Last updated: 24 March 2026
Applies to: the Summa web application at https://app.summa.run and, where applicable, the marketing site https://summa.run.
Controller / operator: Pavel Olar (natural person, individual developer), Pärnu mnt. 139f, 11314 Tallinn, Estonia.
Contact (privacy & data requests): pavel.olar@gmail.com
Related pages: Terms of Service
1. Summary
Summa is a personal running diary and training log. We process your information to run your account, sync and display your training data, and improve the reliability and security of the service.
- We do not sell your personal information.
- We do not use Strava Data (data obtained from Strava about you) for machine learning, artificial intelligence model training, or similar purposes — such use is prohibited under the Strava API Agreement and is not part of our product.
- Training content you store in Summa is not made available for general browsing by other Summa users. The Service does not offer a user-facing control to publish your diary to all other registered users. The only way another registered user can see your diary in Summa is if you voluntarily add them as your coach using an invite code they provide, which grants them read-only access as described below.
This policy explains what we collect, why, how long we keep it, and your rights.
Consider having this text reviewed by a qualified lawyer for your situation; it is not legal advice.
2. Who we are
Pavel Olar (“we”, “us”, “our”) operates Summa (“Service”) as an individual developer based in Estonia.
For EU/UK data protection law, the controller of personal data processed through Summa is Pavel Olar at the address above, unless we inform you otherwise.
3. Information we collect
3.1 Account and profile
When you register or use the Service, we may process:
- Credentials and identifiers: email address, username, and password (stored using secure hashing; we do not store your password in plain text).
- Profile details you choose to provide: such as display name or profile image URL, if supported by the product.
- Technical session data: cookies or similar technologies needed for authentication and security (e.g. session, CSRF protection).
3.2 Training and activity data
Depending on how you use Summa, we may process:
- Activities imported from Strava after you connect your Strava account, including metadata and metrics made available through the Strava API (for example: time, distance, sport type, heart rate where provided, laps, titles/notes as exposed by Strava, and related fields we store to render your diary). Exact fields may evolve with the API and product.
- Activities or files you import manually, such as data from an official Strava export (e.g. archive you download from Strava and upload to Summa), within the limits supported by the product.
- Notes and diary content you enter in Summa.
This data may be personal data and, where it relates to health or fitness, may be considered sensitive in some jurisdictions. We process it only to provide the Service you request.
3.3 Strava connection data
If you connect Strava, we process:
- OAuth tokens (access and refresh tokens) and related Strava athlete identifiers needed to synchronize data.
- Webhook-related technical records needed to process Strava events (for example activity created, updated, deleted, or deauthorization), within the limits of our implementation.
3.4 Coach–athlete relationships (optional feature)
If you use Summa’s coaching features, we may process:
- Coach mode and invite codes: whether you have enabled coach mode, and a short alphanumeric invite code associated with your account so athletes can link to you (the code identifies your account only within Summa).
- Athlete–coach link: which user (if any) you have designated as your coach, and which users you coach, only as created through the in-product bind flow (entering a coach’s code or removing the link).
- Resulting access: when an athlete has linked a coach, the coach’s account may view the athlete’s diary and Strava-synchronized activities in Summa in read-only form, only to provide the coaching relationship the athlete initiated. Coaches do not receive your Strava tokens; access is mediated through Summa’s application.
You can remove a coach or stop coach mode (and revoke athlete links) using the controls in the Service.
3.5 Service operations, security, and support
We may process:
- Server and application logs (e.g. IP address, timestamps, request paths, error diagnostics) for security, troubleshooting, and abuse prevention. We retain such logs only as long as needed for these purposes (typically a limited number of days; exact periods may vary with configuration).
- Communications you send us (e.g. support email) and our replies.
3.6 Strava’s processing related to your use of the Strava API
When Summa calls the Strava API on your behalf, Strava processes information under Strava’s own policies. You should read:
Disclosure required by Strava: Under the Strava API Agreement, Strava may monitor and collect usage data and information related to our use of the Strava API and Strava Platform in connection with Summa, and may use such information for Strava’s business purposes (including compliance, support, and improving the API).
That processing is governed by Strava’s documents, not this policy.
4. Purposes and legal bases (including GDPR)
Depending on applicable law, we rely on one or more of the following:
| Purpose | Examples | Typical legal basis (EU/UK GDPR-style) |
| --- | --- | --- |
| Provide the Service | account, login, displaying your diary, syncing from Strava | Contract (Art. 6(1)(b) GDPR) |
| Coach–athlete feature | invite codes, link records, read-only diary view for a coach you add | Contract (Art. 6(1)(b) GDPR) |
| Connect and sync Strava | OAuth, API calls, webhooks | Contract; Consent where Strava or law requires explicit consent for certain processing |
| Security & abuse prevention | logs, rate limiting, fraud prevention | Legitimate interests (Art. 6(1)(f)); sometimes legal obligation |
| Comply with law | responding to lawful requests | Legal obligation (Art. 6(1)(c)) |
| Improve reliability of the Service | diagnostics that do not violate Strava’s restrictions on Strava Data | Legitimate interests, configured to minimize personal data |
Strava-specific restriction: We do not use Strava Data for aggregated analytics, product improvement, or customer insights in any way that violates the Strava API Agreement. We use Strava Data only to provide Summa’s functionality to you, and — only when you add a coach — to display your Strava-synchronized content to that coach in read-only form within Summa as part of the coaching feature you requested.
