Privacy Policy

Last updated: 19 April 2026

1. Who we are

RideForge (“we”, “our”, “us”) is the data controller responsible for your personal data. We operate the website rideforge.io and the RideForge application.

Contact: privacy@rideforge.io

2. Data we collect

We collect the following categories of personal data:

  • Account data — name, email address, and password hash (when you register with email). If you sign in with Google or Strava, we receive the profile information those services share with us.
  • Activity data — ride history, power output, heart rate, speed, distance, and other metrics imported from Strava or entered manually.
  • Health and fitness data — HRV readings, sleep duration, and subjective readiness scores you optionally provide. This data is classified as special category data under GDPR and is only processed with your explicit consent.
  • Usage data — pages visited, features used, session duration, and device type, collected via Vercel Analytics in an anonymised and aggregated form.
  • Communications — any messages you send to our support team.

3. Legal basis for processing

We rely on the following legal bases under GDPR Article 6 (and Article 9 for health data):

  • Contract performance (Art. 6(1)(b)) — processing your account data, activity data, and training plans is necessary to provide the RideForge service.
  • Explicit consent (Art. 6(1)(a) / Art. 9(2)(a)) — we process special category health data (HRV, sleep) only on the basis of your explicit, freely given, and withdrawable consent.
  • Legitimate interests (Art. 6(1)(f)) — anonymised analytics to improve the service, provided these interests are not overridden by your fundamental rights.
  • Legal obligation (Art. 6(1)(c)) — retaining records as required by applicable law.

4. How we use your data

We use your personal data solely to:

  • Create and manage your account
  • Generate personalised training plans and AI coaching responses
  • Sync rides from Strava and display your training history
  • Send transactional emails (account confirmation, password reset)
  • Respond to support requests
  • Improve the service through anonymised analytics

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Data sharing and processors

We share data with the following trusted processors, each bound by a data processing agreement:

  • Supabase / PostgreSQL — database hosting (EU region)
  • Vercel — application hosting and anonymised analytics
  • Google (Gemini API) — AI coaching responses; prompts include your fitness data
  • Resend — transactional email delivery
  • Strava — when you connect your account, Strava shares your activity data with us under their own privacy policy

We will disclose your data if required by law or to protect our legal rights.

6. International transfers

Some of our processors operate outside the EEA. Where data is transferred to third countries, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or adequacy decisions issued by the European Commission.

7. Data retention

We retain your personal data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where retention is required by law (e.g., financial records for up to 7 years).

Anonymised analytics data is retained indefinitely as it cannot be linked back to you.

8. Your rights under GDPR

As a data subject in the EEA or UK, you have the following rights:

  • Right of access — request a copy of your personal data
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure — request deletion of your data (“right to be forgotten”)
  • Right to restriction — request that we limit how we process your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — withdraw consent at any time without affecting prior processing
  • Rights related to automated decisions — not to be subject to decisions based solely on automated processing that produce significant effects

To exercise any of these rights, contact us at privacy@rideforge.io. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (e.g., the Data Protection Authority in your country).

9. Cookies

We use strictly necessary cookies to keep you signed in. With your consent, we also use analytics cookies. See our Cookie Policy for full details.

10. Children's data

RideForge is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@rideforge.io.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the app at least 30 days before changes take effect.