Privacy Policy

Last Updated: December 30, 2024

Welcome to Bike Registry. Your privacy is critically important to us. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our global bicycle registry platform and related services.

This policy applies to our website, mobile applications (iOS and Android), and all associated services. By using our services, you agree to the collection and use of information in accordance with this policy.

1. Who We Are

Data Controller:
Bike Registry Oy
Business ID: 3594642-9
Email: privacy@bike-registry.com
Support: support@bike-registry.com

We are the data controller responsible for your personal information. If you have any questions about this privacy policy or how we handle your data, please contact us at the email addresses above.

For EU users: Our lead supervisory authority is the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu). You have the right to lodge a complaint with them or your local data protection authority.

2. What Personal Data We Collect

We collect different types of information depending on how you use our services:

2.1 Account Information (Required)

  • Email address – used for account creation, authentication, and communication
  • Password – stored securely as a bcrypt hash (not collected if you use Apple Sign-In or Google Sign-In)
  • Account type – Individual, Business, or Admin user

2.2 Profile Information (Optional)

  • Name – to personalize your experience
  • Address and location – to help locate registered bicycles and facilitate ownership transfers
  • Phone number – for account security and communication about transactions
  • Business details – for business accounts (company name, registration number)

2.3 Bicycle Registration Data

  • Serial numbers – unique identifier for each registered bicycle
  • Bike details – brand, model, year, color, description
  • Photos – images of your bicycle for identification
  • Purchase receipts – proof of ownership documents (optional)
  • Location data – city and country where the bike is registered

2.4 Transaction and Payment Data

When you purchase services (such as registration stickers or premium features):

  • Payment information – processed by Stripe (we do not store full credit card numbers)
  • Billing address – required for payment processing
  • Transaction history – order details, dates, and amounts

2.5 Communication Data

  • Messages – when you contact other users through our anonymous relay system
  • Support inquiries – correspondence with our support team
  • Notification preferences – your choices about receiving emails and push notifications

2.6 Technical and Usage Data (Automatically Collected)

  • Device information – type, operating system, unique device identifiers
  • IP address – for security, fraud prevention, and approximate location
  • Log data – pages visited, features used, timestamps, errors
  • Session data – authentication tokens, session duration, device fingerprints
  • Cookies and tracking data – see Section 10 for details

2.7 Search Logs

We maintain logs of all public bicycle searches to ensure transparency and prevent misuse. These logs include:

  • Timestamp of search
  • Search type (serial number, QR code, or API)
  • Searcher's email (if logged in) or anonymous identifier
  • IP address
  • Search query (not linked to personal data in public results)

3. How and Why We Collect Your Data

We collect your information through:

3.1 Collection Points

  • Registration forms – when you create an account
  • Bike registration – when you add a bicycle to the registry
  • File uploads – when you upload photos or documents
  • Payment processing – when you make purchases
  • Mobile app – when you use our iOS or Android applications
  • Website interactions – through cookies and analytics
  • Third-party authentication – Apple Sign-In, Google Sign-In
  • Support requests – when you contact us for help
  • Search activity – when you look up bicycle information

3.2 Purposes of Processing

We use your personal data for:

  • Account management – creating and maintaining your account
  • Service delivery – enabling bicycle registration and ownership verification
  • Ownership transfers – facilitating secure bike transfers with dual confirmation
  • Theft prevention – helping identify stolen bicycles and prevent fraud
  • Payment processing – handling purchases of stickers and premium features
  • Communication – sending transactional emails, notifications, and updates
  • Customer support – responding to your inquiries and resolving issues
  • Security – protecting against fraud, abuse, and unauthorized access
  • Legal compliance – meeting our legal obligations (tax records, regulatory requirements)
  • Service improvement – analyzing usage to enhance our platform (where consent is required or legitimate interest applies)
  • Marketing – sending promotional emails (only with your explicit consent)

4. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

Purpose | Legal Basis
Account creation and management | Contract – necessary to provide our services
Bicycle registration and transfers | Contract – core service delivery
Payment processing | Contract – necessary to complete purchases
Customer support | Contract and Legitimate Interest
Security and fraud prevention | Legitimate Interest – protecting our users and platform
Legal compliance (tax, regulatory) | Legal Obligation
Search logging and transparency | Legal Obligation and Legitimate Interest
Analytics and service improvement | Legitimate Interest (where not requiring consent)
Marketing communications | Consent – you can opt out anytime
Cookies (non-essential) | Consent – managed through our cookie banner
Push notifications (mobile) | Consent – managed in your device settings

You have the right to object to processing based on legitimate interest. Contact us to exercise this right.

5. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Data Type | Retention Period
Account information | Until account deletion + 30 days
Bicycle registration data | Until manually deleted by owner or account closure + 90 days
Transaction records | 7 years (legal requirement for accounting)
Payment information | Not stored (handled by Stripe); transaction IDs kept per above
Support communications | 3 years from last contact
Search logs | 2 years for transparency and abuse prevention
Session data | Until logout or token expiration (7 days for access tokens, 30 days for refresh tokens)
Cookies | According to cookie-specific retention (see Section 10)
Deleted account data | 30 days in backup systems, then permanently deleted

When you delete your account, we permanently remove your personal data, except where retention is required by law or for legitimate purposes (e.g., fraud prevention, resolving disputes).

6. Who We Share Your Data With

We do not sell your personal data. We share your information only as described below:

6.1 Service Providers (Data Processors)

These companies process data on our behalf under strict contractual terms:

  • Vercel – Cloud hosting and serverless infrastructure (USA)
    Privacy Policy: https://vercel.com/legal/privacy-policy

  • PostgreSQL (Vercel-hosted) – Database services (USA)
    Covered by Vercel's privacy policy

  • Vercel Blob Storage – File and image hosting (USA)
    Covered by Vercel's privacy policy

  • Stripe – Payment processing (USA)
    Privacy Policy: https://stripe.com/privacy
    Stripe is PCI-DSS compliant and certified under the EU-U.S. Data Privacy Framework

  • Resend – Transactional email delivery (USA)
    Privacy Policy: https://resend.com/legal/privacy-policy

  • Sentry – Error tracking and application monitoring (USA)
    Privacy Policy: https://sentry.io/privacy/

  • Expo – Push notification services for mobile apps (USA)
    Privacy Policy: https://expo.dev/privacy

  • Google Sign-In / Apple Sign-In – Third-party authentication (USA)
    Google Privacy Policy: https://policies.google.com/privacy
    Apple Privacy Policy: https://www.apple.com/legal/privacy/

6.2 Public Information

When you register a bicycle, the following information becomes publicly searchable (without revealing your identity):

  • Bicycle serial number
  • Brand, model, color, year
  • City and country (not full address)
  • Theft status (if marked as stolen)
  • Photos (if you choose to make them public)

Your email, name, phone number, and full address are never publicly displayed. We provide an anonymous contact relay system for communication between users.

6.3 Legal and Safety Disclosures

We may disclose your information when required by law or to:

  • Comply with legal obligations (court orders, subpoenas)
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Enforce our Terms of Service

6.4 Business Transfers

If Bike Registry is acquired or merged with another company, your data may be transferred to the new owner, who will continue to honor this privacy policy.

7. International Data Transfers

We are based in Finland (EU), but our service providers may process data outside the European Economic Area (EEA), primarily in the United States.

Safeguards for International Transfers:

  • Standard Contractual Clauses (SCCs) – approved by the European Commission
  • Data Privacy Framework – Stripe is certified under the EU-U.S. Data Privacy Framework
  • Binding Corporate Rules – where applicable for multi-national processors
  • Adequacy Decisions – transferring to countries recognized by the EU as providing adequate protection

These safeguards ensure your data receives equivalent protection to GDPR standards, regardless of where it is processed.

8. How We Protect Your Data

We implement robust technical and organizational security measures:

8.1 Technical Measures

  • Encryption in transit – All data transmitted using TLS/SSL (HTTPS)
  • Encryption at rest – Sensitive data encrypted in our databases
  • Password security – Passwords hashed using bcrypt (industry standard)
  • Access controls – Role-based permissions and authentication
  • API rate limiting – Protection against brute-force attacks
  • Session management – Secure JWT tokens with expiration
  • Security monitoring – Sentry for error detection and anomaly tracking

8.2 Organizational Measures

  • Data minimization – We collect only what's necessary
  • Access restrictions – Limited employee access to personal data
  • Vendor agreements – Strict data processing agreements with all service providers
  • Regular security reviews – Ongoing assessment of security practices
  • Incident response plan – Procedures for handling data breaches
  • Employee training – Privacy and security awareness programs

8.3 Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we will:

  • Notify affected users within 72 hours of discovery
  • Inform the relevant supervisory authority (Finnish Data Protection Ombudsman)
  • Provide details of the breach and steps you should take
  • Implement corrective measures to prevent future breaches

9. Your Rights Under GDPR

As a user in the EU/EEA, you have the following rights regarding your personal data:

9.1 Right of Access

You can request a copy of all personal data we hold about you. We will provide this in a structured, commonly used format.

How to exercise: Email privacy@bike-registry.com with "Data Access Request" in the subject line. We will respond within 30 days.

9.2 Right to Rectification

If your personal data is inaccurate or incomplete, you can request corrections.

How to exercise: Update your profile directly in your account settings, or contact us at support@bike-registry.com.

