In an ideal world, I wouldn’t have to write a big post about two major players in the endurance sports world having a catfight. Rather, in an ideal quarantined world we’d just put both players in a Zoom call, stream it on YouTube and watch them battle it out with former GCN host Matt Stephens commentating.
But said world doesn’t exist, and thus, I’m going to try and explain all the drama. Ironically, after talking to both sides – neither actually disagrees. At least on anything substantial. Some minor differences here and there, but ultimately they actually both agree on who did what. Where they differ is on what should happen going forward.
The TLDR here is simple: Strava cut-off access for the Ironman VR Club because they violated the API agreement. That means if you were using Strava to sync activities into the newly instantiated Ironman Virtual Club, you’re SOL now. You’ll have to manually take a bunch of steps to get those workouts to that weekly competition.
Is Strava right in their move here? Probably.
Is Ironman right too? Also…probably.
Except, like all good crime stories, there’s a French Connection.
In the Beginning:
As with most companies over the past few weeks, Ironman looked to find a way to keep their customers (and fanbase) engaged in their business. With races off for the foreseeable future, they turned to figuring out how to run some indoor-ish events instead. That effort was effectively split into two pieces. The first piece was getting pros racing bikes on a livestream with the Rouvy app, dubbed Ironman VR Series. That portion is incredibly cool (watch last week’s here), and honestly a model for where virtual endurance sports racing can go in terms of production quality (despite being run out of people’s bedrooms). That part isn’t in trouble.
The other half of the plan was for ‘everyone else’ (non-pros). For that, they made Ironman Virtual Club (but they sometimes also call it Ironman VR Club, sometimes Ironman VR). You’d join the Ironman Virtual Club using a quick sign-up form, then link your device accounts to Strava, Garmin, Suunto, or Polar and then complete a weekly ‘race’. It wasn’t so much a true race, as it was attaining a certain mileage level across two runs and one bike within a specific time period. Once you completed your required mileage levels on the device of your choice, it’d sync the completed activity via Strava to the Ironman Club website and you’d get credit for that. Various prizes and social butterfly postings would ensue.
The challenge is, Ironman doesn’t have the expertise in-house to construct something like this. So they turned to a small French company based in Paris called Sport Heroes. That company has years of experience creating virtual events just like this. They’ve done it for mostly French customers, but big recognizable names like Air France and UNICEF, among many others. Their platform has some 1.2 million users on it across the various company customers they support. This can include corporate wellness programs and virtual races. And within that, they support more than just Garmin/Suunto/Polar/Strava workout uploads, but also uploads from other platforms like Under Armor and TomTom.
So, at first glance all would seem pretty straightforward. Sure, the Ironman Virtual Club had some teething pains around activity sync, but that’s to be expected for anything semi-last minute at such scale. However, what wasn’t expected to Strava, was how it was architected behind the scenes.
See, of the 41,000 applications that have Strava API (Application Platform Interface) access, each of them is assigned a unique identifier. Specifically, an authorization key that’s unique to that application. Be it a big partner like Garmin, Zwift, or Fitbit, a medium -sized partner like FulGaz, or a single hobbyist dude in a studio apartment with three fake test users. If the company wants to develop separate applications they need separate keys. Mind you, getting a key is as easy as ordering adult toys on Amazon. It takes just a few minutes and you’re on your way to self-satisfaction.
The challenge here was that when Sport Heroes created the Ironman Virtual Club platform, they didn’t request a new key for just that application. Instead, they used their existing key. Which, was the same key they’d been using for the last 6 years for all their applications and corporate customers. All these companies would just be shuffled under a single Strava API key. The practical meaning to that was somewhat simple: If you signed up for a Ironman Virtual Club account and then authenticated to Strava, you didn’t see ‘Ironman’ in the list of partners but instead saw ‘Sport Heroes’.
In Strava’s eyes, that was a big no-no. It violated their terms of service outlined on the API start page.
“You are solely responsible for the confidentiality of your API Token and may not share your API Token with any other developer or use it for more than one application or service.”
More specifically, Strava says what Sport Heroes is doing is a violation of GDPR and CCPA. From their perspective, that put them on the hook legally to inform users and severe the connection. If they did nothing and someone got wind, they argued that someone could say Strava let it happen.
To illustrate what this looks like, I’ve made a simple drawing. I could have whipped something up in Visio, but honestly, this is easier. If people can do WebEx calls in their pajamas with fake backgrounds, then I can make a drawing with my kids crayons on previously used paper.
The other companies there on the right are things like Air France and other corporate customers. But it’s the single API connection shared among all these different projects/apps/companies that’s the sticking point.
Whereas, below is what it ‘should’ have looked like in order to appease Strava’s terms of service as well as regulatory concerns:
Now, the point of some debate is whether or not the data was comingled within the Sport Heroes platform. Meaning, are all of the user data from Strava in a single repository at Sport Heroes, or are they separate databases for each company customer? Strava says they’re all in one pile, but Sport Heroes says it’s a bit more complicated. For some of their corporate customers they are totally separate silos. While others share the same database but don’t have rights across it. They say there’s no awareness across these sets unless a user specifically consents to it.
Strava says that some proof to the contrary is that if you delete the connection between Strava and Ironman Virtual Club, it doesn’t actually delete the activities as it should. They note that if you were to re-connect to Ironman Virtual Club, then you’ll find your existing activities from before that then resided in the Sport Heroes (app/platform). These shouldn’t be there at this point since the connection was severed.
Frankly, I’m not sure it really matters a ton in this context. Some 60,000 users agreed to terms of service when they signed up for an Ironman Club account that clearly spelled out what was happening. And to date, they haven’t violated those terms in any obvious way.
Get Me A Calendar:
When the Ironman Club launched is the first time Strava realized what was happening. The same day you as a user found out about it, was the same day Strava found out about it. Which isn’t to say Strava didn’t know what Sport Heroes was doing, at least in passing.
According to Sport Heroes they had a video conference last fall that detailed their operations and forward-looking business plans. This included an outline of how things worked today and the existing customers. At no point during that call or afterwards did Strava raise concerns about the technical implementation that had been in place for the last 6 years. Inversely, it’s also not clear how deep that call went into the implementation.
In talking with Strava, given they have some 41,000 API partners, they can’t reasonably investigate and interrogate every single one on a monthly basis. Instead, they tend to pay more attention to a given partner when the user count profile rises high enough (or, some other racket occurs). Fair enough, that’s how most companies operate. In other words, the squeaky wheel gets the oil.