5. How we share information
We do not sell your personal information. We share data only as follows:
- Strava: When you connect Strava, Summa exchanges data with Strava’s systems strictly as needed for OAuth, API access, and webhooks. Strava’s terms apply to Strava’s platform.
- Infrastructure providers (“processors”): we use a VPS / hosting provider to run the application, database, and backups. That provider processes data on our instructions. We use written agreements where required by law (e.g. GDPR Article 28).
- Professional advisers: lawyers, accountants, or auditors where necessary and subject to confidentiality.
- Authorities: if we believe disclosure is required by applicable law, court order, or legal process, or to protect rights, safety, and security.
We do not disclose your Strava-derived activity data to advertising networks or for independent use by third parties.
Exception (coaching): If you (athlete) voluntarily link another Summa user as your coach, Summa allows that coach to view (read-only) your diary content as rendered in Summa, including activities synchronized from Strava, solely to provide the feature you requested. This is not a sale or license of data to third parties for their own purposes. If you remove the coach link, that access ends (subject to short technical propagation / caching as applicable).
6. International transfers
Your information may be processed in Estonia, in the EEA, or in other countries where our hosting provider operates servers. If personal data is transferred to a country outside the EEA/UK that does not benefit from an adequacy decision, we implement appropriate safeguards as required by GDPR (for example Standard Contractual Clauses approved by the European Commission), in addition to any measures required by our hosting or subprocessors.
Strava is a US-headquartered service; connecting Strava may involve transfers to the United States subject to Strava’s policies and mechanisms.
7. Retention
- Account data: kept while your account is active.
- Coach–athlete links and invite codes: kept while you use those features; removed when you remove a coach, stop coach mode, or delete your account, according to the Service implementation.
- Strava tokens and Strava-imported data: kept while Strava remains connected, unless you delete specific content in-product where supported. If you disconnect Strava or Strava sends a deauthorization event, we delete or anonymize Strava connection data and Strava-imported content in line with our product implementation.
- Strava deletions: If an activity is deleted in Strava, we remove the corresponding copy in Summa as soon as reasonably practical via sync or webhooks, and in any case we aim to comply with Strava’s requirements (Strava currently requires reflection within 48 hours for deletions on Strava — verify the current Strava API Agreement).
- Backups: residual copies may persist in encrypted backups for a limited period (typically up to approximately 90 days, depending on backup rotation).
- Support emails: retained as long as needed to handle your request and any follow-up, generally not longer than 24 months unless a legal claim or obligation requires longer retention.
8. Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption of data in transit (HTTPS/TLS) for the public application.
- Industry-standard password hashing.
- Access controls for server and database where applicable.
No method of transmission or storage is 100% secure. If we become aware of a personal data breach affecting your information and we are required to notify you or a regulator, we will do so in accordance with applicable law.
Strava API security expectations: We use secure channels for Strava API traffic and protect tokens with appropriate access controls, consistent with the Strava API Agreement.
9. Your rights
Depending on your location, you may have rights to:
- Access your personal data.
- Rectify inaccurate data.
- Erase data (“right to be forgotten”) where conditions are met.
- Restrict or object to certain processing.
- Data portability for data you provided, where applicable.
- Withdraw consent where processing is consent-based (this does not affect lawfulness before withdrawal).
- Lodge a complaint with a supervisory authority.
How to exercise: email pavel.olar@gmail.com with your request. We may need to verify your identity.
Estonia / EEA: You may lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — https://www.aki.ee/en — or another competent supervisory authority in your country of residence or work.
Strava controls: Some data originates in Strava; you can also manage permissions and deauthorize Summa in your Strava account settings.
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe we have, contact us and we will delete it.
11. Cookies and similar technologies
We use strictly necessary cookies (or local storage) for authentication and security.
We do not use analytics or non-essential advertising cookies at this time. If that changes, we will update this policy and obtain consent where required by law.
12. Automated decision-making
We do not use your personal data for solely automated decisions with legal or similarly significant effects.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version at https://summa.run/privacy (or the URL we notify) and update the “Last updated” date. If changes are material, we will provide additional notice as required by law (e.g. email or in-app notice).
Continued use of the Service after the effective date of changes may constitute acceptance where permitted by law.
14. Contact
Pavel Olar
Pärnu mnt. 139f, 11314 Tallinn, Estonia
Email: pavel.olar@gmail.com