9.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data, subject to legal exceptions (e.g., we must retain transaction records for 7 years for tax purposes).

How to exercise: Delete your account through the app or website settings, or email privacy@bike-registry.com. Data will be permanently removed within 30 days.

9.4 Right to Restriction of Processing

You can request that we limit how we use your data in certain circumstances (e.g., while disputing accuracy).

How to exercise: Email privacy@bike-registry.com with "Restrict Processing" in the subject line.

9.5 Right to Data Portability

You can receive your data in a machine-readable format and transfer it to another service.

How to exercise: Email privacy@bike-registry.com requesting data export. We will provide a JSON file within 30 days.

9.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

How to exercise: For marketing, click "unsubscribe" in any email or adjust settings in your account. For other objections, email privacy@bike-registry.com.

9.7 Right to Withdraw Consent

Where processing is based on consent (marketing, non-essential cookies, push notifications), you can withdraw consent anytime without affecting prior lawful processing.

How to exercise:

  • Marketing emails: Click unsubscribe link or adjust account settings
  • Push notifications: Manage in your device settings (iOS/Android)
  • Cookies: Adjust preferences in our cookie banner or browser settings

9.8 Right to Lodge a Complaint

If you believe we have not handled your data properly, you can complain to:

Finnish Data Protection Ombudsman (Tietosuojavaltuutettu)
Website: https://tietosuoja.fi/en/home
Email: tietosuoja@om.fi

You may also contact your local data protection authority in your EU country.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience and analyze site usage.

10.1 Types of Cookies We Use

Category | Purpose | Duration | Consent Required
Strictly Necessary | Authentication, security, session management | Session to 30 days | No (essential)
Functional | Language preferences, user settings | 1 year | No (legitimate interest)
Analytics | Usage statistics, performance monitoring (Sentry) | 13 months | Yes
Marketing | Advertising, retargeting (if applicable) | 13 months | Yes

10.2 Managing Cookies

You can control cookies through:

  • Our cookie banner – Appears on your first visit; manage preferences anytime
  • Browser settings – Most browsers allow you to refuse cookies
  • Mobile app settings – Manage tracking in iOS/Android privacy settings

Note: Disabling strictly necessary cookies may prevent certain features from working properly.

10.3 Do Not Track (DNT)

We respect browser Do Not Track signals. When DNT is enabled, we disable non-essential tracking.

11. Third-Party Services in Our Mobile Apps

Our mobile applications integrate the following third-party SDKs that collect data:

Service | Purpose | Data Collected | Privacy Policy
Expo | App framework, push notifications | Device info, push tokens | https://expo.dev/privacy
Sentry | Crash reporting, error tracking | Device info, error logs, user ID | https://sentry.io/privacy/
Stripe | Payment processing | Payment info, billing address | https://stripe.com/privacy
Google Sign-In | Authentication (Android) | Email, name, profile picture | https://policies.google.com/privacy
Apple Sign-In | Authentication (iOS) | Email (or relay), name | https://www.apple.com/legal/privacy/
Expo Camera | QR code scanning, photo capture | Camera permissions (local only) | https://expo.dev/privacy
Expo Notifications | Push notifications | Device push token, notification preferences | https://expo.dev/privacy

All third-party services are bound by their respective privacy policies. We select providers with strong privacy practices and GDPR compliance.

12. Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@bike-registry.com. We will delete such information immediately.

13. Marketing and Communications

13.1 Types of Communications

Transactional Emails (cannot opt out):

  • Account verification and password resets
  • Ownership transfer confirmations
  • Purchase receipts and order updates
  • Security alerts

Marketing Emails (opt-in):

  • Product updates and new features
  • Tips for bike safety and theft prevention
  • Promotional offers (if applicable)

13.2 How to Opt Out

  • Click "unsubscribe" in any marketing email
  • Adjust preferences in your account settings
  • Email us at privacy@bike-registry.com

You will continue to receive transactional emails necessary for the service, even after opting out of marketing.

13.3 Push Notifications (Mobile App)

You can enable or disable push notifications in your device settings:

  • iOS: Settings > Notifications > Bike Registry
  • Android: Settings > Apps > Bike Registry > Notifications

14. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements.

How we notify you:

  • Email notification for material changes that affect your rights
  • In-app banner highlighting the update
  • Updated "Last Updated" date at the top of this policy

We encourage you to review this policy periodically. Continued use of our services after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or your personal data:

Email:
privacy@bike-registry.com (for privacy inquiries)
support@bike-registry.com (for general support)

Response Time: We aim to respond to all privacy requests within 30 days (as required by GDPR).

Data Protection Officer: For formal privacy inquiries, contact our DPO at privacy@bike-registry.com.


We are committed to transparency and protecting your privacy rights.