CycleNet — Privacy Policy v1.0

Effective date: 2026-05-29 · Operator: Jorasoft · Contact: serifoglu.can@gmail.com

CycleNet ("the app") is a social network for cyclists. This policy explains what data the app collects, why, where it is stored, and how you can control or delete it.

1. Summary

• We store the minimum data needed to run the app: your profile, the rides you choose to save, your social graph, and your messages.
• We do not sell your data, do not run third-party ad SDKs, and do not ingest your location in the background.
• You can hide the start and end of every shared ride with the privacy radius (250 m fuzzy grid + first/last meters dropped).
• You can delete your account from inside the app — see "Deletion" below.

2. Account & sign-in

Sign-in uses Sign in with Apple or Google Sign-In. We receive only the identifier the provider returns (Apple user id / Google sub) plus, optionally, your name and a relay email if you grant them. We do not see your password.

Your profile (display name, optional photo, bio, preferred units, language) is stored in Google Firestore under users/{uid} and is readable by other signed-in users so the social features (follows, messages, leaderboards) can work.

3. Rides & location

Location is only sampled while you actively press Bas Pedala (Start Ride). The app does not collect location in the background, does not use Significant Location Changes, and does not run when you close the app or end a ride.

When you save a ride, the polyline (the list of GPS points), distance, duration, elevation, average speed, and optional photo are stored under routes/{routeId}. You choose whether the ride is public (shareable, appears in feeds/leaderboards) or private (only you can see it).

Privacy radius. If enabled, the first and last N meters of the polyline are dropped before upload, and the exposed start/end points are snapped to a 250-meter grid so your home location is not exposed by markers, distance-to-you sorting, or leaderboards.

4. Sensors & HealthKit

Bluetooth heart-rate & cadence sensors. If you opt in, the app connects to standard GATT sensors (services 0x180D, 0x1816) and stores readings only inside the active ride record. We never connect to a sensor without your explicit pairing action.

Apple Health (HealthKit). If you grant permission, finished rides are written to Health as HKWorkout samples. Health permission can be revoked any time from iOS Settings → Health → Data Access & Devices. We do not read your historical Health data unless you tap "Import from Apple Health," which lists only cycling workouts in a date range you choose.

Apple Watch companion. When you record from the watch, ride data is sent to your phone via on-device Wireless Connectivity (WCSession). It does not transit our servers until you press Save.

5. Social features

Follows, likes, messages, group chats, and the activity feed work by writing documents to Firestore that other signed-in users can read according to our security rules:

• 1:1 messages are visible only to the two participants. Conversation IDs are derived from sorted user IDs.
• Group chats are visible only to current members of the group.
• Block is enforced server-side: blocking a user removes mutual follows, prevents new messages, deletes messages between blocked pairs, and hides each user's content from the other.
• Activity feed shows public routes from people you follow. A Cloud Function fans the route out to your userFeeds/{uid}/items collection on write.

6. Push notifications

When you grant permission, an APNs device token is exchanged for a Firebase Cloud Messaging token and stored under users/{uid}/devices/{deviceId}. Tokens are deleted server-side as soon as the device reports registration-token-not-registered. You can turn notifications off in iOS Settings → CycleNet at any time.

7. Photos & camera

If you grant camera or photo-library access, the resulting image is uploaded only when you confirm (profile photo, ride memory, group photo). Images are stored in Firebase Storage; private images are gated by the same access rules as the parent document.

8. GPX import

Files imported via the GPX import screen (Strava, Komoot, Ride with GPS exports) are parsed locally on your device. Nothing leaves the device until you choose to save the resulting ride.

9. Analytics & crash reporting

The app uses Firebase Analytics and Crashlytics only for aggregate usage and crash diagnosis. Identifiers are reset when you delete your account. App tracking transparency (ATT) consent is requested before any tracking-class identifiers are collected.

10. Data retention

Active accounts: data is kept until you delete it.

Deleted accounts: profile, rides marked private, social graph, messages, and FCM tokens are erased within 30 days. Rides you posted as public remain visible but are anonymized (owner replaced with "Deleted user") so the community keeps what you contributed; you can delete individual public rides before account deletion if you prefer.

11. Children

CycleNet is intended for users aged 13 and over (16 in the EU/UK). The app does not knowingly collect data from children below that age.

12. Your rights

• Access / export. Email us at serifoglu.can@gmail.com; we will send your data within 30 days.
• Correction. Edit your profile in the app.
• Deletion. Settings → Account → Delete account. Two-step confirmation; takes effect immediately, server-side erasure within 30 days.
• Block / restrict. Use the block feature on any user from their profile.
• EU/UK/CA residents may contact us to exercise any local rights (GDPR Articles 15–22, UK GDPR, CCPA).

13. Where data is stored

Data is stored on Google Firebase (Firestore + Storage) in the region closest to the Jorasoft project. Standard Google Cloud security applies. Cross-border transfers are governed by Google's Standard Contractual Clauses.

14. Changes to this policy

If we make material changes we will note them in the app and update the effective date above.

15. Contact

Jorasoft · 07825 Blairstown, New Jersey · serifoglu.can@gmail.com