VeloViewer Limited – Privacy Policy

We are VeloViewer Limited (referred to as we, us and our in this Privacy Policy), a company incorporated in England and Wales with company registration number 09153903 and whose registered office address is Unit 33, Century Business Centre, Century Business Park, Manvers, Rotherham, South Yorkshire, S63 5DA, United Kingdom.

The information set out in this Privacy Policy is provided to individuals whose personal data we process (you or your) as data controller, in compliance with our obligations under the Data Protection Act 2018 and the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations SI 2019/419) (GDPR).

---

This Privacy Policy includes:

1. Data controller details
2. How we collect your information
3. Information we collect and purpose for processing
4. Sharing your information
5. International transfers
6. Retention of personal data
7. Your rights in respect of your personal data
8. Automatic decision making
9. Security
10. Cookies
11. Changes to this Privacy Policy
12. When you are located outside of the UK

---

1. Data controller details
   1. We are the data controller in relation to the processing of the personal information that you provide to us.
   2. Where your personal information is provided to us via the Strava app or website (strava.com) we are joint controllers with Strava in relation to the processing of such personal information.
   3. You can contact us by email at veloviewer@gmail.com (please include “Personal Data Request” in your subject heading to ensure it receives the correct attention).
2. How we collect your information
   1. Generally, the information we hold about you comes from the way that you engage with us, for example by doing any of the following:
      1. through engaging with us via our website (Site);
      2. providing us with information in the course of subscribing with us (if you are a client or visitor of our Site);
      3. providing us with information in the course of performing a contract we have in place with you or your business;
      4. through your personal information being provided to us by Strava on your behalf;
      5. contacting us offline, for example by telephone, SMS, email or by post; and
      6. interacting with us using social media.
   2. We may also obtain information from publicly available sources, including public databases, registers and records.
3. Information we collect and purpose for processing
   1. The types of personal data that we may collect, use, store and transfer about you will depend on the relationship we have with you (i.e. whether you are a customer or a visitor of our Site or a member receiving our services). We have set out below the types of information collected together with the purpose and legal grounds for processing.

   Personal data	Relationship	We may use your information for the following purposes, based on the following legal grounds:
   Contact information (name, email address and Strava account details)	Customers, members, subscribers/potential customers, members, subscribers Members of our Site Customers, members, subscribers connecting via Strava	If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of registering your account with us; for the purpose of providing services to you pursuant to any agreement between us. If it is in our legitimate business interests to do so: for internal record keeping for administration purposes, to communicate with you regarding our service and fees (e.g. re any changes to our Site or services); for dealing with any complaints or issues raised by you; for insight purposes (e.g. to analyse market trends and demographics, and develop the service which we offer to you or other individuals in the future) and for notifying you once your membership has expired. Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other relevant legal or regulatory requirements.
   Payment information (such as transaction history)	Customers/subscribers to our services	If it is necessary for the performance of our contract: for the purpose of receiving payments from you via PayPal. If it is in our legitimate business interests to do so: for internal record keeping for administration purposes and retaining evidence of payment transactions. Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other relevant legal or regulatory requirements.
   Technical and device information/ social networks	All visitors of our Site (including customers and subscribers)	If it is in our legitimate interests to do so: we may use certain technical log data (such as your IP address) for research or statistical purposes; to analyse user traffic and for ensuring the proper administration of our Site; for analytics and insight purposes e.g. to monitor market trends and demographics and to improve the user experience within our Site; and to ensure that content from our Site is presented in the most effective manner for you and for your device from which you access our Site and/or the services we offer through the Site.
   Special category personal data / Health data	Customers/subscribers to our services once they connect their Strava account	If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of providing our services to you pursuant to any agreement between us and to enable you to experience the full functionality of our services. When we have your explicit consent to do so: we may process your health data when you have consented to such data being processed and shared by Strava with third parties. The only health data we process is received directly from Strava if you have consented. Health data we process may include height, weight, age, gender, heart rate and power but any such data we process will be collected by Strava initially.
   Cookies (and other web-tracking technology)	All visitors of our Site	If it is in our legitimate interests to do so: We only use essential “cookies” which are implemented via our Site for the effective operation of our Site. Please refer to the Cookies section at paragraph 10 for more information about the type of cookies used and how we use cookies/tracking technologies within our Site.

   1. We only collect Special Categories of Personal Data about you in the form of health data which is collected by Strava and shared with us. We do not collect any other Special Categories of Personal Data (including details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
4. Sharing your information
   1. Please note that personal information we are holding about you may be shared with and processed by:
      1. regulators, fraud prevention agencies or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
      2. any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
      3. other parties and/or their professional advisers involved in a matter where required as part of the conduct of the services;
      4. our own professional advisers and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
      5. our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet services, hosting and data storage and security platform providers, our bank, and payment processing providers) so that they may help us to provide you with the services and information you have requested; and
      6. any organisation to whom we may transfer our agreement with you or if we sell (or negotiate to sell) our business or any of our assets (provided that adequate protections and safeguards are in place).
   2. Please note that we may include links within our Site to third party social media providers such as Facebook and X (formerly known as Twitter), but we will not share your information with such providers without your consent.
   3. Your activities or content generated when you use our services may be visible by other members of our services; however, any such activities and content will be private so that it is visible to you only unless and for the duration you consent to such activities and content being visible publicly by ticking the relevant check box within your VeloViewer account page.
5. International transfers
   We will not transfer personal data relating to you to a country which is outside the UK or EEA unless:
   1. the country or recipient is covered by an adequacy decision of the UK government under GDPR Article 45;
   2. appropriate safeguards have been put in place which meet the requirements of GDPR Article 46 (for example using the approved International Data Transfer Agreement for transfers of personal data outside the UK); or
   3. one of the derogations for specific situations under GDPR Article 49 is applicable to the transfer. These include (in summary):
      1. the transfer is necessary to perform, or to form, a contract to which we are a party:
         1. with you; or
         2. with a third party where the contract is in your interests;
      2. the transfer is necessary for the establishment, exercise or defence of legal claims;
      3. you have provided your explicit consent to the transfer; or
      4. the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.
6. Retention of personal data
   1. We have systems in place to periodically review and delete data that is no longer being used by us for the purposes set out in this Privacy Policy. Unless we are required or permitted by law to hold on to your data for a specific retention period, we will only hold your personal information within our systems for a period of 10 years since your last interaction with us or until you unsubscribe for our services or request for your data to be deleted in accordance with paragraph 6.3.
   2. Where we no longer need your personal information, we will dispose of it in a secure manner.
   3. In some circumstances you can ask us to delete your data: see your legal rights at paragraph 7 below for further information. If you are a member and unsubscribe from the membership you have the option to delete all your data when you unsubscribe, although in any event your data will be automatically deleted once you unsubscribe. If you are a current subscriber to our services, you also have the ability to erase all of your data stored on our servers which has been collected via Strava by clicking the link (https://veloviewer.com/update). Please note that the deletions envisaged by this paragraph 6.3 will not delete payment and transaction information that we have collected as we are required to retain such information for accounting and tax purposes, which will be retained until it is no longer required to be held by us for such purposes or by law or following 10 years.
   4. In some circumstances we will anonymise and/or aggregate your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use that information indefinitely without further notice to you.
7. Your rights in respect of your personal data
   1. You have certain rights under existing data protection laws, including the right to (upon written request) access a copy of the personal data of yours that we are processing. In accordance with the Data Protection Act 2018 and the GDPR:
      1. you have the following rights:
         1. right to access: the right to request certain information about you, access to and copies of the personal information about you that we are holding
            (please note that you are entitled to request one copy of the personal information that we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs); and
         2. right to rectification: the right to have your personal information rectified if it is inaccurate or incomplete; and
      2. in certain circumstances, you will also have the following rights:
         1. right to erasure/“right to be forgotten”: the right to withdraw your consent to our processing of the data (if the legal basis for processing is based on your consent) and the right to request that we delete or erase your personal information from our systems (however, this will not apply if we are required to hold on to the information for compliance with any legal obligation, for tax or accounting purposes, or if we require the information to establish or defend any legal claim);
         2. right to restriction of use of your information: the right to stop us from using your personal information or limit the way in which we can use it;
         3. right to data portability: the right to request that we return any information you have provided in a structured, commonly used and machine-readable format, or that we send it directly to another company, where technically feasible;
            and
         4. right to object: the right to object to our use of your personal information including where we use it for our legitimate interests or for marketing purposes.
      3. Please note that, if you withdraw your consent to the use of your personal information for purposes set out in this Privacy Policy, we may not be able to provide you with access to all or certain parts of our Site.
      4. If you consider our use of your personal information to be unlawful, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office. Please see further information on their website: ico.org.uk.
8. Automatic decision making
   We do not make decisions based solely on automated data processing, including profiling.
9. Security
   1. We keep your information protected by taking appropriate technical and organisational measures to guard against unauthorised or unlawful processing, accidental loss, destruction or damage. For example:
      1. where appropriate, data is encrypted when transiting on our system or stored on our databases;
      2. all hardware used by us is stored in secured datacentres behind firewalls;
      3. we have implemented safeguards in relation to access and confidentiality in order to protect the information held within our systems, including restricting access to information by password and/or secure key; and
      4. restrictions are in place as to what information can be accessed via any location.
   2. We will do our best to protect your personal information, but we cannot guarantee the security of your information. It is important that all details of any username, password and/or other identification information created to access our Site (including via Strava when connecting your account) are kept confidential by you and should not be disclosed to or shared with anyone.
10. Cookies
    What are cookies
    1. Our Site uses cookies to distinguish you from other users of our Site. This helps us to provide you with a good experience when you browse our Site and also allows us to improve our Site.
    2. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your device if you agree. Cookies contain information that is transferred to your computer’s hard drive or device to store and sometimes track information about you.

