Privacy
Velo Garage Privacy Policy
VeloSummit Ventures ("we," "us," or "our") built Velo Garage as a personal cycling companion app. This Privacy Policy explains how we collect, use, store, and protect your information when you use Velo Garage for iOS.
Last updated: June 28, 2026
1. Information We Collect
1.1 Information You Provide
- Bike inventory data: Name, brand, model, year, type, color, purchase date, purchase price, estimated value, and notes.
- Serial numbers: Encrypted on-device using AES-GCM-256 before storage. Plaintext serial numbers are never written to the database.
- Bike fit measurements: Saddle height, reach, stem length, crank length, handlebar width, and related position data.
- Suspension and gearing setup: Rider weight, fork/shock travel, air pressures, sag measurements, chainring and cassette configuration, and tire dimensions.
- Maintenance records: Service type, dates, odometer readings, parts and product details, and reminder preferences.
- Recovery packet information: Owner name, phone number, and email address — stored locally on your device only and protected by biometric authentication (Face ID or Touch ID).
- Photos: Images you select from your photo library to associate with your bikes, stored as compressed JPEG files within the app's sandboxed storage.
- Preferences: Unit system (metric or imperial), temperature scale, rider weight, appearance mode, and notification settings.
1.2 Information from Connected Services
Strava (optional). If you connect your Strava account, we request read-only access to your activity history (activity:read_all scope) via OAuth 2.0. We import:
- Activity name, sport type, and start date
- Distance, moving time, and elapsed time
- Elevation gain, average and max speed
- Average watts, kilojoules, average and max heart rate, and suffer score (where available)
- The ride's GPS route, for map display (where available)
We do not post, modify, or delete any data on Strava.
Wahoo (optional). If you connect your Wahoo account, we request read-only access (user_read, workouts_read) via OAuth 2.0 with PKCE. We import:
- Workout name, sport type, and start date
- Distance, moving time, and elapsed time
- Elevation gain, average speed, average power, and energy (kilojoules)
- Average heart rate (where available)
- The ride's GPS route, read from the workout's FIT file, for map display (where available)
- Your Wahoo account name, to show which account is connected
We do not create, modify, or delete anything in your Wahoo account.
intervals.icu (optional). If you connect your intervals.icu account, we request read-only access to your activities (ACTIVITY:READ scope) via OAuth 2.0. We import:
- Activity name, sport type, and start date
- Distance, moving time, and elapsed time
- Elevation gain, average and max speed
- Average and max power, and average and max heart rate (where available)
- The ride's GPS route (latitude/longitude stream), for map display (where available)
- Your intervals.icu athlete name and ID, to show which account is connected
We do not modify anything in your intervals.icu account.
WHOOP (optional). If you connect your WHOOP account, we request read-only access (read:recovery, read:sleep, read:cycles, read:workout, read:profile, plus offline to keep the connection refreshed) via OAuth 2.0. We import:
- Readiness metrics: recovery score, heart rate variability (HRV), resting heart rate, sleep performance, sleep duration, and day strain — one record per WHOOP day
- Cycling workouts (imported as rides): workout name, sport type, start date, distance, duration, elevation gain, average speed, energy (kilojoules), and average and max heart rate (WHOOP records no GPS, so these rides carry no route)
- Your WHOOP member name, to show which account is connected
We do not create, modify, or delete anything in your WHOOP account. WHOOP data is used only to power your readiness card and ride history inside the app — it is never sold, licensed, shared with third parties, or used for advertising. WHOOP may separately monitor and collect data about this app's access to the WHOOP API, as described in the WHOOP API Terms of Use.
How sign-in works. For Strava, intervals.icu, and WHOOP, the one-time exchange of your sign-in code for an access token is performed by a small backend relay we operate, because those services require a confidential credential that must never ship inside the app. The relay uses your sign-in code only to obtain your access token and does not store your tokens, rides, or any personal data. Wahoo sign-in uses PKCE and is exchanged directly with Wahoo, with no relay. After sign-in, all of your activity and readiness data is fetched directly from the provider to your device — it never passes through our servers.
Apple Health (optional). If you grant permission, we read cycling workouts from Apple Health, including distance, duration, elevation gain, and energy burned. We may also read your latest body weight to prefill rider-weight defaults for tire pressure and suspension calculators. We do not write any data to Apple Health.
