Skip to content
Back to home

Privacy Policy

App: bikested (mobile application for iOS and Android) Operator: Tomáš Ross, self-employed individual (Czech "OSVČ"), with registered office at Hanácká 62/63, 751 24 Přerov, Czech Republic, company ID: 87884020, VAT ID: CZ9112194487 (VAT-identified person under § 6g of Czech Act No. 235/2004 Coll., on VAT), registered in the Trade Licensing Register maintained by the Municipal Authority of Přerov (the "Operator" or "we") Contact: privacy@bikested.com Document version: 1.2 Effective from: 15 June 2026 Last updated: 5 July 2026


1. Introduction

This Privacy Policy (the "Policy") describes what personal data we collect, why we use it and what rights you have when you use the bikested mobile application (the "App" or "Service").

The Operator is the data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (the "GDPR") and Czech Act No. 110/2019 Coll., on personal data processing.

If you have any questions about this Policy, please contact us at privacy@bikested.com.


2. Definitions

  • Personal data – any information relating to an identified or identifiable natural person.
  • Processing – any operation performed on personal data (collection, storage, modification, use, sharing, deletion).
  • Data subject (user) – the natural person whose data we process; in the context of the App, the person who has created an account.
  • Controller – the Operator, who determines the purposes and means of processing.
  • Processor – a third party that processes data on behalf of the Controller under a data processing agreement (DPA).
  • Anonymised data – data that cannot be linked to a specific person and is not subject to the GDPR.

3. What data we process

3.1 Data you provide directly

Registration and account:

  • email address (with Apple Sign In this may be an anonymised relay address in the form …@privaterelay.appleid.com)
  • password (stored exclusively as a bcrypt hash, never in plaintext; not applicable when registering via Apple / Google Sign In)
  • optional: display name, biography (max. 280 characters), username, profile picture

Cyclist profile (optional):

  • height (cm), weight (kg), FTP (W), experience level

Garage and bikes:

  • brand, model, year, size, type (MTB / road / gravel / urban / BMX / e-bike), colour, purchase date and price, bike photo, custom notes

Bike components:

  • brand, model, year, weight, purchase date and price, notes

Service log:

  • type of work, description, date, kilometres at service, cost, who performed the work (DIY / shop), shop name (optional), photos

AI assistant:

  • the content of messages you type into the chat

Paid subscription (Lite / Plus):

  • subscription details (type, length, start and end date, status)

Note: Payment data (card number, etc.) we do not process directly – payments are processed exclusively by Apple App Store or Google Play under their own policies.

3.2 Data generated through use of the App

  • user identifier (UUID) assigned by Supabase
  • timestamps of account creation, last sign-in, recent activity
  • preferences (AI response style, notification preferences, language, theme)
  • daily AI usage aggregate (message count, token count – for cost-guard purposes)
  • log of service tasks, kilometre milestones, bike anniversaries
  • aggregated statistic: total kilometres ridden per bike

3.3 Data from connected services

Apple Health / Health Connect (optional, on-device): If you choose Apple Health (iOS) or Health Connect (Android) as your activity source, we read only:

  • your cycling activities (workouts of type "cycling") and their distance, date and time

Reading happens on your device, is read-only (we never write anything to Apple Health or Health Connect), and Apple and Google are not recipients of this data from us. The ride distance is then stored in our database to compute mileage and service intervals. We do not read heart rate, GPS, calories, sleep or any other health data.

99Spokes (bike database – server-side): When you search for a bike brand/model when adding it to your garage, the query is sent through our server to 99Spokes. We do not send any of your personal data – only a text query such as "Trek Fuel EX 8".

3.4 Technical and diagnostic data

Crash and error reports (Sentry, EU region): On unexpected errors or crashes, anonymised diagnostics is sent to Sentry (server in Germany):

  • OS type and version, device model, language
  • App version, error stack trace, breadcrumbs
  • our user identifier (UUID) – to group errors of the same user during debugging
  • We do NOT collect IP address, precise geolocation, screen content or user input

Sentry is configured with tracesSampleRate = 0.2 (sampling 20 % of transactions in production) and without default PII (sendDefaultPii = false).

