Privacy Policy
App: bikested (mobile application for iOS and Android) Operator: Tomáš Ross, self-employed individual (Czech "OSVČ"), with registered office at Hanácká 62/63, 751 24 Přerov, Czech Republic, company ID: 87884020, VAT ID: CZ9112194487 (VAT-identified person under § 6g of Czech Act No. 235/2004 Coll., on VAT), registered in the Trade Licensing Register maintained by the Municipal Authority of Přerov (the "Operator" or "we") Contact: privacy@bikested.com Document version: 1.2 Effective from: 15 June 2026 Last updated: 5 July 2026
1. Introduction
This Privacy Policy (the "Policy") describes what personal data we collect, why we use it and what rights you have when you use the bikested mobile application (the "App" or "Service").
The Operator is the data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (the "GDPR") and Czech Act No. 110/2019 Coll., on personal data processing.
If you have any questions about this Policy, please contact us at privacy@bikested.com.
2. Definitions
- Personal data – any information relating to an identified or identifiable natural person.
- Processing – any operation performed on personal data (collection, storage, modification, use, sharing, deletion).
- Data subject (user) – the natural person whose data we process; in the context of the App, the person who has created an account.
- Controller – the Operator, who determines the purposes and means of processing.
- Processor – a third party that processes data on behalf of the Controller under a data processing agreement (DPA).
- Anonymised data – data that cannot be linked to a specific person and is not subject to the GDPR.
3. What data we process
3.1 Data you provide directly
Registration and account:
- email address (with Apple Sign In this may be an anonymised relay address in the form
…@privaterelay.appleid.com) - password (stored exclusively as a bcrypt hash, never in plaintext; not applicable when registering via Apple / Google Sign In)
- optional: display name, biography (max. 280 characters), username, profile picture
Cyclist profile (optional):
- height (cm), weight (kg), FTP (W), experience level
Garage and bikes:
- brand, model, year, size, type (MTB / road / gravel / urban / BMX / e-bike), colour, purchase date and price, bike photo, custom notes
Bike components:
- brand, model, year, weight, purchase date and price, notes
Service log:
- type of work, description, date, kilometres at service, cost, who performed the work (DIY / shop), shop name (optional), photos
AI assistant:
- the content of messages you type into the chat
Paid subscription (Lite / Plus):
- subscription details (type, length, start and end date, status)
Note: Payment data (card number, etc.) we do not process directly – payments are processed exclusively by Apple App Store or Google Play under their own policies.
3.2 Data generated through use of the App
- user identifier (UUID) assigned by Supabase
- timestamps of account creation, last sign-in, recent activity
- preferences (AI response style, notification preferences, language, theme)
- daily AI usage aggregate (message count, token count – for cost-guard purposes)
- log of service tasks, kilometre milestones, bike anniversaries
- aggregated statistic: total kilometres ridden per bike
3.3 Data from connected services
Apple Health / Health Connect (optional, on-device): If you choose Apple Health (iOS) or Health Connect (Android) as your activity source, we read only:
- your cycling activities (workouts of type "cycling") and their distance, date and time
Reading happens on your device, is read-only (we never write anything to Apple Health or Health Connect), and Apple and Google are not recipients of this data from us. The ride distance is then stored in our database to compute mileage and service intervals. We do not read heart rate, GPS, calories, sleep or any other health data.
99Spokes (bike database – server-side): When you search for a bike brand/model when adding it to your garage, the query is sent through our server to 99Spokes. We do not send any of your personal data – only a text query such as "Trek Fuel EX 8".
3.4 Technical and diagnostic data
Crash and error reports (Sentry, EU region): On unexpected errors or crashes, anonymised diagnostics is sent to Sentry (server in Germany):
- OS type and version, device model, language
- App version, error stack trace, breadcrumbs
- our user identifier (UUID) – to group errors of the same user during debugging
- We do NOT collect IP address, precise geolocation, screen content or user input
Sentry is configured with tracesSampleRate = 0.2 (sampling 20 % of transactions in production) and without default PII (sendDefaultPii = false).
