Privacy Policy
Last updated: March 2026
1. Controller
Stefan Wienert, Frankfurt a.Main, Germany
Email: mail@mybike.parts
Website: mybike.parts
2. Our Principles
- Transparency in every process step
- Data minimization — we only collect what we actually need
- Only technically necessary cookies — no advertising, no tracking cookies
- No third-party social media SDKs, ad networks, or external analytics services
- Fonts are self-hosted — no requests to Google Fonts or other CDNs
3. Categories of Data Subjects
Users and visitors of this website (collectively "users").
4. Data Collected on Every Page Visit
When you access our website, your browser automatically transmits connection data to our web server. This includes:
- IP address
- Browser type and version (User-Agent)
- Referring page (Referrer)
- Date and time of access
- Pages visited
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring stable and secure operation of the website.
Retention: Server logs are deleted after 90 days.
5. User Accounts
You can create an account to write reviews, add product links, and create bike builds.
5.1 Data Stored
- Email address — for login and account communication
- Password — stored only as a bcrypt hash, never in plain text
- Display name — optional, shown publicly next to your contributions
- Description / bio — optional, shown on your profile
- Blog URL, Strava URL — optional, shown on your profile
- Profile picture — optional upload, or automatically downloaded from your OAuth provider
Legal basis: Art. 6(1)(b) GDPR — performance of a contract (providing the service you registered for).
5.2 OAuth Sign-In (Google, Strava)
You may sign in using your Google or Strava account. When you do, we receive:
- Google: email address, display name, profile picture URL
- Strava: athlete ID, display name, profile picture URL, Strava profile URL
We only request the minimum permissions needed (email and profile). We do not access your Google Drive, Gmail, Strava activities, or other private data.
Your profile picture is downloaded once and stored on our server. We do not maintain an ongoing connection to your OAuth provider.
5.3 Sessions
When you log in, we create a session record containing:
- IP address at login time
- User-Agent at login time
This data is used for security purposes (detecting unauthorized access). Sessions are deleted when you log out or when your account is deleted.
5.4 Account Deletion
You can request deletion of your account and all associated data by contacting mail@mybike.parts. Upon deletion, the following data is permanently removed:
- Your user account and profile data
- All sessions
- All your reviews and comments
- All product links you submitted
- All bike builds you created
- All uploaded images
6. User-Generated Content
6.1 Product Reviews and Comments
When you write a review, we store:
- Review text, rating, usage level, purchase date, variant
- Uploaded photos
- Your user ID (linked to your display name)
Reviews are publicly visible. Changes to reviews are tracked in a version history for quality assurance.
6.2 Bike Builds
Bike builds you create store: build name, component selections, optional URLs, uploaded images, and an optional AI-generated summary. Builds can be published publicly via a unique link.
6.3 Product Links
When you add product links, the URL, title, and your user ID are stored. Changes are tracked in version history.
Legal basis: Art. 6(1)(b) GDPR — providing the service you actively use.
7. Internal Usage Analytics
We analyze website usage with a self-hosted, internal system (no third-party analytics service). No data is transmitted to external parties.
Data collected:
- IP address — masked before storage (last digits removed)
- Browser and device information (User-Agent)
- Pages visited and referrer
- Country and region (derived from masked IP, no precise geolocation)
What we do NOT do:
- No analytics cookies are set
- No user profiles are created from analytics data
- Analytics visits are not linked to user accounts
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in improving our service.
Retention: Detailed usage data is automatically deleted after 12 months. Anonymized, aggregated statistics (e.g., page views per day) are stored indefinitely without personal reference.
8. Error Logging
To detect and fix technical issues, we use a self-hosted error logging system on our own servers. No data is transmitted to external services.
Error reports may include: IP address, browser information, error description, and affected page.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in stable operation.
Retention: Error logs are deleted after 90 days.
9. Cookies
We use only technically necessary cookies. No consent banner is needed because we do not use any tracking, advertising, or optional cookies.
| Cookie | Purpose | Duration | Type |
| --- | --- | --- | --- |
| Session cookie | Authentication, CSRF protection | Persistent (until logout) | Necessary |
| Locale | Language preference (EN/DE) | 1 year | Necessary |

10. Embedded YouTube Videos
Some pages embed YouTube video players. When you load a page with an embedded video, your browser connects directly to YouTube (Google LLC) servers. YouTube may set its own cookies and collect data according to Google's Privacy Policy.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in presenting video content relevant to our reviews.
11. Email Communication
We send emails only for:
- Account verification (upon registration)
- Password reset (upon your request)
We do not send marketing emails or newsletters.
12. AI Processing
We use AI services (Deepseek API) to generate summaries of publicly available forum discussions and to classify product categories. No user personal data is sent to AI services. Only publicly available product descriptions and forum content are processed.
13. Data Recipients
- Hosting provider — our web server and infrastructure operator (data processing agreement in place)
- Google LLC — only when you use Google OAuth sign-in or view embedded YouTube videos
- Strava Inc. — only when you use Strava sign-in
We do not sell, trade, or otherwise share your personal data with third parties.
14. Transfer to Third Countries
When you use Google OAuth or view embedded YouTube videos, data may be transferred to the United States (Google LLC). This transfer is covered by Google's participation in recognized data transfer mechanisms. Strava Inc. is also based in the United States.
Apart from these specific interactions, no regular data transfer to countries outside the EU/EEA takes place.
15. Security Measures
In accordance with Art. 32 GDPR, we implement appropriate technical and organizational measures:
- Encrypted connections (HTTPS) for all data transmission
- Passwords stored with bcrypt hashing
- Regular backups
- Access controls and principle of least privilege
- Self-hosted analytics and error logging (no external data flows)
- Sensitive parameters filtered from application logs
16. Your Rights Under GDPR
As a data subject, you have the following rights:
- Access (Art. 15) — request confirmation and a copy of your stored data
- Rectification (Art. 16) — request correction of inaccurate data
- Erasure (Art. 17) — request deletion of your data
- Restriction (Art. 18) — request restricted processing
- Portability (Art. 20) — receive your data in a structured, machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interest
- Complaint (Art. 77) — file a complaint with a supervisory authority
To exercise your rights, contact: mail@mybike.parts
17. Legal Bases Summary
- Art. 6(1)(a) — Consent (e.g., OAuth sign-in)
- Art. 6(1)(b) — Contract performance (user accounts, reviews, builds)
- Art. 6(1)(f) — Legitimate interest (server logs, analytics, error tracking, security)
18. Changes to This Policy
We may update this privacy policy to reflect changes in our data processing practices. We recommend reviewing this page periodically.