So, re-wind to March 29th when the Ironman Club site went live and Strava realized the implications of it. According to them they pretty much immediately reached out to both Ironman and Sport Heroes to try and get things changed. They offered new and unique API keys, which they assumed would be a quick and simple operation. Companies swap API keys all the time according to Strava, which they say is a non-event.
But based on the way Sport Heroes architected their platform, such a swap was all but easy. Still, on April 6th Strava gave them 10 days to make the change, with a cut-off slated for April 16th. Between April 6th and April 15th, more or less nothing happened from the Sport Heroes side in terms of movement towards a change (both sides agree to this).
However, Sport Heroes says they requested a technical call multiple times, which they say was only given on April 15th. During that “technical call”, it didn’t sound like much technical discussion occurred (and both sides agree to this too). Strava was offering that if Sport Heroes at least fixed the Ironman connection short term, they’d give the company more time to sort out the remainder of their company customers. Whereas Sport Heroes was looking for other business guarantees and commitments from Strava. Ultimately, by 10:35PM European time on April 15th Sport Heroes had sent a note to Strava saying they couldn’t meet the timelines imposed, and would need four more weeks.
Strava cut them off the next morning US Pacific time (yesterday, April 16th).
From talking to both sides here, it sounds like there might have been a bit of presumptive assumptions going on. I get the feeling Sport Heroes had seen what had occurred with Relive nearly a year early and figured Strava was after them too. Concurrently, Strava is still a bit touchy on companies violating GDPR after the Relive fiasco. I think both sides feared the worst, and neither side seemed to want to back down.
(Because this post is already too long, I’ll simply note that no, this isn’t exactly like Relive. Strava says they actually want to keep Sport Heroes and Ironman Club in the platform and offered to help. That same offering wasn’t mirrored for Relive.)
Throwing Mud:
Of course, the fun doesn’t actually get started until after the cut-off occurs. That’s when both sides start to make their PR moves. Or in this case, all members of the threesome. The first was actually Strava, at around 8AM Pacific on April 16th. After cutting off sync of new activities from Strava to all of Sport Heroes (thus, impacting some 200,000-300,000 active Strava linked users well beyond just Ironman), Strava updated their support page with information about why they were doing what they were doing. You can read below pretty easily, so I won’t re-hash it.
They also published a short written statement from their CEO Michael Horvath:
“We’re big fans of all of the ways athletes in our community are inspiring and motivating each other right now. We’ve been working with our partners to help provide virtual race experiences for athletes whose races have been cancelled around the world. Strava is focused on athletes having a fun and safe experience using our platform and we discontinued Sport Heroes’ access to our API when we learned that they failed to give athletes transparency or clear choices about where their data is going and took no action after we asked them to fix the problem. We want to find ways to work with Sport Heroes going forward, but they have to fix it first.”
Now, the connection from Strava to Sport Heroes remains in place. It’s just that there’s no data flowing across it at this moment. Sorta like stadiums, hair salons, and restaurants right now. Turning that data flow back on is relatively straightforward if/when Sport Heroes makes the change.
Speaking of which, Sport Heroes updated their site as well – with what seems like it might be the understatement of the day. Polite though, similar to Strava.
However, Ironman themselves decided they didn’t want to be outdone. They went full Team Americana on the situation with this e-mail out to all users of the platform:
Now, I think we’d all agree that in terms of accuracy of the situation presented by each side, I’d rank them as follows:
Strava: Pretty accurate, debatable on Sport Heroes data consolidation aspects
Sport Heroes: Technically accurate, debatable dependent on point of view on who has to fix what
Ironman: Burn the ship down! Pretty misleading about the situation
Most misleading from Ironman was the opening statement that they were “informed by Strava this morning”. No, actually, they weren’t. They were informed nearly three weeks ago by Strava, then again numerous times. Both Strava and Sport Heroes agree upon that quite clearly. It’s just that based on what Strava is saying – Ironman pretty much just shrugged this off and tried to wash its hands of it into Sport Heroes lap.
Why not just fix it?
Obviously, that’d be easiest. But neither side seems to agree here that a fix is needed. In Strava’s eyes, the fix is simple: Just use a new API key like every other app.
To Sport Heroes though, that’s a huge re-write of their platform – irrespective of the Ironman aspect. Setting aside whether or not Sport Heroes is comingling data, the way their platform is architected to use that single key is a huge technical issue for them to solve. According to Paul-Emile Saab, their COO, it would take them approximately 4 weeks to do that. And that’s assuming they dropped everything else on their plate to deal with it.
Remember, Strava only asked for the Ironman bits to be solved for now, giving Sport Heroes time to sort out the rest of their corporate customers. But in Sport Heroes eyes, there wasn’t much technical difference there – the lift was the same either way. All in all the company would need about 15-20 different API keys. Technically that’d be a breeze for Strava, but practically that would mean a significant re-architecture behind the scenes for Sport Heroes.
And in their eyes – it’s not worth it.
In talking with Paul-Emile this evening, he says they’ve got no urgency on changing their architecture to support Strava. He says that at present users can directly link Garmin, Polar, and Suunto devices to their Ironman Club accounts, and via the larger Sport Heroes ecosystem they can link Adidas, Nike+, UnderArmour, TomTom, and many other devices.
Said differently, don’t expect a fix anytime soon.
Wrap-Up:
As I said at the beginning, it’s easy to see how both sides are probably right here. There’s no ambiguity that Sport Heroes is violating Strava’s terms of service in relation to the API. That’s spelled out in plain English in the second paragraph of the API terms “…and may not share your API Token with any other developer or use it for more than one application or service.” Whether or not that somehow violates GDPR or other regulatory bits as Strava claims is probably debatable.
Similarly though, Sport Heroes is also kinda right too. This isn’t a new platform, and it’s certainly not small. With 1.2 million users, undoubtedly it was on Strava’s radar. And certainly enough so that the meeting Sport Heroes had with Strava last fall with key Strava individuals that are responsible for the platform and the API. At no point did Strava say that violated the rules then.
Still, as anyone who has sat in a corporate video conference of what is effectively a status update or sales pitch – it’s rare that you’d leave that call and go off looking for violations of some agreement. No, you’d leave that call and go about the rest of your day. It’s like finding out later on the money is missing.
