Privacy Policy
Last updated: February 2026
1. Data Controller
FABWIND LDA, Portugal (NIF: PT516581716) is the data controller for MyClub within the meaning of the EU General Data Protection Regulation (GDPR). Contact: info@myclubride.com
2. Data We Collect
| Category | Data | When |
|---|---|---|
| Account | Name, email, profile photo | Google/Apple sign-in |
| Location | GPS coordinates | During rides only (foreground + background with permission) |
| Rides | GPS tracks, distance, elevation, duration, speed, segment times | When you record or import a ride |
| Groups | Group name, membership, ride results, leaderboards | When you create/join a group |
| Device data | Heart rate, power, cadence | If you connect Garmin/Wahoo via OAuth |
| Strava data | Your segment efforts, KOMs, PRs, heart rate, power, kudos count, activity ID | If you connect Strava via OAuth (your personal data only, shown only to you) |
| Photos | Images, GPS location of photo | If you add photos to a ride |
| Technical | Device model, OS version, app version, crash logs | Automatically |
3. Legal Basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the service — recording rides, displaying live positions, segment matching, notifications.
- Legitimate interest (Art. 6(1)(f)): Improving the app, preventing abuse, crash analytics.
- Consent (Art. 6(1)(a)): Background location access, optional third-party integrations (Garmin, Wahoo, Strava), family tracking link sharing. You can withdraw consent at any time.
4. How We Use Your Data
- Display your position during Live Rides (visible to ride group members only).
- Match rides against segments and update leaderboards.
- Send ride notifications and group updates.
- Generate post-ride summaries (stats, photos, awards).
- Deliver routes to connected Garmin/Wahoo devices.
- If you connect Strava: display your personal Strava highlights (KOMs, PRs, segment times, heart rate, power) in your private post-ride view; upload your ride to your Strava profile (phone-only riders); update your Strava activity with ride details and photo gallery link.
- Enable family tracking via shareable browser link (no app required for viewers).
- Detect potential crashes and relay SOS alerts to your group and emergency contacts.
- Improve the app, fix bugs, analyse usage patterns (aggregated, non-personal).
5. Data Sharing
We do NOT sell your data. Your data is shared only in the following circumstances:
- Your group: Ride data, live GPS position, segment results, and photos are visible to members of your group during and after rides.
- Family tracking: If you enable family tracking, your live position and speed are visible via a unique link. You control when this is active.
- Third-party platforms: If you connect Garmin, Wahoo, or Strava via OAuth 2.0, ride data is shared according to those platforms' own privacy policies. You can disconnect at any time.
- Infrastructure providers: Firebase (Google Cloud, EU region), Mapbox (route display). These act as data processors under GDPR-compliant agreements.
- Legal requirements: If required by Portuguese or EU law, court order, or regulatory authority.
6. Live Ride GPS
During a Live Ride, your real-time GPS position is shared with your ride group only. This data is transmitted via Firebase Realtime Database (EU region) and is automatically deleted when the ride ends. Your completed ride track (the recorded route) is retained as part of your ride history.
6b. Activity Route Intelligence
When you connect Garmin, Wahoo, or use the MyClub GPS recorder and grant route contribution consent, anonymised route shapes from your activities are stored to power loop suggestions in the group’s Propose a Ride flow. The anonymised shape consists of the polyline only — the first and last 200 metres are trimmed, and no timestamps, heart rate, power, or cadence data are included. These anonymised route shapes are retained indefinitely.
Separately, a compact timestamped GPS track (latitude, longitude, and timestamp only, at approximately 10-second sampling) is retained for up to 12 months to enable retroactive segment matching when group captains create new segments. This track does not include heart rate, power, or cadence.
Consent withdrawal: Withdrawing route contribution consent deletes your contributed route shapes, compact GPS tracks, and scrubs your identifier from other members’ track metadata. Withdrawing leaderboard consent anonymises your segment efforts (display name replaced with “Former Member”, profile image removed) and deletes your personal-best leaderboard entries. Both can be withdrawn independently from Settings. Account deletion fully removes all data including effort records.
Surface lookup: GPS coordinates from your activities are sent to the OpenStreetMap Overpass API to classify road surface types (paved, gravel, unpaved). No personal identifiers are transmitted — only geographic coordinates. The resulting surface classification is stored with the anonymised route shape.
7. Crash Detection & SOS
If crash detection is enabled, the app uses phone accelerometer and gyroscope data to detect potential impacts. If triggered, an alert containing your GPS position is sent to your group and designated emergency contacts. This feature is a communication tool only and does not contact emergency services (112/911). Sensor data used for crash detection is processed locally on your device and is not stored on our servers.
8. Family Tracking
The family tracking feature generates a unique, time-limited browser link that shows your live position and speed. This link does not require the viewer to install an app or create an account. The link expires when the ride ends. You can disable this feature at any time.
