Privacy Policy
Last updated: 15 July 2026
1. Who we are
Festi ("we", "us", "our") is a cycling community platform where riders can create a profile, plan and share rides and routes, form groups, and connect with other cyclists. It is open to anyone with a valid email address. If you have questions about this policy, contact us at info@festicycling.com.
2. Data we collect
We collect only the data you provide or that is generated by your use of the service:
- Account information— your name, username, and email address when you register, together with a securely hashed password.
- Profile image— an optional avatar you upload in your profile. Uploaded images are processed in your browser (resized and converted to WebP) and stored in our object storage.
- Account status — a role field (user or admin) and, if applicable, a ban record including reason and expiry date, managed by site administrators.
- Session data— authentication tokens, IP address, and browser type stored per active session. If an administrator uses the impersonation feature, that session is flagged with the administrator's ID for audit purposes.
- Community & content data— groups, rides, routes and start locations, group and direct messages, follows, and notifications you create or generate.
- Activity & usage data— an activity log of key actions (e.g. logins, registrations, group and ride events) including IP address, browser type, and timestamps, retained for security and debugging purposes.
We do not collect payment information. Festi is free to use.
3. How we use your data
- To provide, maintain, and improve the service.
- To authenticate you and keep your account secure.
- To display your uploaded profile and group images from our object storage.
- To plan and display rides and routes — when you use the map and route planner, the coordinates you select are sent to our map tile and routing providers (see §5) to render maps and calculate routes.
- To send transactional emails (e.g. email verification, password reset) via our email provider. We do not send marketing emails without your explicit consent.
- To protect against abuse — rate limiting is applied to sensitive endpoints, and request metadata is logged to prevent brute-force attacks and misuse.
- To enforce platform rules — administrators may view account status, ban abusive accounts, and in exceptional support cases impersonate an account. All impersonated sessions are logged and attributable to the acting administrator.
4. Legal basis (GDPR)
If you are located in the European Economic Area, we process your data under the following legal bases:
- Contract— processing necessary to provide the service you signed up for, including account management and transactional emails (Art. 6(1)(b) GDPR).
- Legitimate interests— security logging, abuse prevention, and platform integrity (Art. 6(1)(f) GDPR).
- Consent— any optional processing that relies on your consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.
5. Third-party services
We use the following sub-processors:
Cloudflare, Inc.
Hosting, content delivery, and image storage (Cloudflare R2). Cloudflare may log IP addresses and request metadata for security and reliability.
Location: USA / global edge network · Privacy policy
Neon (PostgreSQL)
Database hosting for your account and community data.
Location: EU (Frankfurt) · Privacy policy
MapTiler
Map tiles for the ride map. Coordinates of the map view are sent to render tiles.
Location: EU (Switzerland) · Privacy policy
BRouter
Route calculation for the ride planner. Selected waypoint coordinates are sent to compute routes.
Location: EU (Germany) · Privacy policy
Each provider is bound by their own privacy policy and, where applicable, standard contractual clauses under GDPR. Where a provider processes data outside the EU/EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses.
6. Data retention
We retain your account and community data for as long as your account is active. When you delete your account, your personal data (including uploaded images) is removed. Anonymised, aggregated statistics may be retained. Server and activity logs are kept only as long as necessary for security and debugging.
7. Your rights
Depending on your jurisdiction, you may have the right to:
- access the personal data we hold about you (Art. 15);
- correct inaccurate data (Art. 16);
- request deletion of your data — the "right to be forgotten" (Art. 17);
- object to or restrict certain processing (Art. 18, 21);
- data portability — receive your data in a machine-readable format (Art. 20).
To exercise any of these rights, email info@festicycling.com. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), for example the data protection authority of your German federal state.
8. Cookies & local storage
Festi uses only strictly necessary cookies. Session cookies are used solely for authentication and expire when you sign out or after the session lifetime (7 days). These do not require consent under § 25(2) TTDSG. We also use browser local storage to remember your cookie notice preference. We do not use third-party advertising or cross-site tracking cookies.
9. Security
Passwords are never stored in plain text — they are stored as a secure cryptographic hash. All data in transit is encrypted via HTTPS/TLS. We apply rate limiting on sensitive endpoints to prevent brute-force attacks. Administrator actions (role changes, bans, impersonation) are restricted to authenticated admin accounts, and all impersonated sessions are logged.
10. Children's privacy
Festi is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us so we can delete it.
11. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by updating the "Last updated" date above. Continued use of the service after changes constitutes acceptance of the revised policy.
12. Contact
Questions or concerns about this policy? Reach us at info@festicycling.com.