This Privacy Policy explains how Niels Meereboer ("we", "us", or "our") collects, uses, discloses, and processes your personal data when you use Velowatt (the "Service"), including our website, mobile application, application programming interfaces (APIs), and any integrated features.
We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Controller
The "Controller" responsible for the processing of your personal data under this Service is:
Niels Meereboer
Hoher Weg 3
26605 Aurich
Germany
Email: n.l.meereboer@gmail.com
2. Categories of Personal Data We Process
We collect and process personal data that you provide to us directly, data generated automatically during your use of the Service, and data imported from connected external platforms.
Account Data: Your email address, username, password hashes, registration date, and system-generated authentication IDs.
Activity & Performance Data: Workout files, recorded rides, cycling performance metrics (such as power, cadence, heart rate, speed, duration, and distance), training calendars, and custom cycling plans.
Integration Data: If you explicitly authorize a connection to external fitness, training, or cycling platforms via OAuth (or similar authentication protocols), we collect integration tokens and the fitness files or metrics you choose to sync.
AI Feature Data:
  Voice Recordings: Audio files of your voice commands when you use our hands-free voice control feature.
  Text Prompts: Written text or parameters you input to generate workouts or cycling plans.
Billing & Subscription Data: Subscription status, plan details, payment history, and transactional tokens. We do not store raw credit card details on our servers; payments are processed securely by our payment gateway provider.
Technical & Usage Data: IP address, device identifier, browser type, operating system version, access times, and crash logs.
3. Purposes and Legal Bases for Processing
We process your personal data under the following legal bases in accordance with the GDPR:
3.1 Performance of a Contract (Art. 6(1)(b) GDPR)
We process data necessary to establish, maintain, and execute our contract with you:
Creating and managing your user account and authenticating your logins.
Providing the core training features, ride logging, and performance analysis.
Processing subscription payments and billing.
Enabling voice control features (transcribing and executing your voice recording commands).
Generating custom workouts based on your text prompts or input parameters.
3.2 Consent (Art. 6(1)(a) GDPR)
We process data based on your prior explicit consent:
Connecting and synchronizing your account with external fitness or cycling platforms (e.g., pulling or pushing activity files). You can withdraw this consent at any time by disconnecting the integration in your account settings.
3.3 Legitimate Interests (Art. 6(1)(f) GDPR)
We process data where it is necessary for our legitimate interests (except where overridden by your interests or fundamental rights):
Security & Reliability: Analyzing server logs and crash reports to monitor platform stability, detect bugs, and defend against security threats, fraud, or abuse.
Trial Abuse Prevention: Generating and retaining a secure, non-reversible cryptographic hash of your email address when a free trial is claimed. This prevents multiple free trials from being claimed by the same email identity, and is retained even if you delete your account to protect our business model against systemic trial abuse.
4. Categories of Recipients of Personal Data
We do not sell your personal data. We share your personal data only with trusted service providers who process it on our behalf (as processors) under strict confidentiality agreements, or with third parties when you explicitly command us to do so.
Cloud Hosting & Infrastructure: Providers of database hosting, servers, and backend authentication infrastructure.
Payment Gateways: Third-party payment processors who securely handle your billing details and process subscription transactions.
Artificial Intelligence (AI) Services: External AI processing providers who process your voice recordings (for audio transcription) and text prompts (to generate structured workouts).
Connected Platforms: External fitness or cycling platforms, but only if you explicitly choose to link your account and transmit your activity files to them.
5. International Data Transfers
Some of our third-party service providers (such as hosting and AI providers) are located outside the European Economic Area (EEA), particularly in the United States.
To ensure that your personal data receives an adequate level of protection when transferred outside the EEA, we implement appropriate safeguards in accordance with Art. 44 et seq. GDPR, including:
Standard Contractual Clauses (SCCs) approved by the European Commission, or
Relying on adequacy decisions of the European Commission (such as the EU-U.S. Data Privacy Framework where applicable).
6. Data Retention and Deletion
We retain your personal data only as long as necessary to provide the Service, fulfill the purposes described in this Privacy Policy, or comply with legal retention requirements.
Active Accounts: We retain your personal data while your account is active.
Account Deletion: If you delete your account through your profile settings, all associated personal data, activity files, and integration tokens will be permanently and irreversibly deleted from our active databases within thirty (30) days.
Exceptions: Hashed trial markers (non-reversible email hashes) are retained indefinitely to enforce our free-trial policy. Basic billing records and transaction logs may be retained longer to comply with tax and commercial law obligations (e.g., German tax retention periods of up to 10 years).
7. Your Rights under the GDPR
As a data subject, you have the following rights under the GDPR:
Right of Access (Art. 15 GDPR): The right to obtain confirmation as to whether your personal data is being processed, and to receive a copy of your processed data.
Right to Rectification (Art. 16 GDPR): The right to request the correction of inaccurate or incomplete personal data.
Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR): The right to request the deletion of your personal data under certain conditions (e.g., when it is no longer needed for the contract).
Right to Restriction of Processing (Art. 18 GDPR): The right to request that we restrict processing under specific circumstances.
Right to Data Portability (Art. 20 GDPR): The right to receive your personal data in a structured, commonly used, and machine-readable format, and transfer it to another controller.
Right to Object (Art. 21 GDPR): The right to object to processing based on legitimate interests (Art. 6(1)(f) GDPR) due to reasons arising from your particular situation.
Right to Withdraw Consent: Where processing is based on your consent (e.g., third-party syncing), you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please contact us at n.l.meereboer@gmail.com.
7.1 Right to Lodge a Complaint
You also have the statutory right to lodge a complaint with a competent data protection supervisory authority (Aufsichtsbehörde) if you believe that our processing of your personal data infringes the GDPR (Art. 77 GDPR). You may contact the supervisory authority at your habitual residence, place of work, or the place of the alleged infringement.
8. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will notify you of any material changes by posting the updated policy on this page with a new "Last updated" date, or by sending a direct notification in the app or via email.
9. Language of the Privacy Policy
This Privacy Policy is written in the English language. In the event of any discrepancies, disputes, or interpretation conflicts between the English version and any translated version of this policy, the English version shall govern and prevail.