Policy available in Polish and English. Showing English version.

BikeDo Privacy Policy

Last updated: May 6, 2026

1. Data Controller

The controller of your personal data is Błażej Kapała, sole proprietor trading as GREEN.MEDIA.PL – Błażej Kapała, registered office: 34-125 Sułkowice, ul. Wiśniowa 30, Poland; correspondence address: 43-215 Jankowice, ul. Borowikowa 3a/4, Poland; tax ID (NIP): 5532346285; statistical number (REGON): 380966136 (the "Controller", "we").

Contact

2. Scope

This policy describes how the Controller processes the personal data of users of the BikeDo mobile application (iOS and Android) and the website bikedo.app (collectively the "Service", "BikeDo").

3. Age of users

BikeDo is intended for users who are at least 13 years old. Users under 16 require consent from a parent or legal guardian (in line with Article 8 GDPR and Polish law). The Service is not intended for children under 13.

If you become aware that an account was created by a child under 13, please contact [email protected] — we will delete the account and related data without undue delay.

4. What data we collect

4.1. Data you provide

  • Account: email address, password (hashed one-way — we never see your password), name/nickname, handle, bio, profile picture
  • Bikes: brand, model, year, type, frame, wheels, drivetrain, weight, purchase price, purchase date, purchase location, description and other specs
  • Photos: bike photos and photos attached to service records
  • Service history: entries, dates, descriptions, costs
  • Reminders: service due dates, categories
  • Social content: comments, likes, spec requests, follows, shares
  • Preferences: chosen language, push notification settings

4.2. Data collected automatically

  • Device push identifiers (FCM token): used to send push notifications
  • IP address: stored in server logs (typically for 30 days)
  • App version identifier: sent in the X-App-Version header
  • Device locale: synced from app preferences
  • View tracking: profile view and bike view counters (used to display stats to users)

4.3. Cookies and similar technologies (web)

See section 9. Cookies below.

4.4. What we do NOT collect

  • We do not collect precise location (GPS)
  • We do not record audio or video
  • We do not access contacts or SMS
  • We do not collect payment data — the current version of the app does not accept payments

5. Purposes and legal bases

Purpose | GDPR legal basis
Account and providing app functionality | Art. 6(1)(b) — performance of contract (Terms)
Sending push notifications (likes, comments, service reminders) | Art. 6(1)(b) and (f) — legitimate interest
Web traffic analytics (Google Analytics 4) | Art. 6(1)(a) — consent (cookie banner)
Cookieless pings (Consent Mode v2 — anonymous stats before consent) | Art. 6(1)(f) — legitimate interest
Crash and error reporting (Firebase Crashlytics) | Art. 6(1)(f) — service stability
Security, abuse prevention, server logs | Art. 6(1)(f) — legitimate interest
Handling complaints, asserting claims | Art. 6(1)(f)
Legal obligations (e.g. responding to lawful requests) | Art. 6(1)(c)

6. Categories of recipients

Your data may be shared with the following categories of recipients:

6.1. Infrastructure and service providers (processors)

  • Hetzner Online GmbH (Germany / Finland) — application server hosting
  • Cloudflare, Inc. (USA) — CDN, DDoS protection, image storage (R2)
  • Google LLC / Google Ireland Ltd. — Firebase (Cloud Messaging, Crashlytics, in-app Analytics), Google Analytics 4 (web)
  • Apple Inc. — APNs for iOS push notifications, distribution via App Store
  • Google LLC — distribution via Google Play
  • Bunny.net — web font delivery

6.2. Other categories

  • IT, hosting, legal and accounting service providers — within what is necessary to provide their services
  • Public authorities — when required by law (e.g. court orders, law enforcement requests)

6.3. What we do NOT do

  • We do not sell your data
  • We do not share data with marketers or data brokers
  • We do not build advertising profiles

