Privacy Policy

This is an English translation for convenience. The German version is legally binding.

This privacy policy informs you about the nature, scope and purpose of the processing of personal data when using Workshop.bike (the "application") in accordance with the General Data Protection Regulation (GDPR).

1. Controller

The controller within the meaning of the GDPR is:

Björn Wolf
Kleeberger Str. 82
35510 Butzbach
Germany
Email: bjoern@workshop.bike

2. Data protection officer

We are not required to appoint a data protection officer. For any data protection questions, please contact the controller named above directly.

3. General information on legal bases

We process personal data only on a valid legal basis. Depending on the processing, we rely in particular on:

  • Art. 6 (1) (a) GDPR – your consent (e.g. connecting third-party accounts, push notifications, marketing emails).
  • Art. 6 (1) (b) GDPR – performance of the usage contract and provision of application features (e.g. account, tracking, maintenance reminders).
  • Art. 6 (1) (f) GDPR – our legitimate interests (e.g. secure and stable operation, error analysis, protection against abuse).

4. Hosting

We host the application with Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. The servers are located in Germany. Hetzner processes the data generated in the application on our behalf on the basis of a data processing agreement (Art. 28 GDPR). The legal basis is Art. 6 (1) (b) and (f) GDPR. Further information: Hetzner privacy policy.

5. Server log files

When you access the application, information is automatically collected in server log files transmitted by your browser:

  • browser type and version
  • operating system used
  • referrer URL
  • hostname of the accessing device
  • time of the server request
  • IP address

This data serves the technical provision, security and stability of the application. The legal basis is Art. 6 (1) (f) GDPR. This data is not merged with other data sources.

6. Cookies and local storage

We use cookies and comparable technologies. Strictly necessary cookies are set without consent pursuant to § 25 (2) TDDDG; their processing is based on Art. 6 (1) (f) GDPR.

  • Session cookie (_workshop_bike_session): strictly necessary to manage your login and to protect against cross-site request forgery (CSRF). Lifetime up to two weeks.
  • Acquisition cookie (acquisition): a first-party cookie that, on your first visit, records the source (e.g. referrer, UTM parameters) through which you reached us. It is used solely for our own statistical analysis of where sign-ups come from and is not shared with third parties. Lifetime 90 days. The legal basis is Art. 6 (1) (f) GDPR.
  • Web push data: if you enable browser notifications, we store the subscription data required for this (see section 16).

7. Registration and user account

To use the application you create an account. During registration and ongoing operation we process:

  • email address
  • name (optional)
  • password (stored only encrypted as a hash)
  • time zone and language setting
  • timestamps of last login and activity
  • a personal token for the email upload feature (see section 10)

The legal basis is Art. 6 (1) (b) GDPR (performance of the usage contract).

8. Data stored in the application

When you use the application, we store the content you enter or import in order to provide the features to you:

  • bike information (name, manufacturer, model, type, year, colour, purchase date, notes)
  • components and equipment (name, mileage, installation/maintenance data)
  • ride data (date, distance, duration, elevation, activity type, description)
  • GPS/route data (geo-coordinates) of imported or uploaded rides
  • performance metrics (e.g. power, heart rate, cadence) and ride weather data
  • maintenance and service history as well as paired sensors

This data is used exclusively to provide the features (tracking, maintenance reminders, statistics). The legal basis is Art. 6 (1) (b) GDPR.

9. Email delivery

For sending emails (e.g. account and system notifications) we use the service Postmark (Wildbit, LLC / ActiveCampaign, USA). Your email address and the respective message content are processed. A data processing agreement is in place with the provider. The legal basis is Art. 6 (1) (b) and (f) GDPR. For transfers to third countries see section 17.

10. Email upload of ride files

You can send ride files (GPX/FIT/TCX) by email to a personal upload address (upload+{token}@inbound.workshop.bike). Incoming emails are received via Postmark, the attachment is imported and the email is then processed. The legal basis is Art. 6 (1) (b) GDPR.

11. Lifecycle and marketing emails

If you have consented or signed up, we use the service Loops (Loops, Inc., USA) to send you product and lifecycle information (e.g. tips, news) by email. For this we transmit your email address, a user identifier and associated usage and segmentation attributes. You can object at any time or unsubscribe via the link in every email. The legal basis is Art. 6 (1) (a) GDPR (consent) or Art. 6 (1) (f) GDPR. For transfers to third countries see section 17.

