Privacy Policy
App: bikested (mobile application for iOS and Android)
Operator: Tomáš Ross, self-employed individual (Czech "OSVČ"), with registered office at Hanácká 62/63, 751 24 Přerov, Czech Republic, company ID: 87884020, VAT ID: CZ9112194487 (VAT-identified person under § 6g of Czech Act No. 235/2004 Coll., on VAT), registered in the Trade Licensing Register maintained by the Municipal Authority of Přerov (the "Operator" or "we")
Contact: [PRIVACY_EMAIL]
Document version: 1.0
Effective from: [EFFECTIVE_DATE]
Last updated: [LAST_UPDATED]
1. Introduction
This Privacy Policy (the "Policy") describes what personal data we collect, why we use it and what rights you have when you use the bikested mobile application (the "App" or "Service").
The Operator is the data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (the "GDPR") and Czech Act No. 110/2019 Coll., on personal data processing.
If you have any questions about this Policy, please contact us at [PRIVACY_EMAIL].
2. Definitions
- Personal data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data (collection, storage, modification, use, sharing, deletion).
- Data subject (user) — the natural person whose data we process; in the context of the App, the person who has created an account.
- Controller — the Operator, who determines the purposes and means of processing.
- Processor — a third party that processes data on behalf of the Controller under a data processing agreement (DPA).
- Anonymised data — data that cannot be linked to a specific person and is not subject to the GDPR.
3. What data we process
3.1 Data you provide directly
Registration and account:
- email address
- password (stored exclusively as a bcrypt hash, never in plaintext)
- optional: display name, biography (max. 280 characters), username, profile picture
Cyclist profile (optional):
- height (cm), weight (kg), FTP (W), experience level
Garage and bikes:
- brand, model, year, size, type (MTB / road / gravel / urban / BMX / e-bike), colour, purchase date and price, bike photo, custom notes
Bike components:
- brand, model, year, weight, purchase date and price, notes
Service log:
- type of work, description, date, kilometres at service, cost, who performed the work (DIY / shop), shop name (optional), photos
AI assistant:
- the content of messages you type into the chat
Premium subscription:
- subscription details (type, length, start and end date, status)
Note: We do not process payment data (card number, etc.) directly; payments are processed exclusively by the Apple App Store or Google Play under their own policies.
3.2 Data generated through use of the App
- user identifier (UUID) assigned by Supabase
- timestamps of account creation, last sign-in, recent activity
- preferences (AI response style, notification preferences, language, theme)
- daily AI usage aggregate (message count, token count — for cost-guard purposes)
- log of service tasks, kilometre milestones, bike anniversaries
- aggregated statistic: total kilometres ridden per bike
3.3 Data from connected services
Strava (optional connection): If you connect your Strava account, we process:
- OAuth access and refresh tokens (encrypted in Supabase Vault)
- your Strava ID, name and profile data (for display in the UI only)
- the list of your bikes from Strava and their gear_id
- your activities (rides): distance, date and time, sport type, assigned gear_id, activity ID
- We do not process GPS coordinates, segments, elevation profile or other detailed ride data.
The Strava integration operates under the Strava API Agreement. Strava data remains subject to Strava's policies even after deletion of your bikested account.
99Spokes (bike database — server-side): When you search for a bike brand/model when adding it to your garage, the query is sent through our server to 99Spokes. We do not send any of your personal data — only a text query such as "Trek Fuel EX 8".
3.4 Technical and diagnostic data
Crash and error reports (Sentry, EU region): On unexpected errors or crashes, anonymised diagnostics are sent to Sentry (server in Germany):
- OS type and version, device model, language
- App version, error stack trace, breadcrumbs
- our user identifier (UUID) — to group errors of the same user during debugging
- We do NOT collect IP address, precise geolocation, screen content or user input
Sentry is configured with tracesSampleRate = 0.2 (sampling 20 % of transactions in production) and without default PII (sendDefaultPii = false).
