Defensive Pedal
Privacy Policy
Last updated: 6 May 2026
Who we are
Defensive Pedal is operated by Victor Rotariu, sole proprietor, based in Brașov, Romania. For privacy and data-subject requests, contact privacy@defensivepedal.com.
What we collect
- Account data: email address, display name, profile photo (optional).
- Ride data: planned routes, GPS breadcrumb trail, distance, duration, elevation gain, route mode, and derived metrics like CO₂ savings.
- Community content you create: hazard reports, ride shares, comments, reactions, and votes.
- Crash diagnostics (on by default; legitimate-interest basis under GDPR Art 6(1)(f) for service-stability — opt out anytime in Profile → Privacy & analytics): app version, device model, OS version, anonymised stack traces. No location, no personal data.
- Product analytics (opt-in only, off by default): anonymous usage events when you explicitly enable it in Profile → Privacy & analytics. Helps us prioritise the roadmap. No GPS tracking.
Why we collect it
Routing, navigation, and safety guidance are the core service. Trip history, badges, and the leaderboard depend on stored ride data. Crash reports help us fix defects faster. We do not sell your data and we do not use it for advertising.
How long we keep it
- Account and profile: while your account is active.
- Ride summaries (distance, duration, CO₂, route mode): while your account is active.
- Raw GPS breadcrumb trails: 90 days, then automatically truncated. You can opt to keep them longer in Profile → Account.
- Hazard reports: 45 days past their expiry, then deleted.
- Inactive accounts: deleted after 24 months without sign-in. We send a warning email at 23 months.
Your rights under GDPR
You have the right to access your data, correct it, request deletion, object to specific processing, and receive a portable copy of the data you have provided to us in a commonly used machine-readable format (Article 20). See how to delete your account for the in-app and email-based deletion paths and what gets removed. For data export or other rights, contact privacy@defensivepedal.com — we respond within 30 days.
Sub-processors and third-party services
The app and its backend rely on the following providers to deliver the service. Each receives only the minimum data needed for its function.
- Supabase — database, anonymous and email-based authentication. Currently US region; we plan to migrate to EU.
- Google Cloud Run — API hosting, EU region (europe-central2 / Warsaw).
- Mapbox — map tiles, geocoding, terrain elevation, and the standard cycling routing engine. The Mapbox SDK's own anonymous-usage telemetry is disabled in our builds.
- OpenStreetMap (OSRM & Overpass) — our custom safety-scored routing server (osrm.defensivepedal.com, self-hosted on Google Cloud) and the Overpass API for bicycle parking, rental, and bike-shop locations. Receives the GPS coordinates needed to compute the request.
- Open-Meteo — weather and air-quality data shown in the route preview and 9 a.m. weather notification. Receives the GPS coordinates of the location being queried.
- Google OAuth — used only when you choose “Sign in with Google”. Google sees your email and display name as part of the identity exchange.
- Expo Push Service (exp.host) — relays push notifications (hazard alerts, weather warnings, streak nudges) to your device. Receives the push token and notification payload.
- Google Play Install Referrer — Android system service that tells us which install campaign brought you to the app. No PII is collected.
- Sentry — anonymised crash reports, EU region. On by default under a legitimate-interest legal basis (GDPR Art 6(1)(f)) since crash diagnostics are essential to keep the routing service safe and stable. You can object and disable it anytime in Profile → Privacy & analytics.
- PostHog — anonymised product analytics, EU host (eu.i.posthog.com). Off by default; transmitted only when you explicitly opt in.
- Firebase App Distribution — used for tester preview builds only (not production). Firebase Analytics is not shipped in our builds.
Contact
Privacy and data-subject requests: privacy@defensivepedal.com
For Romanian users, ANSPDCP (the data protection authority) is the competent supervisory authority: dataprotection.ro.