Privacy Policy
Last updated: March 28, 2026
1. Who We Are
Marathon Index ("we", "us", "our") operates marathon-index.com — a free global guide to marathons and half-marathons. We are based in Sweden and comply with the EU General Data Protection Regulation (GDPR).
Contact: [email protected]
2. Data We Collect
2.1 Account Data (when you sign up)
- Name and email address (from Google or Strava OAuth)
- Profile photo URL (from OAuth provider)
- Username (auto-generated, editable)
2.2 User-Generated Content
- Race reviews and ratings
- Race results (finish times you submit)
- Training plans and workout logs
- Follow relationships with other users
2.3 Analytics Data (with your consent)
- Google Analytics 4 collects anonymized usage data (pages viewed, device type, approximate location at city level)
- No personally identifiable information is sent to Google Analytics
- Analytics only loads after you consent via the cookie banner
2.4 Cookies & Local Storage
| Name | Purpose | Duration |
|---|---|---|
| mi_user_session | Authentication session | 7 days |
| mi_cookie_consent | Your cookie preference | 1 year |
| _ga, _ga_* | Google Analytics (only with consent) | 2 years |
| mi_newsletter_emails | Newsletter signup tracking (localStorage) | Persistent |
3. Legal Basis for Processing
- Consent — Analytics cookies (you can decline via the cookie banner)
- Contract — Account data needed to provide the service (reviews, training plans)
- Legitimate interest — Essential cookies for authentication and site functionality
4. Third-Party Services
- Google OAuth — Authentication. We receive your name, email, and profile photo. Google Privacy Policy
- Strava OAuth — Authentication and activity sync. We receive your name and profile. Strava Privacy Policy
- Google Analytics 4 — Anonymized usage analytics (with consent). How Google uses data
- Cloudflare — CDN and DDoS protection. Cloudflare Privacy Policy
- Resend — Transactional email delivery. Resend Privacy Policy
5. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing of your data
- Data portability — receive your data in a structured format
- Object to processing based on legitimate interest
- Withdraw consent at any time (e.g., cookie preferences)
To exercise any of these rights, email [email protected]. We will respond within 30 days.
6. Data Deletion
You can request complete deletion of your account and all associated data (reviews, race results, training plans, follows, activity history) by emailing [email protected].
We will delete your data within 30 days and confirm the deletion via email.
7. Data Storage & Security
- Data is stored on a self-hosted server in Germany (Hetzner, Falkenstein datacenter)
- All connections are encrypted via TLS (HTTPS)
- Passwords are not stored — we use OAuth exclusively
- Session tokens are HttpOnly, Secure, and SameSite cookies
- Database is SQLite with file-system level access controls
8. Children
Marathon Index is not directed at children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us for deletion.
9. Changes
We may update this policy. Significant changes will be communicated via a banner on the site. The "Last updated" date at the top reflects the most recent revision.
10. Contact & Supervisory Authority
For privacy questions: [email protected]
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority. In Sweden: Integritetsskyddsmyndigheten (IMY).