Privacy policy
MBGlobal privacy policy for app, API, and website
This Privacy Policy explains what MBGlobal Active Challenges collects, why we collect it, how it is protected, and what controls you have when using the Android app, API services, admin workflows, and public website.
1) Scope and service roles
MBGlobal operates a fitness challenge platform composed of an Android application, a REST API, an admin console, and a public website. MBGlobal acts as the data controller for account, workout, challenge, and support data processed by this platform.
- Android app: MBStreak (package com.mbglobal.mbstreak).
- Public website: informational pages, leaderboard visibility, and contact form.
- API: authentication, profile, workout, groups, challenges, and history services.
- Admin panel: moderation and operational account oversight.
2) Data categories we collect
Account identity and authentication
- Email address, display name, and password hash during account registration.
- Access tokens and refresh tokens for signed-in sessions.
- Refresh tokens are stored server-side as secure hashes.
Profile and preferences
- Goal type, goal value, goal unit, timezone, cutoff time, and profile visibility flag.
- Notification preference switches stored on device.
- Device install identifier used to build a push token string.
Workout and activity records
- Activity type, duration, optional distance, optional notes, and workout date.
- Derived values: points, streak counters, goal-met status, and calorie estimates.
- Workout history snapshots and daily summaries used for charts and calendar views.
Groups, challenges, and social visibility
- Group membership, invite-code joins, challenge joins, progress, and rankings.
- Challenge requests, moderation notes, and linked challenge IDs where applicable.
- Display names and progress can appear in group and challenge leaderboards.
Website and support data
- Contact form submissions: name, email, subject, message, and source page.
- Security metadata: IP address, user agent, request identifiers, and rate-limit counters.
- Session and CSRF cookies for website security and form integrity.
3) Permissions and sensitive access
- Internet / network state: required to call MBGlobal API endpoints.
- Coarse/Fine location (optional): used only when GPS Assist is enabled by the user.
- Location behavior: the app reads last known coordinates for in-app assistance; current workout sync payloads are based on activity fields and do not include a dedicated location field.
- No ad SDKs: MBStreak does not integrate ad networks for profiling or monetization.
4) How we use personal data
- Provide account authentication, session continuity, and secure API authorization.
- Deliver core fitness features: workout logging, streak tracking, challenges, and leaderboards.
- Operate community features: groups, challenge requests, moderation, and abuse prevention.
- Maintain reliability: diagnostics, request metrics, and incident troubleshooting.
- Communicate support responses for submitted website inquiries.
5) Data sharing and disclosure
- Within the platform: your display name and progress can be visible to group/challenge peers.
- Public endpoints: public challenges and public leaderboard data are intentionally exposed.
- Service providers: infrastructure providers may process data to host and secure the service.
- Legal compliance: data may be disclosed to satisfy valid legal obligations.
- No sale of personal data: MBGlobal does not sell personal information.
6) Storage, retention, and security
On-device safeguards
- Authentication session tokens are stored in encrypted preferences when available.
- Feature caches and preference toggles are stored locally to support app responsiveness.
- Users can clear app storage or uninstall to remove local cached content.
Server safeguards
- Password values are never stored in plain text; hashes are stored instead.
- Refresh tokens are hashed prior to storage and can be revoked on logout/rotation.
- Access controls and operational logs are used to protect service integrity.
Data retention depends on account lifecycle, operational need, and legal requirements. Security and authentication records may be retained for fraud prevention and incident response.
7) Your rights and choices
- Access and update profile fields directly from the app settings screen.
- Control profile visibility and local notification preferences.
- Request account data export, correction, or deletion by contacting support@mbgobal.fit.
- Withdraw optional location permission at the Android OS level at any time.
- Sign out to revoke active refresh token usage for that session flow.
8) Children and policy updates
MBGlobal services are intended for users able to consent under applicable law. If you believe a child has provided personal data without appropriate authorization, contact support@mbgobal.fit so we can review and remove data where required.
We may update this policy as features or legal requirements evolve. Material updates are published on this page with a revised effective date.