PRIVACY Updated July 15, 2026

Minimal proof.
Public settlement.

Scope and contact

This notice covers Lock In. Lock In keeps one offchain record: your Strava connection, described below. There is no other product account, and an optional Lock In handle is public contract state rather than a private account. The contact below handles privacy requests, security reports, and funds incidents.

Website and wallet

The app reads the public address of the wallet you connect and public Monad state to display locks and prepare transactions. Before requesting admission or a check-in, the app asks you to sign a human-readable, five-minute wallet challenge. A successful signature creates a strictly necessary Secure, HttpOnly, SameSite=Strict browser cookie, bound to that wallet and website origin for up to 12 hours. The cookie contains a server-authenticated session token, not your signature or private key. Create and join admission uses your public wallet, action, Lock ID where applicable, nonce, and expiry. Hosting and RPC providers may process technical data such as IP address, device, request time, and logs under their own policies.

Social profile, score, and reactions

You may choose a public Lock In handle for your wallet. It is optional and separate from your Strava identity. Setting, changing, or clearing it creates permanent public events. Clearing removes the active handle from normal Lock In surfaces and releases it for reuse, but cannot erase its history. Accepted mission days publish non-transferable Lock Score events: at most 10 overall points per wallet and UTC day, and each hashed service identity can score only for its first linked wallet in that mission. Another wallet's valid completion can still affect its Lock payout without earning points. This reduces multi-wallet farming but does not prove a unique human across services. The owner can hide an abusive handle without hiding the wallet or score. Points and high-fives never affect settlement or payouts.

Invite codes

A LOCK-… invite code is derived from a public onchain Lock ID and includes a typo-detection checksum. It is intended to be shared. It is not secret, does not identify a person, and does not bypass wallet authentication, admission rules, capacity, or stake requirements.

Connecting Strava

You authorise Lock In through Strava's own consent screen, granting permission to read your activities including private ones. Lock In never sees your Strava password. Strava gives Lock In two tokens for your account. They are stored encrypted with AES-256-GCM on Lock In's server, tied to your wallet address, and are never sent to your browser, never placed in a cookie, and never written to logs. Disconnecting revokes the grant at Strava and deletes the stored connection.

What Lock In reads

When you check in, Lock In's server asks Strava for the activities that started inside that day of the lock. It reads the activity ID, name, sport type, start time, distance, moving and elapsed time, elevation gain, GPS presence, trainer status and Strava's flag status. It does not read your route, your other days, or anything about other athletes.

What Monad publishes

A check-in publishes, in public Monad calldata: the distance, moving and elapsed time, elevation gain, the activity start time, your wallet, the lock and the day, plus three values derived from your Strava data by hashing: one standing for your athlete account, one standing for that single activity, and one summarising the activity. The raw Strava identifiers are not published, though a hash is not anonymity: anyone who already knows an identifier can confirm a match. Your route, your activity title, your Strava login and your other activities are not published. Anything published on Monad is permanent and cannot be deleted.

What stays out

Your Strava tokens are never exposed to your browser, to other users, or to the blockchain. They are decrypted only in server memory, to talk to Strava, which is the one place they are sent. Your route and your Strava password never reach Lock In at all: Strava asks for your password, on its own domain.

Offchain retention

Lock In stores your encrypted Strava tokens, your Strava athlete ID and the granted scopes, for as long as you stay connected, plus a short-lived record of used authorization links. Disconnecting revokes the grant at Strava and deletes the whole row, tokens included. The wallet-authentication cookie expires after at most 12 hours. Deleting an offchain record never erases what a check-in already published in Monad calldata.

Purpose and rights

Data is used to bind proof to the requesting wallet and lock, reject replay or impersonation, prepare transactions, render public state and rankings, route invites, display reactions, moderate abusive handles, control access, and answer support. Lock In does not sell a user profile. Depending on applicable law, you may request access, correction, deletion, restriction, or objection for offchain data controlled by Lock In. You can clear your active handle, but Lock In cannot erase its historical events, other Monad records, or data controlled by independent services.

Contact

Email mookipstore@hotmail.com for a privacy request, incident, or support issue.