Privacy Policy

1. Information We Collect

a. Account information. If you create an account we collect:

• Your display name
• Your email address
• A password, which is stored only as a one-way bcrypt hash — we never store or see your plain-text password
• The date your account was created and a record that you accepted our Terms and Conditions

You can browse routes and view the map without creating an account. If you choose “Continue without account” we do not collect any account information.

b. Location data (mobile app only).

• When you tap Start Navigation on a route, the app reads your precise GPS location from your device using the operating system’s Location Services.
• Location data is processed entirely on your device to show your position on the map, detect when you are off-route, and trigger audio narratives at the correct points. Your location is not transmitted to our servers and is not stored after you stop navigation.
• If you grant “Always” / background location permission, the app continues to receive location updates while it is in the background so navigation keeps working when your phone is locked or in a handlebar mount. Background tracking stops as soon as you tap Stop.
• You can revoke location permission at any time in your device settings. Navigation features will stop working but the rest of the app will continue to function.

c. Content you upload. If you upload a GPX route file or audio narrative, the file and any title or description you provide are stored on our servers and associated with your account.

d. Authentication tokens. When you sign in, short-lived access tokens and refresh tokens are stored in your device’s secure storage (the iOS Keychain or the Android Keystore) so you do not have to sign in on every launch.

e. On-device cache. The mobile app caches route data and downloaded audio narratives in the app’s private storage so routes can be used when you have no signal. This data never leaves your device and is removed when you uninstall the app or clear its data.

f. Technical and log data. Like most online services, our backend automatically receives standard request information when your browser or app contacts us, including your IP address, the time of the request, the URL requested and basic device/browser identifiers (user-agent). This information is used for security, debugging and abuse prevention and is retained for a limited period.

We do not use third-party analytics, advertising SDKs, cross-app tracking, cookies for advertising, or any form of behavioural profiling. We do not access your contacts, photos, microphone, calendar or health data.

2. How We Use Your Information

We use the information described above only to:

• Create, secure and manage your account
• Authenticate you when you sign in
• Provide route browsing, map display, GPS navigation and audio playback
• Allow you to upload and manage your own routes and audio
• Operate, maintain, debug and protect the Service from abuse
• Send essential service messages relating to your account when needed (we do not send marketing emails)
• Comply with legal obligations

We do not sell your personal information, and we do not share it with third parties for advertising or marketing purposes.

3. Legal Basis (UK / EU users)

Where the UK GDPR or EU GDPR applies, our legal bases for processing are:

• Performance of a contract — to provide the account and navigation features you ask for.
• Legitimate interests — to keep the Service secure, prevent abuse and improve reliability.
• Consent — for access to Location Services, which the operating system requests separately and which you can withdraw at any time.
• Legal obligation — where we have to retain or disclose information to comply with applicable law.

4. Service Providers and Sharing

We share information only with the following categories of service providers, who act as data processors on our behalf and are contractually required to protect your data:

• Render Services, Inc. (render.com) — hosts our backend API and PostgreSQL database in Render’s Frankfurt, Germany region (within the European Economic Area). Render processes account data, uploaded routes and standard request logs on our behalf.
• Apple Inc. and Google LLC — distribute the mobile app via the App Store and Google Play and provide the operating-system Location Services that the app uses on your device. We do not receive your individual identity from the stores beyond what they expose in their standard developer reports.
• Apple Maps (iOS) and Google Maps (Android) — render the map tiles inside the app. Map providers may receive your approximate location when you view the map, governed by their own privacy policies.

We may also disclose information if we are legally required to do so, or where strictly necessary to investigate suspected fraud, abuse or threats to safety.

5. Where Your Data Is Stored

Account data and content you upload are stored on servers located in Frankfurt, Germany, within the European Economic Area (EEA). For users in the United Kingdom, transfers from the UK to the EEA are covered by UK adequacy regulations and do not require additional safeguards. For users in the EEA, no international transfer takes place.

Render Services, Inc. is incorporated in the United States and may, in limited circumstances (for example to provide technical support), access data from the United States. Where this happens, Render relies on appropriate safeguards including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

6. Data Security

• All traffic between the app, the website and our backend uses HTTPS.
• Passwords are stored only as bcrypt hashes; we never see your plain-text password.
• Authentication tokens on your device are stored in the iOS Keychain or Android Keystore.
• Access to the production database is restricted to a small number of administrators.

No internet-based service can be guaranteed completely secure, but we take reasonable technical and organisational measures to protect your information.

7. Data Retention

• Account information is retained for as long as your account is active.
• If you delete your account, your account record (display name, email, password hash) is permanently removed from our database. Routes you uploaded are kept in the public catalogue but are no longer linked to you.
• On-device caches (routes, audio, tokens) are removed when you sign out, clear the app’s data, or uninstall the app.
• Backend request logs are retained for up to 90 days for security and debugging, then deleted or anonymised.

8. Your Rights and Choices

You have the following rights regarding your personal data:

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to correct inaccurate information.
• Deletion — delete your account at any time directly inside the mobile app via Settings → Account → Delete Account. This permanently removes your account and personal information from our database. You can also email us to request deletion.
• Withdraw consent — revoke Location Services permission for the app at any time in your device settings.
• Object or restrict — ask us to stop or limit certain processing.
• Portability — receive your data in a structured, machine-readable format where applicable.
• Complain — UK residents may complain to the Information Commissioner’s Office (ico.org.uk); EU residents may complain to their local data protection authority.

To exercise any of these rights, email us at the address in section 11. We will respond within one month.

9. Children’s Privacy

The Service is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised effective date. Material changes will also be communicated through the app or by email where appropriate.

11. Contact Us

For privacy questions, data subject requests, or any other concerns about this policy, contact us at:

info@wheremywheelsgo.uk