Privacy Policy

Last updated: June 10, 2026

Walk to Mordor ("the App", "we", "us") is a collaborative fitness app that turns your daily steps into progress along a shared journey across Middle-earth with your group. This policy explains what data we collect, how we use it, and the choices you have.

Information we collect

  • Your name and email address (your email is encrypted at rest).
  • Your daily and cumulative step counts and your progress along the journey.
  • Your time zone, used to schedule a daily step sync.
  • If you choose to connect Google Health: read-only access to your daily step count from the Google Health API (scope activity_and_fitness.readonly), along with the OAuth access and refresh tokens needed to read it (tokens are encrypted at rest).

How we use your information

We use your information solely to provide the App: to record your steps, show your position and your group's position on the journey map, and track milestones. We do not sell your data, and we do not use it for advertising.

Google user data — Limited Use

The App's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, step data obtained from the Google Health API is used only to display your progress within the App, is never sold, is never used for advertising, and is not transferred to others except as necessary to provide this feature, to comply with applicable law, or as part of a merger or acquisition.

How your data is protected

  • Personally identifiable data (your email and any Google tokens) is encrypted at rest.
  • Passwords are stored only as salted bcrypt hashes — never in plain text.
  • All traffic is served over encrypted connections (HTTPS/TLS).

Data retention and deletion

We keep your data only while your account is open. You are in control:

  • Disconnecting Google Health revokes our access token with Google and stops any further syncing. Your existing progress remains in the App.
  • Closing your account permanently deletes your account and all associated data — your step history, journey progress, milestones, and any stored Google tokens — and revokes the Google grant. This action cannot be undone.

Third-party services

  • Google — OAuth sign-in and the Google Health API (only if you connect it).
  • Heroku — application hosting and database infrastructure.

Changes to this policy

If we change how the App accesses, uses, stores, or shares your data — including Google user data — we will update this page and revise the "Last updated" date above. Continued use of the App after a change takes effect constitutes acceptance of the updated policy.

Contact

Questions about this policy or your data? Please open an issue on our GitHub.

← Back