Spectate1. Who we are
SpectateMe is operated by Stephen Hopkins, a sole trader registered in England and Wales (“we”, “us”, or “SpectateMe”). Our contact address is hello@spectateme.co.uk.
We are the data controller for the personal information described in this policy. This policy applies to the SpectateMe Android application and any websites we operate under spectateme.co.uk.
2. What information we collect and why
SpectateMe collects the minimum data needed to do its job: connect runners and their supporters during a race so they can find each other.
| Data | Why we collect it | How long we keep it |
|---|---|---|
| Precise GPS location (runner position and spectator live position) |
Core functionality — so the runner can receive proximity alerts as they approach each supporter's location. Spectator locations are shared with the runner only, never with other spectators. | Never stored. Transmitted in real time over an encrypted connection to the runner only (for spectator location) or to all session participants (for runner location). Not written to any database. |
| Your name (from your Google account) |
Displayed to other participants in your session so they can identify you (e.g. “Sarah is 50 m away”) | Stored while your account exists. Deleted when you delete your account. |
| Email address (from your Google account) |
Account identification and correspondence | Stored while your account exists. Deleted when you delete your account. Never shown to other users. |
| Google account ID | To manage your account, verify subscriptions, and prevent free-trial abuse after deletion | Deleted when you delete your account. A one-way cryptographic hash of your Google ID is retained for up to 14 months after deletion to prevent repeat free-trial use (see Section 6). |
| Subscription / entitlement status | To determine whether you have runner access | Deleted when you delete your account. |
| Session records (session ID, participants, timestamps — no location data) |
Support and diagnosis if something goes wrong during a race | Automatically deleted 5 days after session end. Deleted immediately when you delete your account. |
| Server application logs (internal user ID, display name, session ID, subscription status events, auth failure reasons) |
Operational diagnostics — identifying errors and debugging issues during races. Logs do not contain location data, email addresses, full Google IDs, or payment details. | Automatically deleted after 14 days. Stored in AWS CloudWatch Logs (London region, encrypted at rest). Not linked to session records after session deletion. |
3. Legal basis for processing
We process your personal data under UK GDPR on the following bases:
- Contract performance — processing your name, email, Google ID and location data to provide the app functionality you have signed up for.
- Legitimate interests — retaining a hashed identifier after account deletion to prevent abuse of our free trial offer. Our interest in preventing fraud is proportionate to the minimal data retained (a one-way hash — not your name, email, or raw Google ID).
4. How we share your data
We do not sell your data. We do not share it with advertisers. We share data only in these limited circumstances:
Within an active session
Your name and real-time GPS position are shared within your active session — but with an important distinction:
- Runner location is visible to all spectators in the session, so everyone can see the runner's progress on the map.
- Spectator location is visible to the runner only — never to other spectators. If a runner has multiple supporters spread across the course, each supporter's position is private from one another.
You initiate every session and choose who joins it.
Infrastructure providers (data processors)
- Amazon Web Services (AWS) — our cloud infrastructure provider, used to run the servers that relay location data and store account information. Servers are located in the UK (eu-west-2 / London region).
- Google — provides sign-in (Google Sign-In / OAuth 2.0). We receive your name, email address, and Google ID from Google when you sign in. Google’s own privacy policy applies to that sign-in process.
Legal requirement
We may disclose information if required by law or a valid legal process.
No analytics or advertising
SpectateMe does not use any analytics services, advertising networks, or tracking technologies. There are no third-party SDKs in the app beyond Google Sign-In and the Google Maps SDK (used to display the course map).
5. Security
All data in transit between the app and our servers is encrypted using TLS (HTTPS and WSS). Location data is never written to persistent storage. Account data held in our database (AWS DynamoDB) is encrypted at rest.
Application logs are written to AWS CloudWatch Logs (London region, encrypted at rest) and are automatically deleted after 14 days. Logs record operational events such as session creation, joins, and errors. They do not contain GPS coordinates, email addresses, or payment information.
If you become aware of any security concern, please contact us at hello@spectateme.co.uk.
6. Account deletion and data retention
You can request deletion of your account and all associated data at any time. To do so, email hello@spectateme.co.uk with the subject line “Delete my account”. We will process your request within 30 days.
When your account is deleted:
- Your name, email address, and Google ID are deleted from our systems.
- Your subscription or entitlement record is deleted.
- Any open sessions are closed.
- Session records relating to you are purged immediately (rather than waiting for the 5-day automatic purge).
What we keep after deletion
For up to 14 months following account deletion, we retain:
- A one-way cryptographic hash (SHA-256) of your Google ID. This hash cannot be reversed to identify you; it is a mathematical fingerprint only. We retain it solely to prevent someone from deleting their account and immediately creating a new one to obtain another free trial.
- Your Google Play purchase token (if you had an active or past Google Play subscription). We retain this solely to restore your subscription if you re-subscribe within the retention period. It is not shared with any third party beyond Google Play's own systems.
Both items are automatically and permanently deleted after 14 months.
More detail, including how to exercise your rights, is available on our FAQ page.
7. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data (see Section 6).
- Portability — request your data in a machine-readable format.
- Restriction — ask us to restrict processing in certain circumstances.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, contact us at hello@spectateme.co.uk. We will respond within one calendar month.
If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
8. Children
SpectateMe is not directed at children under the age of 13 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
9. Changes to this policy
We may update this policy from time to time. The “last updated” date at the top of this page reflects when changes were last made. If changes are significant, we will notify users through the app. Continued use of SpectateMe after changes are posted constitutes acceptance of the updated policy.
10. Contact us
For any questions about this policy or your personal data:
- Email: hello@spectateme.co.uk
- Subject line for data requests: “Privacy Request”
- Subject line for deletion requests: “Delete my account”
We aim to respond to all requests within 30 days.