Your data,yours alone.
1. Hosting
France / European Union. No core data (profile, bikes, hours, service records) ever leaves the EU. No cross-Atlantic replication, no CDN that sees your data.
2. Data collected
Email, profile (nickname, optional club), declared bikes, service records entered, riding sessions (hours, BLE RSSI, device battery level). No continuous location, no ad tracking, no browser fingerprinting.
3. Third parties
Stripe receives strictly what it needs for payment (amount, email, billing address). Our billing provider receives billing data (name, address, VAT number if a business, amounts) to issue the official invoices. Transactional email via our own SMTP. No other resale, no commercial sharing.
4. Cookies
Strictly necessary: session, preferences (theme, language). No analytics or advertising cookies. No burdensome consent solution is required — we set nothing that would call for one.
5. Your GDPR rights
Access, rectification, portability, erasure. “Export my data” and “Delete my account” buttons in the app, under Settings → Privacy. Effective deletion happens 30 days after the request (cancelable grace period), then a full cascade purge.
6. Retention period
Active account: as long as you use it. Deleted account: 30-day grace period then deletion. Invoices: 10 years (legal accounting obligation, hosted at our billing provider, encrypted).
7. DPO contact
dpo@horotag.com. Reply within 30 days maximum (GDPR art. 12). If a complaint remains unresolved, you may refer the matter to the CNIL.