Push notifications:
- Expo push token of the device (stored in
user_push_tokens) - platform (iOS / Android), device identifier (optional)
4. Purposes and legal bases for processing
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Account creation, sign-in | Email, password, user ID | Contract (Art. 6(1)(b) GDPR) |
| Garage features (bikes, components, service log) | Bike, component, service data | Contract (Art. 6(1)(b)) |
| AI assistant (chat) | Message content, garage context, daily usage aggregate | Contract (Art. 6(1)(b)) |
| Apple Health / Health Connect kilometre sync | Distance and time of cycling activities (physical-activity data) | Explicit consent (Art. 9(2)(a) together with Art. 6(1)(a) GDPR) – connection is voluntary |
| Push notifications about service intervals and milestones | Push token, notification preferences | Consent (Art. 6(1)(a)) – iOS / Android system permission |
| Crash & error reports (Sentry) | Anonymous diagnostics + user ID | Legitimate interest (Art. 6(1)(f)) – operational stability |
Public garage profile (/u/<username>) | Public profile and bike data of your choice | Consent (Art. 6(1)(a)) – visibility is private by default |
| Paid subscription and billing | Subscription status, subscription identifier | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) – tax records |
| Fraud and abuse prevention | Account data, IP address and browser signals at registration and login (Supabase, Cloudflare Turnstile) | Legitimate interest (Art. 6(1)(f)) |
| Usage analytics for App improvement | Anonymised aggregates | Legitimate interest (Art. 6(1)(f)) |
5. Recipients of personal data
5.1 Processors (Art. 28 GDPR)
We have data processing agreements (DPAs) under Art. 28 GDPR with the following processors. They process personal data exclusively on our instructions and for the purposes set out below:
| Processor | Purpose | Processing location | Transfer safeguards |
|---|---|---|---|
| Supabase, Inc. (USA) | Backend (auth, DB, storage, edge functions, realtime) | EU (region eu-west-1, Ireland) | DPA + EU SCCs 2021/914 |
| OpenRouter, Inc. (USA) | AI gateway – routes AI assistant and AI lookup queries to model providers | USA | DPA + SCCs; does not use query content for model training |
| Google LLC (USA) | AI model provider (Gemini) – generates AI assistant answers (via the OpenRouter gateway) | USA / global | DPA + SCCs; paid-API queries are not used for model training |
| Anthropic, PBC (USA) | AI model provider (Claude) – selected AI assistant answers (via the OpenRouter gateway) | USA | DPA + SCCs; queries are not used for model training, content retained for max. 30 days for abuse-monitoring purposes |
| Sentry (Functional Software, Inc.) (USA) | Crash and error tracking | EU (Frankfurt, de.sentry.io) | DPA + SCCs; no PII |
| RevenueCat, Inc. (USA) | Subscription state verification | USA | DPA + SCCs; only user identifier and transaction metadata |
| Voyage AI (USA) | Vector embeddings – converting the content of your query into a vector to retrieve relevant guides (RAG), only for queries requiring the knowledge base | USA | DPA + SCCs |
| Expo Application Services | Push notification service, OTA updates | USA | DPA + SCCs |
| Cloudflare, Inc. (USA) | Bot protection for registration and login (CAPTCHA Turnstile) | USA | DPA + SCCs + EU-US DPF; Turnstile uses no cookies or cross-site tracking, processes only the IP address and technical browser signals for the duration of verification |
5.2 Independent controllers and other recipients
The following entities do not act as our processors but as independent controllers under their own privacy policies. Data reaches them only when you yourself activate or use the relevant service:
| Entity | Context | Location | Regime |
|---|---|---|---|
| Apple Inc. | App distribution, push notifications (APNs), payment processing | Global | Independent controller per Apple Privacy Policy |
| Google LLC | App distribution, push notifications (FCM), payment processing | Global | Independent controller per Google Privacy Policy |
| Partner e-shops and the eHUB affiliate network | Opening a shop offer from the Upgrade advisor (Czech market only) – the link opens in your browser | CZ / EU | Independent controllers under their own policies; the App passes them none of your personal data (opening the link discloses your IP address to them, as with any web link) |
5.3 Services that receive no personal data
| Service | Context |
|---|---|
| 99Spokes, Inc. (USA) | Searching bike specifications happens via a live server-to-server query containing only the bike-name text (e.g., "Trek Fuel EX 8") – without any of your personal data and without your IP address. 99Spokes is therefore not a processor of personal data and no DPA is required. |
We do not sell your personal data to any third party. We share data only to the extent necessary to operate the App.