Could the two have come to some extension of time agreement here? Probably. But it also doesn’t sound like either side trusted the other enough to let that happen. And it certainly doesn’t sound like Ironman stepped in to play a helpful mediator, their e-mail shows that side of the story far more clearly than any of my conversations with the other two parties already had.
Ultimately, in the pursuit of user protection, users get hurt. Who to ultimately pin the blame on is a much tougher question.
FOUND THIS POST USEFUL? SUPPORT THE SITE!
Hopefully, you found this post useful. The website is really a labor of love, so please consider becoming a DC RAINMAKER Supporter. This gets you an ad-free experience, and access to our (mostly) bi-monthly behind-the-scenes video series of “Shed Talkin’”.
Support DCRainMaker - Shop on Amazon
Otherwise, perhaps consider using the below link if shopping on Amazon. As an Amazon Associate, I earn from qualifying purchases. It doesn’t cost you anything extra, but your purchases help support this website a lot. It could simply be buying toilet paper, or this pizza oven we use and love.
If moving to an app-specific key is such a huge undertaking for Sport Heroes, I’d suspect they’re commingling a *lot* of data on their platform. I spend a lot of time dealing with this sort of architecture for clients and if I built something that shared authentication/API keys across projects, I’d be out on my arse (for good reason)..
It sounds like Sport Heroes has approached this as if they own everything and see the different client interfaces as “skins” on their offering. I wonder if all of the customers understood that when they signed up with Sport Heroes? Does their GDPR language accurately represent that as well?
Hi,
I am Boris, founder & CEO at Sport Heroes.
We reassure you, we know what we are doing and have always worked and built by ensuring the security of our users’ data.
The fact is that we have built our architecture with a Single-Sign-On authentification, which is one of the best pratice in the IT world, and to connect to Strava (or other devices) it we need to use only one API key.
Does Strava use different Garmin APIs keys to provide specific API to each of their 3rd party? No. It is exactly the same mechanism…
There are always several ways to look at something, so here’s our side of the story: link to bit.ly
Don’t hesitate if you need a precision ;)
Boris Pourreau.
Hello Boris
That’s a strange view on term single sign on. I agree with Strava that users should be aware in detail who is processing their data what for. Accepting the transfer of data to the Ironman VR does not include the intention of an approval of transfer to your platform in general, with applications no one knows of.
I don’t acuse you for evil intentions, but I’m closer to Stavas understanding of GDPR than yours.
Regards, Rainer
Well actually SSO has nothing to do with good security practices.
Indeed SSO is a convenience, a tolerance that came in the IT world in order to facilitate users life using dozens of different front ends, because remembering dozen of different secrets is a pain in the ass for the vast majority of people in organizations.
Secrets wallets that most web browsers provide today is a similar feature.
Good practices resides in the way you implement the SSO feature, not in the fact that you implemented it or not, so at then end depending on how you implement it it can also become a major security hole.
But that’s not the point in the story, there is not need to argue on it. People have posted dozens of post and reactions, all arguing on technical points. To my opinion, the discuss around your architecture and the costs related to a tremendeous change in your architecture should not enter in the debate at all.
The only point that is of interest, is that you do not respect the GDPR, period. And trying to back this with technical debates, or who-is-bad-guy-who-is-good-guy is useless and childish.
Personaly I am not interested in the technical debate, the technical details are pretty simple though, however I am interested in the protection of my data.
The GDPR was adopted by the european parliament because such kind of situations are common in the IT world, lots of companies do not protect their users data or simply do not even comply with what they told their users they do with their data.
It is a fairly simple situation, you comply with your commitment to respect the GDPR or you get out of the API. I’m not working for Strava, I have no business interest with them, but I consume a huge amount of APIs in my daily business, I also provide a lot of APIs, I would be particularly angry that someone would not deliberately comply with it’s commitment to use my API properly.
Also there is a time for negociation, but as they are also legal implications for Strava (towards their own users), there is also a time for action, and to my opinion Strava would be in fault if they did not protected their users data.
Users who are worried by this cut off and complain about Strava should simply look twice to the story and think what it tells at the end regarding their data protection on the Internet.
In fairness to Sport Heroes, having a different API key for each application doesn’t really add anything significant privacy wise. The data is still flowing into their systems and databases; they are still responsible for ensuring that data for application A is firewalled off from application B, and vice versa. The only difference would be that Strava would have a greater degree of visibility into which specific application a given piece of data is supposed to be directed towards. Not where it actually ends up (and hence how many applications might, in theory, have access to it).
So if you don’t trust Sport Heroes to do the right thing, it _doesn’t matter_ whether they’re using one API key, or hundreds. They still have the data and could – at least in principle – commingle it after receiving it, even if it came via different API keys. The only way to ensure that level of privacy is to audit the way the data is handled after it goes through the API link, and there’s no way Strava would do that in the general case.
But I’ll definitely concur that Ironman is very much in the wrong in how they’re spinning it. These nuances are difficult to get right, but they aren’t even trying.
Whether or not Sports Heroes co-mingles the data is irrelevant here. Strava’s primary goal is to avoid culpability in the case it is happening. Multiple API keys ensures that, if Sports Heroes is in violation of GDPR, it has nothing to do with Strava.
That’s not true. If Sports Heroes was in violation of GDPR, using data provided by Strava, having multiple API’s wouldn’t absolve Strava of their GDPR requirements.
It seems like you don’t really know GDPR very well.
Personal data may only be used for the explicit purposes the users consent for. Users consent for Ironman, but the way the system is setup Strava has no garantees it is only used as such. No garantees or tranparency = violation (art 5)
And since they are unable to prove to Strava there is no problem, they are likely in violation in other ways as well. Such as having no logging of data access. (art 30)
link to gdpr-info.eu
link to gdpr-info.eu
Hi all,
I am Boris, founder & CEO at Sport Heroes.
First of all, I wanted to say that Sport Heroes has nothing to be ashamed of in terms of data management or compliance with the GDPR. Strava’s accusations about security are unfounded and the subject of an API key doesn’t change anything.
Here is our version of the facts: link to bit.ly
Strava is also a middle men between hardware devices and a lot of developers. In your opinion, Strava, which is connected to 41,000 third-party developers, uses how many API keys from its data provider partners (Garmin, Polar, Zwift…)? However, as a third party developer, I do access data originally from Garmin via Strava.
So it’s exactly the same situation with Sport Heroes… The story Strava tells is easy for the general public to tell, but unfounded in the sense of data protection.
Strava is indeed a middle men between user data and external partners, *when its given explicit user consent with who to share which data*.
