1. Introduction
VeloPlan ("we", "us", "our") operates the website veloplan.me and provides a collaborative cycling trip planning service. This Privacy Policy explains how we collect, use, store, and disclose your personal data, including activity data from third-party fitness platforms.
2. Information We Collect
- Account Information: Name, email address, and profile picture (provided via Google, Strava, or email registration).
- Trip Data: Trip names, dates, locations, routes, itineraries, expenses, logistics, and member information that you create within VeloPlan.
- Strava Data: When you connect your Strava account, we access your saved routes (name, distance, elevation, GPS data) for import into trip planning. We do not access your private activities, heart rate, power, or health data unless you explicitly import them.
- Garmin Data: When you connect your Garmin account, we access your training and activity data (routes, distances, elevation, workout details) to integrate with trip planning. We use this data solely to display and organize your cycling activities within VeloPlan. We do not sell, share, or transfer your Garmin data to any third party.
- Payment Information: Subscription payments are processed by Lemon Squeezy (our Merchant of Record). We do not store credit card details.
3. How We Use Your Data
- To provide and maintain the VeloPlan service (trip planning, route management, expense tracking).
- To import and display your cycling routes and activities from connected platforms (Strava, Garmin).
- To enable AI-powered features (itinerary suggestions, packing lists, budget estimates) — your trip data may be sent to Google Gemini AI for processing. No personally identifiable information is included in AI requests.
- To send you service-related notifications (email verification, trip invitations, push notifications you opt into).
- To manage your subscription and process payments via Lemon Squeezy.
4. Third-Party Services & Data Sharing
We integrate with the following third-party services:
- Google OAuth: For authentication. We receive your name, email, and profile picture.
- Strava API: For importing cycling routes. We store OAuth tokens (encrypted) to access your routes on your behalf. You can disconnect Strava at any time from your profile settings, which revokes our access.
- Garmin Connect API: For importing training and activity data. We store OAuth tokens (encrypted) to access your data on your behalf. You can disconnect Garmin at any time, which revokes our access. We do not share your Garmin data with any other party.
- Google Gemini AI: For AI-powered trip suggestions. Only anonymized trip metadata (location, distances, dates) is sent — no personal information.
- Lemon Squeezy: For payment processing. See their privacy policy.
- Amazon Web Services (AWS): Our infrastructure provider. Data is stored in the EU (Frankfurt, eu-central-1).
We do not sell your personal data or activity data to any third party.
5. Data Storage & Security
- Your data is stored on AWS servers in the European Union (Frankfurt, Germany).
- OAuth tokens (Strava, Garmin) are encrypted at rest using AES-256 encryption.
- Authentication uses JWT tokens with short expiration (15 minutes) and secure HttpOnly refresh cookies.
- All connections are encrypted via HTTPS/TLS.
- We do not store payment card information — this is handled entirely by Lemon Squeezy.
6. Data Retention
We retain your account data and trip data for as long as your account is active. If you delete your account, all associated personal data, trip data, and OAuth tokens are permanently deleted within 30 days. Anonymized, aggregated usage statistics may be retained.
7. Your Rights
You have the right to:
- Access your personal data stored by VeloPlan.
- Correct inaccurate data via your profile settings.
- Delete your account and all associated data.
- Disconnect third-party services (Strava, Garmin) at any time from your profile, which immediately revokes our access to those platforms.
- Export your trip data (PDF export available for subscribed users).
- Withdraw consent for data processing at any time by deleting your account.
8. Cookies
VeloPlan uses essential cookies only:
- Authentication cookies: HttpOnly secure cookies for JWT refresh tokens.
- Local storage: User preferences and session data stored in browser local storage.
We do not use tracking cookies, analytics cookies, or advertising cookies.
9. Children's Privacy
VeloPlan is not intended for children under 16. We do not knowingly collect data from children under 16.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of VeloPlan after changes constitutes acceptance of the updated policy.
11. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us at:
Email: privacy@veloplan.me