Privacy Policy
Last updated: 30 May 2026
Climb Hub ("we", "us", "our") operates the Climb Hub mobile application and related services. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
1. Data We Collect
Information you provide
- Account data: email address, username, display name, password (hashed), profile photo
- Profile data: climbing styles, skill level, location (city/region), bio, pronouns (optional, with user-controlled public visibility)
- Content: posts, climb logs, ratings, comments, photos, beta videos (short climbing-tip videos up to 60 seconds and 75 MB — including any audio track captured by your device's microphone while filming) and the JPEG poster thumbnails the app extracts from them locally before upload, event RSVPs, messages. The "upload without sound" toggle on the beta-video composer mutes in-app playback and strips the audio track from any branded share variant we render for off-platform sharing, but the audio in your original uploaded file remains in our object storage until you delete the post or your account.
- Business data: if you register a climbing gym or business, its name, address, hours, and contact info
- Third-party board credentials: if you connect a Kilter Board or MoonBoard account, we store your username and password for that service. Passwords are encrypted at rest using AES-256-GCM. These credentials are used solely to sync your climbing logbook and are deleted immediately when you disconnect the account.
Information collected automatically
- Device info: device type, operating system, app version
- Usage data: screens visited, features used, timestamps
- Activity status: a "last active" timestamp, updated when you open the app, used to order your friends and messaging lists so recently active people appear first. We do not display your exact activity time to other users.
- Error logs: crash reports and error data to improve stability
- IP address: collected with API requests for security and rate-limiting
Bluetooth data (Kilter Board connectivity)
When you use the optional Kilter Board connectivity feature to illuminate climb holds on a physical board, the app interacts with Bluetooth Low Energy (BLE) devices on your device:
- Bluetooth scan results: during scanning, your device temporarily receives the names, Bluetooth MAC addresses, and signal strength (RSSI) of nearby Bluetooth devices in order to identify your Kilter Board. This data is processed locally on your device for the sole purpose of showing you a list of boards you can connect to.
- Board connection: once you select a board, the app sends illumination commands (which holds to light up, and their colours) to the board over Bluetooth.
- Not transmitted to our servers: Bluetooth scan results, MAC addresses, RSSI values, and the details of any board interaction are never sent to Climb Hub servers or to any third party. All Bluetooth data stays on your device and the board you connect to.
- Location permission (Android): Android requires location permission in order for apps to scan for Bluetooth devices. Climb Hub requests this permission solely to enable Bluetooth scanning for the Kilter Board feature. We do not use this permission to collect or store your geographic location. You can revoke this permission at any time in your device settings; the Kilter Board feature will be unavailable but the rest of the app will work normally.
- Entirely optional: the Kilter Board connectivity feature is opt-in. If you do not use it, no Bluetooth data is collected or processed at all.
Information from third parties
- Social login: if you sign in with Google, Apple, or Facebook, we receive your name and email from the provider. We do not access your contacts, posts, or other social data.
- Climbing board data: if you connect a Kilter Board or MoonBoard account, we import your climbing logbook (send history, grades, dates) from those services. We also import publicly available climb catalogue data (climb names, grades, setters) to populate the climb database.
2. How We Use Your Data
| Purpose | Legal basis |
|---|
| Provide and maintain the service | Contract performance |
| Authenticate your identity | Contract performance |
| Show your content to friends and the community | Contract performance / Consent |
| Order your friends and messaging lists by recent activity | Legitimate interest |
| Send transactional emails (password reset, account alerts) | Contract performance |
| Improve the app and fix bugs | Legitimate interest |
| Sync your climbing logbook from connected third-party services | Consent |
| Enable optional Bluetooth connectivity to a physical Kilter Board | Consent |
| Prevent abuse, fraud, and security threats | Legitimate interest |
| Comply with legal obligations | Legal obligation |
We do not sell your personal data to third parties. We do not use your data for behavioural advertising.
