Privacy Policy

Effective date: 17 April 2026 · Controller: Feral Ventures Limited

This policy explains what personal data Bikestack collects, why, how it is used, and your rights under UK GDPR and the Data Protection Act 2018.

For any privacy questions or to exercise your rights, contact us at privacy@bikestack.app.

1. Who we are

Feral Ventures Limited is the data controller for personal data processed through Bikestack. We are registered in England and Wales.

Contact: privacy@bikestack.app

2. Data we collect and why

Account data

What: email address, display name, avatar photo, password (hashed — we never see it in plain text).

Why: to create and manage your account.

Legal basis: performance of contract.

Profile preferences

What: username, mechanic skill level, riding frequency, disciplines, broad location label (e.g. "Yorkshire, England"), approximate location coordinates (used only to generate the location label — not your home address).

Why: to personalise maintenance suggestions and connect you with local riders. Location is collected at city/county level — we do not store your street address or precise GPS coordinates from your profile.

Legal basis: performance of contract; consent (location is optional and can be skipped).

Bike and component data

What: bike details (nickname, model, colour, frame size, notes), component specifications, purchase dates, purchase prices, serial numbers, bike photos, maintenance logs, service dates and costs.

Why: to provide the core service — maintenance tracking, service history, and public build pages.

Legal basis: performance of contract.

Note: serial numbers are stored privately and never displayed publicly. Purchase prices are private to your account.

Strava integration data

What: Strava OAuth access and refresh tokens (encrypted at rest); ride data including distance, moving time, elevation, ride start coordinates (latitude/longitude), activity name, and timestamp. We also store the raw Strava API response for debugging and data integrity purposes.

Why: to sync your rides automatically and update component mileage after each activity. Ride start coordinates are used to fetch weather data for the ride and are then retained as part of your ride record.

Legal basis: consent (you explicitly connect Strava via OAuth). You can disconnect Strava at any time from Settings, which revokes our access for future syncs. Previously synced ride data remains until you delete it or close your account.

Important: Strava's own Privacy Policy governs how they handle your data independently of Bikestack.

Usage and analytics data

What: page views, feature interactions, and general usage patterns collected via Plausible Analytics.

Why: to understand how the service is used and improve it.

Legal basis: legitimate interests.

Privacy note: Plausible is cookieless and does not collect or store any personally identifiable information. No IP addresses are stored. See Plausible's privacy policy.

Public page view tokens

What: an anonymous random token stored in your browser's sessionStorage to count unique views of public build pages.

Why: to show bike owners how many unique visitors their public build page has had.

Legal basis: legitimate interests. The token is not linked to your identity and is cleared when you close your browser tab.

Email communications

What: your email address and the content of communications (maintenance reminders, account notifications).

Why: to deliver service emails (account verification, maintenance reminders) and, with your consent, product updates.

Legal basis: contract (transactional emails); consent (optional notifications, which you can disable in Settings).

3. Cookies and local storage

Bikestack uses the following cookies and browser storage:

Session cookies (Supabase): strictly necessary to keep you logged in. These cannot be disabled without breaking the service.
localStorage (onboarding state): used to persist your onboarding progress client-side. Cleared when onboarding is complete.
sessionStorage (view token): anonymous token for counting build page views. Cleared when you close the tab.

We do not use advertising cookies or third-party tracking cookies. Plausible Analytics operates without any cookies.

4. Who we share your data with

We do not sell your data. We share data only with the following sub-processors necessary to operate the service:

Processor	Purpose	Location
Supabase	Database, authentication, file storage (backups)	EU (AWS eu-west-1)
Cloudflare R2	Photo and avatar storage	EU
Resend	Transactional email delivery	US (SCCs in place)
Plausible Analytics	Privacy-preserving, cookieless analytics (no personal data)	EU
Strava	Ride data sync (only when you connect Strava)	US (SCCs in place)
Open-Meteo	Weather data for rides (ride coordinates sent, no account data)	EU

We may also disclose data if required to do so by law or in response to valid legal process.

5. How long we keep your data

Account data: retained for as long as your account is active. Deleted within 30 days of account closure.
Bike, component and maintenance data: same as account data.
Ride data (including Strava synced rides): retained while your account is active. You can delete individual rides from within the app, or request bulk deletion at any time.
Photos: deleted from storage within 30 days of removal from your account or account closure.
Strava tokens: deleted immediately when you disconnect Strava.
Email logs: retained for up to 30 days by Resend for delivery reporting, then deleted.

We may retain anonymised, aggregated data (e.g. total ride counts) indefinitely as it cannot be used to identify you.

6. Your rights under UK GDPR

You have the right to:

Access: request a copy of the personal data we hold about you.
Rectification: ask us to correct inaccurate or incomplete data.
Erasure: ask us to delete your personal data ("right to be forgotten"). You can delete your account directly from Settings, which triggers automatic deletion.
Restriction: ask us to pause processing of your data in certain circumstances.
Portability: request your data in a machine-readable format (JSON export).
Object: object to processing based on legitimate interests.
Withdraw consent: where processing is based on consent, withdraw it at any time (e.g. disconnect Strava, turn off email notifications).

To exercise any of these rights, email privacy@bikestack.app. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data rights have been violated.

7. Security

We take reasonable technical and organisational measures to protect your data, including:

Passwords hashed using bcrypt (handled by Supabase Auth).
Strava OAuth tokens encrypted at rest.
All data transmitted over HTTPS/TLS.
Row-level security on the database — users can only access their own data.
Access to production systems restricted to authorised personnel only.

No system is 100% secure. In the event of a data breach affecting your rights, we will notify you and the ICO as required by law within 72 hours of becoming aware.

8. Children's data

Bikestack is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, contact us at privacy@bikestack.app and we will delete the account promptly.

Users aged 13–17 should have a parent or guardian review this policy.

9. Changes to this policy

We may update this policy from time to time. We will notify you by email or in-app notice before material changes take effect. The effective date at the top of this page will always reflect the current version.