Privacy Policy

Working draft pending review by a German tech lawyer. Operational placeholders (hosting provider, retention windows, supervisory authority) are marked [in brackets] below and will be filled in before final publication. Last updated: 2026-05-23.

1. Controller

The data controller within the meaning of Art. 4 (7) GDPR is:

Hans Fritz
Riedener Str. 8
81475 München
Email: hans@bikelog.de

Full contact details are in the Impressum.

2. What we collect, why, and on what legal basis

Data	Why we collect it	Legal basis (GDPR)
Username, email, password hash, FTP, max HR	Operating your account, computing zones / training-load	Art. 6 (1) (b) — contract performance
Uploaded ride files (GPX/TCX/FIT) and derived data (geometry, simplified routes, sidecar JSON)	Providing the service you signed up for	Art. 6 (1) (b) — contract performance
Photos you attach to rides	Providing the service you signed up for	Art. 6 (1) (b) — contract performance
Follow graph, ride sharing settings	Providing the social features of the service	Art. 6 (1) (b) — contract performance
Server access logs (IP, user-agent, timestamps)	Security, abuse detection, debugging	Art. 6 (1) (f) — legitimate interest
Session cookies	Keeping you signed in	Art. 6 (1) (b) — contract performance
OAuth client registrations + API access tokens	Letting you authorise third-party applications	Art. 6 (1) (a) — consent (your explicit grant)
API application form submissions	Reviewing requests for API access	Art. 6 (1) (b) — pre-contractual measures
Third-party access tokens (Garmin / Wahoo / Coros) + activity data fetched from them	Synchronising your rides from a linked fitness device	Art. 6 (1) (a) — consent (your explicit grant at link time)

We do not collect or process: device fingerprints, advertising identifiers, contact lists, location data outside of the activity files you upload yourself, or any data we don't need to run the service.

We do not sell, rent, or share your data with advertisers or analytics services. There are no third-party trackers on the site.

3. Third-party data flows

Three categories: hosting/infrastructure, applications you authorise via Bikelog's OAuth (outbound), and fitness platforms you link Bikelog to via their OAuth (inbound).

3.1 Hosting & infrastructure

[HOSTING PROVIDER NAME], [LOCATION] — runs the servers Bikelog is deployed on. Order processing under Art. 28 GDPR is in place via [LINK TO AVV / DPA].
Email delivery via [EMAIL PROVIDER OR "the Operator's own MTA"] — for account-related emails (password reset, API application notifications). Address only used for the purpose of sending the email.

3.2 Third-party applications (OAuth)

When you authorise a third-party application through the OAuth flow on /api/oauth/authorize.php:

The application receives access tokens scoped to the permissions you granted.
Through those tokens, the application can read (and where the scope permits, write) the corresponding subset of your data.
The application holds copies of any data it fetches on its own infrastructure, outside the Operator's control.
The Operator manually reviews each application before approval. Approval is not an endorsement, and the Operator is not responsible for what an authorised third party does with the data you've granted it.
You can revoke an application's access at any time in /settings.php. Revoking stops future data flow. It does not recall copies the application has already made — for that, you must contact the application's operator directly using their own GDPR / privacy process.

3.3 Linked fitness platforms (Garmin Connect, Wahoo Cloud, Coros)

If you choose to link a Garmin Connect, Wahoo Cloud, or Coros account in your Bikelog Settings:

The link is established via the third party's OAuth flow. Bikelog stores only the access token they issue (encrypted at the database row level). We never receive your password to the third party.
After linking, the third party notifies Bikelog when new activities are recorded; Bikelog fetches those activities (ride data, GPS track, sensor channels, device + activity metadata) and stores them on Bikelog as if you had uploaded them manually. The same retention rules described in §4 apply.
The third party is a separate data controller for the copy of your data they keep on their own servers. We process data we fetched as a controller in our own right; the third party processes the data they hold under their own privacy policy.
Legal basis: Art. 6 (1) (a) GDPR — your explicit consent at link time (granted to both Bikelog and the third party via their OAuth consent screen). You can withdraw the consent on either side at any time without affecting the lawfulness of processing that has already taken place (Art. 7 (3) GDPR).
Revocation: disconnecting in Bikelog → Settings → Connected Services stops Bikelog from fetching new data and deletes the stored access token. Disconnecting on the third party's side (e.g. Garmin Connect → Connected Apps) achieves the same effect from the other direction. Activities already fetched and stored on Bikelog remain unless you also delete them on Bikelog (one-off delete per ride, or "Delete account" for the full wipe).
Limits of erasure (mirror of §6): deleting the link, your Bikelog account, or even your data from Bikelog does not delete the copy of that data held by the third party. For that you must use the third party's own privacy / account-deletion process.
For the Garmin Connect integration specifically, Bikelog is bound by the Garmin Developer Program / API Terms of Use in addition to this Privacy Policy. We commit to using the data only for the purposes you authorised, to not sell or share it with advertisers, and to delete the access token promptly on disconnection. Equivalent commitments apply to Wahoo Cloud and Coros under their respective developer terms.