Users gave consent to share data for Ironman VR Club, they did not give a blank check for it to be used and shared with any of the other Sports Heroes customers/partners.
BTW, using SSO as the main argument for having a secure system architecture only gives me less confidence in the design.
In a perfect world, Matt Stephens would still be on GCN…
Thank you for investigating this and explaining it to users.
I, like many I’m sure, was upset at Strava, with the aforementioned Relive debacle fresh in my mind, not to mention Ironman’s email to users pointing the figure squarely at Strava. I fell for it. Shame on me, but shame on Ironman as well. That was deeply misleading.
Thank you again.
Why doesn’t garmin have this same issue that strava has? Or do they just not care?
Good on Strava to take the right steps on protecting user data. A lot of data must be mixed if Sport Heros can’t change the API keys. Either way they should be able to resolve it over time.
What kind of engineering went into Sport Heroes app that they need to refactor code in order to update an API key? Wtf?
It isn’t that they need to refactor code to update an API key. It’s that they need to redesign their applications so that each application uses a different API key.
The closest analogy I can come up with (which is fairly severely flawed, but anyway) is that it’s like having a landlord that has keyed all of their properties identically, so that one key will open up any of those houses – rather than having a different key for each property. Except that in this instance, it’s a single house at the back end, with a single key, that needs to be split into multiple houses, each with a different key.
From a software engineering perspective, that’s a non trivial exercise. But if they do it properly, it allows for a greater degree of data segregation and isolation. That said, as I commented earlier, it only provides a marginal improvement in security and privacy; there’s nothing (technically speaking) preventing commingling of the data from the different keys after it’s been pulled in. There are good reasons to do it, mind – but it goes a fair bit deeper than a quick glance at ten thousand feet would have you believe.
Thanks Stuart.
I am Boris, founder & CEO at Sport Heroes.
Thanks for your explanations :)
In fact, having a Single-Sign-On (your one key for all properties) is one of the best practice in term of data protection and security: link to en.wikipedia.org
It is easier to protect one lock and ensure maximum security than to protect 1000 different locks ;)
We have shared our view of the story, if you are interested: link to bit.ly
I don’t think SSO is really what you think it is. SSO is about a person or app having one trusted login for many related services. You’re doing the opposite, with many services having one login. In addition the security benefits of SSO don’t really apply when doing application to application authentication. Your app shouldn’t have trouble “remembering” a bunch of different credentials, it’s an app.
I fully believe that you could and may have implemented a secure system using only one api key for Strava, but it is almost certainly a better design pattern to have one key per application.
This apparent confusion about the meaning of SSO is pretty staggering, especially coming from the CEO of a company that handles tons of private data, hopefully securely.
Instead, minimizing the access rights of each account to what’s absolutely necessary for the intended function is good practice, and should apply here: link to en.wikipedia.org
Hi Boris,
Single Sign On is not a security control it’s a business requirement.
Access control is a security control.
Neither of which have much to do with GDPR and your responsibilities as a Data Processor. The key element is that you hold our data for Ironman VR separate from all other applications that we aren’t using.
Only then can access control become effective.
The confusion over SSO isn’t so staggering, they are the CEO. Now if this was the developer in charge of security saying that…..
Hi Ray, thanks for the excellent write-up of the situation! :)
As a Software Engineer and Solution Architect, familiar with these sorts of APIs, I’ll throw in my few thoughts and opinions ;)
Strava’s requirement for separate API keys is pretty standard, and necessary on a number of fronts, not just GDPR. It also, for example, limits the privacy impact if a key ever gets compromised, and allows the service provider (Strava) to perform granular access control, rate limited, etc. So as much as I hate to see service providers cutting off access to their APIs, I’ll concede in this case, they’re probably doing the right thing to protect their platform.
I’m actually a bit of a fan of Sport Hereos… I participate in their Running Heroes challenges here in Australia, and have been on some of their social runs too. Nice people. But very buggy platform! Silly bugs, like using different data fields for calculating time-remaining vs end date (sigh). But still great for a little extra motivation. Anyway, I would argue that whether they need one or many API keys, comes down: a) how the service is being presented to those signing up, and b) how that’s states in the T&Cs.
For example, a corporate customer got their staff to sign-up, and it was clearly presented as “You are signing up for the Sporting Heroes platform, so that you can access the Amce Co health service”, then I one API key is not in any violation (legally, or for the API terms), because its clearly still “the one applciation”, regardless of where the data is stored. In this case, using a separate API key would still be advisable though.
If, however (and I don’t if this is the case or not), Ironman VR was being presented as its own independent service, ie one where users can reasonably expect that their data is not automatically showing up on Running Hereos challenges too, then it most definitely must have its own API key as far as Strava’s terms are concerned (whereas legally, it would come down to the fine print of the T&Cs).
So all this brings me to the real cause: the Sport Heroes platform is clearly just not architected well. If it was, there’d be no friction… Sport Hereos would have just used a separate API key to begin with, or at least would have switched pretty quickly once Strava complained. In the end, there’s clearly a technical limitation (on Sport Heroes platform), and all the rest of just fallout from that.
That said, there’s just two ways forward:
1. Sport Heroes does the work to support multiple API keys; or
2. Ironman VR is re-positioned as just another Sports Heroes promotion / campaign in partnership with Ironman VR (which a number of companies already do, such as theIconic).
I’m sure IronmanVR would prefer #1, to maintain the strength of their branding (and do no more work).
I’m sure Strava would prefer #1, to maintain control of their platform, and protect their users’ experience.
I guess Sport Heroes would just prefer whichever is easier to do, which sounds like #2, since otherwise they probably would have done #1 already.
Well, that’s enough loose speculation from me about things I’m only vaguely aware of ;)
Good follow-up. Much appreciated.
Question: I was/am in the Ironman VR series. Anytime we went to look at results or check our progress in a race, it was reflected on our Ironman Virtual Club dashboard, but clicking on anything would launch Sport Heroes in a different window. Additionally, we had to sign up for Sport Heroes to participate. Wouldn’t this meet the requirements of only needing one API key you mention?
Thanks again for the info. Cheers.
T
Yes. The idea that using one API key would break GDPR is ridiculous.
Moreover, Strava acting as a data security regulator when interacting with competitors is a little rich. OK, Sports Heroes broke their API policy, but Strava claiming they are breaking GDPR or are being suspect with your data seems like a worse offence to me.
Hello Paul,
I’m Boris from Sport Heroes.
