Privacy Policy — Defensive Pedal

Effective date: 23 April 2026 · Last updated: 23 April 2026

This Privacy Policy explains how Antifragil SRL ("Antifragil", "we", "us", or "our") collects, uses, discloses, and protects personal data in connection with the Defensive Pedal mobile application and related services (together, the "Service"). It applies to all users of the Service worldwide and is designed to comply with the EU General Data Protection Regulation (GDPR) and Romanian Law No. 190/2018.

Summary in plain language. Defensive Pedal helps you cycle safely by calculating risk-aware routes, showing community hazards, and providing weather and air-quality awareness. To do that, we need your location while you're planning or riding a route, and optionally your email address if you sign in. We never sell your personal data and never use it for advertising. You can delete your account and all associated data at any time by emailing victor@defensivepedal.com.

1. Who we are (Data Controller)

Antifragil SRL is the data controller responsible for the personal data processed through Defensive Pedal.

Legal name: Antifragil SRL
Registered in: Romania
Contact email: victor@defensivepedal.com

You can use the contact email above for any privacy-related question, to exercise your rights, or to report a concern.

2. What personal data we collect

2.1 Account and profile data

You can create an account in one of two ways. You choose the method at sign-up.

Email and password sign-up. You provide an email address and a password. Your password is transmitted only over an encrypted (TLS) connection and is stored exclusively as a salted cryptographic hash (bcrypt) by our authentication provider, Supabase Auth. We never see, log, or store your password in plaintext. After you sign up, we send a verification email to the address you provided; clicking the verification link confirms that the address belongs to you. You must verify your email address before your account is fully activated.
Sign in with Google (OAuth). If you prefer, you can authenticate with your Google account. In that case we receive your verified email address and a unique Google account identifier from Google. No password is set on your account; authentication is delegated to Google each time you sign in.

In both cases, we store a unique account identifier, the associated email address, the sign-up timestamp, and (for email/password accounts) the bcrypt hash of your password. The following profile fields are optional and only collected if you provide them:

Display name — used inside the app and in community content you choose to share.
Profile picture — you may upload a photo from your device gallery or capture one using the device camera. The image is stored on our servers and displayed on your profile and next to content you share in the community feed. Access to the camera is used solely for this purpose and is requested only when you choose to capture a profile picture.

2.2 Location data

Precise GPS location (foreground) — used to show your current position on the map, plan routes from your current location, and calculate distances to hazards, weather stations, and points of interest.
Precise GPS location (during an active trip) — while you are navigating a route, we record a trail of GPS points (a "breadcrumb track") so we can display your progress, compute the traveled distance and elevation profile, and later replay the trip in your history.
Approximate location — derived from your IP address when you open the app, used to show relevant weather and air-quality information for your city.

We do not collect location data when you are not using the app and have no active navigation session.

2.3 Trip and activity data

Route details: origin, destination, chosen route variant (safe / fast / flat), distance, duration, elevation profile, timestamps.
Trip breadcrumb tracks (the recorded GPS trail), stored against your account.
Derived metrics: average speed, safety score, climb/descent totals.
Progression data: experience points (XP), streak counts, badge unlocks, tier, and leaderboard position.

2.4 Community content you submit

Hazard reports (location, type, optional description, timestamp).
Hazard votes and confirmations.
Post-ride feedback, ratings, and written comments.
Likes, love reactions, and comments on other users' shared trips.
Shared trips that you explicitly publish to the community feed.

2.5 Device and technical data

Device model, operating system version, app version, and preferred language.
A pseudonymous Expo push notification token, used only if you enable notifications.
Anonymized crash logs and stack traces, used to diagnose bugs.

2.6 Preferences and settings

App preferences (theme, distance units, default bike type, voice guidance, map POI visibility, notification preferences, quiet hours).
Opt-in states for community features.

2.7 Data we do not collect

We do not collect advertising identifiers.
We do not serve advertising, and we do not share your data with advertising networks.
We do not collect contacts, SMS content, call history, or microphone audio.
We do not sell your personal data to any third party.

3. Why we process your data and on what legal basis

Purpose	Data categories used	Legal basis (GDPR Art. 6)
Authenticating you and maintaining your account	Email, hashed password (for email/password accounts), Google account ID (for OAuth accounts), device data	Performance of a contract (Art. 6(1)(b))
Calculating routes, navigation, and showing hazards along your path	Precise location, trip data, preferences	Performance of a contract (Art. 6(1)(b))
Recording trip history and replays	Breadcrumb tracks, trip data	Performance of a contract (Art. 6(1)(b))
Community feed, hazard reporting, leaderboards	Shared trips, hazards, reactions, display name, profile picture	Consent (Art. 6(1)(a)) — these features are opt-in
Sending push notifications (daily weather, hazard alerts, community interactions)	Push token, preferences	Consent (Art. 6(1)(a)) — you enable notifications during onboarding or in Settings
Diagnosing crashes and improving app stability	Crash logs, device data, app version	Legitimate interest (Art. 6(1)(f)) in operating a reliable service
Protecting the Service against abuse, fraud, or security threats	Device data, account activity	Legitimate interest (Art. 6(1)(f)) in ensuring network and information security
Complying with legal obligations and responding to lawful requests	As required	Legal obligation (Art. 6(1)(c))

Where processing is based on your consent, you can withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal. You can do this from the in-app Settings screen or by contacting us at the address above.