Push notifications:

  • Expo push token of the device (stored in user_push_tokens)
  • platform (iOS / Android), device identifier (optional)

4. Purposes and legal bases for processing

PurposeCategories of dataLegal basis
Account creation, sign-inEmail, password, user IDContract (Art. 6(1)(b) GDPR)
Garage features (bikes, components, service log)Bike, component, service dataContract (Art. 6(1)(b))
AI assistant (chat)Message content, garage context, daily usage aggregateContract (Art. 6(1)(b))
Apple Health / Health Connect kilometre syncDistance and time of cycling activities (physical-activity data)Explicit consent (Art. 9(2)(a) together with Art. 6(1)(a) GDPR) – connection is voluntary
Push notifications about service intervals and milestonesPush token, notification preferencesConsent (Art. 6(1)(a)) – iOS / Android system permission
Crash & error reports (Sentry)Anonymous diagnostics + user IDLegitimate interest (Art. 6(1)(f)) – operational stability
Public garage profile (/u/<username>)Public profile and bike data of your choiceConsent (Art. 6(1)(a)) – visibility is private by default
Paid subscription and billingSubscription status, subscription identifierContract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) – tax records
Fraud and abuse preventionAccount data, IP address and browser signals at registration and login (Supabase, Cloudflare Turnstile)Legitimate interest (Art. 6(1)(f))
Usage analytics for App improvementAnonymised aggregatesLegitimate interest (Art. 6(1)(f))

5. Recipients of personal data

5.1 Processors (Art. 28 GDPR)

We have data processing agreements (DPAs) under Art. 28 GDPR with the following processors. They process personal data exclusively on our instructions and for the purposes set out below:

ProcessorPurposeProcessing locationTransfer safeguards
Supabase, Inc. (USA)Backend (auth, DB, storage, edge functions, realtime)EU (region eu-west-1, Ireland)DPA + EU SCCs 2021/914
OpenRouter, Inc. (USA)AI gateway – routes AI assistant and AI lookup queries to model providersUSADPA + SCCs; does not use query content for model training
Google LLC (USA)AI model provider (Gemini) – generates AI assistant answers (via the OpenRouter gateway)USA / globalDPA + SCCs; paid-API queries are not used for model training
Anthropic, PBC (USA)AI model provider (Claude) – selected AI assistant answers (via the OpenRouter gateway)USADPA + SCCs; queries are not used for model training, content retained for max. 30 days for abuse-monitoring purposes
Sentry (Functional Software, Inc.) (USA)Crash and error trackingEU (Frankfurt, de.sentry.io)DPA + SCCs; no PII
RevenueCat, Inc. (USA)Subscription state verificationUSADPA + SCCs; only user identifier and transaction metadata
Voyage AI (USA)Vector embeddings – converting the content of your query into a vector to retrieve relevant guides (RAG), only for queries requiring the knowledge baseUSADPA + SCCs
Expo Application ServicesPush notification service, OTA updatesUSADPA + SCCs
Cloudflare, Inc. (USA)Bot protection for registration and login (CAPTCHA Turnstile)USADPA + SCCs + EU-US DPF; Turnstile uses no cookies or cross-site tracking, processes only the IP address and technical browser signals for the duration of verification

5.2 Independent controllers and other recipients

The following entities do not act as our processors but as independent controllers under their own privacy policies. Data reaches them only when you yourself activate or use the relevant service:

EntityContextLocationRegime
Apple Inc.App distribution, push notifications (APNs), payment processingGlobalIndependent controller per Apple Privacy Policy
Google LLCApp distribution, push notifications (FCM), payment processingGlobalIndependent controller per Google Privacy Policy
Partner e-shops and the eHUB affiliate networkOpening a shop offer from the Upgrade advisor (Czech market only) – the link opens in your browserCZ / EUIndependent controllers under their own policies; the App passes them none of your personal data (opening the link discloses your IP address to them, as with any web link)

5.3 Services that receive no personal data

ServiceContext
99Spokes, Inc. (USA)Searching bike specifications happens via a live server-to-server query containing only the bike-name text (e.g., "Trek Fuel EX 8") – without any of your personal data and without your IP address. 99Spokes is therefore not a processor of personal data and no DPA is required.

We do not sell your personal data to any third party. We share data only to the extent necessary to operate the App.