Thanks for your comment, glad to know that you enjoy Running Heroes in Australia, hoping that you will encounter in the future less problems than in the past ;)
In fact it is important to understand one thing: Sport Heroes offers multiple services (Running Heroes, Cycling Heroes, United Heroes, IRONMAN VC, etc.) that are ALWAYS offered from a single product. It is personalised and adapted to each context, but it is the same product.
It is important to know that 20% of our users use several of our services. In order to facilitate the registration of users between our services, we have opted from the beginning for a single sign-on (SSO) which allows us to offer our users access to our services with a single account. From a security and data protection point of view, this is the best we can do in our case: link to en.wikipedia.org.
This SSO also allows our users to connect their devices and trackers to their account, without the need to repeat the operation multiple times. For this reason, we are only connected to all our partners with a single API key. This is a standard that in no way compromises the security of user data.
Similarly, Strava, which is connected downstream with 41,000 developers, is not connected upstream 41,000 times with Garmin or Suunto .
To learn more about this story, we have written our version of the facts: link to bit.ly
Thank you and see you soon on one of our experiences :)
Boris.
I’m sorry but you are making a front-end feature a requirement for a back-end feature. That is very bad software design.
How one of the underlying services (applications, sites) connects to Strava should have zero impact to how your users connect to your platform.
Okay, but can we expect to see any software updates to the Forerunner 410 anytime soon?
Off topic, but a great running watch!
Interesting Times,
Personally I’ve been using link to au.runningheroes.com for a number of years which is a Australian site for various ‘rewards’ and ‘challenges’. I’ve won a number of valuable prizes and happy to provide access to my activity data.
I am also connected to the Iconic sports Challenge which is an affiliated promotion offering $50~$150 vouchers for achieving particular challenges (45min workout, run 16km, etc).
I note on the Sports Heros Help they report:
We are currently experiencing issues with the synchronization of your Strava activities. Waiting for Strava to fix the technical issues on their side, we highly recommend you to connect another provider as this could take a while to be solved.
And I’ve just received a push notification from the Running Heros App “We are expirencing issues with Strava”
API keys aside there is also a business complexity. While IMVR syncs to garmin, Rouvy doesn’t. That puts the imvr/rouvy partnership in murky water if their attitude is as you say for Strava. Thanks for the write-up Ray. Clarifying as always.
Brian,
That is correct, though you will be able to download the .fit/tcx file direct from Rouvy websites to upload to the platform of your choosing. A number of ‘cloud’ apps are able to be connected including Strava, training peaks, and even the ability to email your .fit file directly to your email after the conclusion of each ride.
SportHeroes and all their publications is just data mining for large corporate to sell you more stuff, ads and profile you..
Still that doesn’t explains you why they can’t have multiple API keys, this is not like different oauth tokens gives you privacy…
I wonder if this was just plain lazyness or that they don’t have the application platform code anymore to make that (somewhat tiny) change to handle multiple registration tokens….
Hello,
I think there’s lot of unsubstantiated allegations about a startup that looks serious and well known…
I recommend that you read Sport Heroes’ response: link to bit.ly
Richard (or Boris, or whatever your name really is), you need to stop. When I first saw your comment, my reaction was to think that you were a sock puppet. Or an astroturfer. Either way, it was pretty clear to me that you were associated with the company and trying to spin it.
Ray’s comment about your comment coming from the same IP address as Boris’ only served to confirm what was already pretty obvious.
And here’s the thing. When you take such underhanded tactics in such a ham-fisted way, you only undermine your credibility. That’s BEFORE I bothered to read that link – and frankly, that link doesn’t serve to support your arguments in the way you seem to think they do. I’ve been working in IT for over twenty years, and it reads, to me, like a mish-mash of arguments tossed together in the hope that one of them sticks, without any real coherence or underlying story to explain the architecture of your systems.
To be blunt, before you popped up here, my leanings were towards Strava’s version of events. Afterwards? They’re very strongly towards Strava’s version of events.
And here’s the thing. GPS data is potentially very sensitive. People start, and finish, activities at their home regularly. I’m careful about what I upload for exactly that reason; many people are not. I know of at least one case where a friend was tracked to his home by Strava followers; fortunately, in that instance, there was no harm, but the potential is very real. Theft (how many triathletes own expensive bikes?) is the least concern here. Your record needs to be spotless for people to trust you with that data. It isn’t. And your actions here are only serving to smear those spots and make them bigger, more obvious.
Do better.
I do my cycling on trainer road that then syncs to Garmin.
Runs synced direct with Garmin from my watch will sync to IMVR but the rides don’t.
Is there some sort of blockage of items syncing onwards?
The separate API issue is a clear violation. If nothing else when you join a service shouldn’t it be the name of the service you joined, ie, Ironman VR. When you are reviewing your connections it should be clear who you’re connected to. If nothing else, this is why they should have used a separate API years ago.
I have no sympathy for them. If they had architected it the proper way in the beginning this would not have happened. I wonder if it was one of those projects, one day we will fix this and it just got pushed down the list.
Suspect its even bigger than that…. those of us who play in this space, have all seen environments that are built in such a way, that some of things that you’d ideally do are virtually impossible without taking crazy approaches to workarounds…. it reaches a point where the only realistic option is a major (if not entire) rewrite…. and then you start to realise that the data model behind it is wrong, and you need to migrate and transform the existing data, and there’s a lot of it, so its both expensive and difficult, and there’s the issue of the data pot filling all the while you’re trying to transfom it, and the CEO won’t let you go offline for 24hrs to solve that conundrum… and… and…and… and before you know it, you’v sighed, stopped fighting for rewrite, find yourself working on the 19th code release that works around the problem, and everything is starting to get really buggy… tell me i’m wrong.
Even if things aren’t a mess on the backend, it is probably still a pain. There are things that aren’t “hard” to do but still a decent amount of work. Get new keys, update the code, update the data, QA it, then do a switchover that is seamless and nothing breaks.
Luckily, I have never had to do that. :-)
“on previously used paper” — love this! Made me chuckle today, thanks DCR!
What else would you expect from Ironman?
You gotta love Ironman’s response to all of this. It is like encountering a polite argument between two people and you start to beat them up to resolve their differences…lol
As I´m not able to link Ironman VC and Wahoo directly – is there any work around for this?
I’ve been in software development for almost 30 years, SH are either lazy or up to no good, either way it is a clear breach of both Strava API AND good software design rules, to find a company doing this today still scares me.
