BikeDo Privacy Policy
Last updated: May 6, 2026
1. Data Controller
The controller of your personal data is Błażej Kapała, sole proprietor trading as GREEN.MEDIA.PL – Błażej Kapała, registered office: 34-125 Sułkowice, ul. Wiśniowa 30, Poland; correspondence address: 43-215 Jankowice, ul. Borowikowa 3a/4, Poland; tax ID (NIP): 5532346285; statistical number (REGON): 380966136 (the "Controller", "we").
Contact
- Privacy / GDPR matters: [email protected]
- General contact: [email protected]
- Postal address: 43-215 Jankowice, ul. Borowikowa 3a/4, Poland
2. Scope
This policy describes how the Controller processes the personal data of users of the BikeDo mobile application (iOS and Android) and the website bikedo.app (collectively the "Service", "BikeDo").
3. Age of users
BikeDo is intended for users who are at least 13 years old. Users under 16 require consent from a parent or legal guardian (in line with Article 8 GDPR and Polish law). The Service is not intended for children under 13.
If you become aware that an account was created by a child under 13, please contact [email protected] — we will delete the account and related data without undue delay.
4. What data we collect
4.1. Data you provide
- Account: email address, password (hashed one-way — we never see your password), name/nickname, handle, bio, profile picture
- Bikes: brand, model, year, type, frame, wheels, drivetrain, weight, purchase price, purchase date, purchase location, description and other specs
- Photos: bike photos and photos attached to service records
- Service history: entries, dates, descriptions, costs
- Reminders: service due dates, categories
- Social content: comments, likes, spec requests, follows, shares
- Preferences: chosen language, push notification settings
4.2. Data collected automatically
- Device push identifiers (FCM token): used to send push notifications
- IP address: stored in server logs (typically for 30 days)
- App version identifier: sent in the X-App-Version header
- Device locale: synced from app preferences
- View tracking: profile view and bike view counters (used to display stats to users)
4.3. Cookies and similar technologies (web)
See section 9. Cookies below.
4.4. What we do NOT collect
- We do not collect precise location (GPS)
- We do not record audio or video
- We do not access contacts or SMS
- We do not collect payment data — the current version of the app does not accept payments
5. Purposes and legal bases
| Purpose | GDPR legal basis |
|---|---|
| Account and providing app functionality | Art. 6(1)(b) — performance of contract (Terms) |
| Sending push notifications (likes, comments, service reminders) | Art. 6(1)(b) and (f) — legitimate interest |
| Web traffic analytics (Google Analytics 4) | Art. 6(1)(a) — consent (cookie banner) |
| Cookieless pings (Consent Mode v2 — anonymous stats before consent) | Art. 6(1)(f) — legitimate interest |
| Crash and error reporting (Firebase Crashlytics) | Art. 6(1)(f) — service stability |
| Security, abuse prevention, server logs | Art. 6(1)(f) — legitimate interest |
| Handling complaints, asserting claims | Art. 6(1)(f) |
| Legal obligations (e.g. responding to lawful requests) | Art. 6(1)(c) |
6. Categories of recipients
Your data may be shared with the following categories of recipients:
6.1. Infrastructure and service providers (processors)
- Hetzner Online GmbH (Germany / Finland) — application server hosting
- Cloudflare, Inc. (USA) — CDN, DDoS protection, image storage (R2)
- Google LLC / Google Ireland Ltd. — Firebase (Cloud Messaging, Crashlytics, in-app Analytics), Google Analytics 4 (web)
- Apple Inc. — APNs for iOS push notifications, distribution via App Store
- Google LLC — distribution via Google Play
- Bunny.net — web font delivery
6.2. Other categories
- IT, hosting, legal and accounting service providers — within what is necessary to provide their services
- Public authorities — when required by law (e.g. court orders, law enforcement requests)
6.3. What we do NOT do
- We do not sell your data
- We do not share data with marketers or data brokers
- We do not build advertising profiles
7. Transfers outside the European Economic Area
Some of our providers (Google, Cloudflare, Apple) are based in the United States or process data in other countries. Such transfers rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- European Commission adequacy decisions (e.g. EU-US Data Privacy Framework, where the recipient is certified)