6. International transfers

Some of our processors are based outside the European Economic Area (EEA), in particular in the USA. For such transfers we apply:

  • Standard Contractual Clauses (SCCs) as in Commission Implementing Decision (EU) 2021/914
  • EU-US Data Privacy Framework (DPF), where the relevant processor is certified
  • additional technical safeguards (TLS in transit, AES at rest)

A copy of these safeguards is available on request at privacy@bikested.com.


7. Retention periods

CategoryRetention period
Account data (email, profile, password)For the lifetime of the account + 30 days after deletion (technical clean-up)
Garage, components, service logFor the lifetime of the account; deleted on account deletion
Apple Health / Health Connect activities (distance)For the lifetime of the account (part of your service data); delete individually or by deleting the account
AI conversations and messagesFor the lifetime of the account (you can delete individual conversations)
AI daily-usage logs90 days for cost-guard purposes, then aggregated
Sentry crash reports90 days (we do not use Session Replay)
Account deletion log (account_deletion_log)Email anonymised after 24 months; the remaining record (no personal identifier) kept 7 years (accountability under Art. 5(2) GDPR)
Tax records of Apple/Google → Operator payouts (royalties)10 years per § 35 of Czech Act No. 235/2004 Coll., on VAT
Push tokensUntil sign-out or device deactivation

After these periods, data is automatically and irreversibly deleted or fully anonymised.


8. Public profile and content sharing

The App allows you to optionally publish your cyclist profile and bikes at https://bikested.com/u/<username> (visibility defaults to private). If you set visibility to public or unlisted:

  • public – your profile is discoverable in the "Find riders" section and indexable by search engines
  • unlisted – accessible only via direct link, not publicly discoverable
  • private (default) – visible only to you

For each bike you decide whether it should be public (is_public) and which of its parts are visible (components, service log, kilometres, purchase price, story timeline). This choice is revocable at any time in profile settings.

Sharing milestone cards and bike links: When you share a generated card or a link to a bike, the bike's metadata (name, photo, kilometres) is visible in the link preview on third-party platforms (Instagram, WhatsApp, Facebook). This is voluntary and requires the bike to be public.


9. AI assistant – special notice

When you use the AI assistant:

  • The content of your messages is sent via our secure server (Supabase Edge Function ai-chat) to the OpenRouter gateway, which routes the query to the AI model provider – by default Google (Gemini model), for selected responses Anthropic (Claude model)
  • We send your garage context together with each message (bike brands and models, components, the latest 5 service log entries) – without it the AI could not give useful answers
  • For queries that require a lookup in our knowledge base of guides, the content of your query is also sent to Voyage AI to convert it into a vector (embedding) and retrieve relevant passages
  • We do NOT send your email, name, photos or other identifiers beyond what is necessary for the answer
  • The AI providers do not use the content of your queries for model training; Anthropic retains content for a maximum of 30 days for abuse-monitoring purposes
  • The conversation is also stored in our database – you can delete it yourself at any time from the conversation list

Do not enter sensitive personal data into the chat. The AI assistant is for bike-maintenance advice. Please do not include special categories of personal data within the meaning of Art. 9 GDPR (health data, ethnic origin, sexual orientation, etc.) or personal data of third parties. If you nevertheless enter such data, you do so on the basis of your explicit consent (Art. 9(2)(a) GDPR) and at your own responsibility.

The AI assistant is not a professional advisory tool. Its answers are informational; for safety-critical work on brakes, steering and drivetrain, always consult a certified mechanic. See Terms of Service, Art. 7.


10. Connected activity sources – special notice

You may optionally sync your mileage from one of these sources (only one source is active at a time): Apple Health or Health Connect. The connection is always fully voluntary and revocable at any time in App settings.

Apple Health and Health Connect:

  • we read only the distance, date and time of cycling activities – no heart rate, GPS, calories, sleep or any other health data; access is read-only
  • we use the activity data solely to compute your bikes' mileage and service intervals. We never use it for advertising, marketing, profiling or data mining, and we do not sell it or share it with third parties for such purposes
  • for Apple Health / Health Connect, reading happens on your device; you grant consent in the system dialog and can revoke it at any time in Settings → Privacy → Health (iOS) or in the Health Connect app (Android)
  • the imported ride distance remains in our database after the source is disconnected (as part of your service data); you can delete it individually or by deleting the account

Apple Health and Health Connect are local aggregators on your device (Apple / Google), governed by their own policies.