Too true – and for every situation like this you hear about, theres that many more you haven’t! (yet)
Sounds pretty likely the dev who had a hand in this is long gone.
If my Zwift acitvity syncs directly to Strava, my Strava syncs to Garmin Connect, will be Garmin Connect syns to IMVR?
Glad I found this article though as I may have fallen for IM’s email otherwise.
>If my Zwift acitvity syncs directly to Strava, my Strava syncs to Garmin Connect,
> will be Garmin Connect syns to IMVR?
By contract Garmin Connect will not forward on data from Zwift to other services; this is by Zwift requirement and contract requirement. That’s how zwift avoids what Strava is scared of. And Strava was right to be worried the things GDPR lawyer chase is crazy but that’s another topic post.
My garmin forwards to zwift no problem. I just completed VR3 this way
It would be interesting to know if Ironman or sports heros plan to monetise the activity data, and whether that’s against the strava API terms
With previous incidents I have very much been against Strava (in fact, I cancelled my Summit subscription after the Relive fallout last year), but as a software architect, I can only wholeheartedly agree with Strava here.
I was shitting on Strava for 2.5 years, ever since their early ’17 new CEO hire. Recently the old CEO came back and I’ve been quite impressed with the redirection and energy of the service (both user-facing and internally).
Sounds fairly easy:
Need to sync data from Strava
It’s for `xxxx`, a Sports Hero client (eg. Ironman)
Get xxxx’s Strava API key from your new table of keys instead of just using the all-round key
Continue as normal
If their backend is written so that kind of change can’t be made easily then something extremely wrong.
Even if it is that easy, it still takes time to develop, test, and do a cutover plan that minimizes outage time and risk. Assuming some backend tech debt that makes some parts of it tricky, their estimate of 4 weeks doesn’t seem that crazy. You really can’t afford to mess up a change like this.
How long before Garmin, Suunto and Polar follow Strava’s lead. Perhaps then Sport Hero’s will rethink?
If Sport Hero don’t change, then opportunity for Ironman to work with someone else.
The signing up to events through Ironman, Active and Sport Hero was a complete balls ache.
Doesn’t Strava do the same with all those apps already? They pull your recorded data from other tracking devices too.
Perhaps Ironman had several options to activate this and they chose Sport Heroes because they considered it the best option for their needs.
Agree with Strava’s approach here, it is clearly stated in their API t&c. But how about the other conditions such that you are not permitted to use the API to facilitate virtual competitions or racing. That could have used that to stop access to data.
Strava are technically, legally and in terms of privacy – Sport Heroes don’t know how to architect applications or segregate data, and likely have a monolithic architecture from the days when they were a small company and never invested in rearchitecture.
Ironman clearly don’t understand, or possibly don’t care, about privacy – you can’t just hide behind a load of text in Ts&Cs which the law already recognises that nobody reads.
Data owners and processors have clear responsibilities and due diligence requirements that extend beyond their own IT infrastructures and APIs.
BINGO. Ironman is pounding their fist on the table “while the grown-ups talk” because they don’t understand the underlying issue.
I think Sports Heros “get it” but is resigned to the fact that their platform isn’t compatible with Strava’s terms and conditions, and it would be so costly to re-tool there’s no point for them to do it.
I’m with Strava (and GDPR) on this one. If I hit “delete” or “revoke access”, I expect all of my data to be expunged, not remain on a third party server.
Hi,
Now this has happened I don’t see anyway to get a ride from rouvy (which has the official ironman VC course) into ironman VC club. Am I missing something obvious?
Hey Hugh,
If you check out the ride in Strava or on Rouvy.com you’ll be able to download and upload the .fit(or .tcx) file to your computer and similarily upload that to Ironman VR.
Hope this helps!
As my Mom always told me “two wrongs don’t make a right”. Sport Heroes appears to have been doing wrong for a while.
Ray as usual I love your attempts to remain impartial here for all the right reasons, so please allow me to call out the elephant in the room here which you very lightly alluded to… in this case both the Chinese run Ironman brand and Strava are wrong. Its pure karma to see these two cancelling each other out. Hopefully soon we will see a large triathlon corp event that pays its pro athletes a decent winning fees and a sports tech company that doesn’t rip & re-implement ideas while shutting down the smaller tech companies that blindly utilise their api services. There are so many ways they could work together however both these two seem to be unfit to keep holding onto market share.
You’re missing the point. They -can- use the Strava API, all they have to do is to use their own API key, instead of using the same key for a number of different applications. And that’s a very reasonable demand, and something that’s true for pretty much every API.
The Chinese sell Ironman in march to Advance Publications!
link to sportbusiness.com
Ah, the beauty of contracted software work. Looks to me as if Sports Heroes is stalling to turn a big, self-imposed change into billable hours while Ironman is insisting on getting that Strava connection they thought they had already bought.
Strava, while being well in their right to require Sports Heroes to have a compliant implementation, is getting all the first glance evil looks, whereas Ironman VR and Sports Heroes, both being rather obscure, enjoy the exposure stemming from the drama.
This is so typical of Ironman, the most entitled company ever. Look at the way it is treating it’s customers with regards to postponed races. It only cares about itself and could care less about the folks who actually spend thousands of dollars with it.
Just curious what they’re doing wrong there? They’ve been great in offering either deferral to next year or a pile of other races. I’m not sure what else they could do other than a full refund and that’s very unrealistic. Hotels and airfare aren’t lost investments either
I’m just wondering how to get virtual rides over to the Sports Heros platform at this point. Garmin doesn’t forward Zwift, for example.
garmin does fwd zwift. Just tried is this morning
Ray: will you be doing a review soon of the red crayon outline watch in this post? Does it come in blue?
Thanks in advance.
I have a COROS watch (which I love), so I take it that there is no way for me to import a Zwift or Rouvy ride to participate in Ironman’s virtual race series? The outdoor run solution is easy, just use an app on my phone, as much of a pain that is, but I’m not riding outside right now. This mess is going to hurt participation in the VT series…
Jamie,
The Ironman VR series requires route completion on the designated Rouvy AR Ironman course, so unfortunately you’re correct that a COROS activity would not be counted in the Ironman VR event.
I’m suddenly reminded of one of the reasons why I don’t do IM branded events.