7. Transfers outside the European Economic Area

Some of our providers (Google, Cloudflare, Apple) are based in the United States or process data in other countries. Such transfers rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • European Commission adequacy decisions (e.g. EU-US Data Privacy Framework, where the recipient is certified)
  • Additional technical safeguards (encryption at rest and in transit)

8. Data retention

Data type | Period
User account and related content | Until you delete the account, or after ≥ 36 months of inactivity (preceded by notice)
Server logs (IP, requests) | 30 days
Push identifiers (FCM token) | Until the account is deleted or the app is uninstalled (inactive tokens are auto-cleared)
Analytics cookies (Google Analytics) | Up to 14 months (_ga), 24 hours (_gid)
Consent cookies (NEXT_LOCALE, bikedo:consent) | 12 months
Data needed for claims | Until the limitation period expires (typically 6 years for individuals under Polish law)
Data processed under legal obligations (e.g. accounting) | As required by law (e.g. 5 years for accounting records)

9. Cookies

The bikedo.app website uses the following cookies and similar technologies:

9.1. Essential cookies (always active)

Name | Purpose | Lifetime
NEXT_LOCALE | Remember the chosen website language | 12 mo.
bikedo:consent (localStorage) | Remember your cookie consent choice | 12 mo.

9.2. Analytics cookies (after consent)

Name | Purpose | Lifetime
_ga | Google Analytics 4 user identifier | 14 mo.
_ga_<XXXX> | Google Analytics session state | 14 mo.

Before you give consent, Google Analytics runs in Consent Mode v2 — we send anonymous pings without identifiers, which lets us count traffic without profiling individual users.

You can change your consent at any time by clearing site data in your browser — the banner will reappear.

10. Your GDPR rights

You have the following rights, which we will fulfil free of charge and without undue delay (within 30 days):

  1. Right of access to your data
  2. Right to rectification — most data can be edited by you in the app
  3. Right to erasure ("right to be forgotten") — delete the account and related data. You can do this in the app (Settings → Account → Delete account) or by emailing [email protected]
  4. Right to restrict processing
  5. Right to data portability — receive your data in a machine-readable format (JSON)
  6. Right to object to processing based on legitimate interest
  7. Right to withdraw consent at any time (without affecting prior processing)
  8. Right to lodge a complaint with the Polish data protection authority (Prezes Urzędu Ochrony Danych Osobowych — uodo.gov.pl) or the supervisory authority in your country of residence

To exercise your rights, please contact [email protected].

11. Automated decisions, profiling

We do not make decisions about you based solely on automated processing — including profiling — that produce legal effects or significantly affect you.

The bike recommendation algorithm in the app feed uses your likes and follows to personalise content — this has no legal effect or significant impact on you.

12. Data security

We apply appropriate technical and organisational measures, including:

  • Password hashing (bcrypt)
  • Transport encryption (HTTPS/TLS, HSTS)
  • Access tokens (Laravel Sanctum)
  • Limited employee and contractor access
  • Regular backups
  • Server software updates

Despite our efforts, no IT solution is 100% secure. In the event of a personal data breach, we notify users and the Polish data protection authority in accordance with Articles 33 and 34 GDPR.

13. Push notifications

Push notifications (e.g. "Adam liked your bike") are sent:

  • with system-level consent granted in the app (iOS/Android)
  • via Apple (APNs) or Google (FCM) infrastructure
  • with per-category preferences manageable in app settings

You can disable notifications at any time in your phone's system settings or in the app preferences.

14. Changes to this policy

We may update this policy. We will notify you of material changes by:

  • in-app notice
  • email (where the change affects your rights)
  • updating the "Last updated" date at the top of the document

The current version is always available at bikedo.app/privacy.

15. Final provisions

This policy is governed by Polish law and complies with the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016).

In matters not regulated here, Polish law applies, in particular the GDPR and the Polish Personal Data Protection Act of 10 May 2018.

If you have any questions about this policy, please contact [email protected].

© 2026 BikeDo