1.3 Information Collected Automatically
Location (temporary). When you use tire pressure or suspension features that display weather conditions, we request your approximate location and round coordinates to two decimal places before fetching current weather and elevation data. Your rounded coordinates are sent to the Open-Meteo API over HTTPS and are not stored, logged, or retained by the app.
We do not collect analytics, device identifiers, advertising identifiers, crash reports, or usage telemetry of any kind. There are no third-party analytics, advertising, or tracking SDKs in this app.
2. How We Use Your Information
We use your information solely to provide the app's core functionality:
- Display and manage your bike inventory, maintenance schedules, and equipment settings
- Calculate tire pressure, gearing, and suspension recommendations
- Import and display ride history from Strava, Wahoo, intervals.icu, WHOOP, and Apple Health
- Display your WHOOP recovery, sleep, and strain as an at-a-glance readiness card
- Use your latest Apple Health body weight, if permitted, to prefill rider-weight calculator defaults
- Sync bike data across your personal devices via iCloud (if enabled)
- Generate recovery packets to assist with theft reporting
- Send local maintenance reminder notifications
- Fetch weather and elevation data for calculator features
We do not use your information for advertising, profiling, behavioral analysis, or any purpose unrelated to the app's features.
3. How We Store and Protect Your Information
On-Device Storage
All data is stored locally on your device using SwiftData (backed by SQLite), protected by iOS file-level encryption and the app sandbox.
| Data | Storage | Protection |
|---|---|---|
| Serial numbers | SwiftData | AES-GCM-256 encryption; biometric authentication required to view |
| Connection tokens (Strava, Wahoo, intervals.icu, WHOOP) | iOS Keychain | Device-only; non-synchronizable; accessible only after first unlock |
| Encryption keys | iOS Keychain | Device-only; accessible only when device is unlocked |
| Recovery packets | SwiftData (local-only) | Never synced to iCloud; biometric authentication required |
| Imported activities (Strava, Wahoo, intervals.icu, WHOOP, Apple Health) | SwiftData (local-only) | Never synced to iCloud |
| WHOOP readiness (recovery, HRV, resting HR, sleep, strain) | SwiftData | Synced to your personal iCloud via CloudKit; encrypted at rest |
| Photos | SwiftData (externalStorage) + app documents cache | Synced to your personal iCloud via CloudKit |
| Preferences | UserDefaults | Standard iOS-protected storage |
iCloud Sync (Optional)
If you have iCloud enabled, the following data syncs to your personal iCloud account via CloudKit:
- Bike details (name, brand, model, type, and related specifications)
- Service events, fit snapshots, gearing setups, and suspension profiles
- Bike photos
- WHOOP readiness metrics (recovery, HRV, resting heart rate, sleep, and strain), so your readiness card stays consistent across your devices. This data lives only in your own private iCloud database, encrypted at rest, and is accessible only to you — it is never shared with us or any third party.
The following data never syncs to iCloud:
- Serial numbers (encrypted locally)
- Recovery packets (owner name, phone, email)
- Imported ride activities (Strava, Wahoo, intervals.icu, WHOOP, Apple Health)
- Connection tokens (Strava, Wahoo, intervals.icu, WHOOP) and HealthKit access
iCloud data is protected by Apple's iCloud security and encryption. If iCloud is unavailable or disabled, all data remains local.
Network Security
All network communication uses HTTPS (TLS encryption in transit). We do not implement certificate pinning.
4. Third-Party Services
We integrate with a limited number of third-party services. We do not sell, rent, or share your personal information with data brokers, advertisers, or marketing platforms.
| Service | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|
| Strava | OAuth tokens (for authentication) | Import your cycling activities (read-only) | strava.com/legal/privacy |
| Wahoo | OAuth tokens (for authentication) | Import your cycling activities (read-only) | wahoofitness.com/privacy-policy |
| intervals.icu | OAuth tokens (for authentication) | Import your cycling activities (read-only) | intervals.icu |
| WHOOP | OAuth tokens (for authentication) | Import your readiness metrics and cycling workouts (read-only) | whoop.com/legal/privacy-policy |
| Apple HealthKit | None (read-only) | Import cycling workouts and latest body weight | apple.com/privacy |
| Apple iCloud (CloudKit) | Bike and equipment data | Cross-device sync | apple.com/privacy |
| Open-Meteo | Approximate coordinates | Weather and elevation lookups | open-meteo.com/en/terms |
| VeloSummit Ventures sign-in relay | OAuth sign-in code (transient) | Completes Strava / intervals.icu / WHOOP sign-in; stores nothing | This policy |
OAuth sign-in relay. Connecting Strava, intervals.icu, or WHOOP requires a confidential credential that cannot be shipped inside the app. A small backend relay we operate injects that credential to exchange your one-time sign-in code for an access token, then returns the token to your device. The relay processes the sign-in code transiently and does not store your tokens, rides, readiness data, or any personal data. Wahoo uses PKCE and needs no relay. Your activity and readiness data is always fetched directly from the provider to your device.
