Climb Hub
Privacy Policy
Last updated: 16 April 2026
Climb Hub ("we", "us", "our") operates the Climb Hub mobile application and related services. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
1. Data We Collect
Information you provide
- Account data: email address, username, display name, password (hashed), profile photo
- Profile data: climbing styles, skill level, location (city/region), bio, pronouns (optional, with user-controlled public visibility)
- Content: posts, climb logs, ratings, comments, photos, event RSVPs, messages
- Business data: if you register a climbing gym or business, its name, address, hours, and contact info
- Third-party board credentials: if you connect a Kilter Board or MoonBoard account, we store your username and password for that service. Passwords are encrypted at rest using AES-256-GCM. These credentials are used solely to sync your climbing logbook and are deleted immediately when you disconnect the account.
Information collected automatically
- Device info: device type, operating system, app version
- Usage data: screens visited, features used, timestamps
- Error logs: crash reports and error data to improve stability
- IP address: collected with API requests for security and rate-limiting
Bluetooth data (Kilter Board connectivity)
When you use the optional Kilter Board connectivity feature to illuminate climb holds on a physical board, the app interacts with Bluetooth Low Energy (BLE) devices on your device:
- Bluetooth scan results: during scanning, your device temporarily receives the names, Bluetooth MAC addresses, and signal strength (RSSI) of nearby Bluetooth devices in order to identify your Kilter Board. This data is processed locally on your device for the sole purpose of showing you a list of boards you can connect to.
- Board connection: once you select a board, the app sends illumination commands (which holds to light up, and their colours) to the board over Bluetooth.
- Not transmitted to our servers: Bluetooth scan results, MAC addresses, RSSI values, and the details of any board interaction are never sent to Climb Hub servers or to any third party. All Bluetooth data stays on your device and the board you connect to.
- Location permission (Android): Android requires location permission in order for apps to scan for Bluetooth devices. Climb Hub requests this permission solely to enable Bluetooth scanning for the Kilter Board feature. We do not use this permission to collect or store your geographic location. You can revoke this permission at any time in your device settings; the Kilter Board feature will be unavailable but the rest of the app will work normally.
- Entirely optional: the Kilter Board connectivity feature is opt-in. If you do not use it, no Bluetooth data is collected or processed at all.
Information from third parties
- Social login: if you sign in with Google, Apple, or Facebook, we receive your name and email from the provider. We do not access your contacts, posts, or other social data.
- Climbing board data: if you connect a Kilter Board or MoonBoard account, we import your climbing logbook (send history, grades, dates) from those services. We also import publicly available climb catalogue data (climb names, grades, setters) to populate the climb database.
2. How We Use Your Data
| Purpose | Legal basis |
|---|
| Provide and maintain the service | Contract performance |
| Authenticate your identity | Contract performance |
| Show your content to friends and the community | Contract performance / Consent |
| Send transactional emails (password reset, account alerts) | Contract performance |
| Improve the app and fix bugs | Legitimate interest |
| Sync your climbing logbook from connected third-party services | Consent |
| Enable optional Bluetooth connectivity to a physical Kilter Board | Consent |
| Prevent abuse, fraud, and security threats | Legitimate interest |
| Comply with legal obligations | Legal obligation |
We do not sell your personal data to third parties. We do not use your data for behavioural advertising.
3. Data Sharing
We share data only in these limited circumstances:
- With other users: your profile, posts, and climb logs are visible to friends or friend-of-friends based on your privacy settings
- Service providers: we use third-party services to operate the platform:
- Amazon Web Services (hosting, file storage)
- Resend (transactional email)
- Expo (push notifications)
- Firebase / Google Cloud (push notifications for production builds)
- Kilter Board / MoonBoard (climbing logbook sync, only when you connect your account)
These providers process data on our behalf under data processing agreements.
- Bluetooth devices you connect to: when you use the optional Kilter Board connectivity feature, the app sends illumination commands directly to your physical board over Bluetooth. No account, profile, or personal data is transmitted — only the hold-illumination payload required by the board.
- Legal requirements: we may disclose data if required by law, court order, or to protect the safety of our users
4. Data Retention
- Account data: retained while your account is active. After account deletion, personal data is removed within 30 days.
- Content: posts and climb logs are deleted when you delete them or when your account is deleted.
- Error logs: retained for 30 days.
- Server logs: retained for 14 days.
- Third-party board credentials: encrypted credentials are deleted immediately when you disconnect the account, or when your Climb Hub account is deleted.
- Bluetooth data: not retained. Scan results exist only in memory while the scan is active and are discarded when you leave the Board Connect screen.
5. Your Rights
Depending on your location, you may have the following rights:
- Access: request a copy of the personal data we hold about you
- Correction: ask us to correct inaccurate data
- Deletion: ask us to delete your account and associated data
- Portability: request your data in a machine-readable format
- Objection: object to processing based on legitimate interest
- Withdrawal of consent: withdraw consent where processing is based on consent
To exercise any of these rights, contact us at climb.hub.the.app@gmail.com. We will respond within 30 days.
6. California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal data)
- Non-discrimination for exercising your privacy rights
7. European Residents (GDPR)
If you are in the European Economic Area, the UK, or Switzerland, our legal bases for processing are outlined in Section 2. You have the rights listed in Section 5, plus the right to lodge a complaint with your local data protection authority.
8. Children's Privacy
Climb Hub is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
9. Security
We protect your data using:
- HTTPS encryption for all data in transit
- Bcrypt hashing for passwords
- AES-256-GCM encryption for stored third-party credentials
- End-to-end encryption for private messages (Curve25519 / XSalsa20-Poly1305)
- Access controls and authentication on all infrastructure
- Regular security reviews
No system is 100% secure. If you discover a vulnerability, please report it to climb.hub.the.app@gmail.com.
10. Cookies and Tracking
The Climb Hub mobile app does not use cookies. We do not use third-party tracking or analytics SDKs. Error reporting is handled by our own infrastructure.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and notify you within the app for material changes.
12. Contact Us
For privacy-related inquiries: