Privacy Policy

Last updated: 17 May 2026

Who We Are

Route Raiser is operated by Curtis Timson. If you have any questions about this privacy policy, please contact us via the social links in the footer.

What Data We Collect and Why

Account Data

If you create an account, we store your email address and a hashed password (or a third-party OAuth token if you sign in via Google). This data is held in Supabase and is used solely to authenticate you and to send you notifications you have explicitly requested. The legal basis is the performance of a contract (Article 6(1)(b) UK GDPR).

Segment Follows

If you choose to follow a donation segment on a fundraising map, we store the following information: your user ID, the fundraising page ID, the donation ID, the donor's public display name (as shown on the JustGiving fundraising page), and the calculated distance along the route at which the segment ends. This data is used to send you a single email notification when the runner passes the end of your followed segment. The donor's display name is publicly visible on the JustGiving fundraising page; we store it solely to identify the segment in your dashboard and notification email. The legal basis is legitimate interests (Article 6(1)(f) UK GDPR). You can delete any followed segment from your dashboard at any time.

Analytics (Google Analytics 4)

If you accept cookies, we use Google Analytics 4 to understand how visitors use this site. Google Analytics collects information such as pages visited, time spent on pages, your browser type, and your approximate location (country/city level). Your IP address is anonymised before it is stored. Google Analytics sets the following cookies: _ga and _ga_JNBBRYVLPG.

Legal Basis for Processing

We only set analytics cookies with your explicit consent (Article 6(1)(a) UK GDPR). You can withdraw your consent at any time by clicking Cookie settings in the footer.

Data Retention

Google Analytics data is retained for 14 months.

Third-Party Data Processors

We use the following third-party data processors:

• Supabase, Inc. — stores account credentials and segment follow data. Hosted on AWS in the EU (Ireland). See Supabase's Privacy Policy.
• Resend, Inc. — sends transactional notification emails. Based in the United States; transfers are made under the EU-US Data Privacy Framework. See Resend's Privacy Policy.
• Google LLC — analytics (only if you accept cookies). Based in the United States; transfers are made under the UK Extension to the EU-US Data Privacy Framework. See Google's Privacy Policy.

Your Rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you
• Rectification of inaccurate personal data
• Erasure of your personal data
• Restriction of processing
• Data portability
• Object to processing based on legitimate interests
• Withdraw consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us via the social links in the footer.

How to Withdraw Consent or Manage Cookies

You can withdraw your consent at any time by clicking Cookie settings in the footer of any page. This will reset your preferences and show the consent banner again. You can also clear cookies directly in your browser settings.

Right to Complain

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk.