Privacy Policy
Last Updated: 2026-04-10
Introduction
Rotae ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our bike tracking application.
This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using Rotae, you agree to the collection and use of information in accordance with this policy.
Rotae is currently in an early access launch phase. During this phase the service is free to use, but the data practices described in this policy apply equally regardless of whether you are on a free or paid plan.
Data Controller
Rotae is operated as a personal project by an individual (natural person) acting as sole data controller. For the purposes of the GDPR, the data controller is:
- Name: Daniel Garcia
- Email: hello@rotae.cc
Data We Collect
We collect the following types of personal data:
Account Information
- Name (when provided)
- Email address
- Profile picture (optional, via OAuth)
- Authentication method (Google OAuth or email magic link)
Subscription and Payment Information
- Subscription tier (free or premium)
- Stripe customer ID (if you subscribe)
- Subscription status and billing period
- We do not store credit card numbers. All payment details are handled directly by Stripe.
Bike and Component Data
- Bike information (brand, model, year, type)
- Component details (name, category, install date)
- Maintenance history and logs
- Ride distance data
Technical Data
- IP address
- Device type and browser information
- Browser type and version
- Cookies and similar tracking technologies
Legal Basis for Processing
We process your personal data under the following legal bases:
- Consent: You have given explicit consent for specific processing activities
- Contract: Processing is necessary for the performance of our service contract with you
- Legitimate Interests: Processing is necessary for our legitimate interests (e.g., security and fraud prevention)
- Legal Obligation: Processing is necessary to comply with legal obligations
Purposes of Processing
We use your personal data for the following purposes:
- To create and manage your user account
- To provide bike and component tracking functionality
- To track maintenance history and provide reminders
- To detect and prevent fraud and security incidents
- To provide customer support and respond to inquiries
Data Sharing and Third Parties
We may share your data with:
Service Providers
- Hosting and infrastructure (Vercel, regions within the US)
- Database services (Neon — managed PostgreSQL)
- Authentication services (Auth.js / NextAuth, Google OAuth)
- Transactional email (Resend — for magic link sign-in and account emails)
- Payment processing (Stripe — only if you subscribe to a paid plan)
Legal Requirements
We may disclose your data if required by law or court order, or to protect our rights, property, or safety.
Data Sales
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States where our service providers are located.
We ensure appropriate safeguards are in place for such transfers:
- Data transfers to countries with adequacy decisions
- Standard contractual clauses approved by the European Commission
- Service providers with appropriate certifications
Data Retention
We retain your personal data for the following periods:
- Account, bike and component data: retained until you delete your account
- Account deletion: when you delete your account from the settings page, your user record and all related bike, component, maintenance and ride data are permanently and immediately removed from our database. There is no grace period or recovery window.
- Database point-in-time recovery: our hosting provider (Neon) retains short-term automated backups (approximately 24 hours on the current plan) for disaster recovery. Deleted data may persist in these backups until they roll off.
- Runtime and access logs: retained by our hosting provider (Vercel) for approximately 1 day on the current plan. We do not operate a separate long-term log store.
- Stripe payment records: if you subscribe, Stripe retains payment and billing records independently under its own retention policy and applicable tax and accounting law.
Your Data Protection Rights
Under GDPR, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure (Right to be Forgotten): Request deletion of your personal data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Restriction: Limit how we process your data
- Right to Object: Object to processing based on legitimate interests
To exercise any of these rights, please contact us at:
Email: hello@rotae.cc
Cookies and Tracking Technologies
Rotae uses only the minimum cookies and local storage required for the application to function. We do not use advertising, marketing or analytics cookies, and we do not embed third-party trackers.
Essential Cookies
Authentication session cookies and CSRF protection cookies set by Auth.js (NextAuth). These are strictly necessary to keep you signed in and to protect against cross-site request forgery. Under ePrivacy and GDPR these do not require prior consent.
Consent Preference Storage
A small record of your cookie consent choice is stored in your browser's localStorage so we do not show you the banner on every visit. This is not transmitted to any server.
You can clear cookies and localStorage at any time through your browser settings. Disabling essential authentication cookies will prevent you from signing in.
Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption of data in transit (HTTPS/TLS) and at rest
- Strict access controls and authentication mechanisms
- Regular security assessments and updates
- Incident response procedures for data breaches
Children's Privacy
Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us immediately.
Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the 'Last Updated' date. We encourage you to review this Privacy Policy periodically for any changes.
Complaints and Supervisory Authority
If you believe we have not complied with GDPR or have concerns about our data practices, you have the right to lodge a complaint with a supervisory authority.
The data controller is established in Spain. The competent lead supervisory authority is the Spanish Data Protection Agency (AEPD). Users located in other EU/EEA member states may alternatively lodge a complaint with their local data protection authority.
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain — www.aepd.es
Contact Us
If you have any questions about this Privacy Policy or our data practices, or if you want to exercise any of your GDPR rights, please contact the controller directly:
Email: hello@rotae.cc