Open-Meteo is a free, open-source weather API. Requests include your latitude and longitude rounded to two decimal places, but no user identifiers, API keys, or authentication tokens. Open-Meteo does not track individual users.
5. Data Retention and Deletion
| Data | Retention | How to Delete |
|---|---|---|
| Bikes | Until you delete or archive them | Archive in-app; permanently removed after 30 days |
| Service, fit, gearing, and suspension records | Tied to the associated bike | Deleted when the bike is permanently removed, or delete individually |
| Photos | Tied to the associated bike | Remove individually, or deleted when the associated bike is permanently deleted |
| Imported activities | Indefinite | Delete individually in-app; rides from a connected service are also deleted when you disconnect that service |
| Recovery packets | Indefinite | Delete individually in-app |
| Strava connection | Until you disconnect | Disconnect in-app; tokens immediately cleared from Keychain and all imported Strava rides + mileage deleted |
| Wahoo connection | Until you disconnect | Disconnect in-app; tokens cleared from Keychain, Wahoo asked to revoke access, and all imported Wahoo rides + mileage deleted |
| intervals.icu connection | Until you disconnect | Disconnect in-app; token cleared from Keychain and all imported intervals.icu rides + mileage deleted (no provider revoke endpoint — revoke in intervals.icu settings) |
| WHOOP connection | Until you disconnect | Disconnect in-app; token cleared from Keychain. Your WHOOP readiness data is always deleted on disconnect (on every synced device); you choose whether to also delete imported WHOOP rides. Rides also recorded in Strava or Apple Health are kept either way. (No provider revoke endpoint — revoke in your WHOOP account settings.) |
| WHOOP readiness data | Until you disconnect | Deleted automatically when you disconnect WHOOP |
| Apple Health connection | Until you revoke access | Revoke in iOS Settings > Privacy & Security > Health |
| Location access | Per-request only | Revoke in iOS Settings > Privacy & Security > Location Services |
| Preferences | Indefinite | Reset by deleting and reinstalling the app |
To delete all app data, uninstall Velo Garage from your device. If iCloud sync was enabled, also remove the app's data from iCloud via Settings > [Your Name] > iCloud > Manage Storage.
6. Your Privacy Rights
You have full control over your data:
- Access: All your data is visible within the app at all times.
- Correction: Edit any bike, service, fit, or equipment record directly in the app.
- Deletion: Delete individual records or entire bikes. Disconnect third-party integrations at any time.
- Portability: Your data is stored on your device and optionally in your personal iCloud account.
- Consent withdrawal: Revoke Strava, Wahoo, intervals.icu, WHOOP, HealthKit, location, photo, or notification permissions at any time through the app or iOS Settings.
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with applicable data protection laws, you may have additional rights under GDPR or equivalent regulations. Your bike, activity, and readiness data is processed on your device and within your personal iCloud account. The only data that reaches our infrastructure is the transient OAuth sign-in code handled by our sign-in relay when you connect Strava, intervals.icu, or WHOOP — used solely to complete sign-in and never stored. We do not operate any server that retains your personal data.
7. Children's Privacy
Velo Garage is not directed at children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided personal information through the app, please contact us so we can assist with deletion.
8. No Advertising, No Tracking
Velo Garage contains:
- No advertisements
- No analytics or telemetry SDKs
- No crash reporting services
- No behavioral tracking or profiling
- No device fingerprinting
- No cross-app or cross-site tracking
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted at velogarage.app/privacy, with the "Last Updated" date revised accordingly. Continued use of the app after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have questions or concerns about this Privacy Policy or your data, contact us at:
This privacy policy applies to Velo Garage for iOS, version 1.0 and later.