Privacy Policy

Last updated: 7 May 2026

1. Data Controller

The data controller is:

2. Information We Collect and Lawful Basis

Under GDPR, we must have a lawful basis for processing each type of personal data. The table below sets out what we collect and why:

Data | Purpose | Lawful Basis
Email, display name, date of birth, gender | Account creation, leaderboard categories | Contract performance (Art. 6(1)(b))
Region selection | Local feed and segment matching | Contract performance (Art. 6(1)(b))
Activity data (GPS routes, distance, elevation, heart rate, power) | Display activities, compute segment efforts and leaderboards | Contract performance (Art. 6(1)(b))
Photos, captions, comments, messages | Social features, content display | Contract performance (Art. 6(1)(b))
Analytics (PostHog) | Understand usage patterns, improve the app | Legitimate interest (Art. 6(1)(f)) — you can opt out in Settings
Crash reports (Sentry) | Detect and fix bugs | Legitimate interest (Art. 6(1)(f))
Content moderation (OpenAI) | Detect policy violations in user content | Legitimate interest (Art. 6(1)(f)) — community safety
Push notification token | Send notifications about likes, comments, trophies | Consent (Art. 6(1)(a))
Partner matching profile (fitness, location, schedule) | Suggest compatible riding partners | Consent (Art. 6(1)(a))
IP address, browser user-agent (when clicking shared links) | Deferred deep linking — so the app opens to the right content after install. Automatically deleted after 7 days. | Legitimate interest (Art. 6(1)(f)) — functional deep linking
Browser extension auth tokens (access token, refresh token) stored in chrome.storage.local | Authenticate with Grupeta from the Strava Exporter browser extension. Stored locally on device only. | Contract performance (Art. 6(1)(b))

3. Location Data

Grupeta uses the region you select during onboarding (not GPS tracking) to show local segments and riders. Activity routes from FIT/GPX files contain GPS coordinates which are stored to display maps and detect segment efforts. We do not track your location in the background.

4. Health & Fitness Data

Activity files may contain heart rate, power, and cadence data. This data is processed to compute statistics (average speed, elevation gain) and is stored alongside your activity. We do not share fitness data with third parties or use it for advertising.

5. Automated Decision-Making and Profiling

Grupeta uses algorithmic profiling to suggest riding partners. The matching considers: fitness level (30%), geographic proximity (25%), schedule compatibility (20%), preferred distance (15%), and ride frequency (10%). This profiling is based on your consent and you can opt out at any time in Settings, which will disable partner suggestions.

Under GDPR Article 22, you have the right to:

  • Request an explanation of how the matching works
  • Object to profiling
  • Request human review of any automated decision that significantly affects you

To exercise these rights, email contact@danwt.com.

6. Content Moderation

User-generated content (captions, comments, images) may be reviewed by automated moderation tools (OpenAI moderation API) to detect policy violations. Flagged content is logged for review. We do not use your content to train AI models.

7. Third-Party Services and International Transfers

We share data with the following processors:

Service | Purpose | Location | Transfer Safeguard
Supabase | Database, auth, storage | EU (Frankfurt) | N/A (EU)
PostHog | Analytics | EU (Frankfurt) | N/A (EU)
Sentry | Crash reporting | EU (Frankfurt) | N/A (EU)
OpenAI | Content moderation | US | Standard Contractual Clauses (SCCs)
Apple / Google | OAuth sign-in | US | EU-US Data Privacy Framework
Expo / EAS | Push notifications, app builds | US | Standard Contractual Clauses (SCCs)

8. Data Retention

We retain your data for the following periods:

  • Account data (email, name, DOB, gender): lifetime of account
  • Activity data (routes, stats): lifetime of account
  • Messages: lifetime of account, deleted within 30 days of account deletion
  • Photos: lifetime of account, deleted within 30 days of account deletion
  • Analytics data: 26 months (PostHog default)
  • Crash logs: 90 days (Sentry default)

When you delete your account, all personal data is removed via cascading deletion. Anonymised, aggregated statistics (e.g. segment effort counts) may be retained. We may retain data where required by law.

9. Your Rights

Under EU GDPR and Spanish LOPDGDD

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Delete your account and all associated data (available in-app under Settings)
  • Export your data in portable format (JSON and GPX)
  • Object to or restrict processing
  • Withdraw consent at any time (without affecting the lawfulness of prior processing)
  • Lodge a complaint with the AEPD (Agencia Española de Protección de Datos) at www.aepd.es

Under UK GDPR and Data Protection Act 2018

If you are based in the United Kingdom, you have the same rights as above under UK GDPR. Your supervisory authority is the Information Commissioner's Office (ICO). You can lodge a complaint at ico.org.uk/make-a-complaint.

Under the Australian Privacy Act 1988 (Australian Privacy Principles)

If you are based in Australia, the Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to how we handle your personal information. You have the right to access and correct the personal information we hold about you. Your data is stored on servers in the EU (Supabase, Frankfurt) and analytics data is processed in the EU (PostHog, Frankfurt). Content moderation uses OpenAI, a US-based processor. These overseas transfers are made in accordance with the APPs. To access or correct your data, email contact@danwt.com. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

Under Thailand's Personal Data Protection Act 2022 (PDPA)

If you are based in Thailand, Thailand's PDPA applies. We collect and process GPS and activity data — which may constitute sensitive personal data under the PDPA — only with your explicit consent, given during onboarding. You have the right to access, rectify, erase, and receive a portable copy of your personal data. You may also withdraw consent and object to certain processing at any time. Your data is transferred to the EU (Supabase, PostHog) and to the US (OpenAI, Expo). These transfers are made under appropriate safeguards. The regulator is the Personal Data Protection Committee (PDPC). To exercise your rights or lodge a concern, email contact@danwt.com.

Under Taiwan's Personal Data Protection Act (PDPA)

If you are based in Taiwan, Taiwan's Personal Data Protection Act applies. You have the right to access, correct, and delete personal data we hold about you. You may also request that we cease collecting, processing, or using your data. Transfers of your data outside Taiwan (to EU and US processors listed in section 7) are made with your informed consent, given through your use of the service. To exercise your rights, email contact@danwt.com.

Under Indonesia's Personal Data Protection Law 2022 (PDP Law)

If you are based in Indonesia, Indonesia's PDP Law 2022 applies. Processing of your personal data is based on your consent, given during onboarding. You have the right to access, correct, and request deletion of your personal data. You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal. Your data is transferred to the EU and US processors described in section 7. To exercise your rights, email contact@danwt.com.

Under South Africa's Protection of Personal Information Act 2013 (POPIA)

If you are based in South Africa, POPIA applies to how we handle your personal information. Processing is based on your consent, given during onboarding. You have the right to access, correct, and request deletion of your personal data, and to object to processing. You may withdraw consent at any time; this does not affect the lawfulness of processing before withdrawal. Your data is transferred to EU and US processors described in section 7. To exercise your rights, email contact@danwt.com. If unresolved, you may contact the Information Regulator of South Africa.

To exercise any of these rights, contact contact@danwt.com. We will respond within 30 days.

10. Data Portability

You can request an export of your personal data. Activity data will be provided in GPX format (compatible with Strava, Garmin Connect, and other cycling platforms). Account and social data will be provided in JSON format. To request an export, email contact@danwt.com.

11. Push Notifications

Push notifications are sent only with your consent (granted via the iOS system permission prompt). You can disable notifications at any time in your device settings. We do not send marketing push notifications without your explicit opt-in, in compliance with LSSI-CE (Spain) and PECR (UK).

12. Children

Grupeta is not directed at children. The minimum age to use Grupeta is 16 years. In Spain, the minimum age for data processing consent is 14 (LOPDGDD); in the UK it is 13 (Data Protection Act 2018). We do not knowingly collect data from anyone under these ages. If you believe a child has provided us with personal data, please contact us to have it removed.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via in-app notification. Continued use of Grupeta after changes constitutes acceptance.

14. Contact

For privacy-related questions, contact contact@danwt.com.

15. Browser Extension (Grupeta Strava Exporter)

The Grupeta Strava Exporter is an optional Chrome extension that helps you import cycling activities from Strava into your Grupeta account. This section covers how the extension handles your data.

What the extension accesses

  • Strava activity metadata — the extension reads your Strava training log (activity names, types, dates, and IDs) to identify cycling activities in the current Grupeta season. This metadata is processed entirely within your browser and is not transmitted to Grupeta or any other server.
  • Activity files (.fit) — the extension can fetch original activity files from Strava using the same export URL you would use manually. You choose what happens to each file using the per-row buttons:
    • Download .fit — the file is saved to your local Downloads folder. No data leaves your computer.
    • Upload to Grupeta — the file (containing GPS track, heart rate, cadence, and timestamps) is fetched from Strava and uploaded directly to your own Grupeta account on our backend. It is stored and processed identically to a ride uploaded through the Grupeta app or the danwt.com/grupeta/upload web page, under the same retention and deletion policies described in sections 3, 4 and 8 of this policy.
  • Grupeta authentication — when you sign in to your Grupeta account within the extension, your authentication tokens (access token and refresh token) are stored locally in the extension's isolated storage (chrome.storage.local). These tokens are used solely to authenticate with Grupeta and are never shared with third parties.

What the extension does NOT do

  • It does not collect analytics or telemetry
  • It does not track your browsing activity
  • It does not read or modify any web page other than Strava
  • It does not transmit your Strava credentials or any data to third parties — only to your own Grupeta account when you click Upload
  • It does not run in the background — it only fetches or uploads activities when you click a button in the extension popup

Data storage and deletion

All extension data (authentication tokens, scanned activity lists) is stored locally on your device in the extension's isolated storage. Uninstalling the extension removes all stored data. You can also sign out within the extension to clear your authentication tokens at any time.