4. How we share data with third parties

We use a small number of carefully selected service providers ("processors") to operate Defensive Pedal. These providers process personal data on our behalf under written agreements that restrict their use of the data to the purposes we specify.

Provider	Purpose	Country
Google LLC	Google OAuth sign-in, Google Play Services, Firebase Cloud Messaging (for push), Google Cloud Run (API hosting in region `europe-central2`)	United States / European Union
Supabase Inc.	User authentication (email/password with bcrypt password hashing, and OAuth via Google), transactional email delivery for email-address verification, database (PostgreSQL + PostGIS), file storage for profile images	United States (primary region may be EU)
Mapbox Inc.	Map tiles, geocoding, address autocomplete, routing, terrain elevation	United States
Open-Meteo GmbH	Weather forecasts and air-quality data (no personal account; only approximate coordinates are sent)	Germany / European Union
OpenStreetMap Foundation (Overpass API)	Bicycle parking and rental location data (no personal account; only bounding-box queries are sent)	United Kingdom / European Union
Expo (650 Industries Inc.)	Push notification delivery infrastructure	United States
Self-hosted OSRM routing server	Safety-scored cycling route calculation	European Union (GCP `europe-central2`)

We do not share personal data with third parties for their own independent commercial purposes. We may disclose personal data if required by law (for example, in response to a valid court order or lawful governmental request) or to protect the rights, property, or safety of Antifragil SRL, our users, or others.

5. International data transfers

Some of our processors (notably those based in the United States) process data outside the European Economic Area. Where personal data is transferred to a country that has not received an adequacy decision from the European Commission, we rely on appropriate safeguards under Article 46 of the GDPR, including Standard Contractual Clauses (SCCs), together with supplementary technical measures (encryption in transit and at rest, access controls).

You can request a copy of the safeguards in place by contacting us at victor@defensivepedal.com.

6. How long we keep your data

We retain personal data only for as long as necessary to provide the Service and fulfill the purposes described in this Policy.

Account and profile data: for as long as your account is active. Deleted within 30 days after account deletion, except where we are legally required to keep it longer.
Trip history and breadcrumb tracks: for as long as your account is active, unless you delete individual trips earlier from the Trips screen.
Community content (shared trips, comments, hazard reports): until you delete the content or your account. Content you delete is removed from public view immediately and permanently erased within 30 days.
Crash logs and diagnostic data: retained for up to 90 days in identifiable form, then aggregated or deleted.
Legal and compliance records: retained as long as required by applicable law (typically up to 5 years for financial and tax-related records, if applicable).

Aggregated or anonymized data (from which you cannot be identified) may be retained indefinitely for statistical and safety-research purposes.

7. Your rights under the GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights in relation to your personal data:

Right of access — obtain a copy of the personal data we hold about you.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — request deletion of your data, subject to certain exceptions.
Right to restriction of processing — ask us to limit how we use your data in certain circumstances.
Right to data portability — receive a copy of your data in a structured, machine-readable format, or have it transmitted to another controller.
Right to object — object to processing based on legitimate interests, including to stop community or diagnostic processing at any time.
Right to withdraw consent — where processing is based on consent, withdraw it at any time.
Right not to be subject to automated decision-making — we do not make decisions about you that produce legal or similarly significant effects based solely on automated processing.

To exercise any of these rights, please email victor@defensivepedal.com. We will respond within one month of receiving your request (extendable by two further months in complex cases, as permitted by the GDPR).

You also have the right to lodge a complaint with the Romanian supervisory authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28–30, Sector 1, 010336 București, Romania
Email: anspdcp@dataprotection.ro
Website: https://www.dataprotection.ro

If you reside in another EU/EEA country, you may also contact the supervisory authority of your country of residence.

8. How we protect your data

We apply industry-standard technical and organizational measures to protect personal data, including:

TLS/HTTPS encryption for all network traffic between the app, our API, and our processors.
Encryption at rest for databases and file storage, using provider-managed keys.
Role-based access controls and least-privilege service accounts.
Authentication tokens stored securely on-device.
Regular dependency updates and security patches.
Monitoring and logging of production systems for security events.

No system can be guaranteed 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where legally required, inform affected users.

9. Children's privacy

Defensive Pedal is intended for users aged 18 and over. We do not knowingly collect personal data from children under the age of 16 (or the equivalent minimum age in your country). If you believe that a child under that age has provided personal data to us, please contact us at victor@defensivepedal.com and we will delete the information promptly.

10. Permissions we request on your device

Permission	Why we request it	When it's requested
Fine location (GPS)	Current position, route planning, navigation, trip recording, nearby hazards	Before the first route plan or navigation session
Background location (optional)	Continuing to record your trip when the screen is off during active navigation	Before starting navigation, if you opt in
Camera	Capturing a profile picture	Only when you tap to take a profile photo
Photo library / media	Selecting an existing image as your profile picture	Only when you tap to pick a profile photo
Notifications	Weather updates, hazard alerts, community interactions	Onboarding, and editable from Settings
Internet	Communi