Privacy Policy

1. Introduction

Cyclingevents ("we," "us," or "our") operates the website cyclingevents.online (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is Cyclingevents, operated via cyclingevents.online. For data protection inquiries, please contact us at the details provided on our Contact page.

3. Personal Data We Collect

We collect the following categories of personal data:

• Account Information: Name, email address, and profile picture provided by your OAuth provider (Google, Strava, or Facebook).
• Authentication Data: OAuth tokens required to maintain your session. We do not store your passwords.
• User-Generated Content: Events you create (title, description, location, dates, uploaded files), RSVPs, and event reports.
• Geolocation Data: Approximate location when you grant browser geolocation permission, used solely to center the map on your area.
• Usage Data: IP address, browser type, pages visited, and timestamps, collected automatically for security and analytics.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

• Consent (Art. 6(1)(a)): Geolocation data is collected only with your explicit browser permission.
• Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service (account creation, event management, RSVPs).
• Legitimate Interest (Art. 6(1)(f)): Security monitoring, rate limiting, and fraud prevention.

5. How We Use Your Data

• To create and manage your account
• To display events on the map and allow RSVP functionality
• To show your name and avatar on events you create or attend (subject to your privacy settings)
• To process event reports and enforce community guidelines
• To detect and prevent spam, abuse, and unauthorized access
• To improve and maintain the Service

6. Third-Party Services

We use the following third-party services that may process your data:

• Google (OAuth, Maps): Authentication and map rendering. Subject to Google's Privacy Policy.
• Strava (OAuth): Authentication. Subject to Strava's Privacy Policy.
• Facebook (OAuth): Authentication. Subject to Meta's Privacy Policy.
• Supabase: Database hosting and file storage. Data is stored in EU data centers.
• Vercel: Website hosting. Subject to Vercel's Privacy Policy.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law. Event data created by you may be anonymized rather than deleted to preserve community event history.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of your personal data.
• Right to Rectification (Art. 16): Request correction of inaccurate data.
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
• Right to Restriction (Art. 18): Request restriction of processing.
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interests.
• Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.

To exercise any of these rights, please contact us via our Contact page. We will respond within 30 days.

9. Cookies

We use essential cookies required for authentication and session management. These cookies are strictly necessary for the Service to function and do not require consent under GDPR. We do not use advertising or tracking cookies.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including encrypted connections (HTTPS/TLS), secure authentication (OAuth 2.0 with JWT sessions), rate limiting, Content Security Policy headers, and access controls. However, no method of electronic transmission or storage is 100% secure.

11. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA) through our third-party service providers. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

12. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or a prominent notice on the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Supervisory Authority

If you are located in the EU/EEA and believe our processing of your personal data violates GDPR, you have the right to lodge a complaint with your local Data Protection Authority.

15. Contact

For questions about this Privacy Policy or to exercise your data protection rights, please visit our Contact page.