ViaTally

Privacy Policy

Last updated: 6 June 2026

1. Who we are

ViaTally is operated by Douglas Gilbert, an individual based in Spain ("we", "us", "our"). You can contact us at [email protected]. For data protection enquiries, use [email protected].

We are the data controller for personal data processed through viatally.com and the ViaTally mobile apps.

2. What data we collect

We collect the following categories of personal data:

  • Account data: email address, username, display name, and avatar image.
  • Profile preferences: distance and elevation units, language preference, and privacy settings.
  • Activity data: GPX files you upload, ride names, distances, timestamps, and the GPS route geometry derived from them. If you connect Strava, we also receive activity metadata (name, distance, start time) from your Strava account.
  • Media: photos and videos you attach to your rides, including any GPS coordinates embedded in the file metadata.
  • Progress data: your coverage of EuroVelo routes, earned badges, and points-of-interest visit history.
  • Technical data: IP address, browser type, device identifiers, error reports, and usage events (only if you accept analytics cookies).
  • Push notification tokens: if you enable browser push notifications.

3. How and why we use your data

Purpose | Data used | Legal basis
Providing the service (account, rides, progress) | Account, activity, progress data | Contract (Art. 6(1)(b) GDPR)
Transactional emails (waitlist approval, export ready) | Email address | Contract (Art. 6(1)(b) GDPR)
Error tracking and service stability | Technical data, user ID | Legitimate interest (Art. 6(1)(f) GDPR)
Usage analytics (only with consent) | Technical data, usage events | Consent (Art. 6(1)(a) GDPR)
Push notifications | Push token, email | Contract (Art. 6(1)(b) GDPR)

We do not use your data for marketing without separate consent, and we do not sell your data to third parties.

4. Strava integration

If you connect your Strava account, you authorise ViaTally to access your Strava activity data under Strava's own privacy policy. Strava acts as an independent data controller for your data within its platform. We are responsible only for how we handle the data after receiving it from Strava. Your Strava access tokens are stored encrypted (AES-256-GCM).

5. Who we share your data with

We use the following third-party processors who may handle your personal data on our behalf:

Service | Country | Purpose
Supabase | US | Database, authentication, file storage
Hetzner | DE | Web hosting infrastructure
Cloudflare | US | CDN and DDoS protection
Resend | US | Transactional email delivery
Better Stack | US | Error tracking and usage analytics
CARTO | ES | Map tile delivery
Expo | US | Mobile app over-the-air updates

Transfers to US-based processors are covered by the EU–US Data Privacy Framework or Standard Contractual Clauses.

6. How long we keep your data

  • Active accounts: we retain your data for as long as your account is active.
  • Deleted accounts: when you delete your account, your data is marked for deletion and permanently purged after 30 days. You can cancel the deletion within this window by contacting us.
  • Inactive accounts: if you have not logged in for 18 months, we will send you a warning email. If there is still no activity after 23 months, we will send a final notice. Accounts inactive for 24 months are automatically deleted (subject to the 30-day purge window).
  • Waitlist accounts: the same inactivity policy applies from your sign-up date if you are never approved or never complete onboarding.

7. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data (right to be forgotten).
  • Restrict processing in certain circumstances.
  • Data portability — export your data via Settings › Data in the app.
  • Object to processing based on legitimate interest.
  • Withdraw consent for analytics at any time via the Cookie Policy page.

You can delete your account and export your data directly from Settings in the app. For other requests, email [email protected]. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Agencia Española de Protección de Datos (AEPD).

8. Cookies and tracking

We use cookies and local storage for authentication and, with your consent, for analytics. See our Cookie Policy for full details and to manage your preferences.

9. Children

ViaTally is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

10. Changes to this policy

For material changes (new data types, new third parties, or reduced user rights) we will notify you by email and display a notice in the app at least 30 days before the change takes effect. For minor changes (clarifications, updated sub-processor names) we will update the "Last updated" date without active notification.

11. Contact

General enquiries: [email protected]
Data protection matters: [email protected]