Brevet Cycling is a virtual cycling application built by cyclists for cyclists. This Privacy Policy details how we handle your personal data in compliance with the GDPR.
This page is a short summary. The full, current Privacy Policy — including how we process special-category health & biometric data (Art. 9 GDPR), AI processing, international data transfers, retention and your rights — is available inside the app and is the authoritative version.
Brevet Cycling is operated by the Brevet Cycling team. Contact details are available on our Impressum page.
We integrate with Strava and Spotify. When you connect these services, we store OAuth tokens to act on your behalf; you can disconnect at any time from the Connections page, which deletes all stored tokens. Strava is an independent controller — the connection happens at your direction under your own Strava account and Strava's privacy policy.
We also offer optional AI coaching / assessment features powered by Google Vertex AI (Gemini models) in the EU. When you explicitly request AI processing, your training data is pseudonymised (no name, email or user ID) before it is sent. Google acts as our data processor under the Google Cloud Data Processing Addendum and is contractually barred from training its models on your data. This feature is consent-based and requires explicit confirmation.
Push Notifications (Google Firebase Cloud Messaging): When you allow push notifications in the companion app, your device token and IP address are processed by Google Ireland Ltd. to deliver notifications about AI coach reports and training plan changes. Google acts as a data processor under its Data Processing Terms. The OS permission dialog serves as your explicit consent (Art. 6(1)(a) GDPR). No notifications are sent without your permission. Your device token is deleted from our servers on logout or account deletion.
Your data is stored in the EU. We do not sell your data or share it with advertising networks. We use a limited number of processors (for example Google Cloud for AI coaching and push notifications) under data-processing agreements; where data is transferred outside the EEA we rely on EU Standard Contractual Clauses and the EU-U.S. Data Privacy Framework. The full processor list and retention periods are in the in-app Privacy Policy.
You have the right to access, correct, delete, or export your personal data. Contact us via the email on our Impressum page.
We set four strictly functional first-party cookies (session authentication, CSRF protection, known-device recognition for login notifications, and a companion-app hint). No tracking, analytics or advertising cookies are used — the full cookie table is in the in-app Privacy Policy.
We may update this policy. Changes will be posted on this page.
If you are in the United States, see our U.S. State Privacy Notice (CCPA/CPRA and other states) and our Consumer Health Data Privacy Policy (Washington MHMDA, Nevada, Connecticut).