3. Data Sharing
We share data only in these limited circumstances:
- With other users: your profile, posts, and climb logs are visible to friends or friend-of-friends based on your privacy settings
- Service providers: we use third-party services to operate the platform:
- Amazon Web Services (hosting, file storage, including S3 + CloudFront delivery for photos, beta videos, and thumbnails)
- Cloudflare Stream (adaptive-bitrate streaming delivery and thumbnail generation for beta videos; the video file and its generated thumbnails are processed and stored on Cloudflare's global content-delivery network)
- Resend (transactional email)
- Expo (push notifications)
- Firebase / Google Cloud (push notifications for production builds)
- Kilter Board / MoonBoard (climbing logbook sync, only when you connect your account)
These providers process data on our behalf under data processing agreements.
- Bluetooth devices you connect to: when you use the optional Kilter Board connectivity feature, the app sends illumination commands directly to your physical board over Bluetooth. No account, profile, or personal data is transmitted — only the hold-illumination payload required by the board.
- Off-platform sharing initiated by you: when you tap "Share video" on a beta video, our servers add a Climb Hub intro, watermark, and outro to your video and return the resulting MP4 to your device. From there, your device's operating system share menu lets you send the file to any installed app (messaging apps, social media, email, file storage, etc.). Once you send the file via your OS share menu, the recipient and any platform they use is outside Climb Hub's control. The branded video has no copy protection and may be re-shared, downloaded, or stored by recipients indefinitely. Deleting the original beta video on Climb Hub does not recall copies that have already been distributed off-platform. Only share videos you are comfortable distributing publicly.
- Legal requirements: we may disclose data if required by law, court order, or to protect the safety of our users
- Internal test accounts ("bots"): Climb Hub staff may operate a small number of internal automated test accounts. These accounts can read your public posts and, if you have manually accepted them as a friend, your friends-only posts — the same data any regular friend would see. Bots cannot read your direct messages, cannot send you messages, and do not appear in mentions, comments, likes, or notifications shown to you. We use these accounts to test and monitor the service, not to interact with you.
4. Data Retention
- Account data: retained while your account is active. After account deletion, personal data is removed within 30 days.
- Content: posts, climb logs, and beta videos (along with their poster thumbnails and any branded share variants we have rendered for off-platform sharing) are deleted when you delete them or when your account is deleted. Underlying video and image files are removed from our object storage and CDN cache within 30 days of deletion. Copies of branded videos that you or other users have already sent off-platform via the OS share menu are outside our control and cannot be recalled.
- Error logs: retained for 30 days.
- Server logs: retained for 14 days.
- Third-party board credentials: encrypted credentials are deleted immediately when you disconnect the account, or when your Climb Hub account is deleted.
- Bluetooth data: not retained. Scan results exist only in memory while the scan is active and are discarded when you leave the Board Connect screen.
5. Your Rights
Depending on your location, you may have the following rights:
- Access: request a copy of the personal data we hold about you
- Correction: ask us to correct inaccurate data
- Deletion: ask us to delete your account and associated data
- Portability: request your data in a machine-readable format
- Objection: object to processing based on legitimate interest
- Withdrawal of consent: withdraw consent where processing is based on consent
To exercise any of these rights, contact us at climb.hub.the.app@gmail.com. We will respond within 30 days.
6. California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal data)
- Non-discrimination for exercising your privacy rights
7. European Residents (GDPR)
If you are in the European Economic Area, the UK, or Switzerland, our legal bases for processing are outlined in Section 2. You have the rights listed in Section 5, plus the right to lodge a complaint with your local data protection authority.
Some of our service providers — including Amazon Web Services, Cloudflare, Resend, and Google — process and store data on servers located in the United States, and in Cloudflare's case on a global content-delivery network. Where data is transferred outside the EEA, the UK, or Switzerland, it is protected by appropriate safeguards such as Standard Contractual Clauses.
8. Children's Privacy
Climb Hub is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
9. Security
We protect your data using:
- HTTPS encryption for all data in transit
- Bcrypt hashing for passwords
- AES-256-GCM encryption for stored third-party credentials
- End-to-end encryption for private messages (Curve25519 / XSalsa20-Poly1305)
- Access controls and authentication on all infrastructure
- Regular security reviews
No system is 100% secure. If you discover a vulnerability, please report it to climb.hub.the.app@gmail.com.
10. Cookies and Tracking
The Climb Hub mobile app does not use cookies. We do not use third-party tracking or analytics SDKs. Error reporting is handled by our own infrastructure.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and notify you within the app for material changes.
12. Contact Us
For privacy-related inquiries:
