android 13+ (API 33+): READ_MEDIA_IMAGES, READ_MEDIA_VIDEO, READ_MEDIA_AUDIO
- Android 11-12 (API 30-32): READ_EXTERNAL_STORAGE
- Android 10 (API 29): READ_EXTERNAL_STORAGE
- Android 7.0-9.0 (API 24-28): READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE
- Purpose: To read GPX files from device storage. The App uses standard Android storage permissions appropriate for each Android version.
- Internet Permission (INTERNET):
- Purpose: To connect to Strava API (when used), download OpenStreetMap tiles, and fetch encrypted privacy policy version and minimum supported app version information from GitHub Pages
- Network State Permission (ACCESS_NETWORK_STATE):
- Purpose: To check network connectivity status before making network requests, ensuring efficient operation and proper error handling when the device is offline
Note: The App does NOT request location permissions. It does not track your current location. It only processes historical GPS data from GPX files you choose to load.
Your Rights
- Full Control: You have full control over your data
- No Tracking: The App does not track you or collect personal information
- No Account Required: No registration or account creation needed
- Delete Anytime: You can delete the App and all associated data at any time
- Revoke Access: You can revoke Strava access at any time through Strava settings
Children's Privacy
The App is not directed to children under the age of 13. The App does not knowingly collect personal information from children.
Changes to This Privacy Policy
This privacy policy may be updated periodically to reflect changes in the App's functionality or legal requirements. The effective date will be updated accordingly. Continued use of the App after changes constitutes acceptance of the updated policy.
Contact
If you have questions about this privacy policy or how the App handles your data, please contact:
Developer: Rafał Stańczuk
Email: anddev0110@gmail.com
You can also contact through the App repository or distribution platform where you obtained the App.
Compliance
This privacy policy complies with:
- Google Play Developer Program Policies (User Data Policy)
- Applicable privacy and data protection laws
- Strava API Agreement requirements
Last Updated: December 27, 2025