Privacy Policy
Last updated: May 26, 2026
BikeVitals (“we”, “us”, “our”) is operated as a personal project at bikevitals.com. This policy explains what data we collect, how we use it, and the choices you have. If anything here is unclear, email hello@bikevitals.com.
Summary
- We collect the minimum needed to run the product: your email, your bikes and components, and (if you connect Strava) your ride history.
- We never sell your data or share it with advertisers.
- Payments are handled by Stripe; we never see or store your card details.
- You can export or delete your account at any time from Settings.
1. What we collect
Account data
- Email address — used to sign in and to send transactional emails (confirmations, password resets, billing receipts, and the maintenance alerts you opt into).
- Password — stored as a bcrypt hash by our authentication provider (Supabase). We never see your plaintext password.
Product data
- Bikes, components, service events, and manually-logged rides you create in the app.
- Notification preferences (whether you want maintenance alerts and weekly digests).
Strava data (only if you connect)
If you choose to connect Strava, we request access to your activity history under Strava’s activity:read scope. We then store, per ride you import:
- Strava activity ID, start time, sport type, distance, moving time, and (where present) the Strava gear ID.
- OAuth access and refresh tokens, encrypted at rest in our database, used only to call the Strava API on your behalf.
We do not import GPS coordinates, photos, comments, kudos, or any social-graph data. Disconnecting Strava (Settings → Strava → Disconnect) revokes our tokens with Strava and stops all future syncing.
Billing data (only if you upgrade)
- We use Stripe to process payments. Your card number, CVC, and billing address are sent directly to Stripe and never touch our servers.
- We store the Stripe customer ID, subscription ID, subscription status, and next billing date — that’s the entire footprint.
Operational data
- Standard server logs (timestamp, route, response code, IP address) are retained briefly for security and debugging. We do not run third-party analytics or advertising trackers.
2. How we use it
- To run the product: showing your dashboard, computing component wear, syncing rides, sending the maintenance alerts you’ve opted into.
- To send transactional email: signup confirmations, password resets, billing receipts, payment-failure notices. These cannot be opted out of while the account is active.
- To process payments: only data necessary to identify your subscription is shared with Stripe.
- To protect the service: rate-limiting abusive traffic, investigating security incidents.
We do not use your data for advertising, profiling, or training machine-learning models.
3. Who we share it with
We share data only with the processors required to operate the service:
- Supabase — database, authentication, file storage. supabase.com/privacy
- Vercel — application hosting and edge functions. vercel.com/legal/privacy-policy
- Stripe — subscription billing. stripe.com/privacy
- Strava — only data you send by connecting Strava; we never send anything back. strava.com/legal/privacy
- Resend — transactional email delivery. resend.com/legal/privacy-policy
We will share data when required by law (subpoena, court order) or to investigate fraud or security incidents. We will never sell your data.
4. Where data is stored
Data is stored in our Supabase project (database) and on Vercel’s infrastructure (application). Both providers operate in the United States and the European Union; depending on routing, your data may transit through either. By using BikeVitals you consent to this transfer.
5. How long we keep it
- Active accounts: as long as your account exists.
- Deleted accounts: when you delete your account in Settings, all owned rows (bikes, components, rides, service events, notification preferences, Strava tokens, Stripe customer link) are removed within 30 days. Server logs containing your IP may persist up to 90 days for security purposes.
- Billing records: Stripe retains payment records for as long as legally required (typically 7 years) regardless of account deletion. We retain the linking customer ID for as long as Stripe holds the record.
6. Your rights
Regardless of where you live, you can:
- Access / export — Settings → Account → Export my data. You’ll get a ZIP containing every row tied to your user ID.
- Correct — edit your bikes, components, rides, and notification preferences directly in the app; change your email or password in Settings → Account.
- Delete — Settings → Account → Delete account.
- Disconnect Strava — Settings → Strava → Disconnect. We will revoke our tokens with Strava and stop syncing.
- Object / restrict — email hello@bikevitals.com with any specific concern.
If you’re in the EU, UK, or California, you also have rights under GDPR, the UK GDPR, and CCPA respectively to lodge a complaint with your local supervisory authority.
7. Security
- All traffic is served over HTTPS with HSTS enabled.
- Passwords are hashed with bcrypt by Supabase Auth; we never store plaintext.
- Row-level security policies ensure one user’s data cannot be read by another, even with a leaked anonymous key. See tests/rls in the repo.
- Webhook handlers verify cryptographic signatures (Stripe) or re-fetch from the source of truth (Strava).
- Strava and Stripe tokens never leave the server.
Found a security issue? See our SECURITY.md or email security@bikevitals.com.
8. Children
BikeVitals is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from anyone in that age group. If you believe we have, please contact us and we will delete it.
9. Changes to this policy
We’ll post any changes here and update the “Last updated” date above. For material changes (anything that broadens how we use or share your data), we’ll also email you.
10. Contact
General questions: hello@bikevitals.com
Privacy or data requests: privacy@bikevitals.com
Security issues: security@bikevitals.com