1. Introduction
Cyclingevents ("we," "us," or "our") operates the website cyclingevents.online (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is Cyclingevents, operated via cyclingevents.online. For data protection inquiries, please contact us at the details provided on our Contact page.
3. Personal Data We Collect
We collect the following categories of personal data:
- Account Information: Name, email address, and profile picture provided by your OAuth provider (Google, Strava, or Facebook), or email address when signing in via magic link.
- Authentication Data: OAuth tokens required to maintain your session. We do not store your passwords.
- User-Generated Content: Events you create (title, description, location, dates, uploaded files), RSVPs, and event reports.
- Payment Information: When you purchase a paid event tier, payment is processed by Stripe. We do not store your card details — Stripe handles all payment data securely. We store a reference to your Stripe customer ID to link invoices and receipts.
- Geolocation Data: Approximate location when you grant browser geolocation permission, used solely to center the map on your area.
- Usage Data: IP address, browser type, pages visited, and timestamps, collected automatically for security and analytics.
4. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Consent (Art. 6(1)(a)): Geolocation data is collected only with your explicit browser permission.
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service (account creation, event management, RSVPs).
- Legitimate Interest (Art. 6(1)(f)): Security monitoring, rate limiting, and fraud prevention.
5. How We Use Your Data
- To create and manage your account
- To display events on the map and allow RSVP functionality
- To show your name and avatar on events you create or attend (subject to your privacy settings)
- To process event reports and enforce community guidelines
- To send email notifications about events you've joined (reminders, organiser alerts), only when you opt in via your notification settings
- To process payments for premium event tiers
- To detect and prevent spam, abuse, and unauthorized access
- To improve and maintain the Service
6. Third-Party Services
We use the following third-party services that may process your data:
- Google (OAuth, Maps): Authentication and map rendering. Subject to Google's Privacy Policy.
- Strava (OAuth): Authentication. Subject to Strava's Privacy Policy.
- Facebook (OAuth): Authentication. Subject to Meta's Privacy Policy.
- Supabase: Database hosting (PostgreSQL) and file storage. Data is stored in EU data centers. Subject to Supabase's Privacy Policy.
- Vercel: Website hosting and deployment. Subject to Vercel's Privacy Policy.
- Vercel Analytics: Privacy-friendly, first-party web analytics for page views and traffic sources. No personal identifiers are tracked. Data is aggregated and anonymized.
- Sentry: Error monitoring and performance tracking. When an error occurs, technical data (stack traces, browser info, URL) may be sent to Sentry for debugging. No personal content is intentionally collected. Subject to Sentry's Privacy Policy.
- Stripe: Payment processing for premium event tiers. Stripe collects and processes your payment information (card details, billing address) directly. We do not see or store your full card number. Subject to Stripe's Privacy Policy.
- Resend: Transactional email delivery. When you opt in to email notifications, your email address is shared with Resend solely to deliver event reminders, organiser alerts, and payment confirmations. Subject to Resend's Privacy Policy.
- Cloudmersive: Uploaded files are scanned for malware before storage. File content is sent to Cloudmersive's virus scanning API and is not retained after scanning.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law. Event data created by you may be anonymized rather than deleted to preserve community event history.
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of your personal data.
- Right to Rectification (Art. 16): Request correction of inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to Restriction (Art. 18): Request restriction of processing.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.
To exercise any of these rights, please contact us via our Contact page. We will respond within 30 days.
9. Cookies and Similar Technologies
We use the following cookies and similar technologies:
- Essential cookies: Required for authentication and session management (NextAuth session token, CSRF token). These are strictly necessary and do not require consent under GDPR.
- Analytics: Vercel Analytics collects anonymized, aggregated page view data. It does not use cookies or track individual users. No personal identifiers are collected.
- Error monitoring: Sentry may use local storage to correlate error reports within a browsing session. No advertising or third-party tracking cookies are used.
We do not use advertising cookies, social media tracking pixels, or any third-party marketing cookies.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encrypted connections (HTTPS/TLS), secure authentication (OAuth 2.0 with JWT sessions), rate limiting, Content Security Policy headers, and access controls. However, no method of electronic transmission or storage is 100% secure.
11. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA) through our third-party service providers. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
12. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or a prominent notice on the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.
14. Supervisory Authority
If you are located in the EU/EEA and believe our processing of your personal data violates GDPR, you have the right to lodge a complaint with your local Data Protection Authority.
15. Contact
For questions about this Privacy Policy or to exercise your data protection rights, please visit our Contact page.