3.4 Fonts

The site loads typefaces from Google Fonts (fonts.googleapis.com, fonts.gstatic.com). Your browser fetches the fonts directly from Google's servers; Google receives your IP address. No cookies or identifiers are sent to Google by Bikelog. If this is unacceptable, self-hosting these fonts is on the operator's roadmap.

4. Storage location and duration

Storage location: EU (see [HOSTING PROVIDER LOCATION] in section 3.1).
Account data: kept while your account is active. Deleted immediately when you delete your account, with the limits stated in section 6 below.
Logs: rotated after [N] days (typical default for [HOSTING PROVIDER]).
Backups: encrypted, retained for [N] days. Account deletion removes you from live storage immediately; backups age out automatically.

5. Your rights under GDPR

You have the right to:

Access (Art. 15) — get a copy of your personal data. Bikelog provides this as a one-click export from /settings.php ("Download all my data") in addition to fulfilling written requests.
Rectification (Art. 16) — correct inaccurate data. Most fields are self-service in /settings.php.
Erasure (Art. 17, "right to be forgotten") — delete your data. Self-service via "Delete account" in /settings.php. See section 6 for what cannot be deleted on your behalf.
Restriction of processing (Art. 18).
Portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format. The export above satisfies this; the source files (GPX/TCX/FIT) are returned in their original format.
Objection (Art. 21) — to processing based on legitimate interest.
Withdraw consent (Art. 7 (3)) — for any processing based on consent (notably OAuth client authorisations).

Complain to a supervisory authority (Art. 77):

[SUPERVISORY AUTHORITY NAME]
[SUPERVISORY AUTHORITY ADDRESS]
[SUPERVISORY AUTHORITY URL]

To exercise any of these rights, contact the email in section 1. We will respond within one month of receipt (Art. 12 (3) GDPR).

6. Limits of erasure — third-party copies

Bikelog can only delete data it controls.

This applies in both directions of any data sharing you've set up:

Apps you authorised via Bikelog's API may have copied your data onto their infrastructure during the time they had access. Deleting your Bikelog account does not automatically remove those copies. Contact the application's operator through their own privacy process.
Fitness platforms you linked Bikelog to (Garmin, Wahoo, Coros) still hold their own original copy of every activity on their own servers — independent of Bikelog. Disconnecting the link in Bikelog stops us from fetching new activities, but their copy remains until you delete it through their account-management process.

This is an inherent property of the data-sharing model in both directions, not a defect: an authorisation that couldn't be revoked at the source side wouldn't be a meaningful authorisation in the first place.

7. Cookies

Bikelog uses a single first-party session cookie to keep you signed in. It is:

Set only after you sign in;
HttpOnly (not readable by JavaScript);
SameSite=Lax;
Removed when you sign out or when the session expires.

There are no advertising cookies, analytics cookies, or third-party trackers.

8. Security

We hash passwords with bcrypt; we never store plaintext passwords. API access tokens are stored as SHA-256 hashes. Transport security is provided by HTTPS (TLS). Servers are kept up to date with security patches. Access to live infrastructure is restricted to the Operator.

No system is perfectly secure. If you suspect your account has been compromised, change your password immediately and contact us.

9. Children

Bikelog is not directed at children under 16. If you are under 16, do not create an account without the consent of a parent or guardian. If you become aware that a child under 16 has registered without consent, please contact us.

10. Changes to this policy

We may update this Privacy Policy to reflect changes in the service or in applicable law. Material changes will be announced on the site and/or by email to your registered address at least 30 days before they take effect.

11. Contact

Questions, requests, or complaints regarding this Privacy Policy: see section 1.