I hope Wildflower comes back…
Interestingly enough… I am unable to delete my sport heroes account or my Ironman VR account …
When I saw the email from IM about this, I thought it was Strava on another high horse like the Relive thing. But this is legit. I deal with API keys and reusing the same key is literally a violation of the first sentence in the T&Cs. And Sport Heroes saying that they need a complete application rewrite to fix it is a massive failure by their architecture group. The first thing you look at when dealing with 3rd party integrations is their API & you understand their requirements.
Honestly, it’s all fine by me because I dropped my Strava linking before IM VR2 since they said that you should only have one service linked anyway & I already have Garmin connected.
Now.. if you were to chose their partner Rouvy, like me, it turns out you have to open account with either UA or RK if you want to join… (no way).
In the ideal world -of any degree of idealism- there were just two viable option for this:
Rouvy2Strava2IMVR (gone)
Rouvy2Garmin2IMVR (na)
And so it happens that Rouvy’s competition seems now a more convenient tracker app choice.
I don’t think they can, at least not officially, the Strava T&C’s say that you cannot use the API for virtual competitions or races.
As a software engineer, depending on how Sports Heroes application is architected, I can appreciate it may be a major undertaking to re-architect their application if it hasn’t been designed in from the outset to use multiple API keys.
However, this is something that Sports Heroes should have been aware of. Just because they have been interfacing with Strava for a relatively long period of time does not excuse them from “overlooking” changes to the Strava API T&Cs, which I think were made quite some time ago. They’ve had more than enough time to incorporate these changes, and indeed, the Relive fiasco should have prompted them into action well before now.
As for Ironman VR… well. Sounds like they seriously need a new PR department. They turned what was a somewhat unfortunate situation into a fiasco!
Competition of the year!
I used to work at Sport Heroes a few years back, when it was less sophisticated and was just Running Heroes and Cycling Heroes. As I recall they had a project to put things under one ecosystem. The idea being they could simplify the programming and also cross sell the various platforms. So it wasn’t an accident they knew what they were doing. I left before GDPR but data protection was definitely an afterthought back then.
That’s the problem of most companies I’m afraid. Security and privacy only come to mind when things like this happens or when they have a major security incident. And even then…
Strava is completely right here. Sport Heros and Ironman Virtual do not have a leg to stand on. I hope EU sues them straight to bankruptcy. Privacy matters
Ironman its a company like others like Relieve ( also doing a better and free job) and dont make a BIG insukts against Strava, besides IRONMAN the company always do a BIG problem when everyone uses his BRAND, so Ironman its not different than Strava just charge more
Great article again Ray. Thanks.
For now I’ve deleted my account at Ironman VC/Sports Heroes.
Security should be by design, and using one api for for all customers isn’t, no matter what your architecture is at the backend.
When SH or IM VC has fixed this, I’ll join again.
Strava
Strava pulls a decent amount of power plays for a company that’s still pivoting it’s business model every couple of months..
I really don’t care why Strava and SportHeroes are arguing. All that matters to me is that right now, my indoor cycling rides (Peloton, linked to Strava) aren’t being logged in the IRONMAN VR Club platform. So I did some research and experimenting and came up with a solution: https://medium.com/@smartwatermelon/how-to-get-your-peloton-rides-into-ironman-vr-club-b344511b6f62?source=ifttt————–3
I hope this works for you. It does what I need. Good luck.
Shame, user suffers..
For those interested, it looks that Rouvy deployed their API to connect directly.
And I read no complain from them even though they have much at stake.
Serious approach: you solve for your users fast, and keep any business discussions off the line.
Hello all,
At Sport Heroes, given the tough times, we regret this decision and wish to continue working with Strava, hoping that a solution will soon be found. In the meantime, we cannot let Strava accuse us without reason, here is our version of the facts. As you know, there are always two sides of the moon, I suggest you read our version of the facts: link to bit.ly
Hey thanks for engaging.
Your link doesn’t seem to cover certain relevant points;
– is our data segregated from (not stored in the same place) all your other data for your other services?
Our data is being shared for processing solely for the purposes of the Ironman VR, it should not be stored alongside or be able to be processed by any other application.
This is an entirely distinct issue from who has access to our data. Is it stored in the same database as other services?
Did they admit to having one database shared access multiple applications used by different companies.
Should there be a data breach, multiple organisations data is laid bare, if each application for each company had its own data base there would be addition protection, I.e. only one data base for one company is breached.
Likewise, if a code update is faulty it is possible to give access to the wrong company, also is it not possible that have multiple organisations data.
I would also ask whether the terms and conditions for are explicit in saying that the client data for iron man is being hosted by a third party and that third party in storing data in Singular database storing data for organisations for which the client has no agreement.
Solution is simple, one database per client, one api per client app. Problem solved. Data is kept safe and is traceable with no issues of who sees what and no possibility of cross contamination. Protect the client data and ensure good accountability. That is good practice
Hello Malcolm,
Personally I don’t know who is right between IM or Sport Heroes but I can say that you are all wrong about architecture.
You talk like you’re an expert, but have you even been in the tech industry?
Have you ever eared about SaaS (Software as a Service) platforms?
ALL softwares are now getting delivered as services, directly online and they are not at all having one database per client… One the contrary! The main principle of SaaS is to mutualize clients into one single architecture.
Here is a reminder: link to hackernoon.com
It’s amazing to see so-called experts who don’t know anything about it…
In that case, I understand Sport Heroes work as a Platform-As-A-Service.
Hi Tom…I mean Boris. Sorry, it can be a bit confusing when the CEO of the company (Sport Heroes) is pretending to comment under other fake usernames. Also, Hi Richard, I mean…again, Boris.
Here’s the thing I don’t get: Do you think I’m stupid? Seriously.
Did you think I wouldn’t notice that you were commenting under multiple users from the same computer? Did you forget I worked in IT – including in data security – for over a dozen years primarily with high-security institutions?
How exactly, did you think this would help your credibility in data security matters? How exactly, did you think this would make users trust you, more than Strava? And how exactly did you think commenting as a fake user about your own company was a good idea? Also, how many other places are you doing this that didn’t notice?
? – details make a blog bold.
This is golden stuff. Thanks Ray!!!
From my point of view, Strava clearly made the best decision.
Sportheroes clearly doesnt adhere to the same (quite basic) security standards as Strava does. So a break-up then can only be the best move.
But as you outlined, the throwing mud part is priceless. Especially here in the comment-section.
Tom/Boris: Saas implies (at most) hosting the data in 1 place. That’s totally different from merging all the databases. Even your scrappy link is not proving your point.
