Legal
Privacy Policy
This is a courtesy translation. The Dutch version of this Privacy Policy is the legally binding version. In case of discrepancies, the Dutch text prevails.
1. Introduction
Grupetti, the sole proprietorship registered at the Dutch Chamber of Commerce under number [KVK NUMBER], located at [ADDRESS] ("Grupetti", "we", "us"), values the protection of your personal data. This Privacy Policy describes how we collect, use, share, and protect your personal data when you use our Platform.
This policy applies to the website grupetti.cc, the mobile application Grupetti (iOS and Android), the web dashboard, and all associated services (the "Platform").
2. Data controller
For account data and platform usage: Grupetti is the data controller within the meaning of Article 4(7) GDPR.
For club member data: The Club is the data controller; Grupetti acts as the data processor on behalf of the Club in accordance with the Data Processing Agreement.
Contact details:
| Field | Value |
|---|---|
| Name | Grupetti |
| Address | [ADDRESS] |
| KvK | [KVK NUMBER] |
| Email | privacy@grupetti.cc |
Grupetti is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, given the nature and scope of the processing activities.
3. What data we collect
3.1 Data you provide directly (Art. 13 GDPR)
| Category | Data | Purpose |
|---|---|---|
| Account | Name, email, password (hashed via bcrypt), profile photo | Account management and authentication |
| Profile | Phone number, emergency contact name and phone, bio | Contact information and safety within the club |
| Club | Club name, description, logo, brand colors, city, country, language, social media accounts | Club management and public page |
| Rides | Ride sign-ups, speed group, attendance, ride reports, photos with captions | Ride management, statistics, and social media content |
| Routes | GPX files, distance, elevation, polyline | Route library |
| Sponsors | Sponsor name, logo, contact details, website, Instagram/Facebook handles, value, duration | Sponsor management and deliverable tracking |
| Events | Event details, ticket prices | Event organization and ticket sales |
3.2 Data for payment processing (via Stripe)
Club Admins receiving payments via Stripe Connect Express provide the following data directly to Stripe (not to Grupetti):
- Full name and date of birth
- Address
- Bank details (IBAN)
- KvK number (for Dutch Clubs)
- Identity document (for KYC verification by Stripe)
Grupetti receives from Stripe only: the Stripe Account ID, connection status, and transaction data (amounts, dates, status updates). Grupetti does not store bank details, credit card numbers, or identity documents.
3.3 Automatically collected data
| Category | Data | Purpose |
|---|---|---|
| Device data | Push tokens, platform (iOS/Android) | Sending push notifications |
| Website usage | Page visits (anonymized, via Vercel Analytics) | Website improvement |
3.4 Data from third parties (Art. 14 GDPR)
| Source | Data | Purpose |
|---|---|---|
| Strava (after your explicit OAuth connection) | Activities: distance, elevation, speed, duration, route polyline, timestamp, activity type | Ride matching, group ride detection, ride card generation, description enrichment |
| Google/Apple OAuth (when registering via OAuth) | Name, email, profile photo | Account creation |
| Club Admin (when inviting) | Email address of the invited member | Sending invitation |
3.5 Data we do not collect
- We do not collect precise GPS location data from your device. Location data on rides comes from GPX routes and Strava activities.
- We do not collect biometric data, health data, or special categories of personal data.
- We do not display ads and do not collect data for advertising purposes.
4. Legal bases and purposes of processing (Art. 6 GDPR)
| Processing activity | Legal basis | Explanation |
|---|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) | Necessary to provide the service |
| Ride management (sign-ups, attendance, speed groups) | Contract performance (Art. 6(1)(b)) | Core Platform functionality |
| Member management and directory display | Contract performance (Art. 6(1)(b)) | Club members can find each other |
| Payment processing via Stripe | Contract performance (Art. 6(1)(b)) | Ticket sales and payouts |
| Ride card and social media content generation | Contract performance (Art. 6(1)(b)) | User-requested functionality |
| Strava connection and activity sync | Consent (Art. 6(1)(a)) | Only after explicit OAuth authorization; revocable |
| Push notifications | Consent (Art. 6(1)(a)) | Via OS permission dialog; revocable via settings |
| Email digest (weekly) | Consent (Art. 6(1)(a)) | On/off in notification settings |
| Strava description enrichment | Consent (Art. 6(1)(a)) | Opt-in per user in settings |
| Website analytics (Vercel Analytics) | Legitimate interest (Art. 6(1)(f)) | Interest: website improvement and error detection. Minimal privacy impact due to anonymization. |
| Fraud prevention and platform security | Legitimate interest (Art. 6(1)(f)) | Interest: protection of Users and Platform integrity |
| Sharing emergency contact in incidents | Vital interests (Art. 6(1)(d)) | Only in emergencies to protect life or health |
| Tax administration (transaction data) | Legal obligation (Art. 6(1)(c)) | Retention obligation under tax legislation (7 years) |
You can withdraw consent at any time via your account settings, without affecting the lawfulness of processing prior to withdrawal.