11. Push notifications

The App may send push notifications about:

  • kilometre milestones
  • upcoming service intervals
  • optional weekly activity summaries

Notifications can be granularly enabled/disabled in Settings → Notifications and entirely disabled in iOS / Android system settings.

We use Expo Push Notifications, which relays notifications via APNs (Apple) or FCM (Google).


12. Children

The App is not intended for children under 16. If we discover that we have processed data of a child under 16 without parental consent, we will delete the data without delay.

If you are a parent or legal guardian and believe your child has provided data to the App, please contact us at privacy@bikested.com.


13. Security

To protect your personal data we implement:

Technical measures:

  • transport encryption (TLS 1.2+) between the App and all processors
  • storage encryption (Supabase Postgres at-rest encryption, AES-256)
  • bcrypt password hashing
  • Row-Level Security (RLS) in PostgreSQL – a user can only see their own data
  • separation of AI-service API keys on the server (the App never knows the keys)

Organisational measures:

  • principle of least privilege
  • regular dependency updates (npm audit, Dependabot)
  • crash and anomaly monitoring (Sentry)
  • DPA with all processors
  • account deletion accountability log per GDPR

Confidentiality and integrity: We take reasonable measures to ensure the confidentiality, integrity and availability of your data. However, no system can be 100 % secure. In case of a security incident posing a high risk to your rights, we will inform you within 72 hours in accordance with Art. 33 and 34 GDPR.


14. Your rights

You have the following rights under the GDPR:

RightHow to exercise it
Access (Art. 15)Most data is visible directly in the App. Full export on request at privacy@bikested.com.
Rectification (Art. 16)Directly in the App (Profile → Cyclist profile; Bike → Edit) or by email
Erasure ("right to be forgotten", Art. 17)App → Settings → Account & Security → Delete account (data is removed from the App immediately and irreversibly; removed from backups within 30 days at the latest)
Restriction of processing (Art. 18)By email at privacy@bikested.com
Data portability (Art. 20)By email at privacy@bikested.com (machine-readable JSON export)
Objection (Art. 21)By email at privacy@bikested.com; against processing based on legitimate interest (Sentry, analytics)
Withdraw consent (Art. 7(3))Disconnect the activity source / disable notifications / set profile visibility to private in App, or by email
Complaint to supervisory authority (Art. 77)Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Praha 7, posta@uoou.cz, www.uoou.cz – or the supervisory authority of the EU/EEA country of your habitual residence

We respond to requests within 30 days of receipt (the period may be extended by another 60 days in particularly complex cases).


15. Cookies and similar technologies

The App does not use cookies (it is a native mobile application, not a website). We use:

  • MMKV – local key-value storage on the device for offline data cache and user preferences; nothing is sent off-device
  • Expo SecureStore – encrypted storage for Supabase session tokens
  • AsyncStorage – unencrypted storage for non-critical cache (TanStack Query persister)

None of these stores is shared with third parties and all are deleted alongside the App.

The bikested.com web, including public profiles (/u/<username>), currently uses no cookies, analytics or tracking technologies. Details in the Cookies Policy.


16. Changes to this Policy

We may update this Policy from time to time (e.g., when adding a new feature or processor). We will inform you of material changes:

  • in-app banner on next App launch
  • email to the address on the account
  • updated "Last updated" date in the document header

Continued use of the App after changes take effect constitutes acceptance of the updated Policy.


17. Contact and supervisory authority

Operator / Controller: Tomáš Ross Hanácká 62/63, 751 24 Přerov, Czech Republic Company ID: 87884020 VAT ID: CZ9112194487 (VAT-identified person) Email: privacy@bikested.com

Supervisory authority: Office for Personal Data Protection (Úřad pro ochranu osobních údajů) Pplk. Sochora 27, 170 00 Praha 7, Czech Republic Phone: +420 234 665 111 Email: posta@uoou.cz Web: www.uoou.cz

You have the right to lodge a complaint with the Office for Personal Data Protection if you believe that the processing of your personal data infringes the GDPR. You may also lodge a complaint with the supervisory authority of the EU/EEA member state of your habitual residence or place of work.


This document has been drafted in compliance with Regulation (EU) 2016/679 (GDPR), Czech Act No. 110/2019 Coll., on personal data processing, App Store Review Guidelines (5.1.1) and Google Play Developer Program Policies (User Data).