Location (GPS)
Used only when you initiate ride recording. Never used for passive background tracking.
GDPR compliant
Processed under clear legal bases. You can access, correct, or delete your data at any time.
No sale of data
We do not sell personal data or use it for behavioral advertising profiling.
Introduction
Cycle2Connect ("C2C", "we", "our", "us") respects your privacy and is committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (GDPR).
This Privacy Policy applies when you use:
- The Cycle2Connect mobile application
- Associated web services
- Community, leaderboard, and event features
Personal data we collect
A) Account information
- Name
- Email address
- Username
- Date of birth
- Gender
- Country of residence
- University or educational institution
- Profile photo (optional)
- Authentication ID (backend management system)
B) Activity & performance data
- Ride distance
- Activity duration
- Activity date and time
- Average speed
- CO₂ savings calculations
- Location data used only for distance calculation
- Content you share through the Services
- Kudos, event participation
- Leaderboard ranking
C) Support information
- Information you provide when contacting us for support
D) Third-party accounts
- If you register or log in via Google or Apple, we receive basic profile data such as name and email address
E) Technical information
- Device type
- Operating system version
- App version
- IP address
- Log and diagnostic data
We do not collect special category data as defined in Article 9 GDPR.
How we use your data
We process personal data to:
- Create and manage user accounts
- Record cycling activities
- Calculate environmental impact metrics (e.g., CO₂ savings)
- Organize users into university teams and student groups
- Enable participation in the European Student Cycling Challenge
- Display rankings and statistics (individual, team, and university level)
- Manage events and group participation
- Ensure platform security and prevent misuse
- Improve and develop our services
- Generate aggregated and anonymized statistics for research and project reporting
- Send service-related updates and notifications about important changes
- Respond to support requests
We do not sell personal data.
How we share your information
Visible to other users
Your profile and activity data may be visible to other users and to universities or teams participating in challenges.
Service providers
We share data with trusted service providers who help operate the Services. They are contractually required to protect your data under GDPR-compliant agreements.
Third-party integrations
If you connect third-party services (e.g. Strava), your data may be shared with them under their own privacy policies.
Legal basis for processing
We rely on the following legal bases under GDPR:
- Contract performance (Art. 6(1)(b)) — providing the app's core features
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, service improvement
- Consent (Art. 6(1)(a)) — optional features such as GPS tracking
- Legal obligation (Art. 6(1)(c)) — where required by EU or national law
Data storage & security
Data is stored on secure cloud infrastructure (AWS EU region). We implement:
- Encrypted data transmission (HTTPS/TLS)
- Secure authentication
- Access controls
- Cloud security best practices
Data retention
We retain personal data:
- While your account is active
- As required by applicable law
- Until you request deletion
Upon account deletion, personal data is removed or anonymized within 30 days. Aggregated statistical data may be retained for reporting purposes.
Your rights
Under GDPR, you have the right to:
- Access your personal data
- Correct inaccurate information
- Request deletion of your data
- Restrict processing
- Request data portability
- Object to processing
- Withdraw consent at any time
We will respond to requests within 30 days in accordance with applicable data protection laws.
Contact: urska.pintar@kdrog.si
Minors and educational institutions
Cycle2Connect encourages participation in cycling and sustainable mobility among people of all ages, including students and young participants.
If users are under the age required by applicable national data protection laws, the use of the platform should be supported by a parent, legal guardian, or participating educational institution.
Third-party processors
We may use the following service providers:
- Auth0 — identity management
- Amazon Web Services — hosting (EU region)
- Amazon SES — email delivery
- Apple / Google — app distribution
All processors operate under GDPR-compliant data processing agreements.
Changes to this policy
We may update this Privacy Policy as the service evolves. We will update the effective date above and notify users of material changes.
Data Protection Commitment
Our commitment to data protection principles and applicable regulations.
Regulations we comply with
- Regulation (EU) 2016/679 (GDPR)
- Slovenian Data Protection Act
- EU digital platform regulations
Principles we implement
- Data minimization
- Purpose limitation
- Storage limitation
- Privacy by design
- Secure cloud infrastructure
- Data Processing Agreements with vendors
- Breach notification procedures
- User rights management workflows
What we do not do
- Automated legal decision-making
- Behavioral advertising profiling
- Sale of personal data
Location tracking is user-initiated only.
GDPR requests
For any data protection requests or inquiries, reach out to our data protection contact: