Privacy Policy

Last updated: April 7, 2026

The short version

Duostride is a private training log. Your data stays yours. We don't sell it, share it, or use it for advertising. You can export or delete everything at any time.

Hackerman AB (org.nr 559079-1918), based in Gothenburg, Sweden, is the data controller for personal data processed via Duostride.

What we collect

Email address. Used for login codes and account-related communication only. We don't send marketing or newsletters.

Activities. What you log or import: activity type, start time, timezone, duration, distance, ascent, heart rate summary, GPS track, and notes.

Settings. Display preferences: date format, time format, week start day, and timezone.

Sessions. A session token stored in an HTTP-only cookie. Sessions expire after 30 days.

Providing your email address is necessary to create an account and use Duostride. Without it we can't authenticate you or process payment. Activity data is something you choose to log or import. Providing none of it is fine, but the app won't be very useful.

Garmin integration

If you connect your Garmin account, we store an OAuth access token and refresh token to receive your activities automatically. We only access activity data. You can disconnect at any time, which removes the stored tokens.

How we use your data

To show you your training log. That's it. We don't analyze your data for other purposes, don't build profiles, and don't share anything with third parties.

Legal basis under GDPR: performance of the contract you've entered into with us (running the training log you've paid for), and legitimate interests for fraud prevention and the minimal deletion log described below.

Duostride does not do automated decision-making or profiling. Nothing we compute about your training has legal or similarly significant effects on you.

Analytics

We use Plausible for usage statistics. Plausible is hosted in the EU, uses no cookies, and does not collect personal data or build user profiles. We track page views and a small number of named events (signup, activity import) as aggregate counts only. Nothing in our analytics is tied to an individual user.

Security

Data is stored in a PostgreSQL database hosted in the EU, encrypted at rest and in transit (TLS). Access is restricted to the operator's environment. Sessions use HTTP-only, secure, SameSite cookies. Garmin OAuth tokens are stored encrypted. No data passes through Google, Facebook, or any ad-supported service. GPS maps use OpenTopoMap tiles, served directly from OpenTopoMap.

Data retention

We keep each category of data only as long as we actually need it:

  • Email and account data: while your paid year is active, plus the 90-day grace period after it ends. Then permanently deleted.
  • Activities and notes: same as account data.
  • Sessions: 30 days from last login.
  • Login codes: 15 minutes, then expired.
  • Garmin tokens: while you're connected, deleted on disconnect or account deletion.
  • Deletion-log fingerprint: a SHA-256 hash of your email address kept for 2 years post-deletion, then purged automatically.
  • Plausible analytics: aggregate counts only, never tied to your account. Plausible's own retention applies.

Data export and deletion

You can export all your data from the settings page in a standard format. You can delete your account and all associated data at any time. Deletion is immediate and permanent.

When you delete your account we keep a minimal record for up to 2 years: a one-way hash (SHA-256) of your email address and the deletion timestamp. The hash lets us detect repeat fraud (signup → refund → delete loops) and answer "did this account exist?" for support, without retaining your address itself. After 2 years the record is purged automatically.

If your paid year ends without a renewal, your account enters a 90-day grace period. During this time the app is locked, but your data is preserved and any connected sources (like Garmin) keep syncing in the background. You can pay for another year at any point in the 90 days to restore full access. You can also export everything as JSON from the locked landing page. We send warning emails 30 days and 7 days before deletion. After 90 days, your account and all data are permanently deleted.

Third-party services

  • Vercel for hosting and edge delivery
  • Neon for PostgreSQL database
  • Resend for transactional email (login codes)
  • Paddle for payment processing and billing
  • Plausible for privacy-friendly analytics
  • OpenTopoMap for map tiles (GPS routes)
  • Garmin for optional activity sync (only if you connect)

None of these services receive your training data except as needed to operate.

Some of these processors are based outside the EU/EEA (notably Vercel and Resend in the United States). Transfers rely on the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable.

Your rights

Under GDPR you have the right to access, correct, delete, export, restrict, or object to processing of your personal data, and to withdraw consent at any time. Most of these you can do yourself from the settings page. For anything else, email hello@duostride.com.

You also have the right to lodge a complaint with the Swedish data protection authority (Integritetsskyddsmyndigheten, imy.se) or your local supervisory authority in the EU/EEA.

Cookies

One cookie: your session token. HTTP-only, secure, SameSite=Lax. Expires after 30 days. No tracking cookies, no analytics cookies, no third-party cookies.

Children

Duostride is not directed at anyone under 16. We don't knowingly collect data from children.

Changes

If this policy changes, we'll update the date at the top. Material changes will be noted on the site.

Contact

Questions about this policy? Reach us at hello@duostride.com.