    Types of cookies

    3. We only use Strictly necessary cookies: these are cookies that are required for the operation of our Site. They include, for example, cookies that enable you to log into secure areas of our Site and are required to authenticate your session against your Strava account.
    4. Generally, the strictly necessary cookies expire when you close the site: these are known as ‘session cookies’.

    How we use cookies

    5. You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

    Cookie Title and Cookie Name	Purpose	More information
    AWSALB	Amazon Web Services Load Balancer cookie.	Ensures the user’s connection is always to the same load-balanced server (“Sticky Sessions”). Typically has a 7 day expiration.
    AWSALBCORS	Amazon Web Services Load Balancer cookie.	Ensures the user’s connection is always to the same load-balanced server (“Sticky Sessions”). Typically has a 7 day expiration.
    PHPSESSION	Session-based cookie on the server to know who the user is between page loads.	Set up when initially loading the site. Typically expires when the browser is closed.
    auth	Flag to know if you have previously connected your Strava account to VeloViewer on this browser.	If set to 1, the server will automatically redirect to Strava for authentication rather than showing the not-logged-in view of VeloViewer. If already logged into Strava in the browser, Strava will auto-redirect back to VeloViewer and your own data will then be shown.

    Third parties

    1. We do not share the information collected by the cookies with any third parties save for as identified within the table above.

    Managing cookie settings

    1. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
11. Changes to this Privacy Policy
    We may amend this Privacy Policy from time to time, for example to keep it up to date, to implement minor technical adjustments and improvements or to comply with legal requirements. We will always inform you on our Site when we update this Privacy Policy, so please read it when you visit the Site (the “last updated” reference tells you when we last updated our Privacy Policy).
12. When you are located outside of the UK
    1. Your access to the Site or use or receipt of the services that we offer to you may be subject to other data protection laws and you must comply with all applicable laws and regulations (whether of the country in which you reside or from which you access the Site, receive the services, or otherwise). We will not be liable or responsible if you break any such law or regulation.
    2. We make no representation that the Site or our services are appropriate or available for use or receipt outside of the United Kingdom. If you access the Site or receive our services from any jurisdiction outside of the United Kingdom, you do so out of your own volition.

Last updated on 27 June 2024