Hexathlon

Privacy Policy

Last updated: 12 June 2026

1. Who we are

Hexathlon is operated by Rosterbox Limited (company no. 09776167), registered in England and Wales at 5 The Ridings, Cringleford, Norwich, NR4 6UJ, UK (“Hexathlon”, “we”, “us”). We are the data controller for the personal data described in this policy. For any privacy questions or to exercise your rights, contact us at support@hexathlon.run.

2. Scope

This policy covers the Hexathlon mobile app, the Hexathlon website, and our backend services. Hexathlon is a year-long road-running competition that scores age-graded race results.

3. Information we collect

  • Account details: email address, and a securely hashed password if you register with email/password.
  • Profile details: first and last name, gender, date of birth, postcode, and running club (where you choose to provide them). Date of birth and gender are used for age-grading your results.
  • Social sign-in data: if you sign in with Google, Apple, or Facebook, we receive a provider account ID, your email (where available), your name, and a profile picture URL. Apple may provide a private-relay email. Facebook email is optional and only received if you allow it. We use this solely to create and authenticate your account.
  • Race & performance data: race results matched or linked to you (event, date, time, age-grade), and — if you choose to link it — your parkrun ID and the public parkrun results associated with it.
  • Device data: a push-notification token and device platform (iOS/Android) if you enable notifications.
  • Communications: records of emails we send you and support correspondence.

The Hexathlon mobile app does not use third-party analytics, advertising, or tracking SDKs, and we do not build advertising profiles or use your data for advertising. Our public website uses Google Analytics for basic, aggregated visitor statistics, and only after you consent — see Cookies & analytics below.

4. How and why we use your data (legal bases)

  • To create and run your account and deliver the competition — performance of a contract.
  • To match, age-grade and score race results — performance of a contract / legitimate interests.
  • To send service emails (email verification, password resets, email-change confirmation, and decisions on your requests) — performance of a contract / legitimate interests.
  • To send push notifications about your account and competition — consent (you can turn these off on your device).
  • To keep the service secure and prevent abuse — legitimate interests.

We do not send marketing emails.

5. Sensitive data

The only special-category-adjacent data we hold is your date of birth (and gender, for age-grading). We never display your date of birth publicly, and it is permanently deleted when you delete your account.

6. Public information

Leaderboards and competition standings may display your name, club, age category, and race results to other users. Your email, date of birth, and postcode are never shown publicly.

7. parkrun and third-party race data

If you link a parkrun account, we retrieve your publicly available parkrun results to score them within Hexathlon. parkrun results are public data published by parkrun; we link and score them only at your request. You can unlink at any time.

8. Who we share data with (processors)

We share data only with service providers who process it on our behalf under contract:

  • Neon — managed PostgreSQL database hosting.
  • Google Cloud (Cloud Run, Cloud Functions, Cloud Storage, Pub/Sub) — application hosting, result processing, and file/image storage.
  • Vercel — website hosting.
  • Google Analytics — aggregated website visitor statistics, loaded only with your consent (see Cookies & analytics).
  • Resend — transactional email delivery.
  • Expo — push-notification delivery.
  • Google, Apple, Facebook — only where you choose to sign in with them.

We do not sell your personal data.

9. International transfers

Some providers (e.g. authentication and email providers) may process data outside the UK. Where they do, we rely on appropriate safeguards such as UK adequacy regulations or Standard Contractual Clauses.

10. Data retention

We keep your personal data while your account is active. When you delete your account, your personal data is permanently deleted (see Deleting your account & data below). Public race result records sourced from third parties may remain in our systems but are unlinked from you and no longer identify you via your account.

11. Your rights

Under UK GDPR you have the right to access, correct, delete, restrict or object to processing of your data, and to data portability. You can exercise most of these directly in the app, or contact us at support@hexathlon.run. You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

12. Children

Hexathlon is intended for users aged 16 and over. We do not knowingly collect data from anyone under 16. If you believe a child under 16 has provided us with data, contact support@hexathlon.run and we will delete it.

13. Security

Passwords are stored hashed (bcrypt). We use encrypted connections and access controls. No system is perfectly secure, but we take reasonable measures to protect your data.

14. Deleting your account & data

You can permanently delete your Hexathlon account and all associated personal data at any time, directly in the app:

  1. Open the Hexathlon app and go to Settings.
  2. Scroll to Account and tap Delete Account.
  3. Type DELETE to confirm.

Your account and personal data — including your name, email, date of birth, gender, postcode, club, linked sign-in providers, linked parkrun profile, devices, and competition records — are then permanently and irreversibly deleted from our systems. This data cannot be recovered.

Public race results originally sourced from third parties (e.g. parkrun or uploaded race files) may remain on record as public results, but are unlinked from your account and no longer associated with you.

If you signed up with Facebook and want to confirm deletion of the data we received from Facebook, deleting your account as above removes it. If you cannot access the app, email support@hexathlon.run and we will delete your data on request.

15. Cookies & analytics

Our website uses a small number of cookies and similar technologies:

  • Essential: we store your cookie choice (accept or reject) in your browser so we don’t ask you again. This is necessary to remember your preference and is not used to track you.
  • Analytics (optional): with your consent, we use Google Analytics to understand how many people visit the site, which pages are popular, and the general device types used (for example iOS or Android). This helps us improve the site. The legal basis is your consent.

When you first visit, we show a banner asking you to Accept or Reject analytics cookies. We do not set any analytics cookies until you click Accept. If you Reject, Google Analytics runs in a limited, cookieless mode that collects only aggregated, non-identifying statistics and does not store cookies on your device or identify you.

Google Analytics is provided by Google, which acts as our processor. Some data may be processed outside the UK under appropriate safeguards (see International transfers). We do not use Google Analytics for advertising. You can change your choice at any time by clearing your browser’s site data for this website, which will make the banner appear again. The Hexathlon mobile app does not use Google Analytics or any advertising or tracking SDKs.

16. Changes to this policy

We may update this policy from time to time. We will update the “Last updated” date above and, where appropriate, notify you in the app.

17. Contact

Rosterbox Limited, 5 The Ridings, Cringleford, Norwich, NR4 6UJ, UK — support@hexathlon.run.