Besides the obvious point that using fake usernames is extremely shady, there’s one thing that bothers me even more:
The CEO of a company that’s handling my data has so little IT knowledge that he isn’t able to use VPNs and different systems / virtual machines to pull off his stunts.
In consulting we always say: Don’t let sales or marketing guys without any basic IT knowledge run an IT business. That’s almost always a recipe for disaster.
@Ray: Totally your call, but personally I would inform both Strava and Ironman of the situation here. Seems highly likely to me that Sports Heroes lacks the proper know-how to run an operation like that. That’s on top of their CEO following a very questionable ethical standard.
If this was being done as SaaS using a modern, containerized infrastructure with a microservices architecture then what Tom/Boris is saying could be true. But just because he’s claiming they’re providing SaaS to their customers means that it’s architected correctly under the covers. In fact, if this was being done correctly, then the whole issue of individual API keys would be moot since they would have already been doing that since each customer would have it’s own containerized instance of the application. If the data all exists in a single database then it’s just a simple query to send the data to the correct customer but that’s hardly data separation in the event of a breach.
That said, this is hardly healthcare or financial data and data segregation by unique id isn’t illegitimate. Strava on it’s side has long had a rather inflated sense of its own importance and I think this is more evidence of it. But Sport Heroes is proving to be a poor actor by obfuscating what its doing and replying here with multiple accounts which means me not trust them. If they had data that mattered to me in any way I would care but since it’s for a silly competition at Ironman, I also don’t really care.
This is the best comment I’ve read on your site Ray. Keep up the good work.
And Boris (and Tom and Richard) were never heard from again…
It’s quite clear that Strava’s business model relies, in part, on aggregating user data from different services and platforms under a sigle platform with unique user IDs. The strava API is key to accomplishing that goal, but it also makes sense that they want to keep this integration exclusive. The prohibition of shared API tokens is clearly designed to shut out competitors.
Unless the API is challenged under Anti-trust laws. it seems quite clear that Strava are in the right, and Sport Heroes are in the wrong.
Is the quickest fix not for Ironman just to re-brand their logo “Ironman VR” with “Facilitated by Sport heros” in small writing.
Much of the site has sports hero branding anyway (like the help and FAQ’s)
Also, I’m pretty sure when I signed up for VR1 I created a sports hero account and accepted their terms as part of the registration process
I’ve just checked the sports hero T’s&C’s (which I didn’t read when I registered for Ironman VR1). It talks about the “connected experience” where it hosts events for 3rd parties (in this case Ironman).
I don’t see what Strava’s problem is here (given that I had to create an account with sports hero)
Surely this is no different to someone like zwift hosting a race for a 3rd party
>>from Sport hero terms>>
Connected Experience” refers to the services proposed/the program to share data, encourage and reward sporting effort proposed by the Sites developed by the Sport Heroes Group on its own behalf (Running Heroes, Cycling Heroes, Skiing Heroes) and on behalf of third parties
4.1 How to register Registration is free and does not involve any costs to the Member. To register for a Connected Experience, Users should go to the Connected Experiences Site and click on “Register”. The following information is requested on the Site during the registration process: – Last name – First name – Email address – Password This information may vary from one Connected Experience to another. Users may also register through their Facebook or Google accounts. As soon as this information is provided via the Connected Experience Site, and the Site and Connected Experience terms and conditions have been accepted by the User, the User becomes a Member of Sport Heroes. The new Member is then invited to connect their Partner Application and will be directed towards the Sport Heroes Platform
My god here’s how I view it from a simple mind perspective. Strava has the platform, the customer data, etc. If IM wanted to use said platform they should have been on the up and up with Strava and could have avoided all this.
Rock n Roll (owned by Ironman), have just announced the “Rock n Roll Virtual Run Club”
Which also looks like its on on the Sport Hero’s platform
This, unfortunately, means that anyone who tracks their runs directly to Strava (for example, from an Apple Watch) will be shut out of participating in the RnR Virtual Club. Unless they manually export from Strava and import into a supported service, e.g. Garmin Connect.
Or Use link to tapiriik.com been awhile since I’ve used it (my activities go to Google Connect and from there Strava, Training Peaks, & Running Heros)
ALOT of this over my head but I think those two graphics should be nominated for some kind of award journalism! That’s some great WFH stuff!
I’ll just put this here..
Ray – you’re actually a very clever man to make sense of all of this than articulate it in a way that your readers / followers can understand it too!
Hello!
1)Hint: I’ve used tapirjik service to spread my garmin activities in other trackers services. So I’m only syncing to garmin abd few seconds later got kudos on strava. strava is like community and koms, garmin like data storage, plans, calendar etc…
2)And I was very surprised by unknown for me service called “Sport Heroes” when connecting Strava to ironmanVC.
Maybe IM didnt want to bother with IT stuff like web servers, databases, parsing activities and used other provider, but it wasnt clear for me when connecting strava to IM all my data will be on 3rd party provider side.
ps: anyway completed all IM VRs.
For IronmanVR5 I am still waiting for half my results to come in. I used Strava and I was now connected with Runkeeper. I received a mail that Runkeeper was having synch issues, so I connected ‘Map my Run’, without any results. After that I connected Runtastic, also without any results. Finally I also tried Fitbit, but I couldn’t upload my files there.
It’s wednesday and I ran and biked my ass off to get close to the top 10, but so far there is nothing and in two days VR6 is about to start. Anyone has any idea why Ironman VR have so many synch-issues atm? And also any idea when they are going to be solved?
Hey MM,
I think for new trackers you need to firstly LINK IT and then do activity. Probably they skip activities before the date of tracker connection. Read carefully tutorial or terms, I think something like that was mentioned there.
Thanks!
You’re probably right. But Runkeeper (that used to synch) still doesn’t synch completely either. My half marathon and 90K bike are showing up, but my 5K is greyed out saying ‘Another activity has been added in this time slot.’ while there is no other activity.
I received a mail that I am a finisher, but when I log in it says that I didn’t make it to the finish line and the progression is stuck at 67%.
So far, it was not too bad, but now that Garmin is down, it may be a very quiet VR16…
If you want to run a Virtual Race anyway, the RunnerMaps Virtual Races link to runnermaps.nl are also a free alternative, and the use Strava. You may have to manually upload your activity.
Is this the same Ironman that just acquired Fulgaz? Fulgaz says they “joined” Ironman, so maybe acquired is the wrong term. Is this going to be a good thing or a bad thing?