9. Third-Party Integrations
Garmin Connect Integration
If you choose to connect your Garmin account to MyClub, we access your Garmin activity data to enhance your personal cycling experience. This data:
- Remains strictly personal and private to you — never shared with other MyClub users
- Is never sold or provided to third parties
- Can be disconnected at any time from your MyClub settings
What we access from Garmin:
- Activity API: Your ride activities (GPS tracks, heart rate, power, cadence, distance, elevation) to sync metrics to your MyClub ride history
- Courses API: Ability to push planned routes from MyClub's Route Studio to your Garmin device for turn-by-turn navigation during group rides
How we use this data:
- Sync heart rate, power, and cadence from Garmin-recorded rides to enrich your personal ride history in MyClub
- Push GPS routes from Route Studio to your Garmin device before group rides
- Import complete ride activities to share with your private cycling clubs
- Display your personal performance metrics in post-ride summaries
All data usage is strictly limited to enhancing your personal experience. No aggregation, no sharing with other users, no third-party access. Garmin Privacy Policy
- Garmin Connect: OAuth 2.0 authentication. See comprehensive Garmin data usage above. With your consent, anonymised route shapes from your activities may be stored to contribute to your group’s route library. See the Activity Route Intelligence section.
- Wahoo Cloud: OAuth 2.0. We receive ride data and can push routes. With your consent, anonymised route shapes from your activities may be stored to contribute to your group’s route library. See the Activity Route Intelligence section. Wahoo Privacy Policy
- Strava: OAuth 2.0. If you connect Strava, MyClub may: (a) read your own activity data to display your personal segment efforts, KOMs, PRs, heart rate, and power in your private post-ride view — this data is shown only to you and never shared with other users; (b) upload your ride to your Strava profile if you record on phone only (no Garmin/Wahoo connected); (c) update your Strava activity title and description with ride details and a photo gallery link, with your permission. Strava may also monitor and collect data related to MyClub’s use of the Strava API for its own business purposes (see Strava API Agreement). Strava Privacy Policy
- Google Maps / Mapbox: Route display and geocoding. No personal data is shared beyond the route coordinates being displayed.
- Firebase (Google Cloud): Authentication, database, hosting. Data stored in EU region. Firebase Privacy
You can disconnect any third-party integration at any time from the app settings.
10. Data Retention
- Account data: Retained while your account is active.
- Ride data: Retained while your account is active. You can delete individual rides at any time.
- Live GPS data: Automatically deleted when each ride ends.
- Family tracking links: Expire when the ride ends.
- Strava enrichment data: Retained while your Strava account is connected. Disconnecting Strava or deleting your account removes all Strava-sourced data.
- Account deletion: Deleting your account permanently removes all your data from our systems within 30 days. Aggregated, anonymised analytics data may be retained.
11. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Data portability — receive your data in a structured, machine-readable format (GPX, JSON).
- Restriction — request we limit processing of your data.
- Object — object to processing based on legitimate interest.
- Withdraw consent — at any time, for processing based on consent.
To exercise any of these rights, contact info@myclubride.com. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with the Portuguese data protection authority (CNPD — cnpd.pt) or your local EU supervisory authority.
12. International Transfers
Your data is processed and stored within the European Union (Firebase EU region). If any data is transferred outside the EU/EEA (e.g., for crash analytics), we ensure appropriate safeguards are in place as required by GDPR Chapter V, including Standard Contractual Clauses.
13. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), Firebase security rules, and authentication via Google/Apple OAuth. However, no system is 100% secure and we cannot guarantee absolute security.
14. Children
MyClub is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.
15. Cookies & Local Storage
The MyClub app does not use cookies. The website (myclubride.com) uses essential cookies only for basic functionality (language preference). No advertising or tracking cookies are used.
16. Premium Subscriptions & Payment Data
If you subscribe to MyClub Premium, payment processing is handled by Stripe, Inc. We do not store your full credit card number, CVC, or bank account details. Stripe processes your payment and provides us with: a Stripe Customer ID, subscription status, plan type, trial status, and payment event data (success/failure). This data is stored in Firestore (EU region) and used to manage your subscription, enforce feature access, and handle cancellations or refunds.
Stripe's privacy policy: stripe.com/privacy
17. Advertising (Free Users)
Free users may see non-personalised banner advertisements via Google AdMob. AdMob may collect device identifiers and general location data for ad serving and frequency capping. Ads are never shown during active ride recording, over safety features (SOS, crash detection, live map), or on the paywall/checkout screen. Premium subscribers see no advertisements. You can review Google's advertising privacy practices at policies.google.com/privacy.
18. Changes to This Policy
We may update this policy at any time. Material changes will be communicated via the app or email. Continued use after changes constitutes acceptance. The "Last updated" date at the top reflects the most recent revision.
19. Contact
Questions about this privacy policy: info@myclubride.com
FABWIND LDA · Viseu, Portugal · NIF: PT516581716