5. Necessity of data provision
| Data | Required/Voluntary | Consequence of not providing |
|---|---|---|
| Name and email | Required (contractual) | Account cannot be created |
| Password | Required (contractual) | Login not possible |
| Phone number | Voluntary | Not visible to club members |
| Emergency contact | Voluntary | Not available during incidents |
| Profile photo | Voluntary | Default avatar is shown |
| Strava connection | Voluntary (consent) | No activity sync; ride cards without personal stats |
| Stripe KYC data | Required for payments (contractual + legal) | Club cannot receive payments |
6. Who we share data with
We share personal data only with the following parties, and only to the extent necessary for providing the Services:
| Party | Service | Location | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, storage, serverless functions | EU (Frankfurt, Germany) | No transfer outside EU |
| Stripe Technology Europe, Ltd. | Payment processing, KYC verification | EU (Ireland) / US | EU-US Data Privacy Framework + SCCs |
| Strava, Inc. | Activity synchronization (only after your explicit connection) | US | SCCs |
| Vercel, Inc. | Website hosting and anonymized analytics | EU / US | SCCs |
| Resend, Inc. | Transactional emails and digest | US | SCCs |
| Expo (One Signal) | Push notifications | US | SCCs |
| MapTiler AG | Map rendering (no personal data shared) | EU (Switzerland) | Adequacy decision Switzerland |
| Open-Meteo | Weather data (no personal data shared) | EU | No transfer |
"SCCs" refers to Standard Contractual Clauses, the mechanism approved by the European Commission for transferring personal data outside the EU/EEA.
We never sell your personal data to third parties. We do not display ads on the Platform and do not share data with advertisers.
7. Club members and controller responsibility
7.1 When a Club uses the Platform to manage members, the Club is the data controller for the personal data of its members. Grupetti processes this data on behalf of the Club as a data processor.
7.2 This means:
- The Club determines which members are invited and which data is collected
- The Club is responsible for informing its members about the processing, referring to this Privacy Policy
- Members can exercise their rights against both the Club and Grupetti
- Processing is governed by a Data Processing Agreement between Grupetti and the Club
7.3 Club Admins have access to member data (name, email, role, attendance) via the dashboard. Club Admins are obligated to treat this data confidentially.
8. Data security (Art. 32 GDPR)
We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
- All communication is encrypted via TLS/HTTPS
- Passwords are stored hashed (bcrypt via Supabase Auth)
- Database access is secured with Row Level Security (RLS) — users can only see data of clubs they are members of
- API requests require valid JWT tokens with a validity period of 1 hour
- OAuth tokens for Strava are stored encrypted with automatic refresh
- Payment data is processed and stored exclusively by Stripe
- Regular security updates of all dependencies
- Production environment access is limited to the owner of Grupetti
9. Data retention
| Data | Retention period | Reason |
|---|---|---|
| Account and profile | Until you delete your account | Contract performance |
| Club data | Until the Club is dissolved | Contract performance |
| Ride data and sign-ups | Until the Club is dissolved | Contract performance + club history |
| Strava activities | Until you disconnect Strava or delete your account | Consent |
| Transaction data (amounts, dates) | 7 years after transaction | Legal retention obligation (tax legislation) |
| Stripe KYC data | Retained by Stripe per their retention policy | Legal obligation of Stripe |
| Vercel Analytics | Maximum 90 days (anonymized) | Legitimate interest |
| Push tokens | Until you disable notifications or delete your account | Consent |
| Email invitations | 90 days after sending if not accepted | Contract performance |
Upon account deletion, all personal data is permanently deleted (hard delete) via the delete-account functionality. Anonymized or aggregated data that cannot be traced to you is not retained. Transaction data that we are legally required to retain is deleted after the statutory period expires.
10. Your rights (Art. 15-22 GDPR)
| Right | Description | How to exercise |
|---|---|---|
| Access (Art. 15) | Request what personal data we process about you | Via privacy@grupetti.cc or account settings |
| Rectification (Art. 16) | Correct inaccurate data | Via your profile in the app/dashboard |
| Erasure (Art. 17) | Permanently delete your account and all data | Via "Delete account" in the app/dashboard |
| Restriction (Art. 18) | Request restriction of processing of your data | Via privacy@grupetti.cc |
| Portability (Art. 20) | Receive your data in JSON format | Via privacy@grupetti.cc |
| Objection (Art. 21) | Object to processing based on legitimate interest | Via privacy@grupetti.cc |
| Withdraw consent (Art. 7(3)) | Withdraw Strava connection, notifications, email digest | Via account settings in the app/dashboard |
We will respond to requests within 30 days. For complex requests, this period may be extended once by 2 months; you will be informed accordingly.
You also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
- Website: autoriteitpersoonsgegevens.nl
- Phone: 088 - 1805 250
- P.O. Box 93374, 2509 AJ The Hague
11. Automated decision-making
Grupetti does not use automated decision-making or profiling with legal effects or similarly significant effects on Users within the meaning of Article 22 GDPR.
The club leaderboard and Strava group ride detection are algorithmic features but do not have legal or similarly significant effects on Users.
12. Children
The Platform is not intended for children under 16 years of age, in accordance with the age limit in the Dutch GDPR Implementation Act (UAVG). We do not knowingly collect personal data from children under 16. If we discover that we have collected data from a child under 16, we will delete it without delay.
13. Changes
We may update this Privacy Policy from time to time. For material changes, we will notify you at least 30 days in advance via email or an in-app notification. The most recent version is always available at grupetti.cc/privacy. Previous versions can be requested via privacy@grupetti.cc.
14. Contact
For questions about this Privacy Policy or the processing of your personal data:
| Field | Value |
|---|---|
| Name | Grupetti |
| Address | [ADDRESS] |
| Email | privacy@grupetti.cc |
| KvK | [KVK NUMBER] |