Privacy Policy
Last updated: March 7, 2026
1. Introduction
Welcome to Challenge Run Community ("CRC", "we", "us", or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit challengerun.net (the "Website") and use our services.
By using the Website, you acknowledge the collection and use of information as described in this Privacy Policy. Where we rely on your consent for specific processing activities (such as analytics), we will ask for it separately.
2. Information We Collect
2.1 Information You Provide
We collect information you voluntarily provide when you:
- Create an account: Display name, runner ID, bio, social media links, location (optional), pronouns (optional)
- Sign in with OAuth: Information from Discord or Twitch (username, avatar, email address)
- Submit runs: Game, category, completion time, video links, platform, challenge details
- Customize your profile: Avatar image, banner image, accent color, status message
- Contact support: Your message content and contact information
2.2 Information Collected Automatically
When you access the Website, we may automatically collect:
- Device information: Browser type, operating system, device type
- Usage data: Pages visited, time spent, referring URLs (via Cloudflare Web Analytics, only with your consent)
- IP address: Processed by Cloudflare for security purposes. We do not store raw IP addresses in our own database.
- Cookies and local storage: See Section 6 and our Cookie Policy
2.3 Information from Third Parties
When you sign in using Discord or Twitch, we receive your username, display name, profile avatar, email address (if shared), and unique provider ID. We do not receive your password or gain the ability to post on your behalf.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation, authentication, displaying your profile and runs | Contract performance — necessary to provide the service |
| Essential cookies (authentication, preferences) | Legitimate interest — strictly necessary for the service |
| Analytics (Cloudflare Web Analytics) | Consent — only activated after you accept analytics cookies |
| Security and fraud prevention | Legitimate interest — protecting the Website and its users |
| Legal compliance | Legal obligation — where required by applicable law |
Where we rely on legitimate interest, we have assessed that our interests do not override your rights and freedoms. You may object to processing based on legitimate interest at any time.
4. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Website
- Create and manage your account
- Display your runner profile and submitted runs
- Verify and moderate submissions
- Respond to support requests
- Detect and prevent fraud, abuse, or security issues
- Comply with legal obligations
We do not sell your personal information to third parties. We do not use your data for advertising or profiling.
5. Information Sharing
5.1 Public Information
Your runner profile (display name, bio, social links, avatar, banner, location if provided), submitted runs, and achievements are publicly visible by design. You control what optional information appears on your profile and can edit or remove it at any time.
5.2 Service Providers
We share data with trusted third parties who help us operate the Website:
- Supabase (Supabase Inc.) — Database hosting and authentication. Privacy Policy
- Cloudflare (Cloudflare, Inc.) — Hosting, CDN, security, and analytics. Privacy Policy
These providers process data on our behalf under Data Processing Agreements (DPAs) and have their own privacy policies governing how they handle data.
5.3 Legal Requirements
We may disclose your information if required by law, subpoena, or court order, or if we believe in good faith that disclosure is necessary to protect rights, safety, or property, or to prevent fraud or illegal activity.
5.4 Business Transfers
If CRC is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We would notify you before your data becomes subject to a different privacy policy.
7. Data Retention
We retain your information based on the following schedule:
- Active account data: Retained for as long as your account is active and needed to provide services.
- After account deletion: Personal data is deleted or anonymized within 30 days, except where required by law.
- Anonymized run records: Retained indefinitely to preserve community leaderboard integrity. Anonymized data cannot be traced back to you.
- Support communications: Retained for up to 2 years after resolution, then deleted.
- Audit and moderation logs: Retained for 1 year for accountability purposes.
- Backup copies: Purged within 90 days of the data being deleted from live systems.
Run submissions may be anonymized (rather than deleted) to preserve the integrity of community leaderboards. Anonymized data cannot be traced back to you.
8. Your Rights
8.1 For All Users
Regardless of your location, you have the right to:
- Access: Request a copy of your personal data
- Correction: Update inaccurate or incomplete information
- Deletion: Request deletion of your account and personal data
- Portability: Receive your data in a commonly used, machine-readable format
- Withdraw consent: Where processing is based on consent, withdraw it at any time
Many of these rights can be exercised directly through your Account Settings, where you can export your data, manage cookie preferences, and delete your account without contacting us.
8.2 For EU/EEA/UK Residents (GDPR)
You additionally have the right to restrict processing, object to processing based on legitimate interests, and lodge a complaint with your local supervisory authority. We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
8.3 For California Residents (CCPA/CPRA)
You have the right to know what personal information we collect, request deletion, opt out of the sale or sharing of personal information, request correction, and exercise your rights without discriminatory treatment. We do not sell or share personal information as defined by the CCPA/CPRA.
8.4 Exercising Your Rights
Many rights can be exercised directly through your Account Settings. For requests that cannot be handled through self-service, contact us at privacy@challengerun.net. We will verify your identity before processing your request and respond within 30 days. If a request is complex, we may extend this by an additional 60 days with prior notice.
9. Children's Privacy
The Website is not intended for children under 13 years of age (or under 16 where required by law). We do not knowingly collect personal information from children under these ages. If you believe a child has provided us with personal information, please contact us at privacy@challengerun.net and we will promptly delete such information.
10. Data Security
We implement appropriate technical and organizational security measures to protect your personal data, including encryption of data in transit (TLS) and at rest, access controls restricting who can access user data, and regular review of our security practices. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
11. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and will notify affected users without undue delay. Notifications will describe the nature of the breach, the likely consequences, and the measures taken to address it.
12. International Data Transfers
CRC is operated from the United States. Your data is processed by our service providers in the United States and other locations.
For transfers of personal data from the EEA, UK, or Switzerland to countries without an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission, or our service providers' equivalent transfer mechanisms. Our primary service providers (Supabase and Cloudflare) maintain Standard Contractual Clauses and equivalent safeguards for international data transfers.
By using the Website, you acknowledge that your information may be transferred to countries that may have different data protection laws than your country of residence.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page. For significant changes, we will provide a prominent notice on the Website.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
- Email: privacy@challengerun.net
- Support: Support
If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.