Push notifications:
- Expo push token of the device (stored in user_push_tokens)
- platform (iOS / Android), device identifier (optional)
4. Purposes and legal bases for processing
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Account creation, sign-in | Email, password, user ID | Contract (Art. 6(1)(b) GDPR) |
| Garage features (bikes, components, service log) | Bike, component, service data | Contract (Art. 6(1)(b)) |
| AI assistant (chat) | Message content, garage context, daily usage aggregate | Contract (Art. 6(1)(b)) |
| Strava kilometre sync | Strava OAuth tokens, activities | Consent (Art. 6(1)(a)) — connection is voluntary |
| Push notifications about service intervals and milestones | Push token, notification preferences | Consent (Art. 6(1)(a)) — iOS / Android system permission |
| Crash & error reports (Sentry) | Anonymous diagnostics + user ID | Legitimate interest (Art. 6(1)(f)) — operational stability |
| Public garage profile (/u/<username>) | Public profile and bike data of your choice | Consent (Art. 6(1)(a)) — visibility is private by default |
| Premium subscription and billing | Subscription status, subscription identifier | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) — tax records |
| Fraud and abuse prevention | Account data, IP address at registration (Supabase) | Legitimate interest (Art. 6(1)(f)) |
| Usage analytics for App improvement | Anonymised aggregates | Legitimate interest (Art. 6(1)(f)) |
5. Recipients of personal data (processors)
We have data processing agreements (DPAs) under Art. 28 GDPR with the following providers:
| Processor | Purpose | Processing location | Transfer safeguards |
|---|---|---|---|
| Supabase, Inc. (USA) | Backend (auth, DB, storage, edge functions, realtime) | EU (region [SUPABASE_REGION]) | DPA + EU SCCs 2021/914 |
| Anthropic, PBC (USA) | AI assistant (Claude API) | USA | DPA + SCCs; data is not used for model training (zero-retention API) |
| Sentry (Functional Software, Inc.) (USA) | Crash and error tracking | EU (Frankfurt, de.sentry.io) | DPA + SCCs; no PII |
| Strava, Inc. (USA) | Kilometre sync — only on your connection | USA | OAuth, per Strava API Agreement |
| 99Spokes, Inc. (USA) | Bike specs database — text queries only, no PII | USA | Server-to-server, no personal data |
| RevenueCat, Inc. (USA) | Subscription state verification | USA | DPA + SCCs; only user identifier and transaction metadata |
| Voyage AI (USA) | Vector embeddings of knowledge base (server-side, no user data) | USA | No personal data |
| Apple Inc. | App distribution, push notifications (APNs), payment processing | Global | Apple Privacy Policy |
| Google LLC | App distribution, push notifications (FCM), payment processing | Global | Google Privacy Policy |
| Expo Application Services | Push notification service, OTA updates | USA | DPA + SCCs |
We do not sell your personal data to any third party. We share data only with the above processors and only to the extent necessary to operate the App.
6. International transfers
Some of our processors are based outside the European Economic Area (EEA), in particular in the USA. For such transfers we apply:
- Standard Contractual Clauses (SCCs) as in Commission Implementing Decision (EU) 2021/914
- EU-US Data Privacy Framework (DPF), where the relevant processor is certified
- additional technical safeguards (TLS in transit, AES at rest)
A copy of these safeguards is available on request at [PRIVACY_EMAIL].
7. Retention periods
| Category | Retention period |
|---|---|
| Account data (email, profile, password) | For the lifetime of the account + 30 days after deletion (technical clean-up) |
| Garage, components, service log | For the lifetime of the account; deleted on account deletion |
| Strava OAuth tokens | Until Strava is disconnected or the account is deleted |
| AI conversations and messages | For the lifetime of the account (you can delete individual conversations) |
| AI daily-usage logs | 90 days for cost-guard purposes, then aggregated |
| Sentry crash reports | 30 days (default), 90 days for production with replay |
| Account deletion log (account_deletion_log) | 7 years (accountability under Art. 5(2) GDPR) |
| Tax records of Apple/Google → Operator payouts (royalties) | 10 years per § 35 of Czech Act No. 235/2004 Coll., on VAT |
| Push tokens | Until sign-out or device deactivation |
After these periods, data is automatically and irreversibly deleted or fully anonymised.
8. Public profile and content sharing
The App allows you to optionally publish your cyclist profile and bikes at bikested.com/u/<username> (visibility defaults to private). If you set visibility to public or unlisted:
- public — your profile is discoverable in the "Find riders" section and indexable by search engines
- unlisted — accessible only via direct link, not publicly discoverable
- private (default) — visible only to you
For each bike you decide whether it should be public (is_public) and which of its parts are visible (components, service log, kilometres, purchase price, story timeline). This choice is revocable at any time in profile settings.
Sharing milestone cards and bike links (Premium feature): When you share a generated card or a link to a bike, the bike's metadata (name, photo, kilometres) is visible in the link preview on third-party platforms (Instagram, WhatsApp, Facebook). This is voluntary and requires the bike to be public.
9. AI assistant — special notice
When you use the AI assistant:
- The content of your messages is sent to Anthropic (Claude API) via our secure server (Supabase Edge Function ai-chat)
- We send your garage context together with each message (bike brands and models, components, the latest 5 service log entries) — without it the AI could not give useful answers
- We do NOT send your email, name, photos, exact birth date or other identifiers beyond what is necessary for the answer
- Anthropic retains the content of queries for a maximum of 30 days for abuse monitoring purposes and does not use them for model training
- The conversation is also stored in our database — you can delete it yourself at any time from the conversation list
The AI assistant is not a professional advisory tool. Its answers are informational; for safety-critical work on brakes, steering and drivetrain, always consult a certified mechanic. See Terms of Service, Art. 7.