6. International transfers
Some of our processors are based outside the European Economic Area (EEA), in particular in the USA. For such transfers we apply:
- Standard Contractual Clauses (SCCs) as in Commission Implementing Decision (EU) 2021/914
- EU-US Data Privacy Framework (DPF), where the relevant processor is certified
- additional technical safeguards (TLS in transit, AES at rest)
A copy of these safeguards is available on request at privacy@bikested.com.
7. Retention periods
| Category | Retention period |
|---|---|
| Account data (email, profile, password) | For the lifetime of the account + 30 days after deletion (technical clean-up) |
| Garage, components, service log | For the lifetime of the account; deleted on account deletion |
| Apple Health / Health Connect activities (distance) | For the lifetime of the account (part of your service data); delete individually or by deleting the account |
| AI conversations and messages | For the lifetime of the account (you can delete individual conversations) |
| AI daily-usage logs | 90 days for cost-guard purposes, then aggregated |
| Sentry crash reports | 90 days (we do not use Session Replay) |
Account deletion log (account_deletion_log) | Email anonymised after 24 months; the remaining record (no personal identifier) kept 7 years (accountability under Art. 5(2) GDPR) |
| Tax records of Apple/Google → Operator payouts (royalties) | 10 years per § 35 of Czech Act No. 235/2004 Coll., on VAT |
| Push tokens | Until sign-out or device deactivation |
After these periods, data is automatically and irreversibly deleted or fully anonymised.
8. Public profile and content sharing
The App allows you to optionally publish your cyclist profile and bikes at https://bikested.com/u/<username> (visibility defaults to private). If you set visibility to public or unlisted:
public– your profile is discoverable in the "Find riders" section and indexable by search enginesunlisted– accessible only via direct link, not publicly discoverableprivate(default) – visible only to you
For each bike you decide whether it should be public (is_public) and which of its parts are visible (components, service log, kilometres, purchase price, story timeline). This choice is revocable at any time in profile settings.
Sharing milestone cards and bike links: When you share a generated card or a link to a bike, the bike's metadata (name, photo, kilometres) is visible in the link preview on third-party platforms (Instagram, WhatsApp, Facebook). This is voluntary and requires the bike to be public.
9. AI assistant – special notice
When you use the AI assistant:
- The content of your messages is sent via our secure server (Supabase Edge Function
ai-chat) to the OpenRouter gateway, which routes the query to the AI model provider – by default Google (Gemini model), for selected responses Anthropic (Claude model) - We send your garage context together with each message (bike brands and models, components, the latest 5 service log entries) – without it the AI could not give useful answers
- For queries that require a lookup in our knowledge base of guides, the content of your query is also sent to Voyage AI to convert it into a vector (embedding) and retrieve relevant passages
- We do NOT send your email, name, photos or other identifiers beyond what is necessary for the answer
- The AI providers do not use the content of your queries for model training; Anthropic retains content for a maximum of 30 days for abuse-monitoring purposes
- The conversation is also stored in our database – you can delete it yourself at any time from the conversation list
Do not enter sensitive personal data into the chat. The AI assistant is for bike-maintenance advice. Please do not include special categories of personal data within the meaning of Art. 9 GDPR (health data, ethnic origin, sexual orientation, etc.) or personal data of third parties. If you nevertheless enter such data, you do so on the basis of your explicit consent (Art. 9(2)(a) GDPR) and at your own responsibility.
The AI assistant is not a professional advisory tool. Its answers are informational; for safety-critical work on brakes, steering and drivetrain, always consult a certified mechanic. See Terms of Service, Art. 7.
10. Connected activity sources – special notice
You may optionally sync your mileage from one of these sources (only one source is active at a time): Apple Health or Health Connect. The connection is always fully voluntary and revocable at any time in App settings.
Apple Health and Health Connect:
- we read only the distance, date and time of cycling activities – no heart rate, GPS, calories, sleep or any other health data; access is read-only
- we use the activity data solely to compute your bikes' mileage and service intervals. We never use it for advertising, marketing, profiling or data mining, and we do not sell it or share it with third parties for such purposes
- for Apple Health / Health Connect, reading happens on your device; you grant consent in the system dialog and can revoke it at any time in Settings → Privacy → Health (iOS) or in the Health Connect app (Android)
- the imported ride distance remains in our database after the source is disconnected (as part of your service data); you can delete it individually or by deleting the account
Apple Health and Health Connect are local aggregators on your device (Apple / Google), governed by their own policies.
