Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller is:
- Name: Daniel Tisdall
- Email: contact@danwt.com
2. Information We Collect and Lawful Basis
Under GDPR, we must have a lawful basis for processing each type of personal data. The table below sets out what we collect and why:
| Data | Purpose | Lawful Basis |
|---|---|---|
| Email, display name, date of birth, gender | Account creation, leaderboard categories | Contract performance (Art. 6(1)(b)) |
| Region selection | Local feed and segment matching | Contract performance (Art. 6(1)(b)) |
| Activity data (GPS routes, distance, elevation, heart rate, power) | Display activities, compute segment efforts and leaderboards | Contract performance (Art. 6(1)(b)) |
| Photos, captions, comments, messages | Social features, content display | Contract performance (Art. 6(1)(b)) |
| Analytics (PostHog) | Understand usage patterns, improve the app | Legitimate interest (Art. 6(1)(f)) — you can opt out in Settings |
| Crash reports (Sentry) | Detect and fix bugs | Legitimate interest (Art. 6(1)(f)) |
| Content moderation (OpenAI) | Detect policy violations in user content | Legitimate interest (Art. 6(1)(f)) — community safety |
| Push notification token | Send notifications about likes, comments, trophies | Consent (Art. 6(1)(a)) |
| Partner matching profile (fitness, location, schedule) | Suggest compatible riding partners | Consent (Art. 6(1)(a)) |
3. Location Data
Grupeta uses the region you select during onboarding (not GPS tracking) to show local segments and riders. Activity routes from FIT/GPX files contain GPS coordinates which are stored to display maps and detect segment efforts. We do not track your location in the background.
4. Health & Fitness Data
Activity files may contain heart rate, power, and cadence data. This data is processed to compute statistics (average speed, elevation gain) and is stored alongside your activity. We do not share fitness data with third parties or use it for advertising.
5. Automated Decision-Making and Profiling
Grupeta uses algorithmic profiling to suggest riding partners. The matching considers: fitness level (30%), geographic proximity (25%), schedule compatibility (20%), preferred distance (15%), and ride frequency (10%). This profiling is based on your consent and you can opt out at any time in Settings, which will disable partner suggestions.
Under GDPR Article 22, you have the right to:
- Request an explanation of how the matching works
- Object to profiling
- Request human review of any automated decision that significantly affects you
To exercise these rights, email contact@danwt.com.
6. Content Moderation
User-generated content (captions, comments, images) may be reviewed by automated moderation tools (OpenAI moderation API) to detect policy violations. Flagged content is logged for review. We do not use your content to train AI models.
7. Third-Party Services and International Transfers
We share data with the following processors:
| Service | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Supabase | Database, auth, storage | EU (Frankfurt) | N/A (EU) |
| PostHog | Analytics | EU (Frankfurt) | N/A (EU) |
| Sentry | Crash reporting | EU (Frankfurt) | N/A (EU) |
| OpenAI | Content moderation | US | Standard Contractual Clauses (SCCs) |
| Apple / Google | OAuth sign-in | US | EU-US Data Privacy Framework |
| Expo / EAS | Push notifications, app builds | US | Standard Contractual Clauses (SCCs) |
8. Data Retention
We retain your data for the following periods:
- Account data (email, name, DOB, gender): lifetime of account
- Activity data (routes, stats): lifetime of account
- Messages: lifetime of account, deleted within 30 days of account deletion
- Photos: lifetime of account, deleted within 30 days of account deletion
- Analytics data: 26 months (PostHog default)
- Crash logs: 90 days (Sentry default)
When you delete your account, all personal data is removed via cascading deletion. Anonymised, aggregated statistics (e.g. segment effort counts) may be retained. We may retain data where required by law.
9. Your Rights
Under EU GDPR and Spanish LOPDGDD
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Delete your account and all associated data (available in-app under Settings)
- Export your data in portable format (JSON and GPX)
- Object to or restrict processing
- Withdraw consent at any time (without affecting the lawfulness of prior processing)
- Lodge a complaint with the AEPD (Agencia Española de Protección de Datos) at www.aepd.es
Under UK GDPR and Data Protection Act 2018
If you are based in the United Kingdom, you have the same rights as above under UK GDPR. Your supervisory authority is the Information Commissioner's Office (ICO). You can lodge a complaint at ico.org.uk/make-a-complaint.
To exercise any of these rights, contact contact@danwt.com. We will respond within 30 days.
10. Data Portability
You can request an export of your personal data. Activity data will be provided in GPX format (compatible with Strava, Garmin Connect, and other cycling platforms). Account and social data will be provided in JSON format. To request an export, email contact@danwt.com.
11. Push Notifications
Push notifications are sent only with your consent (granted via the iOS system permission prompt). You can disable notifications at any time in your device settings. We do not send marketing push notifications without your explicit opt-in, in compliance with LSSI-CE (Spain) and PECR (UK).
12. Children
Grupeta is not directed at children. The minimum age to use Grupeta is 16 years. In Spain, the minimum age for data processing consent is 14 (LOPDGDD); in the UK it is 13 (Data Protection Act 2018). We do not knowingly collect data from anyone under these ages. If you believe a child has provided us with personal data, please contact us to have it removed.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via in-app notification. Continued use of Grupeta after changes constitutes acceptance.
14. Contact
For privacy-related questions, contact contact@danwt.com.
See also: Cookie Policy | Terms of Service | Community Guidelines