Pedal AI — Privacy Policy
Last updated: 2026-06-15
This is a real privacy policy written in plain English. Pedal AI is a bike-route planner in beta, built by a one-person team (Rocco Guaragno, based in Colorado), available on the web and as iOS/Android apps. The policy below describes exactly what data we collect, why, and what you can do about it.
If you have any question this doesn't answer, email [email protected].
The short version
- You can use Pedal AI without an account — we keep an anonymous ID on your device to remember your routes and preferences. If you create an account (email/password or "Continue with Google"), we store your email and display name so your data syncs across devices.
- On the mobile app, with your permission, we use your location to navigate your ride — including in the background while your screen is off. That live location stays on your device for navigation; we don't transmit or store your ride GPS trace.
- The route prompts you type (e.g. "90 min paved, no traffic") and your start location are sent to Anthropic's Claude API to understand the request and write the ride brief.
- If you subscribe to Pedal AI Pro, payments are processed by Stripe. We never see or store your full card number — Stripe handles that. We store your subscription status and a Stripe customer ID so we know you're a paying member.
- We don't sell anything to anyone. No ads, no third-party trackers, no analytics SDKs, no fingerprinting.
- You can delete your account and all data yourself, in the app (Profile → Delete account), or by emailing [email protected].
The rest of this document is the detailed version.
What we collect
Automatically, when you use the app
- An anonymous device ID (looks like
u_56937950ef96e5f6), stored locally, so you can return and still see your saved routes before you ever make an account. It's tied to your device, not your name. - Standard server logs from our hosting provider (Railway) — IP address, request path, timestamp, user agent. Used for debugging and security. Retained for 30 days.
When you create an account (optional)
- Your email address and, if you set one, a display name. Accounts are handled by Supabase (our authentication provider).
- If you choose "Continue with Google," Google returns your email and basic profile (name) to complete sign-in. We never receive your Google password.
Your location
- Addresses you enter (start, finish, stops) are sent to a geocoding service (Photon / OpenStreetMap) to convert them into coordinates.
- Live location during a ride. On the mobile app, if you grant permission, we read your device's precise location while Ride Mode is active — including when the app is in the background or your screen is off — solely to show your position on the map and give turn-by-turn guidance. This live location is used on your device and is not sent to our servers or stored. You can revoke location access anytime in your phone's Settings (navigation simply won't track you).
Your rider profile & routes
- Profile: bike type, ability level, pace, and surface/path preferences you set.
- Saved routes (coordinates, name, brief), recent addresses, and any "roads to avoid" entries. Stored under your anonymous ID or your account.
When you subscribe to Pedal AI Pro (optional)
- Billing info via Stripe. Subscriptions are handled by Stripe, our payment processor. You enter your card details directly with Stripe — we never receive or store your full card number. Stripe shares back a customer ID, your subscription status (trialing/active/canceled), and the plan you chose, which we store to unlock Pro features and let you manage your plan. See Stripe's privacy policy at https://stripe.com/privacy.
When you connect Strava (optional)
- A Strava OAuth token (scoped to the
readpermission you grant) and your Strava athlete ID. We never see your Strava password. - An inferred summary of your recent rides — typical distance, duration, average speed, climb, dominant surface, and approximate (rounded) home location. We store the summary, not your individual GPS traces. If you upload a ride, Strava notifies us and we update that summary.
When you type a ride prompt
- Your prompt text and start location are sent to Anthropic's Claude API to parse intent and generate the ride brief. See Anthropic's policy at https://www.anthropic.com/legal/privacy. Prompt text is also kept in our server logs for 30 days for debugging.
What we do not collect
- Health data, heart rate, or power.
- Cookies for tracking or advertising; third-party analytics, ad SDKs, social pixels, or fingerprinting. There are none.
- Your Strava or Google password.
- Your live ride GPS trace — it stays on your device and is never uploaded.
Who we share data with
We share data only with the providers required to run the service:
| Provider | What they handle | Why |
|---|---|---|
| Supabase | Account email, display name, login | Authentication & account storage |
| Email + basic profile (only if you use Google sign-in) | To sign you in | |
| Anthropic (Claude API) | Your prompt text + start location | Parse the request, write the brief |
| Stripe (if you subscribe) | Card payment, subscription status | Process Pedal AI Pro payments |
| Photon / OpenStreetMap | Address queries; map data near routes | Geocoding, map tiles, routing data |
| Strava (optional) | Your OAuth token, activity IDs | Fetch your authorized ride data |
| Railway | Server logs + stored data (database) | Hosts our backend and database |
| Cloudflare | DNS for pedalai.bike |
Domain & email routing |
We don't sell, trade, or rent any of this data to anyone, for any purpose, ever.
Where it's stored
- Account data (email, display name) is managed by Supabase.
- Your preferences, saved routes, and avoidances live in a PostgreSQL database hosted on Railway (US region).
- Server logs live on Railway's infrastructure.
How long we keep it
- Your saved data persists while the beta is active so you can come back.
- Server logs: 30 days.
- If you delete your account (in-app via Profile → Delete account, or by email): we remove your account and associated data — saved routes and profile — right away; server logs age out within 30 days.
- Billing records: if you've subscribed, Stripe retains payment and invoice records as required by tax and accounting law, even after you delete your Pedal AI account. We keep only your subscription status and Stripe customer ID, which we remove when you delete your account.
- If Pedal AI shuts down: we'll give connected users at least 14 days' notice before deleting all data.
Your rights
- Delete everything yourself: in the app, open Profile → Delete account. This erases your account and your stored data. You can also email [email protected].
- See what we have: email [email protected] and we'll send you a copy.
- Disconnect Strava: revoke access at https://www.strava.com/settings/apps. Email us if you also want the learned preferences removed.
- Revoke location: turn off location for Pedal AI in your phone's Settings at any time.
GDPR / CCPA users have these rights regardless; we extend them to everyone by default.
Children
Pedal AI isn't designed for or marketed to anyone under 18, and we don't knowingly collect data about minors. If you believe we have, email [email protected] and we'll delete it.
Changes to this policy
If we change anything material (new data collection, new sharing, changed retention), we'll update the "Last updated" date above and notify account holders before it takes effect.
Contact
Email: [email protected] Operator: Rocco Guaragno, Colorado, USA