10. Strava integration — special notice
If you connect your Strava account:
- the connection is fully voluntary and revocable at any time in App settings
- we can read only your bikes and activities; we cannot write or react to anything in your Strava account
- on disconnect we delete all tokens from Supabase Vault and the Strava ID association with your bikested account
- activities synced to bikested remain in our database after Strava is disconnected (as part of your service data); you can delete them individually or by deleting the account
Strava data is subject to the Strava Privacy Policy and API Agreement. The Operator is not responsible for data processing within the Strava service.
11. Push notifications
The App may send push notifications about:
- kilometre milestones
- upcoming service intervals
- optional weekly activity summaries
Notifications can be granularly enabled/disabled in Settings → Notifications and entirely disabled in iOS / Android system settings.
We use Expo Push Notifications, which relays notifications via APNs (Apple) or FCM (Google).
12. Children
The App is not intended for children under 16. If we discover that we have processed data of a child under 16 without parental consent, we will delete the data without delay.
If you are a parent or legal guardian and believe your child has provided data to the App, please contact us at [PRIVACY_EMAIL].
13. Security
To protect your personal data we implement:
Technical measures:
- transport encryption (TLS 1.2+) between the App and all processors
- storage encryption (Supabase Postgres at-rest encryption, AES-256)
- bcrypt password hashing
- encryption of Strava OAuth tokens in Supabase Vault
- Row-Level Security (RLS) in PostgreSQL — a user can only see their own data
- separation of the Anthropic API key on the server (the App never knows the key)
Organisational measures:
- principle of least privilege
- regular dependency updates (npm audit, Dependabot)
- crash and anomaly monitoring (Sentry)
- DPA with all processors
- account deletion accountability log per GDPR
Confidentiality and integrity: We take reasonable measures to ensure the confidentiality, integrity and availability of your data. However, no system can be 100 % secure. In case of a security incident posing a high risk to your rights, we will inform you within 72 hours in accordance with Art. 33 and 34 GDPR.
14. Your rights
You have the following rights under the GDPR:
| Right | How to exercise it |
|---|---|
| Access (Art. 15) | Most data is visible directly in the App. Full export on request at [PRIVACY_EMAIL]. |
| Rectification (Art. 16) | Directly in the App (Profile → Cyclist profile; Bike → Edit) or by email |
| Erasure ("right to be forgotten", Art. 17) | App → Settings → Account & Security → Delete account (deletion is immediate and irreversible) |
| Restriction of processing (Art. 18) | By email at [PRIVACY_EMAIL] |
| Data portability (Art. 20) | By email at [PRIVACY_EMAIL] (machine-readable JSON export) |
| Objection (Art. 21) | By email at [PRIVACY_EMAIL]; against processing based on legitimate interest (Sentry, analytics) |
| Withdraw consent (Art. 7(3)) | Disconnect Strava / disable notifications / set profile visibility to private in App, or by email |
| Complaint to supervisory authority (Art. 77) | Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Praha 7, posta@uoou.cz, www.uoou.cz |
We respond to requests within 30 days of receipt (the period may be extended by another 60 days in particularly complex cases).
15. Cookies and similar technologies
The App does not use cookies (it is a native mobile application, not a website). We use:
- MMKV — local key-value storage on the device for offline data cache and user preferences; nothing is sent off-device
- Expo SecureStore — encrypted storage for Supabase session tokens
- AsyncStorage — unencrypted storage for non-critical cache (TanStack Query persister)
None of these stores is shared with third parties and all are deleted alongside the App.
The web version of the profile (bikested.com/u/<username>) may use functional cookies necessary for proper rendering (theme choice) and anonymous analytics (page-view counts). Details in Web Cookies Policy (to be added when the web is deployed).
16. Changes to this Policy
We may update this Policy from time to time (e.g., when adding a new feature or processor). We will inform you of material changes:
- in-app banner on next App launch
- email to the address on the account
- updated "Last updated" date in the document header
Continued use of the App after changes take effect constitutes acceptance of the updated Policy.
17. Contact and supervisory authority
Operator / Controller:
Tomáš Ross
Hanácká 62/63, 751 24 Přerov, Czech Republic
Company ID: 87884020
VAT ID: CZ9112194487 (VAT-identified person)
Email: [PRIVACY_EMAIL]

Supervisory authority:
Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
Phone: +420 234 665 111
Email: posta@uoou.cz
Web: www.uoou.cz
You have the right to lodge a complaint with the Office for Personal Data Protection if you believe that the processing of your personal data infringes the GDPR.
This document has been drafted in compliance with Regulation (EU) 2016/679 (GDPR), Czech Act No. 110/2019 Coll., on personal data processing, App Store Review Guidelines (5.1.1) and Google Play Developer Program Policies (User Data).