11. Push notifications
The App may send push notifications about:
- kilometre milestones
- upcoming service intervals
- optional weekly activity summaries
Notifications can be granularly enabled/disabled in Settings → Notifications and entirely disabled in iOS / Android system settings.
We use Expo Push Notifications, which relays notifications via APNs (Apple) or FCM (Google).
12. Children
The App is not intended for children under 16. If we discover that we have processed data of a child under 16 without parental consent, we will delete the data without delay.
If you are a parent or legal guardian and believe your child has provided data to the App, please contact us at privacy@bikested.com.
13. Security
To protect your personal data we implement:
Technical measures:
- transport encryption (TLS 1.2+) between the App and all processors
- storage encryption (Supabase Postgres at-rest encryption, AES-256)
- bcrypt password hashing
- Row-Level Security (RLS) in PostgreSQL – a user can only see their own data
- separation of AI-service API keys on the server (the App never knows the keys)
Organisational measures:
- principle of least privilege
- regular dependency updates (npm audit, Dependabot)
- crash and anomaly monitoring (Sentry)
- DPA with all processors
- account deletion accountability log per GDPR
Confidentiality and integrity: We take reasonable measures to ensure the confidentiality, integrity and availability of your data. However, no system can be 100 % secure. In case of a security incident posing a high risk to your rights, we will inform you within 72 hours in accordance with Art. 33 and 34 GDPR.
14. Your rights
You have the following rights under the GDPR:
| Right | How to exercise it |
|---|---|
| Access (Art. 15) | Most data is visible directly in the App. Full export on request at privacy@bikested.com. |
| Rectification (Art. 16) | Directly in the App (Profile → Cyclist profile; Bike → Edit) or by email |
| Erasure ("right to be forgotten", Art. 17) | App → Settings → Account & Security → Delete account (data is removed from the App immediately and irreversibly; removed from backups within 30 days at the latest) |
| Restriction of processing (Art. 18) | By email at privacy@bikested.com |
| Data portability (Art. 20) | By email at privacy@bikested.com (machine-readable JSON export) |
| Objection (Art. 21) | By email at privacy@bikested.com; against processing based on legitimate interest (Sentry, analytics) |
| Withdraw consent (Art. 7(3)) | Disconnect the activity source / disable notifications / set profile visibility to private in App, or by email |
| Complaint to supervisory authority (Art. 77) | Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Praha 7, posta@uoou.cz, www.uoou.cz – or the supervisory authority of the EU/EEA country of your habitual residence |
We respond to requests within 30 days of receipt (the period may be extended by another 60 days in particularly complex cases).
15. Cookies and similar technologies
The App does not use cookies (it is a native mobile application, not a website). We use:
- MMKV – local key-value storage on the device for offline data cache and user preferences; nothing is sent off-device
- Expo SecureStore – encrypted storage for Supabase session tokens
- AsyncStorage – unencrypted storage for non-critical cache (TanStack Query persister)
None of these stores is shared with third parties and all are deleted alongside the App.
The bikested.com web, including public profiles (/u/<username>), currently uses no cookies, analytics or tracking technologies. Details in the Cookies Policy.
16. Changes to this Policy
We may update this Policy from time to time (e.g., when adding a new feature or processor). We will inform you of material changes:
- in-app banner on next App launch
- email to the address on the account
- updated "Last updated" date in the document header
Continued use of the App after changes take effect constitutes acceptance of the updated Policy.
17. Contact and supervisory authority
Operator / Controller: Tomáš Ross Hanácká 62/63, 751 24 Přerov, Czech Republic Company ID: 87884020 VAT ID: CZ9112194487 (VAT-identified person) Email: privacy@bikested.com
Supervisory authority: Office for Personal Data Protection (Úřad pro ochranu osobních údajů) Pplk. Sochora 27, 170 00 Praha 7, Czech Republic Phone: +420 234 665 111 Email: posta@uoou.cz Web: www.uoou.cz
You have the right to lodge a complaint with the Office for Personal Data Protection if you believe that the processing of your personal data infringes the GDPR. You may also lodge a complaint with the supervisory authority of the EU/EEA member state of your habitual residence or place of work.
This document has been drafted in compliance with Regulation (EU) 2016/679 (GDPR), Czech Act No. 110/2019 Coll., on personal data processing, App Store Review Guidelines (5.1.1) and Google Play Developer Program Policies (User Data).