12. Error analysis and monitoring

To detect and fix technical errors and to monitor stability, we use the service Sentry (Functional Software, Inc., USA). In the event of an error, technical information (e.g. error messages, the affected request) and, for attribution, your internal account identifier (ID) are transmitted. No further personal data such as your IP address or email address is transmitted to Sentry. The ID is a pseudonymous identifier that only we can link back to you, using our database. The legal basis is Art. 6 (1) (f) GDPR (secure and error-free operation). For transfers to third countries see section 17.

13. Optional third-party integrations

The application offers voluntary integrations that you connect via OAuth and only after your explicit consent:

  • Strava (Strava, Inc., USA): import of activities including GPS/route data and profile information.
  • Wahoo (Wahoo Fitness): import of workouts from your connected devices.

You can disconnect at any time in the settings. The legal basis is Art. 6 (1) (a) GDPR (consent). For transfers to third countries see section 17.

14. External data services for ride analysis

To enrich your rides, we query information about the route coordinates from external services. For this, geo-coordinates of your ride are transmitted:

  • Open-Meteo: retrieval of historical weather data for the route and ride time.
  • OpenStreetMap / Overpass API: determination of the surface type (e.g. asphalt, gravel) along the route.

These requests are made server-side by us. Only the route coordinates and the ride period are transmitted. Personal identifiers such as your name, email address, account reference or IP address are not transmitted – these services therefore receive no data that identifies you. Open-Meteo and the Overpass API are operated within the EEA or a country with a recognised level of data protection. The legal basis is Art. 6 (1) (f) GDPR (provision of advanced analysis features).

15. Access by connected applications (API / MCP)

You can connect external applications, in particular AI assistants (e.g. via the Model Context Protocol), to your account via OAuth in order to read your own data. This access occurs solely at your initiative and can be revoked at any time in the settings. Processing by the connected third-party application is that party's responsibility. The legal basis is Art. 6 (1) (b) GDPR.

16. Push notifications

With your consent, we send browser push notifications (e.g. about maintenance reminders). For this we store the subscription data of your browser (endpoint and keys). Delivery is handled by your browser's push service. You can disable notifications at any time. The legal basis is Art. 6 (1) (a) GDPR.

17. Transfers to third countries

Some of the services used (in particular Strava, Loops, Sentry, Postmark) may transfer data to countries outside the European Economic Area, in particular the USA. Where there is no level of data protection recognised by an adequacy decision of the EU Commission, we base the transfer on appropriate safeguards pursuant to Art. 46 GDPR (in particular EU standard contractual clauses) or on certification under the EU-US Data Privacy Framework. For consent-based services, the transfer additionally takes place on the basis of your consent (Art. 49 (1) (a) GDPR).

18. Storage period

We store personal data only for as long as necessary for the stated purposes. Account and content data generally remain until you delete your account. Server log files are stored only for a short time. As soon as the purpose no longer applies or you request deletion, the data is deleted, unless statutory retention obligations apply.

19. Your rights

Within the scope of the statutory provisions, you have the following rights:

  • access to your stored data (Art. 15 GDPR)
  • rectification of inaccurate data (Art. 16 GDPR)
  • erasure (Art. 17 GDPR)
  • restriction of processing (Art. 18 GDPR)
  • data portability (Art. 20 GDPR)
  • objection to processing (Art. 21 GDPR)
  • withdrawal of consent with effect for the future (Art. 7 (3) GDPR)

To exercise your rights and to delete your account and all associated data, contact us at bjoern@workshop.bike.

20. Right to lodge a complaint with a supervisory authority

Without prejudice to any other remedy, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for us is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163, 65021 Wiesbaden, Germany
datenschutz.hessen.de

21. SSL/TLS encryption

For security reasons, this application uses SSL/TLS encryption. You can recognise an encrypted connection by "https://" in your browser's address bar.

22. Objection to advertising emails

We hereby object to the use of contact data published in the imprint for sending unsolicited advertising and information materials.

Privacy First: Workshop.bike does not use third-party advertising tracking cookies, does not sell data and does not show personalised advertising. Your data belongs to you.

Last updated: June 12, 2026