This policy explains what personal data CycleConnect collects about you, how we use it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who is the controller of your data
The data controller is [SITE OWNER NAME / COMPANY NAME] of [REGISTERED ADDRESS]. You can contact us about this policy or your personal data at [CONTACT EMAIL].
2. What data we collect
We collect only the data we need to run the Platform:
- Account data — display name, email address, password (stored as a secure hash by our authentication provider), profile photo (optional), bio (optional), and home location (optional).
- Club / company data — if you register a club or company, the details you provide about that organisation.
- Activity data — events, trips, clubs, and rides you create, apply to, attend, or are interested in; messages you post in trip or event threads.
- Enquiry data — if you enquire about a holiday package, your name, email, party size, preferred dates, and message are shared with the relevant operator.
- Technical data — IP address, browser type, device information, and basic usage analytics, collected via our hosting and analytics providers.
- Cookies — a small number of cookies or similar storage are used to keep you signed in and remember your theme preference. We do not use advertising or tracking cookies.
3. How we use your data, and our lawful bases
Under UK GDPR we process your data on the following bases:
- Performance of a contract (Article 6(1)(b)) — to create and operate your account, display your posts, run the signup/login flow, and enable you to apply to and participate in trips, events, and clubs.
- Legitimate interests (Article 6(1)(f)) — to keep the Platform secure, prevent fraud and abuse, monitor performance, and improve the service. You can object to this processing at any time (see "Your rights" below).
- Consent (Article 6(1)(a)) — for optional features such as marketing emails (if we ever introduce them). You can withdraw consent at any time.
- Legal obligation (Article 6(1)(c)) — where we are required to process data to comply with UK law, for example responding to lawful requests from authorities.
4. Who your data is shared with
We never sell your personal data. We share it only with:
- Other users — your public profile (display name, photo, bio, location) is visible to other logged-in users. Messages you post in a trip or event thread are visible to other confirmed participants. When you apply to a trip, your name and message are visible to the organiser.
- Organisers and operators — when you apply to a community trip or enquire about a holiday package, the organiser or operator receives the information needed to respond (typically your name, email, and message).
- Our service providers — we use Supabase (hosted in the EU) for authentication, database, and file storage; Vercel for hosting the site; and OpenStreetMap/Nominatim for mapping and postcode geocoding. These providers process data on our behalf under appropriate contractual terms.
- Law enforcement or regulators — if we are required to do so by law, court order, or in order to protect the rights, property, or safety of users or the public.
5. International transfers
Your data is primarily stored within the UK or European Economic Area. Where any of our providers process data outside the UK/EEA, we rely on adequacy decisions or Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).
6. How long we keep your data
- Account data — while your account is active. If you delete your account, we remove your profile and anonymise your public posts within 30 days, except where we are required to retain data for legal or safety reasons.
- Trip and event messages — retained for as long as the associated trip or event exists, after which they are deleted with the parent record.
- Enquiries — retained for up to 24 months for operators to reference and respond, then deleted.
- Technical logs — typically retained for up to 90 days for security and debugging.
7. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you;
- Rectification — ask us to correct inaccurate or incomplete data;
- Erasure ("right to be forgotten") — ask us to delete your data, subject to certain legal exceptions;
- Restriction — ask us to pause processing your data while a dispute is resolved;
- Objection — object to processing based on legitimate interests;
- Portability — receive your data in a structured, machine-readable format;
- Withdraw consent — at any time, for processing based on consent.
To exercise any of these rights, email [CONTACT EMAIL]. We will respond within one month.
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
We use a small number of strictly-necessary cookies and similar storage:
- Authentication — to keep you logged in between visits (set by our authentication provider).
- Preference — to remember your theme choice (light or dark).
We do not use advertising, cross-site tracking, or analytics cookies that require consent under the Privacy and Electronic Communications Regulations (PECR). If we add analytics in future, we will update this policy and seek consent where required.
9. Security
We take reasonable technical and organisational measures to protect your data, including encryption in transit (HTTPS), encrypted storage of passwords (hashed, never stored in plain text), and strict access controls at our database and hosting providers. No online service can guarantee absolute security, but we will notify affected users and the ICO without undue delay if a reportable breach occurs.
10. Children
The Platform is intended for users aged 18 and over, or users aged 13–17 with parental consent. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete the account.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email or through a notice on the Platform. The "Last updated" date at the top of this page tells you when it was last revised.
12. Contact
Questions about your data or this policy? Email [CONTACT EMAIL].