- Additional technical safeguards (encryption at rest and in transit)
8. Data retention
| Data type | Period |
|---|---|
| User account and related content | Until you delete the account, or after ≥ 36 months of inactivity (preceded by notice) |
| Server logs (IP, requests) | 30 days |
| Push identifiers (FCM token) | Until the account is deleted or the app is uninstalled (inactive tokens are auto-cleared) |
| Analytics cookies (Google Analytics) | Up to 14 months (_ga), 24 hours (_gid) |
| Consent cookies (NEXT_LOCALE, bikedo:consent) | 12 months |
| Data needed for claims | Until the limitation period expires (typically 6 years for individuals under Polish law) |
| Data processed under legal obligations (e.g. accounting) | As required by law (e.g. 5 years for accounting records) |
9. Cookies
The bikedo.app website uses the following cookies and similar technologies:
9.1. Essential cookies (always active)
| Name | Purpose | Lifetime |
|---|---|---|
| NEXT_LOCALE | Remember the chosen website language | 12 mo. |
| bikedo:consent (localStorage) | Remember your cookie consent choice | 12 mo. |
9.2. Analytics cookies (after consent)
| Name | Purpose | Lifetime |
|---|---|---|
| _ga | Google Analytics 4 user identifier | 14 mo. |
| _ga_<XXXX> | Google Analytics session state | 14 mo. |
Before you give consent, Google Analytics runs in Consent Mode v2 — we send anonymous pings without identifiers, which lets us count traffic without profiling individual users.
You can change your consent at any time by clearing site data in your browser — the banner will reappear.
10. Your GDPR rights
You have the following rights, which we will fulfil free of charge and without undue delay (within 30 days):
- Right of access to your data
- Right to rectification — most data can be edited by you in the app
- Right to erasure ("right to be forgotten") — delete the account and related data. You can do this in the app (Settings → Account → Delete account) or by emailing [email protected]
- Right to restrict processing
- Right to data portability — receive your data in a machine-readable format (JSON)
- Right to object to processing based on legitimate interest
- Right to withdraw consent at any time (without affecting prior processing)
- Right to lodge a complaint with the Polish data protection authority (Prezes Urzędu Ochrony Danych Osobowych — uodo.gov.pl) or the supervisory authority in your country of residence
To exercise your rights, please contact [email protected].
11. Automated decisions, profiling
We do not make decisions about you based solely on automated processing — including profiling — that produce legal effects or significantly affect you.
The bike recommendation algorithm in the app feed uses your likes and follows to personalise content — this has no legal effect or significant impact on you.
12. Data security
We apply appropriate technical and organisational measures, including:
- Password hashing (bcrypt)
- Transport encryption (HTTPS/TLS, HSTS)
- Access tokens (Laravel Sanctum)
- Limited employee and contractor access
- Regular backups
- Server software updates
Despite our efforts, no IT solution is 100% secure. In the event of a personal data breach, we notify users and the Polish data protection authority in accordance with Articles 33 and 34 GDPR.
13. Push notifications
Push notifications (e.g. "Adam liked your bike") are sent:
- with system-level consent granted in the app (iOS/Android)
- via Apple (APNs) or Google (FCM) infrastructure
- with per-category preferences manageable in app settings
You can disable notifications at any time in your phone's system settings or in the app preferences.
14. Changes to this policy
We may update this policy. We will notify you of material changes by:
- in-app notice
- email (where the change affects your rights)
- updating the "Last updated" date at the top of the document
The current version is always available at bikedo.app/privacy.
15. Final provisions
This policy is governed by Polish law and complies with the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016).
In matters not regulated here, Polish law applies, in particular the GDPR and the Polish Personal Data Protection Act of 10 May 2018.
If you have any questions about this policy, please contact [email protected].