Gothic Cycling Society / Cycle Club MCR

Privacy and data protection

This notice explains what the club app holds, what it is used for, what can appear publicly, and the choices available to members.

Who runs the app

Gothic Cycling Society (Cycle Club MCR) operates this invite-only club application. It is not presented here as a separate legal entity.

For a data question, correction request or concern: Contact a club organiser through the same route you use for your invitation or club administration.

What the app holds and why

Account, profile and membership

Supabase Authentication holds your sign-in email, authentication identity and session information. The club database holds your display name, optional avatar-path reference, club membership, role and status. These records let the app sign you in, keep the club invite-only, show permitted member information and enforce member, organiser and administrator access.

Invitations and administration

Invitations include the recipient email, intended role, expiry, use or revocation state, inviter reference and a one-way hash of the invitation token. Raw invitation tokens are not stored. Limited membership audit events record important role, status and invitation administration so club authority can be checked.

Availability and ride preferences

The app holds your In, Maybe or Out responses and your ride preferences for a scheduling window. These are used to plan rides. Individual responses and preferences are private and are not available to other members as raw records or to the public.

Rides and commitments

Private ride records can include the proposal and creator, commitments, precise times, exact meeting points, private route links, coordination notes, operational receipts and audit or lifecycle events. They are used to propose, organise and safely manage rides. Two In commitments lock a proposal; if a locked ride falls below two, it moves to Needs Review.

Notifications

The app holds your separate email and web-push preferences. If you enable push, it also stores the push endpoint, browser encryption keys, device label and user-agent information needed to deliver to that browser. Server-only event, delivery and retry records support reliable ride and deadline messages. Notification copy excludes identities, exact meeting points, private routes and coordination notes because previews can appear on a lock screen.

Public rides and private member data

Draft and Proposed rides are never public. For Locked In, Under review and Cancelled rides, a separate reduced-field projection may show only the date, approximate time or daypart, general start area, approximate distance and elevation, approved pace or category, short public description, anonymous confirmed-rider count and public state.

Public pages do not expose member or organiser identities, individual availability or commitments, exact meeting points, precise operational times, private route links, comments, contact details, coordination data, calendar files or provider hand-off links. Member calendar export requires an active member session.

Hosting, email and web push

Vercel hosts the web application. Supabase provides the database, authentication and session service. Passwordless sign-in and invitation messages are handed by Supabase to the club-controlled MailerSend custom-SMTP service. Application notification email uses that club-controlled SMTP boundary; recipient addresses are read from Supabase Authentication only while sending and are not copied into notification tables.

Web push is delivered using the browser push subscription and the push service selected by that browser. Those services necessarily receive the endpoint and delivery request. The app removes expired subscriptions when a push service reports that they are no longer valid.

How long data is kept

The repository does not set a single fixed retention period, so we do not claim one. Personal data is kept while it is needed to run membership, rides, notifications and the security rules described above. Expired or revoked invitations and limited audit records may remain where needed for safe club administration. Delivery retry evidence is bounded by the notification process. Members can use the deletion route below instead of waiting for an administrative retention cycle.

Delete your account and personal data

An active member can open Profile, choose Delete account, acknowledge permanence and type the confirmation phrase. A sign-in within the previous 15 minutes is required. The operation deletes the Auth account and sessions, profile, memberships, availability responses and preferences, ride commitments and private coordination notes, notification preferences, push subscriptions and recipient-linked delivery evidence.

Shared club and ride records can remain without your identity. Rides you created retain the shared ride but remove the creator reference. Ride and membership audit events can remain with actor and target references removed. Invitations addressed to you are invalidated and stripped of your email and token; invitations you created for somebody else can remain with your inviter reference removed. A limited account-deletion record remains with a random request ID, a salted one-way reference, outcome, time and counts. It contains no raw member ID, email, push endpoint, token, ride ID or private content.

Your choices and data rights

You can change email and push choices in Profile and remove a browser push subscription by disabling push. You can ask what data the club holds about you, request a correction, raise an objection or concern, or ask for deletion using the contact route above. The in-app route is the quickest way to delete the delivered account data. You may also raise a concern with the UK Information Commissioner's Office.

Cookies and analytics

The app uses essential Supabase session cookies to keep signed-in members authenticated. During invitation acceptance it briefly uses a secure, HTTP-only invitation-stage cookie. The repository contains no advertising cookies or analytics service, and the app does not currently use analytics tracking.

Activity uploads are not live

The app does not currently collect FIT, GPX or TCX activity files, or connect to Strava or Garmin. Provider connections, activity uploads and sharing controls are future work. This notice must be updated before any of those capabilities are introduced.