Privacy Policy
Last updated: May 18, 2026
Velox ("we", "us", "our") is a mobile application for tracking bicycle component service intervals. This Privacy Policy explains what personal data we collect, why we collect it, and how you can control it. By using Velox, you agree to the practices described here.
1. What data we collect
Account data
When you sign in with Google or Apple, we receive your name, email address, and profile picture from the identity provider. We store this to identify your account and personalise the app experience. We do not receive or store your Google or Apple password.
App data
We store the data you enter in the app: bikes (names, brands), components (types, names, installation dates, custom service intervals), ride logs (distance in km, duration in hours, date), and service records (dates, notes, costs). This data is tied to your account and stored on our servers.
Push notification token
When you allow push notifications, Expo generates a device push token. We store this token to be able to send you service reminders. You can revoke notification permission at any time in your device settings.
Strava data (optional)
If you connect your Strava account, we receive and store your Strava athlete ID, display name, profile picture, and the list of bikes registered on Strava. When syncing activities, we import ride distance, moving time, and date. We do not access your heart rate, power data, GPS routes, or any other Strava data not listed here. You can disconnect Strava at any time in Settings.
Payment data
Premium subscriptions are processed entirely by the Apple App Store or Google Play through RevenueCat. We do not receive, store, or have access to your payment card details. We receive only your subscription status (Free or Premium) from RevenueCat.
Analytics and session recordings (PostHog)
We use PostHog, a product analytics platform, to understand how users interact with Velox and to improve the app. PostHog collects:
- Usage events — actions such as signing in, adding a bike, logging a ride, recording a service, and connecting Strava. Each event includes a timestamp and your plan tier (Free or Premium). You are identified by an internal pseudonymous ID — we do not pass your name or email address to PostHog.
- Session recordings — periodic screenshots of the app screen that show how you navigate and interact with the UI. Text you type into input fields is masked and never captured. Recordings are used solely to identify usability issues.
PostHog is operated by PostHog, Inc. All data is processed and stored on servers located in the European Union (PostHog EU Cloud). PostHog's privacy policy is available at posthog.com/privacy. Analytics is disabled in development builds of the app.
Crash reporting (Sentry)
We use Sentry to automatically detect and report application crashes and errors. When the app crashes or encounters an unexpected error, Sentry sends us a report containing the error type, stack trace, app version, and device information (OS version, device model). We do not attach your name, email address, or any other personal identifier to these reports.
Sentry is operated by Functional Software, Inc. All data is processed and stored on servers located in the European Union (Sentry EU region). Sentry's privacy policy is available at sentry.io/privacy.
Website analytics (Google Analytics 4)
We use Google Analytics 4 (GA4) on our website (usevelox.app only — not in the mobile app) to understand how visitors find and navigate the landing page. GA4 is configured with Consent Mode v2 with all storage denied by default, which means it operates in cookieless mode: no tracking cookies are set, and Google uses aggregated, anonymised signals to model traffic patterns. We do not use GA4 for advertising or remarketing. The data collected includes page views, referral sources, approximate geographic region (country level), and device type.
Google Analytics is operated by Google LLC. Data may be transferred to and processed on Google's servers in the United States; Google relies on Standard Contractual Clauses as the legal transfer mechanism. Google's privacy policy is available at policies.google.com/privacy.
Technical data
Our servers log IP addresses and request timestamps for security and debugging purposes.
2. Why we collect it
- Account management — to identify you and secure your account.
- Core functionality — to store your bikes, components, rides, and service records and serve them back to you across devices.
- Push notifications — to alert you when a component service interval is due.
- Strava sync — to automatically import your ride data so you don't have to enter it manually.
- Subscription management — to unlock Premium features for paying users.
- Analytics and session recordings — to understand how the app is used and to improve usability and features (PostHog, in-app); to understand how visitors navigate the landing page (Google Analytics 4, website only).
- Crash reporting — to detect, diagnose, and fix application errors quickly.
- Security and debugging — to detect abuse and diagnose server errors.
3. Legal basis (GDPR)
If you are in the European Economic Area, our legal basis for processing your data is:
- Contract performance — processing necessary to provide the Velox service you have signed up for (account, app data, push tokens).
- Consent — processing of Strava data, which you explicitly authorise by connecting your Strava account.
- Legitimate interests — analytics and session recordings (PostHog), website analytics (Google Analytics 4), crash reporting (Sentry), and server-side logging, where our interest in improving and securing the service does not override your rights and freedoms. You have the right to object to this processing at any time (see Section 6).
4. Data sharing
We do not sell your personal data. We share data only with the service providers necessary to run Velox:
- Hetzner Online GmbH — our VPS provider, located in Germany (EU). Your data is stored on their servers.
- PostHog, Inc. — product analytics and session recordings, processed on PostHog EU Cloud (EU servers). Only pseudonymous usage data is shared; no name or email address is transmitted.
- Functional Software, Inc. (Sentry) — crash reporting, processed on Sentry EU region (EU servers). Only technical error data is shared; no personal identifiers are attached to reports.
- Expo / RevenueCat / Strava — as described in sections above, limited to what is required for each integration.
- Google LLC (Google Analytics) — aggregated, cookieless website analytics on usevelox.app. Data may be processed in the US under Standard Contractual Clauses.
- Google / Apple — only for the initial sign-in token exchange. We do not share your ongoing usage data with them.
We may disclose your data if required by applicable law or to protect the rights, property, or safety of Velox, our users, or the public.
5. Data retention
We retain your account and app data for as long as your account is active. If you delete your account, all personal data associated with it — bikes, components, rides, service records, push tokens, and Strava connection — is permanently deleted within 30 days. Server access logs are retained for up to 90 days for security purposes. Analytics events and session recordings held by PostHog and crash reports held by Sentry are retained in accordance with their respective data retention policies.
6. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Object to or restrict certain processing — in particular, you may object at any time to the processing of your data for analytics and crash reporting purposes, which we carry out on the basis of legitimate interests.
- Data portability (receive your data in a machine-readable format).
- Withdraw consent (e.g. disconnect Strava, disable push notifications).
To exercise any of these rights, delete your account in the app (Settings → Delete account) or contact us at hello@usevelox.app. We will respond within 30 days.
7. Children
Velox is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with their data, contact us and we will delete it promptly.
8. Security
We use HTTPS for all data in transit, hashed tokens for authentication, and access-controlled servers. No system is perfectly secure — if you believe your account has been compromised, please contact us immediately.
9. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top and notify you via push notification or email. Continued use of Velox after changes constitutes acceptance of the updated policy.
10. Contact
Velox is operated by Tomasz Gabrysiak.
Email: hello@usevelox.app